Vulnerability in medication dispensing system flagged again by DHS cyber team
The Department of Homeland Security has issued another cybersecurity alert about BD’s line of Pyxis medication and supply management devices.
In a notice posted Tuesday, DHS’s Cybersecurity and Infrastructure Security Agency alerted users of Pyxis MedStation and Anesthesia ES Systems to a vulnerability that could enable someone with physical access to the machines to view or modify sensitive data. However, BD has no reports of the vulnerability being exploited.
The notice, the third issued by CISA in relation to Pyxis products in as many years, calls for sites to limit access to authorized users and investigate unplanned system reboots.
BD sells a range of medication and supply management devices under the Pyxis brand. The latest DHS advisory relates to an automated medication dispensing system and a cart for anesthetists.
DHS issued a cybersecurity alert about the devices after learning that someone with physical access to the systems could escape the “kiosk mode” that is supposed to limit what they can do. Because an attacker with limited skill could exploit the vulnerability to view or change data, provided they have physical access to the device, CISA assigned it a CVSS v3 base score of 6.8 out of 10: the physical-access requirement pulls the score down, while the potential impact on the data the system holds pushes it up.
In its notice about the vulnerability, BD said “the probability of harm is low” because an attacker would need physical access to the equipment to exploit the vulnerability. Still, BD said the “vulnerability may have a high impact on the confidentiality, integrity and availability of the system,” a low-likelihood, high-impact combination the company is treating seriously.
BD contends the benefits of continued use of the devices outweigh the risks, but the company is advising users to take some additional precautions.
BD is recommending that hospitals limit physical access to the systems to authorized users, to minimize the likelihood that a bad actor could exploit the vulnerability. BD has also asked hospitals to isolate affected machines, connect them only to trusted systems, and investigate all unplanned reboots.
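The last of those recommendations, investigating unplanned reboots, is the one a security operations team can turn into a detection. A reboot with no graceful shutdown recorded beforehand is the signature of a power cycle, a hard reset or a crash, which is how someone with hands on a kiosk device often tries to get out of the locked-down shell; a graceful reboot outside the maintenance window is worth a look too. The script below is an added example, not code from BD, CISA or the original article. It assumes a simple line-oriented log format (`<ISO timestamp> <host> boot|shutdown: <detail>`), a daily 02:00 to 04:00 maintenance window, and hypothetical host names; the sample log lines are constructed for the example and do not come from any real device.

```python
import re
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Dict, List

# Constructed sample log (not from any real Pyxis device). The format,
# host names and details are assumptions made for this example only.
SAMPLE_LOG = """\
2020-06-14T03:00:12 medstation-07 shutdown: initiated by scheduled-maintenance
2020-06-14T03:02:40 medstation-07 boot: system started
2020-06-15T14:27:03 medstation-07 boot: system started
2020-06-16T22:10:55 medstation-12 shutdown: initiated by operator svc_admin
2020-06-16T22:12:03 medstation-12 boot: system started
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kind>boot|shutdown): (?P<detail>.*)$")

# Assumed site policy: planned reboots happen between 02:00 and 04:00, and a
# graceful reboot completes within ten minutes of its shutdown record.
MAINTENANCE_START = time(2, 0)
MAINTENANCE_END = time(4, 0)
GRACEFUL_WINDOW = timedelta(minutes=10)


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str      # "boot" or "shutdown"
    detail: str


@dataclass
class Finding:
    host: str
    boot_ts: datetime
    reason: str


def parse_log(text: str) -> List[Event]:
    """Parse boot/shutdown lines into Events, oldest first; skip unrelated lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(Event(datetime.fromisoformat(m["ts"]), m["host"], m["kind"], m["detail"]))
    events.sort(key=lambda e: e.ts)
    return events


def in_maintenance_window(ts: datetime) -> bool:
    return MAINTENANCE_START <= ts.time() < MAINTENANCE_END


def find_suspect_reboots(events: List[Event]) -> List[Finding]:
    """Flag boots that lack a recent shutdown record, and graceful reboots
    that were neither scheduled nor inside the maintenance window."""
    findings: List[Finding] = []
    last_shutdown: Dict[str, Event] = {}
    for ev in events:
        if ev.kind == "shutdown":
            last_shutdown[ev.host] = ev
            continue
        sd = last_shutdown.get(ev.host)
        graceful = sd is not None and timedelta(0) <= ev.ts - sd.ts <= GRACEFUL_WINDOW
        if not graceful:
            findings.append(Finding(ev.host, ev.ts,
                "boot without preceding shutdown record (power cycle, crash or hard reset)"))
            continue
        # Each shutdown record explains at most one boot.
        last_shutdown.pop(ev.host, None)
        if "scheduled-maintenance" not in sd.detail and not in_maintenance_window(ev.ts):
            findings.append(Finding(ev.host, ev.ts,
                f"graceful reboot outside maintenance window, shutdown {sd.detail}"))
    return findings


if __name__ == "__main__":
    for f in find_suspect_reboots(parse_log(SAMPLE_LOG)):
        print(f"{f.host} {f.boot_ts.isoformat()} {f.reason}")
```

Run against the constructed sample, the script reports two boots to investigate: the medstation-07 boot on 15 June that has no shutdown record behind it, and the medstation-12 reboot on 16 June that was graceful but initiated by an operator account well outside the maintenance window. The first category is the one that matters most for a physical-access kiosk escape; the second is a triage aid, and a site would tune the window and the "scheduled" marker to its own logging.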
In the longer term, BD plans to roll out a security update to mitigate the threat. The security update will strengthen kiosk mode by closing off known means of escape. The company said the update will restrict “access to tools for viewing or manipulating local resources.”
The cybersecurity notice comes six months after DHS last issued an advisory about Pyxis devices. Last year, DHS flagged a Pyxis Enterprise Server vulnerability that could enable an attacker to gain the same access privileges as the previous user, potentially giving them access to patient medications and data.
DHS also issued a notice about Pyxis devices, including MedStation and the Anesthesia System, two years ago. The 2018 advisory discussed an industry-wide vulnerability that could lead to the partial disclosure of encrypted communication.