Alaris™ System residual data
This bulletin is a reminder from a previous notification issued on November 1, 2016.
This notification applies to the following BD Alaris™ System products:
On November 1, 2016, BD issued a notification to inform customers that data in the BD Alaris™ PCUs (“PCUs”) were not being adequately cleared when the PCUs were transferred between facilities, causing residual infusion log data to be misdirected and stored on the wrong facility’s BD knowledge portal for infusion technologies application (“IKP”).
If BD’s data clearing procedures released in Service Bulletin 597 are not followed, residual data could be present on the PCU when it is decommissioned or moved to another facility (i.e. rental units, managed asset customers). In February 2019, BD discovered that the data clearing procedures, for PCUs, in Service Bulletin 597 were not been followed, which caused de-identified data to be misdirected on IKP, in limited instances
With the prior notification in 2016, BD created a quarantine process that was added to IKP to help mitigate any future residual data misdirection in cases where BD’s clearance process is not followed. The quarantine process evaluates the drug profile associated with infusion data records and captures the records that do not match the profile at the facility or IDN, so misdirected data is not shown or accessible. While the quarantine process is highly effective, in rare circumstances, the IKP quarantine logic may allow misdirected data to pass through quarantine and be stored on the wrong facility’s IKP.
As a result, BD has issued this updated security bulletin to remind customers, hospital biomedical engineering, and rental companies that Service Bulletin 597 must be followed to remove residual data on the PCU prior to re-deployment or during decommissioning. BD has carefully reviewed the misdirected data, and determined that it is de-identified based on a statistical expert opinion, and therefore, not protected health information. In addition, BD conducted a risk assessment using the HIPAA 4-factor test and concluded there was a low probability of compromise of such data.
BD recommends the following mitigations and compensating controls in order to reduce risk associated with this vulnerability:
BD will take the following actions to address this vulnerability:
Original Publication Date: November 2016
Product Security Bulletin for BD Alaris™ PC Unit
BD, the BD Logo and all other trademarks are property of Becton, Dickinson and Company. All other trademarks are the property of their respective owners.
In line with our commitment to continuously improve patient care, BD offers our customers innovative solutions for collecting and analyzing infusion information from the Alaris System. Protecting and securing that data is a top priority for BD and we are committed to transparency and corrective action when issues arise
For more information on our proactive approach to product security and vulnerability management, visit our product security website.