Illumina Cybersecurity Vulnerability May Present Risks for Patient Results and Customer Networks: Letter to Health Care Providers
June 2, 2022
The U.S. Food and Drug Administration (FDA) is informing laboratory personnel and health care providers about a cybersecurity vulnerability affecting software in the following Illumina next generation sequencing instruments: the NextSeq 550Dx, the MiSeqDx, the NextSeq 500, the NextSeq 550, the MiSeq, the iSeq, and the MiniSeq. These instruments are medical devices that may be specified either for clinical diagnostic use (sequencing a person's DNA or testing for various genetic conditions) or for research use only (RUO). Some of these instruments have a dual boot mode that allows a user to operate them in either clinical diagnostic mode or RUO mode. Devices intended for RUO are typically in a development stage and must be labeled "For Research Use Only. Not for use in diagnostic procedures." Even so, many laboratories may be using them with tests for clinical diagnostic purposes, so the vulnerability can affect patient results on RUO instruments as well.
The cybersecurity vulnerability affects the Local Run Manager (LRM) software. An unauthorized user who exploited the vulnerability could:
- take control of the instrument remotely;
- operate the system to alter settings, configurations, software, or data on the instrument or on a customer's network; or
- affect patient test results on instruments intended for clinical diagnosis, including causing the instrument to provide no results, incorrect results, or altered results, or causing a data breach.
Illumina has developed a software patch to protect against exploitation of this vulnerability and is working to provide a permanent software fix for current and future instruments. The FDA wants laboratory personnel and health care providers to be aware of the following actions required to mitigate these cybersecurity risks.
- Review the Urgent Safety Notification or Product Quality Notification (for RUO Customers) sent by Illumina on May 3, 2022 to affected customers. If you did not receive a notification from Illumina, but believe you should have, please contact firstname.lastname@example.org.
- Immediately download and install the software patch (for both Dx mode and RUO mode) on every affected instrument, including every stand-alone, off-instrument LRM installation used for RUO mode with the Dx instruments. The instrument or computer must be connected to the internet to download the patch.
- If the instrument is not connected to the internet, contact email@example.com for instructions on other ways to install the software patch.
- Immediately contact firstname.lastname@example.org if you suspect your instrument may have been compromised by an unauthorized user.
For more information about Illumina’s cybersecurity vulnerability, see the Cybersecurity and Infrastructure Security Agency (CISA) published advisory, ICSA-22-153-02.
On May 3, 2022, Illumina sent notifications to affected customers instructing them to check their instruments and medical devices for signs that the vulnerability may have been exploited.
Illumina has released a software patch to protect against exploitation of this vulnerability and is actively working to provide a permanent software fix for current and future instruments.
At this time, the FDA and Illumina have not received any reports indicating this vulnerability has been exploited.
The FDA is working with Illumina and coordinating with CISA to identify, communicate, and prevent adverse events related to this cybersecurity vulnerability. The FDA will continue to keep health care providers and laboratory personnel informed if new or additional information becomes available.
Reporting Problems to the FDA
The FDA encourages users to report any adverse events or suspected adverse events experienced with Illumina’s next generation sequencing instruments.
- Voluntary reports can be submitted through MedWatch, the FDA Safety Information and Adverse Event Reporting program.
- Device manufacturers and user facilities must comply with the applicable Medical Device Reporting (MDR) regulations.
- Health care personnel employed by facilities that are subject to the FDA's user facility reporting requirements should follow the reporting procedures established by their facilities.
If you have questions about this letter, contact the Division of Industry and Consumer Education (DICE).