BD is currently monitoring the Meltdown and Spectre vulnerabilities. While these vulnerabilities are hardware-based, they impact multiple operating systems. A flaw in central processing units (CPUs) could allow malicious software to gain access to other processes and data on any impacted computer or server, including cloud applications. These vulnerabilities are not exclusive to BD or medical devices. They potentially affect every computer and/or device with a CPU, specifically certain Intel chips and AMD and ARM processors.
BD has assessed these vulnerabilities and rated the risk as low impact. Any attack would require local or physical access, the difficulty of exploiting these vulnerabilities is high, and the vulnerabilities do not have the potential to corrupt, modify, or delete data.
BD has provided a list of products in scope in order to better help our customers identify any BD products with a CPU that has the potential to be vulnerable to these threats. The list of BD products in scope is currently dynamic and will be updated as we complete analysis of products in scope. Additionally, BD has incorporated a list of Vascular Access Devices in scope.
For product or site-specific concerns, contact your BD service representative. We will update this communication as new information becomes available.
For procedures specific to your product, contact your BD service representative. If you observe symptoms of a ransomware attack, disconnect your system from the network and contact your BD service representative and/or BD Product Security at ProductSecurity@bd.com.
As a result of these events, BD recommends the following for systems with a vulnerable CPU and an unpatched operating system with any form of network connectivity to minimize risk and impact:
Customers that maintain patches independent of BD automated delivery should ensure these actions are performed as the acting responsible entity in order to maintain the correct security posture of the system(s). Software patches addressing Meltdown and Spectre may result in the slowdown of affected systems. When deploying any such software patches, be sure to prioritize and test updates as necessary to assess potential performance impact.
For Vascular Access Devices, a Business Group of BD (formerly Bard Access Systems), updates to the operating system or firmware are currently being evaluated for potential performance impact.
US-CERT Notice: Vulnerability Note VU#584653
Intel responds to security research findings, noting these exploits do not have the potential to corrupt, modify or delete data.