Skip to main content
close search
site logo
Dive Brief

Vulnerability in medication dispensing system flagged again by DHS cyber team

Published April 1, 2020
By
Contributor
https://flic.kr/p/opeLx6

Dive Brief:

  • The Department of Homeland Security has issued another cybersecurity alert about BD’s line of Pyxis medication and supply management devices.

  • In a notice posted Tuesday, DHS's Cybersecurity and Infrastructure Security Agency​ alerted users of Pyxis MedStation and Anesthesia ES Systems to a vulnerability that could enable someone with physical access to the machines to view or modify sensitive data. However, BD has no reports of the vulnerability being exploited. 

  • The notice, the third issued by CISA in relation to Pyxis products in as many years, calls for sites to limit access to authorized users and investigate unplanned system reboots.

Dive Insight:

BD sells a range of medication and supply management devices under the Pyxis brand. The latest DHS advisory relates to an automated medication dispensing system and a cart for anesthetists.

DHS issued a cybersecurity alert about the devices after learning that someone with physical access to the systems could escape the “kiosk mode” that is supposed to limit what they can do. As a person with limited skill could exploit the vulnerability to view or change data, provided they have physical access to the device, DHS gave the weakness a score of 6.8 out of 10 on its risk scale.

In its notice about the vulnerability, BD said “the probability of harm is low” because the user would need physical access to the equipment to exploit the vulnerability. Still, BD said the “vulnerability may have a high impact on the confidentiality, integrity and availability of the system,” indicating that low probability of harm is being taken seriously.  

BD contends the benefits of continued use of the devices outweigh the risks, but the company is advising users to take some additional precautions. 

BD is recommending hospitals limit physical access to the systems to authorized users, to minimize likelihood that a bad actor could exploit the vulnerability. BD has also asked hospitals to isolate impacted machines, only connect them to trusted systems, and investigate all unplanned reboots.

In the longer term, BD plans to roll out a security update to mitigate the threat. The security update will strengthen kiosk mode by closing off known means of escape. The company said the update will restrict “access to tools for viewing or manipulating local resources.”

The cybersecurity notice comes six months after DHS last issued an advisory about Pyxis devices. Last year, DHS flagged a Pyxis Enterprise Server vulnerability that could enable an attacker to gain the same level of clearance as the previous user, potentially enabling them to access patient medications and data. 

DHS also issued a notice about Pyxis devices, including MedStation and the Anesthesia System, two years ago. The 2018 advisory discussed an industry-wide vulnerability that could lead to the partial disclosure of encrypted communication.

Editors' picks

Company Announcements

View all | Post a press release
New Published Study Shows MedLite ID as Faster and Simpler Solution to Primary Medication Infu…
From Orion Innovations
November 20, 2024
Lunit Shows Promise of AI in Predicting Immunotherapy Response for Rare Cancer Patients at SIT…
From Lunit
November 10, 2024
Osteal Therapeutics Announces Positive 12-Month Results from the APEX Clinical Trial Program a…
From Osteal Therapeutics
November 14, 2024
Echosens Launches its Liver Health Management (LHM) Platform Globally, Streamlining Liver Care
From Echosens
November 04, 2024
Editors' picks
Latest in Medical Devices
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell