Medical device maker Becton, Dickinson and Co. (BD) and federal regulators have issued warnings about eight vulnerabilities found in BD’s medication infusion product suite, known as BD Alaris Guardrails Suite MX.
These vulnerabilities pose a risk to data and device integrity if exploited. BD discovered the vulnerabilities during routine internal security testing and reported them to the Food and Drug Administration (FDA), the Cybersecurity and Infrastructure Security Agency (CISA), and industry organizations.
The vulnerabilities include cross-site scripting flaws, improper authentication, missing encryption of sensitive data, and insufficient data authenticity verification. Exploiting these vulnerabilities could lead to compromised data, session hijacking, firmware modification, and system configuration changes. BD is actively working on remediation and deployment plans to address these vulnerabilities and reduce the risk they pose.
To mitigate the risk associated with these vulnerabilities, BD recommends implementing certain mitigations and compensating controls. These include deploying network perimeter security measures, regularly rotating Wi-Fi network credentials, and ensuring that BD Alaris System components are running updated software versions.
Following security best practices recommended by the National Institute of Standards and Technology (NIST), such as access control and physical asset protection, is also advised.
The discovery of these vulnerabilities underscores the growing emphasis on cybersecurity in the medical device industry. The FDA has implemented new policies that require medical device manufacturers to detail cybersecurity measures in premarket submissions and develop plans to address postmarket vulnerabilities and coordinate the disclosure of exploits.
These measures aim to enhance the overall security of medical devices and protect patient data.
