How to avoid the "black swan" incident in the gene field: a security war behind a preventive "recall"

The picture comes from visual China

Because of data security risks , More than 1800 A gene sequencer “ Recall ”, involve 50 Several countries , The food and drug administration （FDA） A paper of publicity , The global sequencing industry giant inmana （Illumina） Sent to the cusp of domestic public opinion .

Since its establishment, inmana has 24 year , Its sequencer products are sold to 115 Countries and regions ,2005 year , Inmana enters the Chinese market .

As an upstream enterprise in the sequencing industry chain , Immana, who has always kept a low profile, is 6 month 14 Respond to potential safety hazards on the th ： An upgrade software has been developed , For all affected customers , It can effectively prevent the hidden danger from being used remotely , As of the date of announcement , No report has been received worldwide indicating that hidden dangers have been exploited .

in addition , In the first time in the world, inmana launched the “ Recall ” measures . In the Chinese market , Inmana 5 Report to Shanghai food and drug administration at the beginning of this month , And send a notice to each affected Chinese customer , Immediately carried out corresponding on-site software upgrade measures in China .

It's important to point out that , Both inmana and the industry said , this “ Recall ” Take the initiative for the enterprise 、 Measures that do not involve physical objects , With a clear preventive purpose . For the data security management of gene sequencing industry , Regulators and companies actually have common goals .

The relevant person in charge of inmana told titanium media App：“ Inmana has an independent global network security supervision team , All products are subject to strict network security risk screening and detection before they are launched , Standard risk detection will be carried out every quarter after the product is launched .”

meanwhile , Inmana and its customers jointly undertake the management and control of data security risks , This initiative “ Recall ” The security risk of is also found based on this cooperation mechanism .

that , This time “ Recall the door ” What is the context of the incident ？ Are there any criticisms about the response measures of inmana ？ What are the domestic regulatory authorities' requirements for genetic data security “ A firewall ” effect ？ Through this event , What should China's gene sequencing industry think about ？ And how to move forward ？

The whole story of potential safety hazards

The cause of the incident can be traced back to 2022 Beginning of the year , At that time, the British genetic testing company was doing routine system safety maintenance , Professional technology companies hired Pentest The software hidden trouble of inmana sequencer was found , The company was informed of the problem , This software is applied to many sequencer products of inmana . This is also the preventive alarm triggered by MENA's global safety supervision cooperation mechanism .

The results of large-scale investigation show that , Local operation management software on inmana sequencer Local Run Manager（LRM） There are five potential safety hazards , Three of these safety hazards are considered to be of the highest severity .

In this , Inmana started a comprehensive investigation , Simultaneously report to national regulatory authorities , And developed the corresponding software patches . meanwhile since 5 month 3 Notify customers who may be affected from the th .

stay 75% The customer completes the installation of the patch , Inmana and FDA、CISA The negotiation is synchronized and publicized on the official website , To widely inform users who may be exposed to sequencing service results .6 month 3 Japan , Cyber security and infrastructure security agency of the U.S. Department of Homeland Security （CISA） The industrial control system bulletin was issued , It is pointed out in detail that there are many potential safety hazards in many types of equipment .

6 month 13 Japan , The United States FDA The official website actively recalled immena （ No physical objects involved ） stay FDA Be publicized in the recall system , Under Imner 1813 Active recall of gene sequencers , Involving China and the United States 、 Australia 、 The French 、 Italy 、 Japan 、 Thailand, etc 55 Countries and regions .

Immena responded

The impact of the above potential safety hazards , Inmana in 6 month 14 In its response, the Japanese government said , This network security risk involves remote code execution without authentication （RCE）, Unauthorized users may bypass security controls , Improper access to the system as an administrator , This may affect the setup of the sequencer 、 To configure 、 Software 、 Data on the sequencer or customer network .

Unauthorized access means that it is possible for an illegal person with sufficient network hacking tools to invade , The barriers to interpretation of genetic data are higher , This also leads illegal personnel to take advantage of the hidden danger , The difficulty increases exponentially .

Report safety incidents to the regulatory authority in a timely manner , It's international practice , Whether in accordance with U.S. information security related laws , Or the European Union 《 General data protection regulations 》（GDPR）, There are clear requirements for the time limit for enterprises to report security incidents , If the enterprise violates the regulations , Cause user data leakage , Will be severely punished .

Starting from the supervisor , The United States CISA/FDA Recall of level II safety incidents is not uncommon , But as a normalized safety supervision measure . Only in the first half of this year ,FDA The recall frequency of secondary safety incidents is as high as 733 Time .

It is worth noting that , Under the cooperation of many parties , Up to now ,FDA And immena has not received any report indicating that the hidden danger has been exploited . The two sides are cooperating , And with CISA Coordinate , To identify 、 Communicate and prevent adverse events related to this network security risk , Inmana also complies with the alert requirements applicable in other parts of the world , Have informed and cooperated with the relevant regulatory bodies and competent authorities to carry out work .

Inmana said , From a global perspective , In the inmana sequencing platform and the whole field of gene sequencing , At present, there has not been any major or malignant gene information data leakage problem . The preventive measures or announcements made by the regulatory authorities in this regard are important to prevent the safe emergence of global genetic data “ The black swan ” Events are crucial .

Inmana also said in a statement , By 6 month 14 Japan , The on-site software upgrade of Chinese customers has been basically completed . in addition , The company has developed a software patch to prevent the hidden trouble from being exploited remotely . meanwhile , Inmana is also actively developing a permanent software repair solution , It aims to completely eliminate this hidden danger for current and future sequencers , Once completed, the customer will be informed to complete the upgrade in time .

Data security is nothing , How to deal with it in China ？

Immanuel from 2005 Since entering the Chinese market in , And stone burning medicine 、 Nuohe Zhiyuan 、 Beirui gene and other gene detection service providers in the middle of the industrial chain have established extensive cooperation , Only during the Shanghai International Fair last year , Just like 30 About Chinese gene testing enterprises have signed cooperation intentions .

this “ Recall the door ” event , Naturally, it also affected some Chinese customers . But whether it is the domestic regulator or inmana itself , They all react at the first time .

As early as 5 month 5 Japan , The Shanghai food and Drug Administration issued Imna's active recall notice , Include MiSeqDx and NextSeq 550Dx Two sequencers , The recall level is level II , But it does not involve physical recall .

In this incident “ Recall ” What are the key data in the sequencer ？ The official website of inmana shows that , The above two instruments are used for human DNA Clinical diagnosis of sequencing 、 Genetic testing or scientific research . according to the understanding of , In the gene sequencing equipment used all over the world , May have a large number of patients' medical data , Include DNA data 、 health information 、 Family genetic history and other data .

MiSeqDx（ The picture comes from the official website of inmana ）
NextSeq 550Dx（ The picture comes from the official website of inmana ）

In terms of genetic data security supervision , The domestic regulatory response mechanism will not be lax .

According to the regulation , The medical device manufacturer makes a decision on the recall of medical devices , A level II recall enterprise shall be registered in 3 Notify relevant medical device enterprises within days 、 The user or inform the user . The website of the State Drug Administration shows ,2022 Since, a total of 116 Voluntary recall notice of the pharmaceutical and mechanical enterprises .“ Active recall ” This form , It has become a normal way for the relevant domestic regulators to supervise the pharmaceutical machinery enterprises .

From the global scope to the Chinese market , The regulatory authorities attach great importance to the compliance and safety review in relevant fields , And constantly improve . Previously launched in Europe IVDR The policy has clear requirements ,FDA It is also planned to continue to update relevant regulations this year , At home , This year, 3 month , The device examination center of the State Food and drug administration also launched 《 Guiding principles for network security registration and review of medical devices （2022 Revised in ）》（ Hereinafter referred to as 《 Guiding principles 》）.

《 Guiding principles 》 And make it clear that , The design and development of medical devices can only take corresponding risk control measures against known network security vulnerabilities , After listing, it will still face the threat of network security events caused by potential unknown network security vulnerabilities . The registration applicant shall establish an emergency response mechanism for network security incidents based on relevant standards and technical reports , Ensure the safety and effectiveness of medical devices and protect patients' privacy .

in addition , According to the severity of network security events 、 Urgency 、 Extensive degree and other factors for classification and hierarchical management , Combined with product risk level , Carry out verification of emergency response measures according to risk management requirements and record them , Inform the user of the Countermeasures in time during the event . If applicable , According to adverse events of medical devices 、 Recall relevant laws and regulations ; When necessary, , Report to the national network security authority .

and , With the rapid development of sequencing industry in China in recent years , Genetic data security has been raised to an unprecedented level .2019 year 5 month , Issued by the state council 《 Regulations on the administration of human genetic resources 》,2020 year 10 month , The Standing Committee of the National People's Congress issued 《 Biosafety law 》, Bring the safety management of human genetic resources related activities into the supervision . Illegal gene editing 、 Illegal collection and use of national human genetic resources were also included in the scope of criminal law regulation in the same year . And in China , Foreign investors are not allowed to invest in or participate in any genetic testing services . According to inmana , In China, it strictly follows the requirements of the negative list , Playing the role of a provider of technical products in the gene testing industry .

This year, 3 month , The regulation is refined again , Issued by the Ministry of science and technology 《 Detailed rules for the implementation of the regulations on the administration of human genetic resources 》 Make it clear ：“ Human genetic resource material refers to the material containing human genome 、 Organs of genetic material such as genes 、 organization 、 Cells and other genetic materials ; Overseas organization 、 Individuals and institutions established or actually controlled by them shall not collect information within the territory of China 、 Preserve China's human genetic resources , China's human genetic resources shall not be provided abroad .”

It is also based on this , Inmana and domestic sequencing enterprises 、 Cooperation between scientific research institutions and hospitals , There are also more stringent requirements on data , A considerable number of sequencers are not connected to any network , Only run locally , This greatly reduces the risk of outsiders bypassing security controls , The improper access due to the potential safety hazard of MENA sequencer occurred .

according to the understanding of , It is different from the fact that overseas customers can download patches through the network to complete the upgrade by themselves , The patch upgrade measures of inmana in the Chinese market are implemented in the form of on-site manual services . During the closure and control of the epidemic in many places , Inmana is still fully engaged in relevant work .

At present , The global gene sequencing industry is expanding rapidly ,《 Report on market prospect and investment strategic planning of China's gene sequencing industry 》 forecast ,2020 The global gene sequencing market in 149 Billion dollars , Expect to 2025 The years will reach 341 Billion dollars ,5 The compound annual growth rate remains at 18% High growth of . China is one of the most potential markets in the development of gene industry .

2021 year , Inmana's income from China reaches 5 Billion dollars , Accounting for more than 10%, And the growth rate of the Chinese market is higher than that of the company's overall revenue . This is enough to prove that China's genetic industry is speeding up , In the process , It is bound to nurture more industrial giants .

Where will Chinese gene sequencing go ？

Genetic testing means passing blood 、 Other body fluids 、 Or cell pair DNA The technology of testing , It can be used to analyze the DNA Whether the gene types and gene defects contained in molecular information and their expression functions are normal , So that people can understand their own genetic information , Identify the cause or predict the risk of a disease .

at present , Gene sequencing is widely used in cancer 、 microbiology 、 Complex diseases 、 Reproductive and genetic health research . Cost reduction after wider application of technology-based iterations .

The first sequencing technology to realize commercial application is the first generation sequencing , The high cost of 、 inefficiency , from Sanger stay 1977 The invention of . At present, the most widely used is the high-throughput sequencing technology, also known as the next generation sequencing technology （Next-Generation Sequencing, NGS）, Is the Sanger Revolutionary progress after sequencing , With high flux 、 Low cost features . Use a generation Sanger Sequencing technology genome sequencing projects that have taken years can now be NGS Technology can be completed in a few days .

besides , In recent years, the third generation sequencing technology has emerged 、 Fourth generation sequencing technology , But because the error rate is still in the early stage of exploration , It is certain that the leapfrog development of technology has brought earth shaking changes to the industry .

High throughput sequencing is widely popularized , It generates more data points 、 faster 、 More efficient , And drive the industry to sink .2010 year , The cost of genome sequencing has dropped from hundreds of thousands to millions of dollars 1 Around ten thousand dollars , To 2021 year , The cost of genome sequencing has entered 600 The dollar era , Greatly improve the accessibility of gene sequencing .

For all that , Gene sequencing has not yet ushered in its “ The golden age ”. at present , Currently, gene sequencing is mainly used in scientific research 、 Clinical and consumer . Insiders estimate that , future 3 - 5 During the year , Clinical gene sequencing will enter a centralized outbreak period .

Based on the eve of industrial explosion , How much cake can China get from it , A large part depends on the extent of the energy radiation of the enterprises involved , However, the rare product in the domestic gene sequencing industry is the giant enterprise .

The gene industry is divided into upstream, middle and downstream , The upstream is the sequencer represented by inmana 、 Reagent consumables supplier , The barriers are high , The competition pattern is good ; Midstream is a sequencing service 、 Product provider , The threshold for providing sequencing services is not high , The competition in this field is fierce and there is no absolute industry giant , China currently has 200 More than related enterprises participated in the competition , Including stone burning medicine 、 Berry gene, etc ; Downstream is the sequencing application market , It determines the size of the midstream gene testing service market , Including hospitals 、 Scientific research institutions, etc .

2021 Blue Book of gene industry , Shenwan Hongyuan research

《2021 Blue Book of gene industry 》 Pointed out that , Foreign enterprises have competitive advantages in the upstream of the industrial chain , Domestic gene enterprises mainly focus on the detection services in the midstream .

In the industrial chain where Chinese enterprises gather , It is necessary to cultivate international industrial giants , It is inseparable from the upstream infrastructure support , It is also necessary for the downstream market to expand . The development of the gene sequencing industry is a win-win cooperation from the beginning , This kind of cooperation is not limited to certain enterprises , And across national borders .

In the academic world , As early as 1985 The human genome project was proposed in ,1990 After it started in 2005 , Including the U.S. 、 The British 、 The French 、 Germany 、 Scientists from Japan and China jointly participated in the budget for 30 The billion dollar human genome project ,2001 The working draft of the human genome was published in , Until this year 3 end of the month , A complete X The nucleotide sequence of chromosome has been completely decoded .

after 20 many years , This is called the life science community “ Mission to the moon ” Interdisciplinary cross-border scientific exploration project , Finally, a major breakthrough has been made . so , To dig 、 analysis 、 Protect the genetic treasure house of mankind , Not only is it time-consuming , We also need borderless cooperation at home and abroad .

The same logic applies to the commercial application of genetic data , And the applications in these fields point to overcoming rare diseases 、 Cancer and other major diseases , The promotion of many human public undertakings, such as improving the ability of disease prevention .

At home , With the aging of the population and the corresponding increase in the incidence of cancer 、 The promotion of healthy consumption awareness and consumption ability 、 The development of new early diagnosis and early screening technologies such as life multidimensional omics ,“ Great health ” It has become a national strategic focus and industrial hotspot in recent years , among , The gene sequencing industry, which covers precision medicine to life-cycle health management, is one of the main components .

stay “ Healthy China ” and “ Driven by scientific and technological innovation ” The policy window period , The application of gene technology is expanding , Routine sequencing 、 Gene editor 、NGS And nanopore single molecule sequencing , And the incubation and launch of new products are moving forward simultaneously .

But can China surpass the curve on an international scale , It also depends on whether it will usher in all-round Industrial Development in the future , This includes both technical applications , It also covers industry norms . The preventive recall of MENA in the world has not attracted so much attention in other countries where the national information security level requirements are also very strict as in China , From another perspective , On the one hand, it provides the public with an opportunity to understand the cross supervision of relevant regulations in the gene industry around the world , On the other hand, it is also helpful to remind the industry to pay more attention to the safe operation and maintenance of infrastructure equipment when running at a high speed , And possible challenges in other international markets , And think about their own forward-looking layout in R & D, manufacturing and operation management .

Need to know , In policy 、 technology 、 Under the multiple drives of capital , China's gene industry ecology has just taken shape , Domestic gene therapy 、 Gene synthesis technology still lags behind , Cloud computing infrastructure still has a lot of room for cost optimization . In the sequencing industry , What we need is to nip in the bud , Instead of mending .

The nine story platform starts from the accumulated soil , Before the market expansion , Only the benign interaction and cooperation between the industrial chains can condense into a solid support for China's gene sequencing industry to continuously explore the present , And every security risk that is discovered and remedied in the early stage of the industry , Will become valuable experience on the way forward of the industry .

（ This article was first published in titanium media App）