BD said it would issue software updates for two of its products after discovering separate privacy concerns and potential hacking risks in each.
The affected technologies are BD’s Pyxis systems for medication management and dispensing and its Synapsys workflow management software for clinical diagnostic labs. BD voluntarily reported each of the cybersecurity issues to the FDA and other relevant authorities, including the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, or CISA.
The more serious of the two concerns the Pyxis technology. In a cybersecurity bulletin published Tuesday, BD said some of the systems may still be operating using the default credentials that were used at setup, which may be used across multiple products on a healthcare facility’s operating system or server.
If hackers track down the default login info and are able to breach a facility’s network, they could potentially gain access to the confidential health information and other sensitive data stored in the Pyxis platform’s underlying file system.
The risk was given a rating of 8.8 on the Common Vulnerability Scoring System (CVSS). That places it at the top end of a “high” risk rating, near the border of “critical” risks, which start at scores of 9.0.
BD said it’s already working on strengthening the Pyxis systems’ credential management capabilities and has dispatched customer service workers to help update at-risk credentials. It’s also piloting a new credential management solution that would offer stricter authentication requirements.
In the meantime, the company suggests that healthcare facilities using the Pyxis system limit access only to authorized personnel, keep an eye out for suspicious attempts to access the system, protect the system behind firewalls and other security protocols and keep the system’s cybersecurity and antivirus software up to date.
The Synapsys issue, meanwhile, was given a CVSS score of 5.7, solidly within the “medium” risk range, according to another bulletin from BD.
It stems from a vulnerability in the time it takes for a session with the software to expire, which the company classified as “insufficient.” Because sessions don’t expire right away and immediately log users out, hackers “may have an extended period of time to be able to access, modify or delete sensitive information, including electronic protected health information, protected health information and personally identifiable information,” BD said.
However, hacking into the system requires physical access to a facility’s Synapsys workstation—unlike the Pyxis vulnerability, which could be exploited remotely—which explains the lower risk score.
BD said it discovered the issue in “standard internal testing” and has not received any reports of it being exploited in a real-world lab setting.
The company is planning to roll out a software update to patch up the cybersecurity risk this month. Until then, Synapsys users should align their operating system’s inactivity session timeout with the software’s session expiration timeout, limit authorized access to the Synapsys workstations and remind all users to completely log out of or lock the workstations when they leave.