BD finds some BodyGuard infusion pumps at risk for hacking

by John R. Fischer, Senior Reporter | December 07, 2022
BD's CME BodyGuard 323 Color Vision is one of the pumps with the cybersecurity vulnerability
Medtech company BD announced last week that a defect in some of its BodyGuard infusion pumps could allow online attackers to hack in and disable the pump, putting patient lives in jeopardy.

The pumps, which are not sold in the U.S., are vulnerable through their RS-232 (serial) port interface. BD has categorized the associated risk as "Medium" because it cannot be exploited remotely.

"A physical attack vector is required to exploit this vulnerability on the BD BodyGuard pump," the company said in a statement. "A threat actor would have to physically connect to the enabled RS-232 interface — which limits the attack surface. A successful attack against the pump via the RS-232 interface would require the attacker to have some knowledge of the pump to execute successful commands."

This notification applies to the following BD BodyGuard products:

  • BD BodyGuard
  • CME BodyGuard 323 (2nd Edition)
  • CME BodyGuard 323 Color Vision (2nd Edition)
  • CME BodyGuard 323 Color Vision (3rd Edition)
  • CME BodyGuard Twins (2nd Edition)

Fixing the issue requires adding the protection mechanism that is currently missing for an alternate hardware interface.

The pumps store no electronic or nonelectronic health information or personally identifiable information, according to a statement from the U.S. Cybersecurity and Infrastructure Security Agency (CISA). Nevertheless, it encourages providers to make sure physical access controls are in place to reduce risks and only allow authorized users to access the pump. They should also connect only BD-approved equipment to the RS-232 interface and not connect equipment to the interface during infusions.
