April 27, 2023
The U.S. Food and Drug Administration (FDA) has approved the Illumina MiSeqDx, NextSeq 550Dx, iScan, iSeq 100, MiniSeq, MiSeq, NextSeq 500, NextSeq 550, NextSeq 1000/2000, and NovaSeq 6000 sequencing instruments. These instruments are medical devices designated either for clinical diagnostic use in sequencing an individual’s DNA for various genetic conditions, or for Research Use Only (RUO).
An unprivileged user could exploit the vulnerability in the following ways:
- Take control of the instrument remotely;
- Modify any settings, configurations, software, or data on the equipment or the customer’s network; or
- Affect genomic data results on instruments intended for clinical diagnostic use. This includes instruments providing no results, inaccurate results, or altered results, or a potential data breach.
To date, FDA and Illumina have not received any reports indicating this vulnerability has been exploited.
Illumina has developed a software patch to prevent exploitation of this vulnerability. FDA wants healthcare providers and laboratory personnel to be aware of the steps necessary to mitigate these cybersecurity risks.
Recommendation
- Please review the Urgent Medical Device Recall or Product Quality Notice (for RUO Customers) that Illumina sent to impacted customers on April 5, 2023. If you have not received a notification from Illumina but believe you should have, please contact techsupport@illumina.com.
- Immediately download and install software patches for all affected devices.
- Contact techsupport@illumina.com for other methods of installing software patches when you are not connected to the Internet.
- If you suspect that the equipment has been compromised by an unauthorized user, please contact techsupport@illumina.com immediately.
For more information on Illumina cybersecurity vulnerabilities, see the advisory ICSMA-23-117-01 Illumina Universal Copy Service issued by the Cybersecurity and Infrastructure Security Agency (CISA).
The FDA’s recommendation to healthcare providers, issued on June 2, 2022, for addressing a separate Illumina cybersecurity vulnerability remains unchanged.
Background
On April 5, 2023, Illumina sent a notice to affected customers instructing them to check their instruments and medical devices for signs of potential exploitation of the vulnerability.
Some of these instruments have a dual boot mode that allows the user to operate in clinical diagnostic mode or RUO mode. Devices for RUO are typically in the development stage and should be labeled “Research Use Only. Do not use for diagnostic procedures.” However, some laboratories may use them in clinical diagnostic tests.
Illumina has developed a software patch that prevents exploitation of this vulnerability.
To date, FDA and Illumina have not received any reports indicating this vulnerability has been exploited.
FDA action
FDA is working with Illumina and CISA to identify, communicate, and prevent adverse events related to this cybersecurity vulnerability. FDA will continue to keep healthcare providers and laboratory personnel informed as new or additional information becomes available.
Reporting Problems to FDA
The FDA encourages users to report any adverse or suspected adverse events experienced with Illumina next-generation sequencing instruments.
Contact
If you have any questions about this letter, please contact the Department of Industry and Consumer Education (DICE).