On June 2, 2022, the U.S. Food and Drug Administration (FDA) reported a cybersecurity vulnerability that affects software in the Illumina NextSeq 550Dx, MiSeqDx, NextSeq 500, NextSeq 550, MiSeq, iSeq, and MiniSeq next generation sequencing instruments. The devices are used in diagnostic (Dx), research-use only (RUO), or dual boot (either Dx or RUO) modes.
The cybersecurity vulnerability affects the local run manager (LRM) software. Unauthorized users can exploit the LRM, remotely taking control of the instrument, altering instrument configurations, or affecting patient test results.
According to FDA, Illumina has developed a software patch to protect users against the vulnerability and is working to launch a permanent software fix for all instruments. FDA urged laboratory personnel and healthcare providers to be aware of the required actions to mitigate the cybersecurity risks. If you are using one of the devices in your practice, FDA recommended that you:
Review Illumina’s Urgent Safety Notification or Product Quality Notification. If you did not receive a notification from Illumina, but believe you should have, contact email@example.com.
Immediately install the software patch (Dx mode and RUO mode) on every affected instrument, including in each stand-alone instance of the off-instrument LRM for RUO mode on the Dx instruments, while connected to the internet.
Contact firstname.lastname@example.org if you suspect your instrument may have been compromised.
Illumina has developed a software patch to protect against the exploitation of the vulnerability and is working to provide a permanent software fix. FDA and Illumina have not received any reports indicating the vulnerability has been exploited.
FDA is working with Illumina and coordinating with the Cybersecurity Infrastructure Security Agency to identify, communicate, and prevent issues related to the vulnerability.
Healthcare professionals should report any adverse reactions or quality problems they experienced using the device to MedWatch, FDA’s Safety Information and Adverse Event Reporting Program.