
Vulnerability Identified in BD Pyxis MedStation and Pyxis Anesthesia (PAS) ES System

Becton, Dickinson and Company (BD) has identified a medium severity vulnerability in version 1.6.1 of the BD Pyxis MedStation medication dispensing system and the Pyxis Anesthesia (PAS) ES System of its anesthesia carts. If exploited, the vulnerability would allow an attacker to gain access to sensitive data.

BD devices run their application software in a restricted configuration known as kiosk mode, which limits the actions a user can perform. The vulnerability is a protection mechanism failure (CWE-693) that could allow an attacker to escape the restricted desktop environment and, from there, access and alter sensitive data.

The vulnerability requires only a low level of skill to exploit, but exploitation requires physical access to a vulnerable device. BD has performed a risk evaluation and has determined that the risk of exploitation is low. As such, the vulnerability has been assigned a CVSS v3 base score of 6.8 out of 10.

BD is proactive in assessing its products to identify security vulnerabilities. The company operates with transparency and communicates security issues to customers in a timely fashion so that they can take steps to manage risk effectively. While the vulnerability could potentially result in information disclosure, customers have been advised not to discontinue use, because the risk of exploitation is low and the benefits of using the devices far outweigh that risk.


BD is in the process of deploying an update for the affected products that will strengthen kiosk mode and make it harder for currently known kiosk escape methods to be used. Until the update is applied to vulnerable devices, BD has offered mitigations that will limit exploitation: hospitals using the affected devices should restrict physical access to the devices to authorized personnel, isolate impacted systems so that they connect only to trusted systems, and monitor the devices for unplanned reboots using network monitoring tools.
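The last of those mitigations, watching for unplanned reboots, can be implemented on top of whatever poller the hospital already runs. The routine below is an added example and is neither BD's tooling nor from the article; it assumes a poller that records each device's reported uptime (an SNMP sysUpTime-style value) on a fixed schedule, and a declared maintenance window in which reboots are expected. Device names, the window, and the polls are all constructed.

```python
from dataclasses import dataclass
from datetime import datetime, time

TOLERANCE_S = 60  # polling jitter; a larger uptime shortfall means a counter reset
MAINTENANCE_WINDOW = (time(2, 0), time(4, 0))  # constructed: reboots expected 02:00-04:00

@dataclass(frozen=True)
class Poll:
    device: str
    ts: datetime
    uptime_s: int  # uptime the device reported, e.g. via an SNMP sysUpTime poll

def detect_reboots(polls, window=MAINTENANCE_WINDOW):
    """Return (device, detected_at, planned) for every uptime reset, in time order.
    Between two polls, reported uptime should grow by about the elapsed wall-clock
    time; a shortfall beyond TOLERANCE_S means the counter restarted, i.e. the
    device rebooted at least once in that interval.
    """
    start, end = window
    events, last = [], {}
    for p in sorted(polls, key=lambda q: (q.device, q.ts)):
        prev = last.get(p.device)
        if prev is not None:
            expected = prev.uptime_s + (p.ts - prev.ts).total_seconds()
            if p.uptime_s < expected - TOLERANCE_S:
                events.append((p.device, p.ts, start <= p.ts.time() < end))
        last[p.device] = p
    return events

def unplanned_devices(polls, window=MAINTENANCE_WINDOW):
    """Devices that rebooted outside the window; these warrant a physical check."""
    return sorted({d for d, _, planned in detect_reboots(polls, window) if not planned})

def _ts(s):
    return datetime.fromisoformat(s)

# Constructed sample: two dispensing cabinets polled every five minutes.
SAMPLE_POLLS = [
    Poll("cabinet-icu-01", _ts("2024-05-01 01:50:00"), 864000),
    Poll("cabinet-icu-01", _ts("2024-05-01 01:55:00"), 864300),
    Poll("cabinet-icu-01", _ts("2024-05-01 02:30:00"), 120),  # reset inside the window
    Poll("cabinet-icu-01", _ts("2024-05-01 02:35:00"), 420),
    Poll("cabinet-or-03", _ts("2024-05-01 13:00:00"), 432000),
    Poll("cabinet-or-03", _ts("2024-05-01 13:05:00"), 432300),
    Poll("cabinet-or-03", _ts("2024-05-01 13:10:00"), 90),  # reset mid-shift
    Poll("cabinet-or-03", _ts("2024-05-01 13:15:00"), 390),
]
```

On the sample, the ICU cabinet's reset at 02:30 is classed as planned and the OR cabinet's mid-shift reset is not, so `unplanned_devices(SAMPLE_POLLS)` names only the OR cabinet for follow-up.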

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
