by
John R. Fischer, Senior Reporter | December 07, 2022
BD's CME BodyGuard 323 Color Vision is one of the pumps with the cybersecurity vulnerability
Medtech company BD announced last week that a defect in some of its BodyGuard infusion pumps could allow online attackers to hack in and disable the pump, putting patient lives in jeopardy.
The pumps, which are not sold in the U.S., are vulnerable through their RS-232 (serial) port interface. The associated risk has been categorized by BD as "Medium" because it can not be exploited remotely.
"A physical attack vector is required to exploit this vulnerability on the BD BodyGuard pump," the company said in a statement. "A threat actor would have to physically connect to the enabled RS-232 interface — which limits the attack surface. A successful attack against the pump via the RS-232 interface would require the attacker to have some knowledge of the pump to execute successful commands."
This notification applies to the following BD BodyGuard products:
- BD BodyGuard
- CME BodyGuard 323 (2nd Edition)
- CME BodyGuard 323 Color Vision (2nd Edition)
- CME BodyGuard 323 Color Vision (3rd Edition)
- CME BodyGuard Twins (2nd Edition)
A missing protection mechanism for an alternate hardware interface is required to fix the issue.
The pumps store no electronic or nonelectronic health information or personally identifiable information, according to a statement from the U.S. Cybersecurity and Infrastructure Security Agency (CISA). Nevertheless, it encourages providers to make sure physical access controls are in place to reduce risks and only allow authorized users to access the pump. They should also connect only BD-approved equipment to the RS-232 interface and not connect equipment to the interface during infusions.
