Feds Issue Alerts for Several Medical Device Security Flaws

Federal authorities have issued advisories about security vulnerabilities identified in several medical device products, including various genetic testing and sequencing devices from manufacturer Illumina Inc. and certain automated medication dispensing systems and microbiology software products from Becton, Dickinson & Co. The U.S. Cybersecurity and Infrastructure Security Agency in its alert says the vulnerabilities include flaws that, if exploited, could allow attackers to gain access to data or in some cases control of the affected products. The Food and Drug Administration, which issued a related alert for healthcare providers, says the affected Illumina IVD products are medical devices that may be specified either for clinical diagnostic use in sequencing a person's DNA or testing for various genetic conditions. "Illumina has confirmed a security vulnerability affecting software in certain Illumina desktop sequencing instruments," the company says in a statement provided to Information Security Media Group.

CISA issued two separate alerts Monday pertaining to certain BD product security vulnerabilities. The CISA alerts include a warning that exploitation of a "not using password aging" vulnerability identified in certain BD Pyxis automated medication dispensing system products that could allow an attacker to gain privileged access to the underlying file system or electronic protected health information or other sensitive information. An advisory issued by BD about the vulnerability says the company is currently strengthening credential management capabilities in BD Pyxis products. Luz notes that BD discovered the recent Synapsys and Pyxis device vulnerabilities internally, "which proves their investment in product security and by reporting it to CISA and H-ISAC they also demonstrate their care informing all stakeholders to have this fixed quickly," he says.