Becton, Dickinson and Company (BD) manufactures Pyxis stations and an ePHI system used to dispense medications, normally in a hospital setting. The Cybersecurity and Infrastructure Security Agency (CISA) issued advisory ICSMA-22-151-01, carrying a CVSS v3 score of 8.8, on May 31st, after discovering that BD Pyxis products may have been installed and left operating with default local operating system credentials or default domain-joined server credentials. An attacker who knows those defaults may obtain privileged access to the Pyxis operating system and use that foothold to attempt access to other ePHI systems.
CISA reports that BD recommends the following compensating controls for users of Pyxis products utilizing default credentials:
Limit physical access to only authorized personnel.
Tightly control management of system passwords provided to authorized users.
Monitor and log network traffic attempting to reach the affected products for suspicious activity.
Isolate affected products in a secure VLAN or behind firewalls with restricted access that only permits communication with trusted hosts in other networks, when needed.
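The last two controls work together: once the stations sit in their own VLAN with a short list of trusted hosts, any other traffic aimed at that VLAN is worth an alert. The script below is an added example, not BD's or CISA's code, that applies such an allowlist to firewall log lines; the VLAN, trusted hosts, ports and log format are all constructed assumptions for illustration.

```python
import ipaddress
import re

# Assumed layout (constructed for this example): the VLAN holding the Pyxis
# stations, and the trusted hosts allowed to reach it, with the ports each
# is expected to use. Anything else touching the VLAN is reported.
PYXIS_VLAN = ipaddress.ip_network("10.50.0.0/24")
TRUSTED_HOSTS = {
    "10.10.1.5": {443},            # pharmacy application server (HTTPS)
    "10.10.1.10": {88, 389, 445},  # domain controller (Kerberos, LDAP, SMB)
}

# Constructed firewall log format; a real export needs its own pattern.
LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
                    r"dport=(?P<dport>\d+) action=(?P<action>ALLOW|DENY)$")

def classify(line):
    """Return None for benign traffic, else a short reason it is suspicious.
    Denied attempts are reported too: the advisory asks to watch traffic
    attempting to reach the products, not only traffic that got through."""
    m = LOG_RE.match(line.strip())
    if not m:
        return "unparseable log line"
    if ipaddress.ip_address(m["dst"]) not in PYXIS_VLAN:
        return None  # not aimed at the affected products
    src, dport, action = m["src"], int(m["dport"]), m["action"]
    if src not in TRUSTED_HOSTS:
        return f"untrusted host {src} tried port {dport} ({action})"
    if dport not in TRUSTED_HOSTS[src]:
        return f"trusted host {src} used unexpected port {dport} ({action})"
    return None

def scan(lines):
    """Return (timestamp, reason) pairs for every suspicious line."""
    return [(line.split(" ", 1)[0], classify(line))
            for line in lines if classify(line) is not None]

# Constructed sample log: two legitimate connections, a denied RDP attempt
# from an untrusted workstation, a trusted host on a port it never uses, and
# one flow that does not involve the Pyxis VLAN at all.
SAMPLE_LOG = [
    "2022-06-01T08:00:01 src=10.10.1.5 dst=10.50.0.12 dport=443 action=ALLOW",
    "2022-06-01T08:00:05 src=10.10.1.10 dst=10.50.0.12 dport=445 action=ALLOW",
    "2022-06-01T08:01:10 src=10.20.3.77 dst=10.50.0.12 dport=3389 action=DENY",
    "2022-06-01T08:02:00 src=10.10.1.5 dst=10.50.0.12 dport=22 action=ALLOW",
    "2022-06-01T08:03:30 src=10.10.1.5 dst=10.10.2.9 dport=443 action=ALLOW",
]

for ts, reason in scan(SAMPLE_LOG):
    print(ts, reason)
```

Feeding the same allowlist to the firewall itself enforces the isolation control, while this scan covers the monitoring control by surfacing attempts the firewall blocked.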
Click on the CISA logo below to read the source advisory and follow its link to the BD notice.
Stay (HIPAA) safe, Alan -