Alaris™ Infusion Central – Recoverable Password Vulnerability

Background

BD communicates with our customers about cybersecurity vulnerabilities to enable healthcare providers to manage potential risks through awareness and guidance.

This notification provides product security information and recommendations related to a security vulnerability found within specified versions of Alaris™ Infusion Central, which is not sold in the U.S.

Alaris™ Infusion Central is a standalone software, separate from the pumps, that allows healthcare providers to monitor infusion data sent from BD Alaris™ Plus and BD Alaris™ neXus pumps on a computer.

As a routine practice, BD has voluntarily shared this vulnerability with the U.S. Food and Drug Administration (FDA), the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) and Information Sharing and Analysis Organizations (ISAOs) where BD participates. Read Coordinated Vulnerability Disclosure to learn more about our disclosure process.

Products in Scope

This notification applies to the following Alaris™ Infusion Central products:

  • Alaris™ Infusion Central, versions 1.1 to 1.3.2

Please note: The product listed above is not sold in the U.S. This vulnerability does not impact customers who use BD Alaris™ PCU 8015 or BD Alaris™ Systems Manager.

Vulnerability Details

  • CVE-2022-47376 – The Alaris™ Infusion Central software, versions 1.1 to 1.3.2, may contain a recoverable password after installation. No patient health data is stored in the database, although some site installations may choose to store personal data.

Vulnerability Score

BD is authorized as a Common Vulnerability and Exposures (CVE) Numbering Authority (CNA) by the CVE® Program. As a CNA, BD is authorized to assign CVE identification numbers to newly discovered vulnerabilities in its software-enabled products, which includes using the Common Weakness Enumeration (CWE™) system to classify vulnerability types and applying the Common Vulnerability Scoring System (CVSS) to communicate vulnerability characteristics and severity. BD assigned the following CVSS score to this vulnerability:

CVSS: 7.3 (High) CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

Rationale: A threat actor requires local access to the Alaris™ Infusion Central server, which limits the attack surface. A successful attack would require the threat actor to have access to the Windows operating system on the Alaris™ Infusion Central server where the password remains recoverable. Any such attack would have high impact on confidentiality and integrity, and partial impact on availability of data, as obtaining the password could result in disclosure and tampering of resident personal data.

Patient Safety Assessment

BD assessed this vulnerability for potential patient safety impact and determined that there is a low probability of harm occurring. Alaris™ Infusion Central collects and displays medical device data and cannot control or configure either the BD Alaris™ Plus or the BD Alaris™ neXus pump configuration or operation.

Mitigations & Compensating Controls

BD is directly reaching out to the small group of customers who may be impacted by this vulnerability to initiate remediation. BD is providing this information to increase awareness. Additionally, the installation procedure has been revised to prevent this vulnerability in future installations.

BD recommends the following mitigations and compensating controls to reduce risk associated with this vulnerability:

  • Change passwords periodically per best security practice.
  • Ensure physical access controls are in place and only authorized administrators have access to the Alaris™ Infusion Central server.

Additional Resources

For product- or site-specific concerns, contact your BD service representative.