A medical device company has issued a high-priority security warning about some of its products.
BD said the vulnerability is related to certain Pyxis medication dispensing products installed with the same default local operating system or domain-joined server credentials.
"If exploited, threat actors may be able to gain privileged access to the underlying file system and could potentially exploit or gain access to [electronic protected health information] or other sensitive information," the May 31 warning stated. "To exploit this vulnerability, threat actors would have to gain access to the default credentials, infiltrate a facility's network, and gain access to individual devices and/or servers."
BD said its support personnel will work with customer representatives on domain-joined server credentials that require updates and is also recommending:
1. Limiting physical access to only authorized personnel.
2. Tightly controlling management of system passwords provided to authorized users.
3. Monitoring and logging network traffic attempting to reach the affected products for suspicious activity.
4. Isolating affected products in a secure virtual local area network or behind firewalls with restricted access that only permits communication with trusted hosts in other networks when needed.
5. Working with the local BD support team to ensure that patching and virus definitions are up to date.
The vulnerability score was rated "high," according to the Forum of Incident Response and Security Teams. The company said it reported the vulnerability to the FDA and Department of Homeland Security.