Vulnerability Found in BD Pyxis MedStation and Pyxis Anesthesia (PAS) ES System

Becton, Dickinson and Company (BD) found a medium severity vulnerability in version 1.6.1 of the BD Pyxis MedStation medication dispensing system and in the Pyxis Anesthesia (PAS) ES System anesthesia carts. An attacker who exploits the vulnerability could gain access to sensitive information.

BD devices run their application software in what is known as kiosk mode. In kiosk mode, restrictions are set that limit what can be executed. The vulnerability, a protection mechanism failure (CWE-693), can allow an attacker to escape the restricted desktop environment, which would permit access to and alteration of sensitive data.

An attacker with a low level of skill can exploit the vulnerability; however, exploitation requires physical access to a vulnerable device. BD has performed a risk assessment and confirmed a low risk of exploitation. The vulnerability has been assigned a CVSS v3 base score of 6.8 out of 10.

BD actively evaluates its products to identify security vulnerabilities. The firm operates with openness and communicates security concerns to clients promptly so that they can take appropriate steps to deal with the risk. Although the vulnerability could lead to data disclosure, the probability of exploitation is low, so customers were urged not to stop using the devices, as the benefits of using them outweigh the risk.

BD is currently implementing an update for vulnerable products that will reinforce kiosk mode and make a kiosk escape more difficult. Until the update has been applied to vulnerable devices, the mitigations recommended by BD will help limit exploitation. Hospitals using the vulnerable devices must allow only authorized personnel to physically access them. Affected systems must be isolated and connected only to trusted systems. Unexpected reboots of the devices must be monitored using network monitoring tools.
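One way to act on the reboot-monitoring recommendation, shown as an added example that is not from BD or the original article: flag reboots from periodic SNMP sysUpTime polls and separate them from approved maintenance. It assumes the monitoring system can collect sysUpTime for each device (the article does not say which telemetry the devices expose); the poll values and maintenance window are constructed.

```python
from datetime import datetime, timedelta

WRAP = 2**32        # sysUpTime is a 32-bit TimeTicks counter in 1/100 s; wraps after ~497 days
TOLERANCE = 12_000  # 120 s of polling jitter, in ticks

def find_reboots(samples, windows=()):
    """samples: time-ordered (poll_time, sysuptime_ticks) for one device.
    windows: (start, end) approved maintenance periods.
    Returns [(estimated_boot_time, expected)] for every reboot seen."""
    events = []
    for (t0, u0), (t1, u1) in zip(samples, samples[1:]):
        if u1 >= u0:
            continue  # uptime kept increasing: no reboot between these polls
        predicted = u0 + int((t1 - t0).total_seconds() * 100)
        if predicted >= WRAP and abs(predicted - WRAP - u1) <= TOLERANCE:
            continue  # counter overflowed and restarted at zero: not a reboot
        boot = t1 - timedelta(seconds=u1 / 100)
        expected = any(start <= boot <= end for start, end in windows)
        events.append((boot, expected))
    return events

# Constructed sample data: 5-minute polls of one hypothetical cabinet.
DAY = datetime(2024, 1, 10)
SAMPLES = [
    (DAY.replace(hour=2, minute=0), 8_640_000),
    (DAY.replace(hour=2, minute=5), 8_670_000),
    (DAY.replace(hour=2, minute=10), 6_000),     # up 60 s: rebooted at 02:09
    (DAY.replace(hour=3, minute=25), 456_000),
    (DAY.replace(hour=3, minute=30), 12_000),    # up 120 s: rebooted at 03:28
]
WINDOWS = [(DAY.replace(hour=3), DAY.replace(hour=4))]  # constructed patch window

if __name__ == "__main__":
    for boot, expected in find_reboots(SAMPLES, WINDOWS):
        label = "maintenance" if expected else "UNEXPECTED, investigate"
        print(f"reboot at about {boot:%Y-%m-%d %H:%M}: {label}")
```

A reboot outside any approved window is the signal worth correlating with physical access records for the device.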

Murphy Miller

Murphy Miller is the Editor of Healthcare IT Journal, a leading newspaper in healthcare information technology. Murphy's work covers a variety of topics including healthcare information technology advancements, health policy and compliance, patient privacy and confidentiality, and the financial aspects of healthcare. As the editor of the Healthcare IT Journal, Murphy Miller provides straightforward, informative content to guide professionals and policymakers in the healthcare and IT fields.
