BD (NYSE:BDX) today voluntarily posted a product security bulletin for a number of vulnerabilities with its Alaris infusion system.
Franklin Lakes, New Jersey-based BD recently identified eight vulnerabilities. These vulnerabilities are associated with the BD Alaris system with Guardrails Suite MX, versions 12.1.3 and earlier.
The company discovered the vulnerabilities through routine internal security testing as part of its software development life cycle. This includes vulnerability scanning, code analysis, threat modeling and penetration testing. BD received no reports of exploitation of these vulnerabilities in any customer environment or clinical setting. Additionally, the company cites no impact on patient health information or personally identifiable information.
BD said it assessed the clinical risk and patient safety impact of all the vulnerabilities. For all eight, the existing product control measures proved to effectively reduce the probability of harm.
If exploited, two of the vulnerabilities pose no impact on patient safety, while six present a remote or improbable potential impact. Potential for harm arises only upon exploitation of a vulnerability, BD said.
BD provided mitigations and compensating controls for each of the vulnerabilities in its security bulletin. The company said it disclosed the vulnerabilities to make customers aware of the potential risks, as well as of the mitigations and compensating controls that can help reduce them.
As part of its disclosure process, BD voluntarily shared the vulnerabilities with the FDA, the Cybersecurity and Infrastructure Security Agency (CISA) and Information Sharing and Analysis Organizations (ISAOs) where it participates.
The latest setback for the BD Alaris system
BD has dealt with a range of issues related to the Alaris system over the past several years. Today’s notice marks the latest hiccup for the infusion system, which remains in the midst of a shipping hold in the U.S.
A BD spokesperson confirmed the shipping hold remains in place. The spokesperson shared the following statement: “The Alaris 510(k) submission remains our number one priority. While we don’t comment on the status of the review or approval timing, we are taking all the steps necessary to provide the required regulatory information and support our customers upon clearance.”
In early 2020, the company initiated an FDA Class I recall for the infusion pumps. The recall centered around multiple system errors, software errors, and use-related errors.
BD cut its financial outlook for that year after it enacted a hold of new shipments of Alaris pumps. The company applied for a new FDA clearance for the pumps in April 2021. It started a remediation effort in July 2021.
In August 2022, a federal judge in New Jersey ruled that a lawsuit against BD over how it communicated company performance amid its Alaris problems may proceed.
This past February, EVP and CFO Chris DelOrefice said on the company’s fourth-quarter earnings call: “Regarding Alaris, we continue to only model shipments related to medical necessity in line with fiscal 2022 demand.” Later that month, BD issued a voluntary notification regarding cybersecurity vulnerabilities with its Alaris Infusion Central software.
Alaris Infusion Central, standalone software separate from the pumps, provides data from the Alaris pumps. It allows healthcare providers to monitor infusion data sent from Alaris Plus and Alaris neXus pumps on a computer. Alaris Infusion Central is not sold in the U.S. Despite the similar product family names, that vulnerability did not affect users of the Alaris PCU 8015 or Alaris Systems Manager.