true
BD Kiestra™ - Temporary Exposure of a Service Credential Not Used by Customers

Background

BD communicates with our customers about cybersecurity vulnerabilities to help healthcare providers manage potential risks through awareness and guidance.

This notification provides product security information and recommendations related to a publicly available credential used in specific configurations of BD Kiestra™. The credential is used and managed only by BD personnel and not used by the customers.

As a routine practice, BD has voluntarily shared this information with the U.S. Food and Drug Administration (FDA), the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) and Information Sharing and Analysis Organi zations (ISAOs) where BD participates. Read Coordinated Vulnerability Disclosure to learn more about our disclosure process.

Products in Scope

This notification applies to the following products:

  • BD Kiestra™ Total Lab Automation (TLA) with a Systems Control Unit (SCU)
  • BD Kiestra™ Work Cell Automation (WCA) with a Systems Control Unit (SCU)
  • BD Kiestra™ ReadA with a Systems Controls Unit (SCU)

Publicly Available Credential Details

During routine security monitoring of the BD network, a publicly available internet-based service was used by a BD associate for file analysis. During the analysis, an activity report was generated that contained a BD Kiestra™ credential. Since the service was publicly available, the report containing the information was also public, meaning the credential was temporarily on the Internet. BD engaged the service’s support team to remove the report from public access. There is no evidence that the credential was viewed or accessed while on the Internet.

In order to leverage the credential, threat actors would first need to obtain the credential, infiltrate a facility’s network, and gain logical access to the BD Kiestra™ Systems Control Unit (SCU).

The credential is not known or used by customers. It is managed and used by BD regional Customer Support Center associates for servicing the BD Kiestra™ SCU. Additionally, this credential does not grant privileges to view or access any sensitive information within the product.

BD assessed this vulnerability for potential patient safety impact and determined that there is no risk to patients. If exploited, the Systems Control Unit would continue to conduct its current task and then shut down.

Mitigations & Compensating Controls

BD is proactively working with customers to change the credential. BD recommends the following mitigations and compensating control(s) to reduce risk that may be associated with this credential exposure:

  • Ensure physical access controls to the BD Kiestra™ systems are in place.
  • Ensure only authorized end-users have access to the BD Kiestra™ systems and/or hospital network. 
  • Monitor network(s) for rogue traffic and malicious packets.
  • Ensure industry standard network security policies and procedures are followed.

Additional Resources

For product- or site-specific concerns, contact your BD service representative.