The U.S. Department of Homeland Security said yesterday that certain Becton Dickinson Pyxis medication-dispensing cabinets are vulnerable to unauthorized users within a local hospital network.
The Franklin Lakes, N.J.-based company said it reported the vulnerability to federal officials. The weakness would have allowed someone with expired credentials to access patient data and medications. The company said a software update will resolve the issue.
“BD is not aware of any instances in which patient data was viewed, without authorization, due to this vulnerability,” the company said in a notice to information sharing and analysis organizations. “Any access by an expired user would be logged appropriately by the system and is viewable in all available reporting.”
An unauthorized user would have to log in using the system’s Active Directory, and the device would have to be connected to the hospital domain, which BD said is “a rare configuration.” Systems that do not use Active Directory are not affected by this vulnerability, the government said.
The problem affects BD Pyxis enterprise server versions 1.3.4 through 1.6.1 and the Pyxis enterprise server with Windows server versions 4.4 through 4.12.
BD recommended that healthcare facilities remove expired users from the Active Directory that grants access to the Pyxis ES system and not put those systems on the hospital’s domain.
“As a best practice, customers should not rely on expiration dates to remove users from their hospitals’ Active Directory system,” the company added.
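The two recommendations above amount to one control: an account that has passed its expiration date must also be disabled and dropped from whatever group grants Pyxis ES access, rather than left to the expiration date alone. The following PowerShell script is an added example of how a hospital’s AD administrators could audit for that gap; it is not code from the article or from BD. It assumes the RSAT ActiveDirectory module is installed on a domain-joined admin workstation, and the group name `PYXIS-ES-Users` is a placeholder for whichever group your Pyxis ES integration actually uses.

```powershell
# Added example (not from the article or BD): find Active Directory accounts that
# have passed their expiration date but are still enabled and/or still members of
# the group that grants Pyxis ES access, then optionally remediate them.
# Assumes the RSAT ActiveDirectory module; the group name is an assumed placeholder.

param(
    # Placeholder: replace with the group your Pyxis ES integration really uses.
    [string]$PyxisAccessGroup = 'PYXIS-ES-Users',
    # Dry run by default; pass -Enforce to actually remove and disable accounts.
    [switch]$Enforce
)

Import-Module ActiveDirectory

# All user accounts whose AccountExpirationDate is already in the past.
$expired = Search-ADAccount -AccountExpired -UsersOnly |
    Get-ADUser -Properties AccountExpirationDate, Enabled

# Current members of the access group (nested groups expanded), keyed by DN
# so the membership check below is a hash lookup rather than a nested loop.
$groupMembers = @{}
Get-ADGroupMember -Identity $PyxisAccessGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { $groupMembers[$_.distinguishedName] = $true }

# An expired account is a finding if it is still enabled or still in the group;
# either condition means the expiration date is the only thing "removing" it.
$findings = foreach ($u in $expired) {
    $inGroup = $groupMembers.ContainsKey($u.DistinguishedName)
    if ($u.Enabled -or $inGroup) {
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            ExpiredOn      = $u.AccountExpirationDate
            StillEnabled   = $u.Enabled
            InPyxisGroup   = $inGroup
        }
    }
}

$findings | Format-Table -AutoSize

if ($Enforce) {
    foreach ($f in $findings) {
        # Drop group membership first, then disable, so the account loses the
        # Pyxis entitlement even if the disable step fails part-way.
        if ($f.InPyxisGroup) {
            Remove-ADGroupMember -Identity $PyxisAccessGroup -Members $f.SamAccountName -Confirm:$false
        }
        if ($f.StillEnabled) {
            Disable-ADAccount -Identity $f.SamAccountName
        }
    }
}
```

Run it without `-Enforce` first and review the table; once the list is trusted, schedule it with `-Enforce` so expired accounts are cleaned up on a cadence instead of lingering. The findings can also be cross-checked against the Pyxis access logs BD mentions, since any login by an expired user should appear there.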
BD said it has created an update that removes access to the file-sharing part of the Pyxis network. The company will provide more details, including on how to implement the fix, within 60 days.