BD issues cybersecurity alert for hacking risk found in Alaris infusion pump software

A vulnerability found in software used to monitor some of BD’s infusion pumps could potentially give hackers access to personal data stored in the system.

BD posted a cybersecurity bulletin about the issue Thursday and said it has already notified the FDA and the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), among other relevant authorities, about the potential threat.

According to the alert, the vulnerability affects only the company’s Alaris Infusion Central software, which is not distributed in the U.S., rather than the infusion pumps themselves. The software is installed on a hospital computer and linked to Alaris Plus and Alaris neXus pumps. It allows clinicians to monitor data sent from the devices, which are used to control the delivery of medications, nutrients and other fluids to patients via IV.

The alert comes after BD discovered that in certain versions of the software, the password used for database installation could be recovered fairly easily; in a notice of its own, CISA graded the vulnerability as having “low attack complexity.”

Though the Alaris Infusion Central database doesn’t store patient health data, according to BD, hospitals using the software may choose to store other personal information in the database—which could then be accessed and tampered with by a hacker who is able to recover the system password.

BD assigned the hacking risk a score of 7.3 out of 10 on the Common Vulnerability Scoring System, denoting a “high” severity. The software flaw didn’t reach the “critical” risk threshold of the rating system: while it could potentially result in a “high impact to confidentiality and integrity” and “partial impact to availability of data,” per the device maker, exploitation is limited by the fact that a hacker would need local access to a hospital’s own operating system and server to reach the software.

Despite the potential risks, BD concluded from its own assessments that “there is a low probability of harm occurring,” especially because the software is only used to track infusion pump data and can’t be used to alter the settings of connected devices.

The company said it is in the process of contacting all affected healthcare providers to “initiate remediation.” In the meantime, those using the software should regularly change their database passwords and ensure that only authorized users have access to the server. BD has also revised the installation procedure for the software so that future installations do not introduce the hacking risk.

Though this vulnerability relates only to the software used to monitor infusion pumps, the pumps themselves are particularly vulnerable to other attacks. A study published last year found that as many as 75% of the devices could be at risk of being hacked, potentially allowing malicious actors to access the pumps’ data and even reconfigure their settings.

BD hasn’t been immune to those risks. In December, it put out another cybersecurity bulletin describing the possibility that several models of its BodyGuard infusion pumps could be broken into—though only by hackers with physical access to the pumps. That concern was given a “medium”-severity Common Vulnerability Scoring System score of 5.3.