The Cybersecurity and Infrastructure Security Agency (CISA), a component of the Department of Homeland Security (DHS), has issued its fifth cybersecurity alert in five years to Becton Dickinson (BD). The medical technology company has received the alerts as a result of vulnerabilities found in its Pyxis automated medication dispensing systems. The alert is the second the medical device manufacturer has received this year. In March, the DHS identified a vulnerability involving the use of hard-coded credentials, which may allow unauthorized malicious actors to gain access to the file system and exploit the data stored there. The DHS has issued the latest alert because it found that several Pyxis products may operate with the previously flagged credentials.
The DHS has identified sixteen BD Pyxis medication dispensing machines that operate under default credentials. BD Pyxis products include the BD Pyxis ES Anesthesia Station, BD Pyxis CIISafe, BD Pyxis Logistics, BD Pyxis Medbank, BD Pyxis Medstation 4000, BD Pyxis ParAssist, BD Supplystation, and the BD Rowa Pouch Packaging Systems, among others. The products are identified as susceptible to scenarios in which BD Pyxis products are deployed with the same default credentials, which may also be shared with other product types. As in the previous alert, unauthorized third parties can gain access to the underlying file system through this vulnerability and exploit sensitive patient information.
The report was voluntarily submitted by BD to CISA through its coordinated vulnerability disclosure program. BD maintains that it will strengthen the credential management capabilities of its BD Pyxis products. This will be achieved by implementing credential management solutions to improve authentication management procedures. BD committed to providing service personnel to assist users whose domain-joined servers' credentials require updates. Finally, BD advises users of BD Pyxis medication dispensing machines to implement several compensating controls. These include restricting physical access to authorized personnel, confining management of system passwords to authorized users only, monitoring affected products for suspicious activity, and isolating affected products behind firewalls so that they communicate only with trusted hosts on other networks.
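The credential problem described in this alert has two distinct shapes: a device still running a factory default, and one credential reused across different product types. The following Python audit is an added example, not BD's or CISA's tooling, showing how a hospital security team could check its own inventory for both conditions without handling plaintext passwords. The device names, product labels, inventory records and "known default" values are all constructed for illustration; in practice the list of default credentials would come from the vendor notice.

```python
"""Audit a device inventory for factory-default credentials and for one
credential shared across different product types.  Added example with
constructed data; nothing here is vendor tooling or real credential data."""
import hashlib
from collections import defaultdict


def fingerprint(secret: str) -> str:
    """SHA-256 fingerprint so the audit stores and compares digests, not plaintext."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


# Constructed stand-ins for the vendor's published factory defaults.  A real
# audit would load these fingerprints from the vendor advisory, not a literal.
KNOWN_DEFAULT_FINGERPRINTS = {
    fingerprint("factory-default-1"),
    fingerprint("factory-default-2"),
}

# Constructed inventory: one record per service account on each device.
INVENTORY = [
    {"device": "ward3-station-01", "product": "Anesthesia Station",
     "account": "svc", "fp": fingerprint("factory-default-1")},
    {"device": "pharmacy-safe-02", "product": "CIISafe",
     "account": "svc", "fp": fingerprint("factory-default-1")},
    {"device": "ward5-station-07", "product": "Anesthesia Station",
     "account": "svc", "fp": fingerprint("site-unique-x9")},
    {"device": "logistics-04", "product": "Logistics",
     "account": "admin", "fp": fingerprint("site-unique-q4")},
    {"device": "medbank-01", "product": "Medbank",
     "account": "admin", "fp": fingerprint("site-unique-q4")},
]


def audit(inventory, known_defaults):
    """Return devices still on a known default and credentials reused across
    more than one product type (the second case is a finding even when the
    credential itself is not a published default)."""
    default_use = sorted(r["device"] for r in inventory if r["fp"] in known_defaults)

    products_by_fp = defaultdict(set)
    for r in inventory:
        products_by_fp[r["fp"]].add(r["product"])
    shared = {fp: sorted(p) for fp, p in products_by_fp.items() if len(p) > 1}

    return {"default_use": default_use, "shared_across_products": shared}


def report(result):
    """Render audit findings as plain lines suitable for a ticket or log."""
    lines = [f"DEFAULT CREDENTIAL: {d}" for d in result["default_use"]]
    for fp, products in result["shared_across_products"].items():
        lines.append(f"SHARED ACROSS PRODUCTS ({fp[:12]}...): {', '.join(products)}")
    return lines


if __name__ == "__main__":
    for line in report(audit(INVENTORY, KNOWN_DEFAULT_FINGERPRINTS)):
        print(line)
```

Running it lists the two devices still on the constructed default and the two credentials that appear on more than one product line. The same logic scales to a real inventory export as long as only digests, never plaintext, are written to the audit file.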