Becton Dickinson (BD) issued a cybersecurity bulletin last week highlighting eight vulnerabilities in versions 12.1.3 and earlier of its Alaris infusion pump system with Guardrails Suite MX software. The pumps are used to deliver preset amounts of medications, nutrients, and other fluids to patients intravenously.
Specifically affecting pumps equipped with Guardrails Suite MX — a medication safety and quality improvement software that is integrated with the systems to reduce errors and track performance — two of the vulnerabilities have been categorized as low and five as medium severity.
The company has given one of the eight vulnerabilities a high severity rating, citing issues in the software that could allow a malicious file to be uploaded through the “User Import” functionality. This could allow a malicious user to hijack a device user’s session with the software and gain access to a healthcare facility’s confidential information. Of note, the attacker would need network access to the application in order to breach the system. Even so, BD gave the issue a score of 8.2 on the 10-point Common Vulnerability Scoring System (CVSS).
“Regarding the ‘Stored Cross-Site Scripting on User Import Functionality’ vulnerability (CVSS: 8.2), a threat actor would require network access to the Systems Manager application,” a BD representative told MD+DI. “If no privileges are required on the computer running Systems Manager, the attack complexity would be low by comparison. However, we recommend that customers restrict user privileges by requiring administrative credentials on the computer running Systems Manager.”
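As an added illustration of the vulnerability class described above (stored cross-site scripting introduced through an import file), and not BD’s code or anything taken from Systems Manager: a constructed user-import CSV is parsed, rendered once without output encoding and once with HTML escaping, alongside an allowlist check applied at import time. The function names, the sample file, and the HTML layout are assumptions made for this example.

```python
import csv
import html
import io
import re

# Constructed sample import file (not a real customer file): the second row
# carries script markup in the display-name column, the way an untrusted
# import file might if it were crafted or accidentally corrupted.
SAMPLE_IMPORT = (
    "username,display_name\n"
    "alice,Alice Smith\n"
    "mallory,<script>alert(1)</script>\n"
)

# Allowlist for imported text fields: letters, digits, space and a few
# punctuation characters. Angle brackets, quotes and ampersands are rejected
# so markup never enters the datastore in the first place.
FIELD_ALLOWLIST = re.compile(r"[A-Za-z0-9 ._'-]+")


def parse_user_import(text):
    """Parse the import file into a list of row dicts (no encoding applied yet)."""
    return list(csv.DictReader(io.StringIO(text)))


def validate_import(users):
    """Defense in depth at import time: return usernames of rows whose
    fields fall outside the allowlist so they can be rejected and logged."""
    rejected = []
    for u in users:
        for field in ("username", "display_name"):
            if not FIELD_ALLOWLIST.fullmatch(u.get(field, "")):
                rejected.append(u.get("username", "<missing>"))
                break
    return rejected


def render_user_list_unsafe(users):
    """Vulnerable pattern: imported values concatenated straight into HTML,
    so stored markup runs in every administrator's browser that views the list."""
    rows = "".join(
        f"<tr><td>{u['username']}</td><td>{u['display_name']}</td></tr>"
        for u in users
    )
    return f"<table>{rows}</table>"


def render_user_list_safe(users):
    """Hardened pattern: every imported value is HTML-escaped at output time,
    regardless of whether import-time validation was in place when it was stored."""
    rows = "".join(
        f"<tr><td>{html.escape(u['username'])}</td>"
        f"<td>{html.escape(u['display_name'])}</td></tr>"
        for u in users
    )
    return f"<table>{rows}</table>"


def contains_live_script(markup):
    """Simple review check: True if the rendered page contains an unescaped
    <script> tag, i.e. stored markup survived to the browser intact."""
    return "<script" in markup.lower()


if __name__ == "__main__":
    users = parse_user_import(SAMPLE_IMPORT)
    print("rows rejected at import:", validate_import(users))
    print("unsafe render executes script:", contains_live_script(render_user_list_unsafe(users)))
    print("safe render executes script:  ", contains_live_script(render_user_list_safe(users)))
```

The two controls are deliberately independent: the allowlist stops bad rows at the import boundary, and output escaping protects any view that renders stored data, which is what matters once a malicious value has already been persisted.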
The other seven risks were given CVSS scores between 3.0 and 6.9. Only one of those seven would allow an attacker to breach other components of the system, and exploiting it would require an authorized user to complete certain steps.
The company said it discovered the problems during routine internal security testing and has received no reports of any of them being exploited. “These vulnerabilities were discovered through routine internal security testing, which is part of our software development life cycle and includes vulnerability scanning, code analysis, threat modeling, and penetration testing,” a BD representative told MD+DI. “There have been no reports of these vulnerabilities being exploited in any customer environment or clinical setting, and there is no impact to patient health information or personally identifiable information.”
Additionally, BD said, “It has been determined that existing product control measures effectively reduce the probability of harm. If exploited, two of the vulnerabilities present no impact to patient safety and six present remote or improbable potential impact. The potential for harm can only occur if the vulnerability is exploited.”
The eight vulnerabilities include:
- CVE-2023-30559: Wireless Card Firmware Improperly Signed (CVSS 5.2, Medium Severity)
- CVE-2023-30560: PCU Configuration Lacks Authentication (CVSS 6.8, Medium Severity)
- CVE-2023-30561: Lack of Cryptographic Security of IUI Bus (CVSS 6.1, Medium Severity)
- CVE-2023-30562: Lack of Dataset Integrity Checking (CVSS 6.7, Medium Severity)
- CVE-2023-30563: Stored Cross-Site Scripting on User Import Functionality (CVSS 8.2, High Severity)
- CVE-2023-30564: Stored Cross-Site Scripting on Device Import Functionality (CVSS 6.9, Medium Severity)
- CVE-2023-30565: CQI Data Sniffing (CVSS 3.5, Low Severity)
- CVE-2018-1285: Apache Log4Net Calculation Services (CVSS 3.0, Low Severity)
The July 13 announcement comes only four months after BD reported security concerns regarding a separate component of the Alaris portfolio. That cybersecurity issue affected versions 1.1 to 1.3.2 of Alaris Infusion Central, which is not sold in the United States and does not impact customers using Alaris PCU 8015 or Alaris Systems Manager.
BD reported in the cybersecurity bulletin that specific versions of Alaris Infusion Central — software that is installed on a hospital computer and used to monitor data from the infusion pumps — may contain a recoverable password after installation. The software does not hold patient health data, but some hospitals store other personal information in it, which could be accessed by a bad actor if the vulnerability were exploited. To breach the system, however, the attacker would need local access to the server.
In the bulletin detailing the security risk, the company said, “BD is directly reaching out to the small group of customers who may be impacted by this vulnerability to initiate remediation. Additionally, the installation procedure has been revised to prevent this vulnerability in future installations.”
And as the saying goes, “bad things come in threes.” Just a few weeks ago the company also announced it would eliminate 60 positions from a manufacturing facility in Drogheda, Ireland, in an effort to “right-size” its manufacturing operations post-COVID-19 and its spinoff of Embecta.