When False Claims Act and Cybersecurity Collide

Today we return to enforcement of the False Claims Act, and a case from last week where the Justice Department fined a medical device maker $9.8 million for failing to meet promised cybersecurity standards. Cybersecurity risk and increased enforcement of the False Claims Act are sizzling issues for compliance in the Trump 2.0 era, so let’s take a look.

The company in question is Illumina, maker of DNA sequencing equipment. Illumina agreed last Thursday to settle civil charges that from 2016 into 2023, it sold genomic sequencing equipment to Uncle Sam with the promise that Illumina met NIST standards for strong cybersecurity — when in fact, the Justice Department said, Illumina hadn’t followed those standards. That therefore qualified as a violation of the False Claims Act, and here we are. 

Illumina, a huge player in the DNA sequencing industry on pace to do about $4.2 billion in revenue this year, denies the allegations against it, but agreed to settle to avoid the headache of litigation. The case is still important for compliance and audit teams for two reasons. 

To start, this case is the first False Claims Act enforcement action we’ve seen for cybersecurity issues at a medical device maker. We have previously seen FCA cases for cybersecurity issues in other industries, such as defense, IT services, and healthcare, where information security would naturally be a high concern. Now the medical device industry has been added to that list.

Even more important, however, are the allegations of exactly how Illumina flubbed its cybersecurity risk management, and the measures other companies would need to take to avoid similar FCA liability in the future.

Specifically, prosecutors accused Illumina of failing to weave cybersecurity measures into its whole product development process. For example, the company failed to incorporate product cybersecurity in its software design, development, and installation; and didn’t maintain a properly resourced team responsible for product security. 

Those shortcomings led Illumina to deliver products that had unacceptable cybersecurity vulnerabilities. So regardless of whether there were any actual data breaches from insecure Illumina products, the existence of poor cybersecurity risk management while building those products was enough to trigger the Justice Department’s enforcement action.

How would other companies avoid all that in the first place? By embracing a cybersecurity philosophy known as security by design.

That’s the larger point that compliance, security, and audit teams need to ponder here.

The Alleged Cybersecurity Flaws

Let’s first review the allegations against Illumina. As a medical device maker regulated by the Food & Drug Administration, Illumina is supposed to obey a rule known as the Quality System Regulation. The “QSR” dictates how medical device makers are supposed to assure that they only manufacture safe, reliable products. 

The three elements of the QSR relevant here are design control (you’re designing safe products from the start), corrective and preventive action (you can correct quality mistakes later as they’re discovered), and management (you have systems in place to coordinate all that work). Illumina was supposed to have systems in place to assure all three elements were working well to churn out secure, safe, reliable devices.

A whistleblower, however, filed a lawsuit in 2023 accusing Illumina of disregarding those QSR requirements in its quest to dominate the genomics sequencing market. The whistleblower (a product development manager who worked at Illumina in the early 2020s) said that from 2016 through 2023, Illumina allowed sloppy security practices such as:

  • Granting elevated privileges to everyday users of its equipment by default (so, a world where everyone using Illumina equipment had administrator privileges and could see all sorts of personal data);
  • Using software code that allowed user names and passwords to be generally accessible, which thwarted controls such as encryption and user authentication;
  • Failing to take swift corrective action when Illumina customers told the company that the genomics equipment they purchased had suffered ransomware attacks.

We could keep going, but you get the idea. The whistleblower says Illumina turned a blind eye to weak cybersecurity practices in the product design phase, knowingly pushed insecure products onto the market to grab market share, and didn’t have sufficiently strong management processes to correct cybersecurity issues once its products were out in the wild. 

Again, Illumina denies the allegations and says it agreed to settle to avoid the expense of prolonged litigation. OK, whatever. For compliance, audit, and security teams elsewhere, I’d focus on this passage from the settlement between Illumina and the Justice Department:

[The] United States contends that the claims were false because Illumina knowingly failed to incorporate product cybersecurity in its software design, development, installation, and on-market monitoring; failed to properly support and resource personnel, systems, and processes tasked with product security; failed to adequately correct design features that introduced cybersecurity vulnerabilities in the Genomic Sequencing Systems; and falsely represented that [its] software on the Genomic Sequencing Systems adhered to cybersecurity standards, including standards of the International Organization for Standardization and National Institute of Standards and Technology.

So what cybersecurity practices would you want to have in place, and what support would you need from management, to avoid an Illumina-like predicament? 

That’s the question that brings us to security by design.

The Security by Design Opportunity

Security by design isn’t a regulation per se. It’s more a way of thinking, where companies make strong cybersecurity a greater priority than fast product development. At the practical level, it means embedding strong cybersecurity controls across the whole organization and emphasizing strong security in the control environment articulated by senior management. 

The idea of security by design has kicked around for several years, but attention jumped up a notch earlier this year when Patrick Opet, the CISO of JPMorgan Chase, published an open letter to the technology sector basically saying that our current approach to cybersecurity sucks, and is no longer sustainable. 

“Providers must urgently reprioritize security, placing it equal to or above launching new products,” Opet wrote. “Secure and resilient by design must go beyond slogans — it requires continuous, demonstrable evidence that controls are working effectively, not simply relying on annual compliance checks.” 

Opet then listed several security controls and measures he wants technology vendors to embrace, and overall he laid out a compelling business case for taking cybersecurity much more seriously. Now we have this enforcement action against Illumina, which shows that there’s a regulatory compliance case for drinking the security by design Kool Aid too. Like I said earlier, Illumina is the latest company sanctioned under the False Claims Act for sloppy cybersecurity; it’s not the only one by a country mile. 

This all strikes me as an excellent opportunity for CCOs, internal auditors, and IT auditors. Security by design isn’t a shift companies can (or even should) embrace overnight. It takes time and planning. Senior management needs to shift the corporate culture at large, and business functions need to change their processes and controls one step at a time. Both groups will need help to understand what they should do, and how to explain the value of security by design to all of the organization’s stakeholders — including customers, who will probably be delighted at the idea of more trustworthy tech; and regulators, who will want evidence that your wiser approach to security is sincere. 

All of that plays to compliance and audit professionals’ strengths.