• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar
  • Skip to footer
  • Advertise
  • Subscribe

Drug Delivery Business

  • Clinical Trials
  • Research & Development
  • Drug-Device Combinations
  • FDA
  • Pharmaceuticals
  • Policy

BD discloses 8 cybersecurity vulnerabilities with Alaris infusion system

July 13, 2023 By Sean Whooley

BD Alaris with Guardrails Suite MX
The Alaris system with Guardrails Suite MX. [Image courtesy of BD]
BD (NYSE:BDX) today voluntarily posted a product security bulletin for a number of vulnerabilities with its Alaris infusion system.

Franklin Lakes, New Jersey-based BD recently identified eight vulnerabilities. These vulnerabilities are associated with the BD Alaris system with Guardrails Suite MX, versions 12.1.3 and earlier.

The company discovered the vulnerabilities through routine internal security testing as part of its software development life cycle. This includes vulnerability scanning, code analysis, threat modeling and penetration testing. BD received no reports of exploitation of these vulnerabilities in any customer environment or clinical setting. Additionally, the company cites no impact on patient health information or personally identifiable information.

BD said it assessed the clinical risk and patient safety impact of all the vulnerabilities. For all eight, the existing product control measures proved to effectively reduce the probability of harm.

If exploded, two of the vulnerabilities pose no impact on patient safety, while six present remote or improbable potential impact. The potential for harm can only occur upon the exploitation of the vulnerability, BD said.

BD provided mitigations and compensating controls for each of the vulnerabilities in its security bulletin. The company said it disclosed the vulnerabilities to make customers aware of potential risks, plus mitigations and compensating controls. These can help to reduce such risks, the company says.

As part of its disclosure process, BD voluntarily shared the vulnerabilities with the FDA, the Cybersecurity and Infrastructure Security Agency (CISA) and Information Sharing and Analysis Organizations (ISAOs) where it participates.

The latest setback for the BD Alaris system

BD has dealt with a range of issues related to the Alaris system over the past several years. Today’s notice marks the latest hiccup for the infusion system, which remains in the midst of a shipping hold in the U.S.

A BD spokesperson confirmed the shipping hold remains in place. The spokesperson shared the following statement: “The Alaris 510(k) submission remains our number one priority. While we don’t comment on the status of the review or approval timing, we are taking all the steps necessary to provide the required regulatory information and support our customers upon clearance.”

In early 2020, the company initiated an FDA Class I recall for the infusion pumps. The recall centered around multiple system errors, software errors, and use-related errors.

BD cut its financial outlook for that year after it enacted a hold of new shipments of Alaris pumps. The company applied for a new FDA clearance for the pumps in April 2021. It started a remediation effort in July 2021.

In August 2022, a federal judge in New Jersey ruled that a lawsuit against BD over how it communicated company performance amid its Alaris problems may proceed.

This past February, EVP and CFO Chris DelOrefice said on the company’s fourth-quarter earnings call: “Regarding Alaris, we continue to only model shipments related to medical necessity in line with fiscal 2022 demand.” Later that month, BD issued a voluntary notification regarding cybersecurity vulnerabilities with its Alaris Infusion Central software.

Alaris Infusion Central, a standalone software — separate from pumps — provides data from the Alaris pumps. It allows healthcare providers to monitor infusion data sent from Alaris Plus and Alaris neXus pumps on a computer. Alaris Infusion Central is not sold in the U.S. Despite similar product family names, that vulnerability did not impact users of the Alaris PCU 8015 or Alaris Systems Manager.

Filed Under: Business/Financial News, Drug-Device Combinations, Featured, Regulatory/Compliance, Technology Tagged With: Alaris, BD, Cybersecurity

IN CASE YOU MISSED IT

  • Tandem Diabetes Care wins CE mark for Mobi insulin pump with Control-IQ+ technology
  • Glooko adds chief strategy officer to chief medical officer’s title
  • Cordis launches 10,000-patient registry for drug-eluting balloon
  • Senseonics opens $50M public offering, $25M private placement with Abbott
  • Study links Abbott CGM use to lower risk of hospitalizations due to heart complications

About Sean Whooley

Sean Whooley is an associate editor who mainly produces work for MassDevice, Medical Design & Outsourcing and Drug Delivery Business News. He received a bachelor's degree in multiplatform journalism from the University of Maryland, College Park. You can connect with him on LinkedIn or email him at swhooley@wtwhmedia.com.

Primary Sidebar

“ddb
EXPAND YOUR KNOWLEDGE AND STAY CONNECTED
Get the latest news and trends happening now in drug delivery.

MEDTECH 100 INDEX

Medtech 100 logo
Market Summary > Current Price
The MedTech 100 is a financial index calculated using the BIG100 companies covered in Medical Design and Outsourcing.

Footer

Drug Delivery Business News Logo

MassDevice Medical NETWORK

MassDevice
DeviceTalks
Medical Tubing + Extrusion
Medical Design & Outsourcing
MedTech100 Index
Drug Discovery & Development
Pharmaceutical Processing World
Medical Design Sourcing
R&D World

DRUG DELIVERY BUSINESS NEWS

Subscribe to Drug Delivery’s E-Newsletter
Advertise with us
About
Contact us
Privacy
Listen to our Weekly Podcasts

Copyright © 2025 · WTWH Media LLC and its licensors. All rights reserved.
The material on this site may not be reproduced, distributed, transmitted, cached or otherwise used, except with the prior written permission of WTWH Media.

Privacy Policy | RSS