
BD Identifies High Severity Vulnerability in its Diagnostic Solutions Products

Becton, Dickinson, and Company (BD) has disclosed a high-severity vulnerability affecting several of its BD Diagnostic Solutions products. The vulnerability, tracked as CVE-2024-10476 (CVSS v3 base score 8.0), stems from default credentials built into the products that were intended for use only by BD technical support teams within the clinical setting. An attacker who obtains those credentials could access, modify, or delete data on the affected system, including personally identifiable information (PII) and protected health information (PHI). The attack is of low complexity, and successful exploitation could also shut the system down or otherwise affect its availability.

The vulnerability affects all versions of the following products:

  • BD BACTEC Blood Culture System
  • BD COR System
  • BD EpiCenter Microbiology Data Management System
  • BD MAX System
  • BD Phoenix M50 Automated Microbiology System
  • BD Synapsys Informatics Solution

Exploitation requires direct access to the affected product, either logical or physical, so a remote attacker would first need to compromise the local network on which the instrument sits. For some of the products the service credentials can only be used at the instrument itself, which further limits the practical scope for exploitation.

To reduce exposure, BD recommends that customers:

  • restrict access to the products to authorized personnel only
  • keep passwords tightly controlled
  • log and monitor network traffic that attempts to reach medical device management environments
  • disable RDP on the affected systems
  • set appropriate permissions on file shares
  • disconnect devices from the network where connectivity is not required

BD said it is unaware of any attempted exploitation of the flaw and is proactively contacting all customers to provide technical assistance with changing the default credentials.
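As an added illustration of the "log and monitor network traffic" and "disable RDP" recommendations (this is example code written for this page, not BD's guidance or tooling), the script below runs a set of constructed firewall log lines through three checks: any host outside an allow-list reaching the device management VLAN on RDP or SMB, any RDP session to that VLAN that the firewall allowed (meaning RDP has not actually been disabled), and any source that is repeatedly denied, which looks like probing. The subnet, the allow-listed hosts, the log format, and the deny threshold are all assumptions chosen for the example.

```python
"""Flag traffic reaching a medical-device management VLAN on remote-access and
file-share ports. All network values and log lines below are constructed."""
import ipaddress
import re
from collections import Counter

# Assumed network layout (illustrative, not from the BD advisory).
DEVICE_MGMT_NET = ipaddress.ip_network("10.50.0.0/24")      # instruments and their management hosts
AUTHORISED_SOURCES = {                                      # hosts allowed to reach that VLAN interactively
    ipaddress.ip_address("10.10.0.5"),                      # hypothetical engineering jump host
    ipaddress.ip_address("10.10.0.6"),                      # hypothetical LIS/middleware server
}
# Ports the advisory tells customers to restrict: RDP (disable) and file shares (lock down).
WATCHED_PORTS = {3389: "RDP", 445: "SMB"}
DENY_THRESHOLD = 3                                          # repeated denied attempts from one source = probing

# Constructed log format: ISO timestamp followed by key=value pairs, e.g.
# 2024-11-08T14:02:11Z src=10.10.0.5 dst=10.50.0.21 dport=3389 proto=tcp action=allow
_KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str):
    """Return a dict for a well-formed record, or None so malformed lines are skipped rather than trusted."""
    parts = line.strip().split(maxsplit=1)
    if len(parts) != 2:
        return None
    fields = dict(_KV.findall(parts[1]))
    try:
        return {
            "ts": parts[0],
            "src": ipaddress.ip_address(fields["src"]),
            "dst": ipaddress.ip_address(fields["dst"]),
            "dport": int(fields["dport"]),
            "action": fields["action"],
        }
    except (KeyError, ValueError):
        return None


def classify(rec: dict):
    """Return the finding type for one record, or None if the record is not of interest."""
    if rec["dst"] not in DEVICE_MGMT_NET or rec["dport"] not in WATCHED_PORTS:
        return None
    service = WATCHED_PORTS[rec["dport"]]
    if rec["src"] not in AUTHORISED_SOURCES:
        # Anything outside the allow-list touching the VLAN on these ports is worth a look,
        # whether or not the firewall let it through.
        return f"unauthorised_source:{service}"
    if service == "RDP" and rec["action"] == "allow":
        # The advisory says to disable RDP; an allowed RDP session means that has not happened.
        return "rdp_still_enabled"
    return None


def scan(lines):
    """Classify every record and add a finding for any source that keeps getting denied."""
    findings = []
    denies = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec)
        if kind:
            findings.append({"ts": rec["ts"], "src": str(rec["src"]), "dst": str(rec["dst"]),
                             "dport": rec["dport"], "finding": kind})
        if rec["dst"] in DEVICE_MGMT_NET and rec["action"] == "deny":
            denies[rec["src"]] += 1
    for src, n in denies.items():
        if n >= DENY_THRESHOLD:
            findings.append({"ts": None, "src": str(src), "dst": str(DEVICE_MGMT_NET),
                             "dport": None, "finding": f"repeated_denies:{n}"})
    return findings


# Constructed sample log: a legitimate middleware file-share session, an allowed RDP session from the
# jump host, a workstation reaching an instrument's file share, one host sweeping the VLAN on RDP,
# and a malformed line that must be ignored.
SAMPLE_LOG = """\
2024-11-08T14:02:11Z src=10.10.0.6 dst=10.50.0.21 dport=445 proto=tcp action=allow
2024-11-08T14:05:40Z src=10.10.0.5 dst=10.50.0.21 dport=3389 proto=tcp action=allow
2024-11-08T14:07:02Z src=10.20.3.77 dst=10.50.0.30 dport=445 proto=tcp action=allow
2024-11-08T14:09:15Z src=10.20.9.9 dst=10.50.0.21 dport=3389 proto=tcp action=deny
2024-11-08T14:09:16Z src=10.20.9.9 dst=10.50.0.22 dport=3389 proto=tcp action=deny
2024-11-08T14:09:17Z src=10.20.9.9 dst=10.50.0.23 dport=3389 proto=tcp action=deny
garbage line that should be ignored
""".splitlines()

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

On the sample log this yields six findings: the allowed RDP session from the jump host (RDP is still enabled), the workstation's SMB connection (not on the allow-list), the three RDP attempts from the sweeping host, and a repeated-denies finding for that host. In practice the allow-list and subnet would come from the site's own network documentation, and the log parser would be replaced by whatever the firewall or flow collector actually emits.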


Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
