Skip to main content
close search
site logo
Dive Brief

BD's Pyxis medication dispenser gets fifth DHS cybersecurity alert in 5 years

Published June 1, 2022
By
Contributor
DHS, homeland security
Photo illustration by Danielle Ternes/MedTech Dive; photograph by spainter_vfx via Getty Images

Dive Brief:

  • The Department of Homeland Security on Tuesday issued its fifth cybersecurity alert about Becton Dickinson's Pyxis medication dispensing machines in as many years.
  • In the latest notice, the DHS’s Cybersecurity and Infrastructure Security Agency​ describes the lack of password aging as a weakness that could give an attacker access to electronic protected health information. DHS scored the vulnerability as 8.8 on a 10-point scale.
  • BD, which voluntarily reported the vulnerability, is working with users whose credentials need updating while piloting a new system that is intended to improve authentication management.

Dive Insight:

The DHS has posted one notice about the Pyxis device each year from 2018 to 2020. While no new vulnerabilities emerged last year, two alerts were given in 2022 with the latest coming weeks after the department flagged a risk related to the use of hard-coded credentials after being told about the problem by BD.

The latest notice stems from the fact that some Pyxis products may still operate with their default credentials. Multiple products may have the same default credentials that are shared across product types, potentially opening a door through which an attacker could gain privileged access to the file system.

BD set out what the vulnerability means in practice in an emailed statement on Tuesday. 

“The default credentials in BD Pyxis devices are primarily managed by BD support personnel. To exploit this vulnerability, an unauthorized user would have to gain access to the default credentials, infiltrate a facility’s network and gain access to individual devices and/or servers. If exploited, an unauthorized user may be able to gain privileged access to the underlying file system and could potentially exploit or gain access to electronic protected health information or other sensitive information,” the company said in the statement.

There are no known public exploits that specifically target the vulnerability and BD is working to address the problem, it added.

Service personnel now are working to update domain-joined server credentials as needed. The company also noted it's piloting “a credential management solution initially targeted for specific BD Pyxis product versions and will allow for improved authentication management practices with specific local operating system credentials.” Installation, upgrade and application remediations are under evaluation. 

While working on a fix, BD said it's advising users to ensure only authorized personnel have physical access, “tightly control management of system passwords provided to authorized users,” log network traffic and isolate affected products in a secure virtual local area network or behind firewalls with restricted access.

Recommended Reading

Editors' picks

Company Announcements

View all | Post a press release
Innoventric Secures $28.5M and Unveils Groundbreaking Tricuspid Regurgitation Treatment to Hel…
From Innoventric
October 29, 2024
identifeye Health Unveils AI-Enabled Automated Camera System to Make Retinal Imaging More Acce…
From identifeye HEALTH
October 17, 2024
Celonis AgentC: Making AI Agents Work for the Enterprise with Process Intelligence
From Celonis
October 23, 2024
Survey Shows Growing Dependence on Contracts Among Medical Device Companies, Even as Contract …
From AcuityMD
October 21, 2024
Editors' picks
Latest in Medical Devices
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell