An attacker with physical access to the device and specialized equipment and knowledge could exploit the vulnerability to change the configuration settings or disable the pump, according to the agency.
The vulnerability scored 5.3 on the 10-point risk scale. The medium score reflects the need for physical access and the low probability of harm.
The vulnerability affects multiple products in BD’s line of BodyGuard infusion pumps. The pumps deliver fluids and medications into a patient's body in controlled amounts.
By connecting to an RS-232 data transmission port on the device, an attacker could control the pump without prior authentication. That control would allow the individual to read and change configurations. BD discussed the implications of the weakness in its summary of the vulnerability.
“Any such attack would have partial impact to confidentiality and integrity and high impact to availability, as the loss of access to the pump technician codes in the wake of adverse infusion configuration changes would render the pump no longer usable,” BD wrote.
The company said there is a low probability of patient harm because the pump directions for use don’t include requirements to use the RS-232 port during clinical procedures.
In response to the threat, BD is asking customers to ensure physical access controls are in place and that only authorized end users have access to BodyGuard pumps. Hospitals should connect only BD-approved equipment to the RS-232 interface and shouldn't connect anything to the port while a pump is delivering an infusion. BD added that customers should also protect connected computer systems.
The company said in its statement that the flawed pumps are not sold in the U.S.
The cyber vulnerability is one of a handful of weaknesses that BD has reported to CISA in recent months. This year, CISA has issued notices about BD’s automated molecular testing system, microbiology informatics software platform and Totalys MultiProcessor, plus two notices about the Pyxis medication dispensing system.
Clarification: Updates to clarify that the breach was first reported to CISA by the manufacturer, Becton Dickinson.