HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Vulnerability Identified in Becton Dickinson Pyxis Drug Dispensing Cabinets

Becton Dickinson (BD) has discovered a vulnerability in its Pyxis drug dispensing cabinets which could allow an unauthorized individual to use expired credentials to access patient data and medications.

The vulnerability was discovered by BD, which self-reported the flaw to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). ICS-CERT has recently issued an advisory about the flaw.

The vulnerability affects Pyxis ES versions 1.3.4 to 1.6.1 and Pyxis Enterprise Server with Windows Server versions 4.4 through 4.12.

The vulnerability – tracked as CVE-2019-13517 – is a session fixation flaw in which existing access privileges are not properly coordinated with the expiration of access when a vulnerable device is joined to an Active Directory (AD) domain.

Please see the HIPAA Journal Privacy Policy

This means the credentials of a previously authenticated user could be used to gain access to a vulnerable device under certain configurations. This would allow an attacker to obtain the same level of privileges as the user whose credentials are being used, which could give access to patient information and medications. Healthcare providers that do not use AD with the devices are unaffected.

The vulnerability has been assigned a CVSS V3 base score of 7.6 out of 10. ICS-CERT warns that the vulnerability is remotely exploitable and requires a low level of skill to exploit; however, BD notes that connecting the drug cabinets to hospital domains is an uncommon configuration and is not recommended by BD. Consequently, only a limited number of hospitals that use the drug carts will be affected.

The flaw has been addressed in the latest software release, v, which removes access to the file-sharing part of the Pyxis network.

Affected healthcare providers have been recommended to implement the following mitigations to reduce the risk associated with the vulnerability:

  • Never rely on expiration dates to remove users from the hospital’s Active Directory system
  • Remove users from the AD role that grants them access to the Pyxis ES system
  • Never place Pyxis ES systems on the hospital domain

BD is unaware of any cases where the vulnerability has been exploited to view data without authorization.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.