The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Advisory Issued About BD Totalys MultiProcessor Vulnerability

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a medical advisory about a recently discovered vulnerability that affects the BD Totalys MultiProcessor, which is used by hospitals and labs for processing clinical tissue specimens.

The vulnerability is due to the use of hard-coded credentials, which could allow an attacker with access to a vulnerable Totalys MultiProcessor to access, modify, or delete sensitive data, including personally identifiable and protected health information.

The vulnerability cannot be exploited remotely. To exploit the flaw, a malicious actor would need physical access to the BD Totalys MultiProcessor or network access to the system. Any additional security controls would also need to be bypassed.

The vulnerability, tracked as CVE-2022-40263, affects all BD Totalys MultiProcessor versions up to and including v1.70, and has been assigned a CVSS severity score of 6.6 out of 10 (medium severity).

The vulnerability was discovered by BD and was reported to CISA under its responsible disclosure policy. BD says the vulnerability is due to be remediated in the upcoming v1.71 software release, which is expected to be made available to users in Q4 2022. In the meantime, BD has suggested mitigations to prevent exploitation of the vulnerability.

Users should ensure physical access controls are in place so that access to the BD Totalys MultiProcessor is restricted to authorized individuals. If the device must be networked, industry standard security policies and procedures should be followed.

At the time of issuing the alert, there have been no cases of exploitation of the flaw and there are no known exploits in the public domain.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
