Skip to main content

Taking Action: CISA Advisory on BD Vulnerabilities for Pyxis and Synapsys Product Lines

The Cyber & Infrastructure Security Agency (CISA) recently issued two security advisories highlighting vulnerabilities associated with connected devices made by medical technology firm Becton, Dickinson & Co. (BD). The advisories follow disclosures BD made to CISA, and describe security flaws in the company’s Pyxis and Synapsys product lines. 

Among the vulnerabilities described in the advisories are the use of default and shared credentials in the Pyxis products and “insufficient” session expiration for the Synapsys informatics platform. Both flaws could leave the devices vulnerable to exploitation by threat actors who could then gain access to sensitive patient protected health information (PHI) or even affect the delivery of correct treatment. 

Device Vulnerabilities Put Network and Patient Safety at Risk

The disclosure of these security flaws by BD, and the subsequent advisories issued by CISA, underscores the risk to both network and patient security when vulnerable  internet of medical things (IoMT) devices are deployed within healthcare environments. Even when such devices must remain in service and cannot be patched, allowing them to continue operation without taking steps to mitigate their associated risks should be regarded as a dereliction of duty. 

In this current case, BD recommends a number of steps to close the now-known security gaps, including:

  • Limit physical access to only authorized personnel;

  • Tightly control management of system passwords provided to authorized users;

  • Monitor and log network traffic attempting to reach the affected products for suspicious activity;

  • Isolate affected products in a secure VLAN or behind firewalls with restricted access that only permits communication with trusted hosts in other networks when needed; and,

  • Work with your local BD support team to ensure that patching and virus definitions are up to date. The BD Remote Support Services Solution for automated patching and virus definition management is an available solution for customer accounts.

From an IT and security operations standpoint, these steps may be difficult for hospitals and other healthcare delivery organizations (HDOs), especially in larger organizations with no means for effecting proper asset management. This leaves questions like: Does my organization have these devices in inventory and where are they located? What software versions are installed? Are they in use and unable to be taken out of service? 

Ordr can answer these questions and easily address the recommendations by BD above.

See, Know, Secure, Every Connected Device

Our See, Know, Secure approach to connected device security means our customers can find and identify all the BD connected assets—as well as other connected devices operating in the network—within minutes of deployment. Once Ordr has discovered the devices, their specific make, model, and other operational data are identified, the BD products that are impacted by this vulnerability can be  monitored for any anomalous behavior that could be an indicator of compromise (IOC). 

Ordr can identify which BD devices are being accessed by which user, and track which users were logged into a specific device, at what time, duration and more.

Ordr also enables security teams to proactively segment the impacted BD devices, and to set Zero Trust security policies specific to each. In the event that a device is compromised, and we detect anomalies such as a suspicious communications pattern or other operations outside of defined parameters—our segmentation policies limit  an attack’s potential “blast radius” by isolating affected devices and network segments, and allowing security teams to take mitigating actions within minutes of a breach. 

Ordr Can Help Secure Your Devices and Environment

With studies suggesting that as many as three-quarters of all connected medical devices currently in service contain at least one security vulnerability, and that half may contain two or more, it is critically important for hospitals and HDOs to do what is necessary to gain the upper-hand on connected device inventory, management, and security.  For more information about how the Ordr can assist in this endeavor, please visit our site to learn more about our security platform, or contact us with questions specific to your organization’s situation.

 

About the Author

Darrell Kesti is the Director of Healthcare Sales with Ordr Inc, based out of Minneapolis, MN. Darrell has 19 years of Cyber Security and Network expertise with a current focus on Medical, Industrial, Energy, Financial, Education, and Retail organizations of all sizes bringing his technical background and business outcome approach to these organizations. Prior to his role at Ordr he has held technical and account management roles at ForeScout Technologies, FireEye, Mandiant, F5 Networks, and Secure Computing Corporation. Darrell earned a Bachelor of Science in Electrical and Computer Engineering from the University of Minnesota, Duluth.

Profile Photo of Darrell Kesti