The US Department of Homeland Security released an advisory regarding newly-discovered cybersecurity vulnerabilities in a Becton, Dickinson and Company (BD) supply management system. The Pyxis SupplyStation – designed to dispense medical supplies based on fingerprint identification of authorized personnal – was evaluated by independent researchers who found that the system could be accessed remotely.
According to the agency, they will not be developing a patch to fix the issue as the affected systems are nearing the end of their product lifespan. Two independent researchers – Billy Rios and Mike Ahmadi – identified the issue in collaboration with the BD-owned subsidiary, CareFusion.
The independent researchers identified the security vulnerabilities using a system purchased from a retailer specializing in selling decommissioned units. The weak points were identified using an automated software composition analysis tool.
CareFusion has presented a number of ways for institutions to minimize exploitation risk of the Pyxis SupplyStation systems. The company was acquired by BD in 2015 in a $12.2 billion agreement.
The researchers identified over 1,400 different vulnerabilities across seven third-party vendor software packages. In all, 86 files were affected by the cybersecurity risk, and CareSystem no longer provides support for these supply management systems.
CareFusion’s main recommendation for facilities who are using the affected systems, is to disconnect the Pyxis SupplyStation from the internet. If remote access is required, they recommend closely monitoring traffic to the device through a virtual private network.
“Exploitation of these vulnerabilities may allow a remote attacker to compromise the Pyxis SupplyStation system,” said the US Department of Homeland Security. “The SupplyStation system is designed to maintain critical functionality and provide access to supplies in ‘fail-safe mode’ in the event that the cabinet is rendered inoperable. Manual keys can be used to access the cabinet if it is rendered inoperable.”