Skip to main content
close search
site logo
Dive Brief

BD's Pyxis medication dispenser gets fifth DHS cybersecurity alert in 5 years

Published June 1, 2022
By
Contributor
DHS, homeland security
Photo illustration by Danielle Ternes/MedTech Dive; photograph by spainter_vfx via Getty Images

Dive Brief:

  • The Department of Homeland Security on Tuesday issued its fifth cybersecurity alert about Becton Dickinson's Pyxis medication dispensing machines in as many years.
  • In the latest notice, the DHS’s Cybersecurity and Infrastructure Security Agency​ describes the lack of password aging as a weakness that could give an attacker access to electronic protected health information. DHS scored the vulnerability as 8.8 on a 10-point scale.
  • BD, which voluntarily reported the vulnerability, is working with users whose credentials need updating while piloting a new system that is intended to improve authentication management.

Dive Insight:

The DHS has posted one notice about the Pyxis device each year from 2018 to 2020. While no new vulnerabilities emerged last year, two alerts were given in 2022 with the latest coming weeks after the department flagged a risk related to the use of hard-coded credentials after being told about the problem by BD.

The latest notice stems from the fact that some Pyxis products may still operate with their default credentials. Multiple products may have the same default credentials that are shared across product types, potentially opening a door through which an attacker could gain privileged access to the file system.

BD set out what the vulnerability means in practice in an emailed statement on Tuesday. 

“The default credentials in BD Pyxis devices are primarily managed by BD support personnel. To exploit this vulnerability, an unauthorized user would have to gain access to the default credentials, infiltrate a facility’s network and gain access to individual devices and/or servers. If exploited, an unauthorized user may be able to gain privileged access to the underlying file system and could potentially exploit or gain access to electronic protected health information or other sensitive information,” the company said in the statement.

There are no known public exploits that specifically target the vulnerability and BD is working to address the problem, it added.

Service personnel now are working to update domain-joined server credentials as needed. The company also noted it's piloting “a credential management solution initially targeted for specific BD Pyxis product versions and will allow for improved authentication management practices with specific local operating system credentials.” Installation, upgrade and application remediations are under evaluation. 

While working on a fix, BD said it's advising users to ensure only authorized personnel have physical access, “tightly control management of system passwords provided to authorized users,” log network traffic and isolate affected products in a secure virtual local area network or behind firewalls with restricted access.

Recommended Reading

Editors' picks

Company Announcements

View all | Post a press release
Lunit Shows Promise of AI in Predicting Immunotherapy Response for Rare Cancer Patients at SIT…
From Lunit
November 10, 2024
New Published Study Shows MedLite ID as Faster and Simpler Solution to Primary Medication Infu…
From Orion Innovations
November 20, 2024
Powerful Medical Becomes the First Company to Win Best Science Startup and Overall Winner at A…
From Powerful Medical
November 21, 2024
Viz.ai Wins Prestigious Prix Galien USA Award for Best Digital Health Solution
From Viz.ai
November 12, 2024
Editors' picks
Latest in Medical Devices
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell