Skip to main content
close search
site logo
Dive Brief

Vulnerability in BD’s infusion pump flagged to US cybersecurity agency

Published Dec. 5, 2022 Updated Dec. 6, 2022
By
Contributor
Becton Dickinson logo
Permission granted by Becton Dickinson

Dive Brief:

  • Becton Dickinson reported a vulnerability in its BodyGuard pumps to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which posted a report on the problem.

  • An attacker with physical access to the device and specialized equipment and knowledge could exploit the vulnerability to change the configuration settings or disable the pump, according to the agency.

  • The vulnerability scored 5.3 on the 10-point risk scale. The medium score on the risk scale reflects the need for physical access and low probability of harm.

Dive Insight:

The vulnerability affects multiple products in BD’s line of BodyGuard infusion pumps. The pumps deliver fluids and medications into a patient's body in controlled amounts.

By connecting to a RS-232 data transmission port on the device, an attacker could control the pump without prior authentication. The control would allow the individual to read and change configurations. BD discussed the implications of the weakness in its summary of the vulnerability.

“Any such attack would have partial impact to confidentiality and integrity and high impact to availability, as the loss of access to the pump technician codes in the wake of adverse infusion configuration changes would render the pump no longer usable,” BD wrote.

The company said there is a low probability of patient harm because the pump directions for use don’t include requirements to use the RS-232 port during clinical procedures.

In response to the threat, BD is asking customers to ensure physical access controls are in place and only authorized end-users have access to BodyGuard pumps. Hospitals should only connect equipment that is approved by BD to the RS-232 interface and shouldn’t connect anything to the port when a pump is delivering an infusion. BD added customers also should protect connected computer systems. 

The company said in its statement that the flawed pumps are not sold in the U.S. 

The cyber vulnerability is one of a handful of weaknesses that BD has reported to CISA in recent months. This year, CISA has issued notices about BD’s automated molecular testing system, microbiology informatics software platform and Totalys MultiProcessor, plus two notices about the Pyxis medication dispensing system.

Clarification: Updates to clarify that the breach was first reported to CISA by the manufacturer, Becton Dickinson.

Editors' picks

Company Announcements

View all | Post a press release
identifeye Health Unveils AI-Enabled Automated Camera System to Make Retinal Imaging More Acce…
From identifeye HEALTH
October 17, 2024
Survey Shows Growing Dependence on Contracts Among Medical Device Companies, Even as Contract …
From AcuityMD
October 21, 2024
Echosens Launches its Liver Health Management (LHM) Platform Globally, Streamlining Liver Care
From Echosens
November 04, 2024
Innoventric Secures $28.5M and Unveils Groundbreaking Tricuspid Regurgitation Treatment to Hel…
From Innoventric
October 29, 2024
Editors' picks
Latest in Medical Devices
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell