A major vulnerability in the software used by gene sequencers produced by genetic-research equipment maker Illumina highlights the dangers of software vulnerabilities in medical devices, but also demonstrates the positive impact of legislation in strengthening cybersecurity in the medical field.

The vulnerability, originally discovered during an internal Illumina assessment, allows an unauthenticated attacker to exploit the system and execute code at the operating system level, according to an advisory published by the Cybersecurity and Infrastructure Security Agency (CISA). The vulnerability — and a second less serious flaw — raise the possibility of attackers specifically targeting medical research facilities and forensics laboratories.

While the cybersecurity of medical devices is critical, security issues in DNA sequencing and synthesis equipment pose specific risks, says Josh Corman, vice president of cyber safety strategy at Claroty, a cyber-physical security provider, and a former chief strategist with CISA.

"Anything that touches DNA — yes, it's a privacy concern — but also think about digital forensics or think about custom cancer treatments, right?" he says. "If you could taint evidence for a crime, if you could mess with someone's treatment, if you cast doubt on a particular device manufacturer — this is an integrity attack to me, not so much just attacking the availability of the device or using it as a jumping off point for ransomware."

Yet the vulnerabilities also demonstrate the impact of the current legislative and regulatory push to force the makers of connected devices to improve their overall cybersecurity posture. In December, the omnibus federal budget bill changed the requirements for manufacturers of medical devices as of March 29, 2023, requiring that they provide a software bill of materials (SBOM), have a plan to address post-market vulnerabilities and exploit, and have a secure development lifecycle. The Biden administration's National Cybersecurity Strategy also called for tighter cybersecurity requirements and potential liability for those who failed to take action, while a bipartisan bill — the Protecting and Transforming Cyber Health Care (PATCH) Act — will require medical devices makers to focus more on cybersecurity.

Both the Food and Drug Administration (FDA) and CISA are doing more to focus medical device-makers on cybersecurity. The FDA issued a letter to healthcare providers on April 27 advising them of the vulnerabilities and that Illumina had issued a patch for their products and worked with the FDA and CISA to communicate information to its users.

"On April 5, 2023, Illumina sent notifications to affected customers instructing them to check their instruments and medical devices for signs of potential exploitation of the vulnerability," the FDA stated in its letter, adding: "The FDA wants healthcare providers and laboratory personnel to be aware of the required actions to mitigate these cybersecurity risks."

Cybersecurity With a Twist

The Illumina Universal Copy Service vulnerability highlights how widespread the healthcare impact of vulnerabilities can be on medical systems and devices. Using the vulnerability (CVE-2023-1966), an attacker could modify configurations and settings, install additional software, and access sensitive data on vulnerable products, according to CISA's April 27 advisory. A second, less serious vulnerability (CVE-2023-1968) would also allow attackers to turn the sequencer into a network-monitoring device.

The obvious threat for an organization with these devices is that the devices could be used as a beachhead into a network, allowing the compromise of lab equipment and computers on the same network. Because that equipment is often not managed by the organizations' IT security groups, an attacker may be able to have a greater impact.

In addition, the fact that these devices also handle sensitive DNA data adds a twist, Mohammad Waqas, principal solutions architect for healthcare at Armis, a provider of cybersecurity for the extended attack surface.

"Healthcare is seen as an easy target for cyberattacks due to historically low investments in IT security and the mission-critical nature of the data and systems," he says. "Genomic sequencing devices, in particular, process protected health information, which is high value data for hackers."

Both CISA and Illumina have stated that the organizations have seen no evidence of exploitation, and an Illumina spokesperson stressed that the company had taken all the appropriate steps, from discovering the vulnerability internally to issuing a patch to notifying the FDA.

"We provided specific instructions to each customer, along with the recommendation that the actions be performed on all impacted systems, regardless of whether the instruments are connected to the Internet or a local network," an Illumina spokesperson tells Dark Reading. "We ensured the patch created little to no downtime and provided access to our Tech Support team throughout the entire process."

Device Manipulating Human "Code" Pose Risks

Attacks on medical devices and services have increased, with a 35% jump in overall attacks, much of it due to ransomware. The interconnectedness of the medical devices often makes the impacts of attacks hard to predict. An attack on the cloud storage system of radiation provider Eleckta, for example, led to an outage for imaging and cancer treatments across at least four major health organizations in 2021.

While the cybersecurity of any medical device is critical, devices that deal with human DNA — such as sequencers and synthesizers — can add a few new wrinkles to the threat models, says Claroty's Corman.

"Medical-device manufacturers are starting to understand that the threat model is not just about who could steal DNA information from America, but ... understanding there's integrity risks as to the results, and there's potential for tampering," he says. "Just think of any ethics conversations you've heard around CRISPR or DNA sequencing or privacy, ... and then think [if you could] manipulate individual or large swaths of results coming out of these devices."

Healthcare organizations and medical device manufacturers need to conduct threat-modeling exercises to determine how the devices could impact the healthcare system. Cyberattacks have already led to significant direct stress on healthcare infrastructure leading to excess deaths, according to an analysis conducted by CISA.

In addition, Armis' Waqas says that healthcare organizations need to focus on risks, addressing asset visibility, cross-team collaboration, and risk remediation.