by John R. Fischer, Senior Reporter | December 07, 2022
Medtech company BD announced last week that a defect in some of its BodyGuard infusion pumps could allow online attackers to hack in and disable the pump, putting patient lives in jeopardy.
The pumps, which are not sold in the U.S., are vulnerable through their RS-232 (serial) port interface. BD has categorized the associated risk as "Medium" because it cannot be exploited remotely.
"A physical attack vector is required to exploit this vulnerability on the BD BodyGuard pump," the company said in a statement. "A threat actor would have to physically connect to the enabled RS-232 interface — which limits the attack surface. A successful attack against the pump via the RS-232 interface would require the attacker to have some knowledge of the pump to execute successful commands."
This notification applies to the following BD BodyGuard products:
- BD BodyGuard
- CME BodyGuard 323 (2nd Edition)
- CME BodyGuard 323 Color Vision (2nd Edition)
- CME BodyGuard 323 Color Vision (3rd Edition)
- CME BodyGuard Twins (2nd Edition)
Fixing the issue requires adding the protection mechanism that is currently missing for an alternate hardware interface.
The pumps store no electronic or nonelectronic health information or personally identifiable information, according to a statement from the U.S. Cybersecurity and Infrastructure Security Agency (CISA). Nevertheless, it encourages providers to make sure physical access controls are in place to reduce risks and only allow authorized users to access the pump. They should also connect only BD-approved equipment to the RS-232 interface and not connect equipment to the interface during infusions.