BD Kiestra™ - Temporary Exposure of a Service Credential Not Used by Customers

United States
North America

Canada (FR)

Canada (EN)

Mexico

United States

South America

Argentina

Brasil

Chile

Colombia
Europe

Belgium (FR)

Belgium (NL)

Česká republika

Denmark

Europe

Suomi

France

Deutschland

Hebrew

Hungary (EN)

Hungary (HU)

Ireland

Italia

Nederland

Norge

Polska

Россия

España

Sverige

Schweiz

Türkiye

United Kingdom
Middle East / Africa

Middle East, North Africa

Africa

Asia / Pacific

Australia / New Zealand

中国

Greater Asia

India

Indonesia

日本

Korea

Malaysia

Philippines

Singapore

Thailand

Vietnam
Login

Apr 24, 2023

Bulletins

LOW

BD communicates with our customers about cybersecurity vulnerabilities to help healthcare providers manage potential risks through awareness and guidance.

This notification provides product security information and recommendations related to a publicly available credential used in specific configurations of BD Kiestra™. The credential is used and managed only by BD personnel and not used by the customers.

As a routine practice, BD has voluntarily shared this information with the U.S. Food and Drug Administration (FDA), the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) and Information Sharing and Analysis Organi zations (ISAOs) where BD participates. Read Coordinated Vulnerability Disclosure to learn more about our disclosure process.

This notification applies to the following products:

BD Kiestra™ Total Lab Automation (TLA) with a Systems Control Unit (SCU)
BD Kiestra™ Work Cell Automation (WCA) with a Systems Control Unit (SCU)
BD Kiestra™ ReadA with a Systems Controls Unit (SCU)

During routine security monitoring of the BD network, a publicly available internet-based service was used by a BD associate for file analysis. During the analysis, an activity report was generated that contained a BD Kiestra™ credential. Since the service was publicly available, the report containing the information was also public, meaning the credential was temporarily on the Internet. BD engaged the service’s support team to remove the report from public access. There is no evidence that the credential was viewed or accessed while on the Internet.

In order to leverage the credential, threat actors would first need to obtain the credential, infiltrate a facility’s network, and gain logical access to the BD Kiestra™ Systems Control Unit (SCU).

The credential is not known or used by customers. It is managed and used by BD regional Customer Support Center associates for servicing the BD Kiestra™ SCU. Additionally, this credential does not grant privileges to view or access any sensitive information within the product.

BD assessed this vulnerability for potential patient safety impact and determined that there is no risk to patients. If exploited, the Systems Control Unit would continue to conduct its current task and then shut down.

BD is proactively working with customers to change the credential. BD recommends the following mitigations and compensating control(s) to reduce risk that may be associated with this credential exposure:

Ensure physical access controls to the BD Kiestra™ systems are in place.
Ensure only authorized end-users have access to the BD Kiestra™ systems and/or hospital network.
Monitor network(s) for rogue traffic and malicious packets.
Ensure industry standard network security policies and procedures are followed.

For product- or site-specific concerns, contact your BD service representative.