December 2024: New Cybersecurity Risks in Healthcare from BD Diagnostic Solutions

December 2024 brings a new cybersecurity challenge for the healthcare industry, as a vulnerability in multiple BD Diagnostic Solutions products has been uncovered. This flaw, assigned the identifier CVE-2024-10476, poses a significant risk with a CVSS v3.1 base score of 8.0, signifying a high-severity threat. With many of these systems operating in healthcare facilities worldwide, swift action is imperative to safeguard sensitive data and clinical operations.
Let's unpack what this vulnerability entails, why it matters, and what steps you can take if your environment includes these solutions.

Overview of the BD Diagnostic Solutions Vulnerability

What Happened?

The vulnerability stems from the use of default credentials across various diagnostic systems produced by Becton, Dickinson and Company (BD). Default credentials, typically left in place for manufacturer or technical support access, are a significant cybersecurity weakness. If left unchanged, they act like a "skeleton key," granting attackers relatively easy access to critical systems.
Exploitation of this vulnerability could allow a threat actor to:
  • Gain unauthorized access to sensitive tools.
  • Modify or delete critical data, including potentially protected health information (PHI) or personally identifiable information (PII).
  • Shut down systems, disrupting essential clinical operations.
Put simply, exploitation of this flaw could jeopardize patient safety and the effectiveness of clinical operations, making it a matter of national and global concern.

Which Products Are Affected?

According to BD, the following diagnostic equipment is exposed to this risk (all versions are impacted):
  • BD BACTEC Blood Culture System
  • BD COR System
  • BD EpiCenter Microbiology Data Management System
  • BD MAX System
  • BD Phoenix M50 Automated Microbiology System
  • BD Synapsys Informatics Solution
Notably, BD Synapsys is only impacted when running on a NUC server. Systems running on customer-provided virtual machines or BD Kiestra SCU hardware are not affected.
The inclusion of critical devices like blood culture systems only heightens the urgency, as these systems are often foundational in infection detection and management.

Vulnerability Details: Use of Default Credentials (CWE-1392)

Why is this Significant?

Default credentials are catalogued by the Common Weakness Enumeration (CWE) as CWE-1392: Use of Default Credentials. Unless the credentials are replaced, an attacker who knows them can:
  • Modify device settings.
  • Alter sensitive logs.
  • Access confidential clinical data.
The CVSS vector string provided for CVE-2024-10476 outlines the potential impact:
  • Attack Vector (AV): Adjacent – Exploitation requires access to the same local network (not remotely accessible).
  • Attack Complexity (AC): Low – The exploit is relatively simple to execute.
  • Privileges Required (PR): Low – The attacker needs only a low-privileged account on the system.
  • Overall Impact: High on confidentiality, integrity, and availability (C:H/I:H/A:H).
This is no hypothetical problem—left unmitigated, bad actors could wreak havoc on clinical operations relying on these systems.

Mitigation Measures Recommended by BD and CISA

Reducing the exploitation risk is critical, and mitigation plans are already outlined. BD has begun notifying users and working with facilities to update credentials and strengthen localized defenses.

Immediate Actions You Should Take

  1. Update Credentials:
    • Change every default password to a strong, unique credential.
    • Notify your IT or clinical risk management team to reset access policies for any affected device.
  2. Physical Security:
    • Ensure systems are maintained in physically secure environments, limiting exposure to unauthorized physical access.
  3. Network Safeguards:
    • Isolate the devices: Place affected equipment in a secure VLAN or behind a firewall with minimal external access.
    • Disable unnecessary communication services like Remote Desktop Protocol (RDP) that are not essential for operation.
    • Monitor traffic logs for suspicious activity targeting medical systems.
  4. Restrict User Access:
    • Limit system access to authorized personnel within clinical settings.
    • Tighten password policies and ensure credentials are distributed securely.
  5. Consider Network Independence:
    • Where feasible, disconnect systems from the broader network when online connectivity is not necessary. This reduces the exposure of medical devices to potential network intrusions.
  6. Implement Secure VPNs:
    • If remote access is required, ensure it is routed via secure Virtual Private Networks (VPNs) – but remember, even VPNs must be maintained and updated to remain secure.
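Steps 1, 3 and 4 above only pay off if someone checks that the shared or vendor accounts are actually confined to the device VLAN. The following detector is an added example (not from BD, CISA or the original post) that runs that check over Windows logon events exported from an instrument workstation; the subnets, host names, account names and log lines are all constructed.

```python
# Added example: flag remote logons by watched accounts from outside the device
# VLAN, and bursts of failed logons against them (password guessing). All policy
# values and the log export below are constructed placeholders, not BD values.
import ipaddress
from collections import Counter

DEVICE_VLAN = ipaddress.ip_network("10.20.30.0/24")      # hypothetical instrument VLAN
ALLOWED_MGMT = {ipaddress.ip_address("10.20.31.10")}    # hypothetical jump host
WATCHED_ACCOUNTS = {"bdservice", "administrator"}       # placeholder shared/vendor accounts
FAILURE_THRESHOLD = 5

# Constructed export: timestamp, event id (4624 success / 4625 failure),
# account, source IP, logon type (2 interactive, 3 network, 10 RDP)
SAMPLE_LOG = """\
2024-12-18T08:01:12 4624 bdservice 10.20.31.10 10
2024-12-18T08:05:40 4624 bdservice 192.168.7.55 10
2024-12-18T08:09:03 4625 administrator 192.168.7.55 3
2024-12-18T08:09:04 4625 administrator 192.168.7.55 3
2024-12-18T08:09:05 4625 administrator 192.168.7.55 3
2024-12-18T08:09:06 4625 administrator 192.168.7.55 3
2024-12-18T08:09:07 4625 administrator 192.168.7.55 3
2024-12-18T08:30:00 4624 labtech 10.20.30.7 2
"""

def parse_line(line):
    ts, event_id, account, src, logon_type = line.split()
    return {"ts": ts, "event": int(event_id), "account": account.lower(),
            "src": ipaddress.ip_address(src), "type": int(logon_type)}

def analyse(log_text):
    """Return (reason, detail) findings; an empty list means nothing to escalate."""
    findings = []
    failures = Counter()
    for raw in log_text.strip().splitlines():
        ev = parse_line(raw)
        remote = ev["type"] in (3, 10)
        outside = ev["src"] not in DEVICE_VLAN and ev["src"] not in ALLOWED_MGMT
        if ev["event"] == 4624 and ev["account"] in WATCHED_ACCOUNTS and remote and outside:
            findings.append(("watched account logon from outside device VLAN", raw))
        if ev["event"] == 4625 and ev["account"] in WATCHED_ACCOUNTS:
            failures[(ev["account"], ev["src"])] += 1
    for (account, src), n in failures.items():
        if n >= FAILURE_THRESHOLD:
            findings.append(("repeated failures against watched account", f"{account} from {src} x{n}"))
    return findings

if __name__ == "__main__":
    for reason, detail in analyse(SAMPLE_LOG):
        print(f"ALERT: {reason}: {detail}")
```

On the constructed export it raises two alerts: the successful bdservice RDP logon from 192.168.7.55 and the five failed administrator attempts from the same host, while the jump-host logon and the local technician logon stay silent.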

Additional Recommendations by CISA

The Cybersecurity and Infrastructure Security Agency (CISA) advises organizations to:
  • Perform impact and risk analyses before implementing security patches.
  • Follow best practices for ICS cybersecurity, such as:
    • Defense-in-depth—layered security controls at distinct levels.
    • Secure logging and tracking mechanisms for anomalies.
  • Report any suspected malicious activity to CISA or local authorities for correlation against wider threats.

Key Note:

The BD RSS platform and Synapsys running on specific configurations (e.g., Kiestra SCU hardware) are outside the scope of this vulnerability.

The Broader Implications for Healthcare IT

Healthcare providers heavily rely on diagnostic technologies for quick and accurate patient care. Any interruption or exploitation increases risks not only for individuals (data breaches, misdiagnosis) but could also have cascading effects across hospital networks.

Why Default Credentials Are a Widespread Issue

The use of default credentials is not new, but its persistence across critical infrastructure demonstrates a gap in security hygiene. Systems often ship with well-known credentials intended to streamline technical support, and those credentials are then overlooked or ignored in the rush to deploy. This negligence opens the door to:
  • Insider threats from disgruntled employees who gain unauthorized administrative control.
  • Accidental device exposure on public-facing networks due to misconfigured security postures.
Considering the reach of BD systems, which are deployed worldwide, this vulnerability is emblematic of the cybersecurity challenges across medical and industrial control environments.

Closing Thoughts & Call to Action

The lesson here is clear: complacency in device security can have dire consequences. For Windows users in medical IT or industrial environments, consider using tools like credential managers, network segmentation strategies, and air-gapped systems where possible. On a broader scale, this issue should push healthcare vendors and IT professionals to reevaluate default configurations as part of their security protocols.
Are you doing enough to fortify your systems? Let’s get the conversation going—drop your thoughts, questions, or tips in the comments below. Don’t let something as simple as a default password turn into a healthcare disaster.

Stay tuned to WindowsForum.com for more in-depth discussions about vulnerabilities from CISA, ICS, and the cybersecurity landscape. Together, let’s keep our systems—and our patients—safe.

Source: CISA BD Diagnostic Solutions Products