BD warns of 8 cybersecurity flaws in Alaris infusion pump systems

For BD, bad things seem to come in eights: The medtech giant issued a cybersecurity bulletin Thursday describing an octad of potential hacking risks it has discovered within certain versions of its Alaris infusion pump systems.

The Alaris pumps are used to deliver preset amounts of medications, nutrients and other fluids to patients via IV.

The identified vulnerabilities affect Alaris systems equipped with Guardrails Suite MX, a medication safety and quality improvement software that integrates with the infusion pump systems to reduce medication errors and track the systems’ performance. According to BD, the issues are confined to versions 12.1.3 and earlier of the Alaris system with Guardrails Suite MX software.

BD categorized most of the vulnerabilities as being of low or medium severity, but one was given a high-severity rating. That flaw allows a malicious file to be uploaded through the software's "User Import" functionality, letting an attacker hijack a user's session with the software and potentially gain access to the healthcare facility's confidential information. The attacker would need network access to the application to breach the system, but given that access and no further privilege barriers on the computer running the system, "the complexity of exploiting this vulnerability is low," BD reported.

The company gave that issue a score of 8.2 on the 10-point Common Vulnerability Scoring System (CVSS), denoting its high severity. The other seven cybersecurity risks, meanwhile, were given scores between 3.0 and 6.9, since only one of them would allow a hacker to breach other components of the system—and even that one would require an authorized user to complete certain steps to make the attack effective.

Regardless of their CVSS scores, however, “for all eight vulnerabilities, it has been determined that existing product control measures effectively reduce the probability of harm,” BD said in a statement sent to Fierce Medtech. “If exploited, two of the vulnerabilities present no impact to patient safety, and six present remote or improbable potential impact. The potential for harm can only occur if the vulnerability is exploited.”

BD discovered the eight vulnerabilities during "routine internal security testing" and voluntarily reported them to customers and to the appropriate authorities, it said in the statement, adding that it has received no reports of the issues actually being exploited.

The company is currently in the process of developing a remediation and deployment plan to fix the identified flaws.

This week's cybersecurity bulletin comes a few months after BD published another notice regarding a separate component of the Alaris ecosystem. In that case, the devicemaker found that some versions of the Alaris Infusion Central software, which is installed on a hospital computer and used to monitor data sent from the infusion pumps, allowed the passwords used for database installation to be easily recovered.

Though the databases don’t hold patient health data, some hospitals may choose to store other personal information in them, which could then be breached by a hacker. Because of that risk, even though the hacker would need local access to the server, the vulnerability was given a high-severity CVSS score of 7.3.

Even so, BD concluded at the time that there was “a low probability of harm occurring” from the issue. The company said it would contact all affected healthcare providers to implement a fix and also updated the software’s installation instructions to keep from triggering the vulnerability.

Editor's note: This story was updated on July 17 to clarify details from BD about the reported vulnerabilities.