
Vulnerability Identified in BD Pyxis MedStation and Pyxis Anesthesia (PAS) ES System

Becton, Dickinson and Company (BD) has identified a medium severity vulnerability in version 1.6.1 of the BD Pyxis MedStation medication dispensing system and the Pyxis Anesthesia (PAS) ES System of its anesthesia carts. If exploited, the vulnerability would allow an attacker to gain access to sensitive data.

The affected BD devices run their application in a restricted "kiosk mode", in which the operating system desktop is locked down and the user is limited to the actions the application exposes. The vulnerability is a protection mechanism failure (CWE-693): an attacker could escape this restricted desktop environment and, from the underlying system, access and alter sensitive data.

The vulnerability only requires a low level of skill to exploit, but exploitation would require physical access to a vulnerable device. BD has performed a risk evaluation and has determined the risk of exploitation is low. As such, the vulnerability has been assigned a CVSS v3 base score of 6.8 out of 10.

BD is proactive in assessing its products to identify security vulnerabilities. The company operates with transparency and communicates security issues to customers in a timely fashion to allow them to take steps to effectively manage risk. While the vulnerability could potentially result in information disclosure, due to the low risk of exploitation customers have been advised not to discontinue use as the benefits of using the devices far outweigh the risk.


BD is in the process of deploying an update for the affected products that will strengthen kiosk mode and make it harder for the currently known kiosk escape methods to be used. Until the update is applied to vulnerable devices, BD has offered mitigations that reduce the opportunity for exploitation: hospitals using the affected devices should limit physical access to authorized personnel, isolate impacted systems so that they connect only to trusted systems, and monitor the devices for unplanned reboots using network monitoring tools.
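The reboot-monitoring mitigation described above, as an added example that is not BD's code or the article's own: it takes periodic uptime readings for each device (for instance SNMP sysUpTime converted to seconds), detects when the counter resets, and raises an alert only when the estimated reboot time falls outside an assumed maintenance window. Device names, timestamps and the window are constructed for the example.

```python
from datetime import datetime, time, timedelta

# Constructed sample readings: (device, poll timestamp, uptime in seconds).
# Device names and values are invented for this example.
POLLS = [
    ("pyxis-ms-01", "2021-06-01T01:00:00", 400_000),
    ("pyxis-ms-01", "2021-06-01T02:00:00", 403_600),
    ("pyxis-ms-01", "2021-06-01T03:00:00", 120),     # counter reset during maintenance
    ("pyxis-ms-02", "2021-06-01T13:00:00", 90_000),
    ("pyxis-ms-02", "2021-06-01T14:00:00", 93_600),
    ("pyxis-ms-02", "2021-06-01T15:00:00", 300),     # counter reset with no maintenance
]

# Assumed nightly maintenance window during which reboots are expected.
MAINT_START, MAINT_END = time(2, 0), time(4, 0)

def in_maintenance_window(ts):
    """True if the (local) timestamp falls inside the assumed window."""
    return MAINT_START <= ts.time() < MAINT_END

def find_unplanned_reboots(polls, slack_seconds=60):
    """Return (device, estimated reboot time) for every uptime counter reset
    whose estimated reboot time lies outside the maintenance window."""
    last = {}       # device -> (timestamp, uptime) of the previous poll
    alerts = []
    for device, ts_str, uptime in sorted(polls, key=lambda p: (p[0], p[1])):
        ts = datetime.fromisoformat(ts_str)
        prev = last.get(device)
        if prev is not None:
            prev_ts, prev_uptime = prev
            elapsed = (ts - prev_ts).total_seconds()
            # A healthy counter grows by roughly the elapsed wall-clock time;
            # anything well short of that means the device restarted.
            if uptime < prev_uptime + elapsed - slack_seconds:
                reboot_at = ts - timedelta(seconds=uptime)
                if not in_maintenance_window(reboot_at):
                    alerts.append((device, reboot_at.isoformat()))
        last[device] = (ts, uptime)
    return alerts

if __name__ == "__main__":
    for device, when in find_unplanned_reboots(POLLS):
        print(f"ALERT unplanned reboot: {device} at {when}")
```

In production the readings would come from the monitoring system's poller rather than a constant list, and an alert should be correlated with any recent physical-access or badge records for the station.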

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.