The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

BD Issues Security Advisories About Pyxis and Synapsys Vulnerabilities

BD has issued security advisories about two vulnerabilities that affect certain BD Pyxis automated medication dispensing system products and the BD Synapsys microbiology informatics software platform.

BD Pyxis – CVE-2022-22767

According to BD, certain BD Pyxis products have been installed with default credentials and may still operate with those credentials. In some scenarios, the affected products may have been installed with the same default local operating system credentials or domain-joined server(s) credentials that may be shared across product types.

If a threat actor were to exploit the vulnerability, it would be possible to gain privileged access to the underlying file system, which would allow access to ePHI or other sensitive information. The vulnerability is tracked as CVE-2022-22767 and has a CVSS v3 base score of 8.8 out of 10 (high severity).

The following products are affected by the vulnerability:

  • BD Pyxis ES Anesthesia Station
  • BD Pyxis CIISafe
  • BD Pyxis Logistics
  • BD Pyxis MedBank
  • BD Pyxis MedStation 4000
  • BD Pyxis MedStation ES
  • BD Pyxis MedStation ES Server
  • BD Pyxis ParAssist
  • BD Pyxis Rapid Rx
  • BD Pyxis StockStation
  • BD Pyxis SupplyCenter
  • BD Pyxis SupplyRoller
  • BD Pyxis SupplyStation
  • BD Pyxis SupplyStation EC
  • BD Pyxis SupplyStation RF auxiliary
  • BD Rowa Pouch Packaging Systems

BD said it is working with customers whose domain-joined server(s) credentials require updating and it is strengthening the credential management capabilities of BD Pyxis products.

BD recommends the following compensating controls for users of Pyxis products utilizing default credentials:

  • Restrict physical access to Pyxis products to only authorized personnel
  • Tightly control management of system passwords
  • Monitor and log network traffic attempting to reach the affected products for suspicious activity
  • Isolate affected products in a secure VLAN or behind firewalls and only permit communication with trusted hosts in other networks, when needed

BD Synapsys – CVE-2022-30277

Certain BD Synapsys products are affected by an insufficient session expiration vulnerability, which could potentially allow an unauthorized individual to access, modify, or delete sensitive information such as ePHI, which could in turn result in delayed or incorrect treatment. BD says a physical breach of a vulnerable workstation would be unlikely to lead to the modification of ePHI, as the sequence of events has to be conducted in a specific order. The vulnerability is tracked as CVE-2022-30277 and has been assigned a CVSS v3 base score of 5.7 out of 10 (medium severity).

The vulnerability affects BD Synapsys versions 4.20, 4.20 SR1, and 4.30. The flaw will be addressed in BD Synapsys v4.20 SR2, which will be released this month.

BD has suggested the following compensating controls:

  • Configure the inactivity session timeout in the operating system to match the session expiration timeout in BD Synapsys.
  • Ensure physical access controls are in place and only authorized end-users have access to BD Synapsys workstations.
  • Place a reminder at each computer for users to save all work and log out or lock their workstation when leaving the BD Synapsys workstation.
  • Ensure industry standard network security policies and procedures are followed.
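The first of those controls is the one an administrator can enforce rather than merely remind users about. The following PowerShell script is an added example, not code from BD or from the advisory: it checks the Windows "Interactive logon: Machine inactivity limit" setting on a workstation (stored as the InactivityTimeoutSecs registry value under the local security policy key) and, when the OS would lock later than the application session expires or would never lock at all, sets it to match. The BD Synapsys session expiration value is not published in the advisory, so the $SynapsysSessionTimeoutSeconds parameter below is a placeholder that must be taken from your own BD Synapsys configuration.

```powershell
# Added example (not from the BD advisory): align the Windows machine inactivity
# limit on a BD Synapsys workstation with the application's session expiration.
# ASSUMPTION: the default below is a placeholder, not a BD-published value; pass
# the real Synapsys session expiration (in seconds) from your own configuration.
param(
    [int]$SynapsysSessionTimeoutSeconds = 900
)

# "Interactive logon: Machine inactivity limit" lives here. A missing value or 0
# means the machine never locks for inactivity, which is the weak setting.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ValueName = 'InactivityTimeoutSecs'

if (-not ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
        ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run from an elevated (Administrator) PowerShell session to change HKLM.'
}

# Read the current value without failing if the value (or key) does not exist yet.
$current = (Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName

$isWeak = ($null -eq $current) -or ($current -eq 0) -or ($current -gt $SynapsysSessionTimeoutSeconds)

if ($isWeak) {
    $shown = if ($null -eq $current) { 'not set (never locks)' } else { "$current s" }
    Write-Host "Weak setting: OS inactivity limit is $shown; Synapsys session expires after $SynapsysSessionTimeoutSeconds s. Correcting."

    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    # REG_DWORD, in seconds. The OS will now lock no later than the app session expires.
    Set-ItemProperty -Path $PolicyKey -Name $ValueName -Value $SynapsysSessionTimeoutSeconds -Type DWord
} else {
    Write-Host "OK: OS inactivity limit ($current s) is no longer than the Synapsys session timeout ($SynapsysSessionTimeoutSeconds s)."
}

# Verify the effective value after the change.
$after = (Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction Stop).$ValueName
if ($after -eq 0 -or $after -gt $SynapsysSessionTimeoutSeconds) {
    throw "Verification failed: InactivityTimeoutSecs is $after, expected at most $SynapsysSessionTimeoutSeconds."
}
Write-Host "Verified: InactivityTimeoutSecs = $after"
```

Run it as `.\Set-SynapsysLockTimeout.ps1 -SynapsysSessionTimeoutSeconds <value>` on each Synapsys workstation. On domain-joined machines a Group Policy setting for the same security option will overwrite this local value at the next policy refresh, so the matching timeout should also be set in the GPO that applies to those workstations; the local check above still confirms what is in effect.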

BD has alerted CISA, the FDA, and ISACs about the vulnerabilities under its responsible vulnerability disclosure policy.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
