BD issues cybersecurity alert for hacking risk found in Alaris infusion pump software

February 25, 2023
Life sciences

A vulnerability found in software used to monitor some of BD’s infusion pumps could potentially give hackers access to personal data stored in the system.

BD posted a cybersecurity bulletin about the issue Thursday and said it has already notified the FDA and the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), among other relevant authorities, about the potential threat.

According to the alert, the vulnerability affects only the company’s Alaris Infusion Central software, which is not distributed in the U.S., rather than the infusion pumps themselves. The software is installed on a hospital computer and linked to Alaris Plus and Alaris neXus pumps. It allows clinicians to monitor data sent from the devices, which are used to control the delivery of medications, nutrients and other fluids to patients via IV.

The alert comes after BD discovered that in certain versions of the software, the password used for database installation could be recovered fairly easily; in a notice of its own, CISA graded the vulnerability as having “low attack complexity.”

Though the Alaris Infusion Central database doesn’t store patient health data, according to BD, hospitals using the software may choose to store other personal information in the database—which could then be accessed and tampered with by a hacker who is able to recover the system password.

BD assigned the hacking risk a score of 7.3 out of 10 on the Common Vulnerability Scoring System, denoting a “high” severity. The software flaw didn’t reach the “critical” risk threshold of the rating system, because, while it could potentially result in a “high impact to confidentiality and integrity” and “partial impact to availability of data,” per the devicemaker, it’s limited by the fact that a hacker would need to have local access to a hospital’s own operating system and server to reach the software.

Despite the potential risks, BD concluded from its own assessments that “there is a low probability of harm occurring,” especially because the software is only used to track infusion pump data and can’t be used to alter the settings of connected devices.

The company said it is in the process of contacting all affected healthcare providers to “initiate remediation.” In the meantime, those using the software should regularly change their database passwords and ensure that only authorized users have access to the server. BD has also revised the installation procedure for the software so that new installations do not expose the same risk.

Though this vulnerability relates only to the software used to monitor infusion pumps, the pumps themselves are particularly vulnerable to other attacks. A study published last year found that as many as 75% of the devices could be at risk of being hacked, potentially allowing malicious actors to access the pumps’ data and even reconfigure their settings.

BD hasn’t been immune to those risks. In December, it put out another cybersecurity bulletin describing the possibility that several models of its BodyGuard infusion pumps could be broken into—though only by hackers with physical access to the pumps. That concern was given a “medium”-severity Common Vulnerability Scoring System score of 5.3.

By Andrea Park
