BD (NYSE:BDX) today issued a voluntary notification regarding cybersecurity vulnerabilities with its Alaris Infusion Central software.
Alaris Infusion Central is standalone software, separate from the pumps themselves, that presents data from Alaris pumps. It allows healthcare providers to monitor infusion data sent from Alaris Plus and Alaris neXus pumps on a computer. Alaris Infusion Central is not sold in the U.S. Despite the similar product family names, the vulnerability does not affect users of the Alaris PCU 8015 or the Alaris Systems Manager.
BD said in the notice that it communicates with customers about cybersecurity vulnerabilities. This enables providers to manage potential risks through awareness and guidance. The company voluntarily shared the vulnerability with FDA, CISA and ISAOs where it participates.
The notice relates to the BD Alaris Infusion Central software, versions 1.1 to 1.3.2. After installation, this software may contain a recoverable password. No patient health information is stored in the database, though some site installations may choose to store personal data.
BD said the vulnerability received a 7.3 (High) score in the Common Vulnerability Scoring System (CVSS). A threat actor requires local access to the software’s server, which limits the attack surface. Any such attack would, however, have a high impact on confidentiality and integrity, and may have a partial impact on the availability of data. Obtaining the password could result in disclosure and tampering of the personal data resident in the database.
The company determined a low probability of harm. Alaris Infusion Central collects and displays medical device data. It has no access to control, configure or operate the connected infusion pump.
BD said it revised its installation procedure to prevent the vulnerability in future installations. It recommends that users change passwords periodically and enforce physical access controls, so that only authorized administrators have access to the Alaris Infusion Central server.
Another Alaris issue for BD
Today’s notice from BD is the latest setback for Alaris, which has had its fair share over the past few years.
In early 2020, the company initiated an FDA Class I recall for the infusion pumps. The recall centered around multiple system errors, software errors, and use-related errors.
BD cut its financial outlook for that year after it enacted a hold of new shipments of Alaris pumps. BD applied for a new FDA clearance for the pumps in April 2021. It began a remediation effort in July 2021.
Last August, a federal judge in New Jersey ruled that a lawsuit against BD over how it communicated company performance amid its Alaris problems may proceed.
The most recent update on Alaris came in one sentence from the company’s fourth-quarter earnings call earlier this month. EVP and CFO Chris DelOrefice said: “regarding Alaris, we continue to only model shipments related to medical necessity in line with fiscal 2022 demand.”