Skip to main content
close search
site logo
Dive Brief

BD's Alaris infusion pumps flagged for cybersecurity vulnerability

Published Nov. 13, 2020
By
Contributor
Getty

Dive Brief:

  • The Department of Homeland Security has issued an alert about a cybersecurity vulnerability affecting certain BD Alaris infusion pump products.

  • DHS, which scored the issue 6.5 out of 10 on a vulnerability scale, said a successful attack that exploited the weakness could force operators to manually program their Alaris pumps, used in hospitals to deliver fluids.

  • BD said it has received no reports of the vulnerability being exploited in clinical settings and will address the weakness through actions including an upcoming version of its BD Alaris PC Unit software.

Dive Insight:

BD’s Alaris infusion pump unit has been the subject of repeated Class I recall notices this year and is operating under an amended consent decree with FDA. The ICS Medical Advisory issued by DHS on Thursday is unrelated to those issues. Rather, the notice relates to a network session vulnerability that affects the authentication process between certain versions of the Alaris PC Unit and Systems Manager.

An attacker with access to the network associated with the affected BD devices could exploit the vulnerability to establish a direct networking session between the Alaris PC Unit and Systems Manager, provided they could redirect authentication requests and complete an authentication handshake, a type of identity check.

Successful exploitation of the vulnerability could enable a denial of service attack that leads to a drop in the wireless function of the PC Unit. Users would then need to manually operate the PC Unit but it would continue to function as programmed.

BD provided a list of potential consequences of successful attacks and steps to mitigate them in its notice about the vulnerability. An attack could prevent the pre-population of the Alaris PC Unit with infusion parameters taken from electronic medical records, or stop the wireless transmission of a new Guardrails dataset to the Alaris PC Unit. Users would need to manually program the pump and upload Guardrails datasets while the wireless capability is down.

It is possible no users will ever face those problems. BD is yet to receive reports of real-world attacks and has already addressed the vulnerability in more than 60% of Systems Manager installations through its normal server upgrades. A patch for the PC Unit software is planned. In the interim, BD is advising users to consider mitigations including use of a firewall and disabling of unnecessary account protocols and services. 

Medigate, a healthcare security company, reported the vulnerability to BD, which then voluntarily shared the information with DHS and FDA. The alert follows ICS Medical Advisories about BD Pyxis MedStation and BD Alaris PCU from earlier this year.  

Editors' picks

Company Announcements

View all | Post a press release
Osteal Therapeutics Announces Positive 12-Month Results from the APEX Clinical Trial Program a…
From Osteal Therapeutics
November 14, 2024
Lunit Shows Promise of AI in Predicting Immunotherapy Response for Rare Cancer Patients at SIT…
From Lunit
November 10, 2024
SYNDEO Medical Announces European MDR Approval for Two Product Brands
From SYNDEO Medical
November 06, 2024
Arsenal Medical Launches EMBO-02 Study for NeoCast™ to Assess Treatment of Chronic Subdural He…
From Arsenal Medical
November 14, 2024
Editors' picks
Latest in Medical Devices
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell