A major vulnerability in DNA sequencing equipment was discovered, highlighting the risks of cyberattacks on medical devices. The vulnerability was found, of all things, in DNA sequencing equipment made by San Diego biotech firm Illumina; discovered by its security team and subsequently patched. Such an intrusion could expose sensitive patient data or allow threat actors to alter genetic data or diagnostic testing results.
DNA sequencing is a powerful tool that has revolutionized the field of biology. It has allowed scientists to identify genes, understand how genes work, and diagnose and treat diseases. DNA sequencing is used to develop new personalized medicines tailored to the individual’s genetic makeup.
Anything touching DNA is a serious privacy concern, but it is also a concern for digital forensics and custom cancer treatments. An attacker could taint evidence of a crime, mess with someone’s life-saving medical treatment, or cast doubt on a device manufacturer, which would pose an integrity attack.
A vulnerability in DNA sequencing equipment could allow adversaries to gain access to sensitive patient data and use it to commit identity theft, fraud, or to take control of DNA sequencing equipment. This could allow threat actors to disrupt the equipment, which could have an impact on patient care.
Other manufacturers of medical devices need to take stock and take retaliatory measures such as compliance readiness and penetration testing to assess, prepare, and guard against vulnerabilities. Like computer networks, medical devices too are increasingly being connected to the internet, which makes them more risk-prone.
Cyberattacks on medical devices are on the rise. A 2021 report from the U.S. government found healthcare accounts for nearly a quarter of cyberattack events, the most of all industries. This trend is expected to gain momentum as medical devices become more software-driven and cloud-connected.
In response to these threats, a bipartisan bill sponsored by Sen. Bill Cassidy (R-LA) in April 2022 called the Protecting and Transforming Cyber Health Care (PATCH) Act, would require medical device manufacturers to ensure the cybersecurity of their devices. These requirements include conducting risk assessments, developing security plans, implementing policies to respond to cyber threats, and reporting security incidents like ransomware attacks.
The security guidelines below apply equally to health care and other industries, including small businesses:
- Implement security controls like firewalls, threat response, and intrusion detection systems.
- Regularly patch software and automate the updating of operating systems.
- Educate staff on cybersecurity best practices, including regular security awareness training to help identify, block, and report phishing scams.
- Conduct quarterly risk assessments and penetration testing.
- Have a mitigation plan in place, including a contact list of first responders in the event of cyberattack.
The PATCH Act is a significant step forward in the effort to protect patients from the risks of cyberattacks on medical devices. The bill is currently being considered by the Senate Health, Education, Labor, and Pensions Committee.