Begin Update A: May 20, 2019
This bulletin is a reminder from a previous notification issued on November 1, 2016.
Products in Scope
This notification applies to the following BD Alaris™ System products:
- BD Alaris™ PC Unit Model 8000 and 8015 with all PCU software versions
- BD Knowledge Portal for Infusion Technologies
- Guardrails™ CQI Reporter
- Infusion Analytics Services
- Infusion Viewer for Alaris Viewer Suite
- BD Alaris™ EMR Interoperability
On November 1, 2016, BD issued a notification to inform customers that data in the BD Alaris™ PCUs (“PCUs”) were not being adequately cleared when the PCUs were transferred between facilities, causing residual infusion log data to be misdirected to and stored on the wrong facility’s BD Knowledge Portal for Infusion Technologies application (“IKP”).
If BD’s data clearing procedures released in Service Bulletin 597 are not followed, residual data can remain on the PCU when it is decommissioned or moved to another facility (e.g. rental units, managed asset customers). In February 2019, BD discovered that in limited instances the PCU data clearing procedures in Service Bulletin 597 had not been followed, which caused de-identified data to be misdirected on IKP.
With the prior notification in 2016, BD added a quarantine process to IKP to help mitigate future residual data misdirection in cases where BD’s clearance process is not followed. The quarantine process evaluates the drug profile associated with each infusion data record and holds back records whose profile does not match a profile defined at the receiving facility or IDN, so misdirected data is not shown or accessible. While the quarantine process is highly effective, in rare circumstances the IKP quarantine logic may allow misdirected data to pass through quarantine and be stored on the wrong facility’s IKP.
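The following is an added illustration of the profile-based quarantine described above; it is editor-written example code, not BD’s IKP implementation, and the record fields, facility identifiers, profile names and drug libraries are all constructed for the example. It shows the check working on a residual record whose profile belongs only to the previous facility, and the editor’s reading of how a misdirected record can still pass: a profile name that happens to exist at both facilities matches the receiving facility’s library. The stricter variant that also requires the PCU to be on the receiving facility’s asset register is a hypothetical strengthening, not a description of BD’s planned update.

```python
"""Profile-based quarantine, as described in the bulletin, on constructed data.

Editor-added example; not BD code. Facility IDs, PCU serials, profile names
and drug libraries below are invented for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class InfusionRecord:
    pcu_serial: str          # device that uploaded the log record
    receiving_facility: str  # facility whose IKP received the upload
    profile: str             # drug-library profile stamped on the record
    drug: str


# Constructed drug libraries: facility -> profiles defined at that facility.
# "Adult ICU" deliberately exists at both facilities.
FACILITY_PROFILES = {
    "FAC-A": {"Adult ICU", "Med-Surg", "Peds"},
    "FAC-B": {"Adult ICU", "Oncology"},
}

# Constructed asset register for FAC-A (hypothetical extra check, see below).
FAC_A_REGISTERED_PCUS = {"PCU-1001"}

# Constructed upload to FAC-A's IKP: two genuine FAC-A records from a registered
# PCU, and two residual FAC-B records from a rental PCU that was moved to FAC-A
# without the Service Bulletin 597 clearing procedure being run.
SAMPLE_UPLOAD = [
    InfusionRecord("PCU-1001", "FAC-A", "Med-Surg", "heparin"),
    InfusionRecord("PCU-1001", "FAC-A", "Adult ICU", "norepinephrine"),
    InfusionRecord("PCU-2002", "FAC-A", "Oncology", "cisplatin"),
    InfusionRecord("PCU-2002", "FAC-A", "Adult ICU", "propofol"),
]


def quarantine_by_profile(records, facility):
    """Quarantine logic as the bulletin describes it: accept a record only if
    its profile is defined at the receiving facility, hold everything else.
    Returns (accepted, held)."""
    known_profiles = FACILITY_PROFILES[facility]
    accepted, held = [], []
    for rec in records:
        (accepted if rec.profile in known_profiles else held).append(rec)
    return accepted, held


def quarantine_by_profile_and_device(records, facility, registered_serials):
    """Hypothetical stricter variant (editor's assumption, not BD's logic):
    in addition to the profile match, require the uploading PCU to be on the
    receiving facility's asset register, so a record from an unregistered
    device is held even when its profile name collides."""
    accepted, held = quarantine_by_profile(records, facility)
    still_accepted = [r for r in accepted if r.pcu_serial in registered_serials]
    held.extend(r for r in accepted if r.pcu_serial not in registered_serials)
    return still_accepted, held


def drugs(records):
    """Helper for readable results: the drug names in upload order."""
    return [r.drug for r in records]


def run_profile_only():
    """Profile check alone: 'cisplatin' (Oncology) is held, but the residual
    'propofol' record passes because 'Adult ICU' also exists at FAC-A."""
    accepted, held = quarantine_by_profile(SAMPLE_UPLOAD, "FAC-A")
    return drugs(accepted), drugs(held)


def run_profile_and_device():
    """Profile plus asset-register check: both residual records are held."""
    accepted, held = quarantine_by_profile_and_device(
        SAMPLE_UPLOAD, "FAC-A", FAC_A_REGISTERED_PCUS
    )
    return drugs(accepted), drugs(held)


if __name__ == "__main__":
    print("profile only      :", run_profile_only())
    print("profile + device  :", run_profile_and_device())
```

The point of the example is the second result of `run_profile_only()`: the residual "propofol" record is indistinguishable from a genuine FAC-A record on profile alone, which is why the bulletin treats the quarantine as a backup and the Service Bulletin 597 clearing step as the primary control.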
As a result, BD has issued this updated security bulletin to remind customers, hospital biomedical engineering departments, and rental companies that Service Bulletin 597 must be followed to remove residual data from the PCU prior to re-deployment or during decommissioning. BD has carefully reviewed the misdirected data and determined, based on a statistical expert opinion, that it is de-identified and therefore not protected health information. In addition, BD conducted a risk assessment using the HIPAA 4-factor test and concluded there was a low probability of compromise of such data.
Mitigations & Compensating Controls
BD recommends the following mitigations and compensating controls in order to reduce risk associated with this vulnerability:
- BD is reiterating the importance of complying with Service Bulletin 597 to clear all infusion data logs from a PCU when it is decommissioned or moved between facilities.
- For PCUs that are not moved between facilities, no action is required.
BD will take the following actions to address this vulnerability:
- BD will release new IKP software in July 2019 to update the quarantine process and further mitigate the risk of infusion data being misdirected on IKP.
- BD will continue to evaluate updated data clearing procedures that would address any underlying issues of residual data and eliminate the need for a backup quarantine process.
Original Publication Date: November 2016
Product Security Bulletin for BD Alaris™ PC Unit
BD, the BD Logo and all other trademarks are property of Becton, Dickinson and Company. All other trademarks are the property of their respective owners.
End Update A: July 15, 2019
In line with our commitment to continuously improve patient care, BD offers our customers innovative solutions for collecting and analyzing infusion information from the Alaris System. Protecting and securing that data is a top priority for BD, and we are committed to transparency and corrective action when issues arise.
For more information on our proactive approach to product security and vulnerability management, visit our product security website.