This bulletin provides clinical and technical security information, recommendations and upgrade options for legacy Pyxis™ supply customers with installed end-of-life (EOL) product versions.
The affected Pyxis SupplyStation™ system software versions are:
This page contains:
Customers with legacy Pyxis supply systems currently installed should consider the following factors related to the sustainability and supportability of these EOL products:
EOL operating system and third-party software considerations
The decision by Microsoft® to announce EOL and end of extended support for the Microsoft Windows® XP and XP Embedded operating systems brings with it a host of sustainability, support and security issues that negatively impact customers. Microsoft has recommended that existing XP customers immediately migrate to newer, supported operating systems to minimize sustainment and security risks.
BD has developed upgrade options, described in this bulletin, for legacy Pyxis supply customers to best support their critical modernization objectives.
Security vulnerabilities associated with unsupported operating systems and third-party software
In addition to the many known vulnerabilities in Windows XP and XP Embedded, BD and independent security researchers have identified numerous vulnerabilities in EOL versions of the Pyxis SupplyStation system that stem from EOL operating systems and software.
Version 8.1.3 of the Pyxis SupplyStation system, last updated around April 2010, was tested and found to contain 1,418 vulnerabilities across seven different third-party vendor applications:
BD has collaborated with the U.S. Department of Homeland Security (DHS) to review baseline and temporal Common Vulnerability Scoring System (CVSS) scores for these vulnerabilities, which will be further highlighted in a forthcoming DHS advisory, located at https://ics-cert.us-cert.gov/advisories. These vulnerability scores can be used in assessing risk within your own organization.
These vulnerabilities have also been assessed for clinical impact by BD and DHS and represent little to no risk to patient safety.
BD has also verified that the identified vulnerabilities are not present in currently available Pyxis supply versions.
BD has developed an upgrade path available to eligible legacy Pyxis supply customers, based on the current legacy product version. Legacy supply customers are urged to migrate to the latest Pyxis SupplyStation platform.
Contact your Pyxis sales representative to obtain more information and discuss available upgrade options.
Though BD strongly advises customers to upgrade their Pyxis SupplyStation systems to currently supported versions, it is understood that some may not choose to do so.
BD has worked with DHS to identify specific compensating controls that reduce risk for customers who cannot upgrade or who elect to remain on the legacy Pyxis SupplyStation platform. Remaining on the legacy platform includes acknowledging and accepting any residual risk associated with a product version that is no longer supported.
BD recommends that customers running older versions of the Pyxis SupplyStation system on these legacy operating systems apply the following compensating measures. ICS-CERT recommends that users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:
For more information on product security associated with legacy Pyxis supply products, see:
For more information on our proactive approach to product security and vulnerability management, view the BD product security and privacy statement.
Contact our Product Security Office if you have any questions.