
BD BodyGuard Pumps Vulnerability

CISA Advisory includes a missing protection mechanism for alternate hardware interface vulnerability that could allow an attacker to change configuration settings or disable the pump




Threat details

Introduction

The US Cybersecurity and Infrastructure Security Agency (CISA) has released Medical Advisory ICSMA-22-335-01 for a vulnerability affecting BD BodyGuard infusion pumps. The advisory states that successful exploitation could allow an attacker to change configuration settings or disable the pump. An attacker must have physical access to the pump to carry out the attack; it cannot be exploited over a network.


Vulnerabilities

CVE-2022-43557 - CWE-1299 - MISSING PROTECTION MECHANISM FOR ALTERNATE HARDWARE INTERFACE

The affected BD BodyGuard infusion pumps accept access through their RS-232 (serial) port interface. CWE-1299 describes an alternate hardware interface that lacks the protection mechanisms applied to the product's primary interface, so an attacker with physical access, specialised equipment and knowledge of the interface could use the serial port to configure or disable the pump. No electronic protected health information (ePHI), protected health information (PHI) or personally identifiable information (PII) is stored on the pump, so the impact is to integrity and availability of infusion delivery rather than to confidentiality. A CVSS v3 base score of 5.3 has been calculated.
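To make the weakness class concrete, the following is an added illustration written for this page. It is not BD firmware and does not reflect the BodyGuard or BodyComm serial protocol; the hypothetical controller, its command names (STATUS, START, STOP, SET_RATE), the keypad lock and service-mode states and the access policy are all assumptions made for the example. The vulnerable dispatcher checks the keypad lock only for commands arriving from the front panel, so the RS-232 port bypasses it entirely, which is the CWE-1299 pattern. The hardened dispatcher applies one policy to both interfaces, restricts the serial port to read-only telemetry unless a clinician has enabled service mode from the panel, and refuses serial writes while an infusion is running, which mirrors the mitigation of keeping the RS-232 port disconnected during delivery.

```c
/* Added example: hypothetical infusion-pump command dispatcher showing
 * CWE-1299 and a hardened equivalent. Not BD code; all names are assumed. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Two paths by which a command can reach the controller. */
typedef enum { IF_PANEL = 0, IF_SERIAL = 1 } iface_t;

typedef struct {
    double rate_ml_h;      /* programmed infusion rate */
    bool   infusing;       /* delivery in progress */
    bool   panel_unlocked; /* clinician has entered the keypad lock code */
    bool   service_mode;   /* hardened build: serial writes enabled from panel */
} pump_t;

enum { PUMP_OK = 0, PUMP_DENIED = -1, PUMP_BADCMD = -2 };

/* Shared executor: performs the state change, enforces no policy. */
static int execute(pump_t *p, const char *cmd)
{
    double rate;
    if (strcmp(cmd, "STATUS") == 0) return PUMP_OK;
    if (strcmp(cmd, "STOP") == 0)   { p->infusing = false; return PUMP_OK; }
    if (strcmp(cmd, "START") == 0)  { p->infusing = true;  return PUMP_OK; }
    if (sscanf(cmd, "SET_RATE %lf", &rate) == 1 && rate > 0.0) {
        p->rate_ml_h = rate;
        return PUMP_OK;
    }
    return PUMP_BADCMD;
}

static bool is_readonly(const char *cmd) { return strcmp(cmd, "STATUS") == 0; }

/* Vulnerable dispatcher (CWE-1299): the keypad lock is only checked for the
 * front panel, so the RS-232 port reaches every command unauthenticated. */
int pump_handle_vulnerable(pump_t *p, iface_t src, const char *cmd)
{
    if (src == IF_PANEL && !p->panel_unlocked && !is_readonly(cmd))
        return PUMP_DENIED;
    return execute(p, cmd);
}

/* Hardened dispatcher: the same policy is applied to every interface. */
int pump_handle_hardened(pump_t *p, iface_t src, const char *cmd)
{
    if (is_readonly(cmd))
        return execute(p, cmd);            /* telemetry is fine from anywhere */
    if (src == IF_PANEL)
        return p->panel_unlocked ? execute(p, cmd) : PUMP_DENIED;
    /* Serial writes only in service mode, and never during an infusion. */
    if (!p->service_mode || p->infusing)
        return PUMP_DENIED;
    return execute(p, cmd);
}

/* Service mode can only be toggled from the panel by an unlocked clinician,
 * and cannot be switched on while delivery is in progress. */
int pump_set_service_mode(pump_t *p, iface_t src, bool on)
{
    if (src != IF_PANEL || !p->panel_unlocked) return PUMP_DENIED;
    if (on && p->infusing) return PUMP_DENIED;
    p->service_mode = on;
    return PUMP_OK;
}

int main(void)
{
    /* Constructed scenario: pump is infusing, keypad locked, serial attached. */
    pump_t pump = { 10.0, true, false, false };
    int rc = pump_handle_vulnerable(&pump, IF_SERIAL, "STOP");
    printf("vulnerable: serial STOP -> rc=%d infusing=%d\n", rc, pump.infusing);

    pump = (pump_t){ 10.0, true, false, false };
    rc = pump_handle_hardened(&pump, IF_SERIAL, "STOP");
    printf("hardened:   serial STOP -> rc=%d infusing=%d\n", rc, pump.infusing);
    return 0;
}
```

The point of the split between `execute` and the two dispatchers is that the fix is not a second copy of the lock check bolted onto the serial path, but a single policy function that every hardware interface must pass through; an interface added later (a USB service port, a dock connector) then inherits the policy rather than silently bypassing it.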


Remediation advice

Affected organisations should review CISA Medical Advisory ICSMA-22-335-01 and apply any relevant mitigations.

CISA recommends the following mitigations:

  • Ensure physical access controls are in place so that only authorised users can reach the affected pumps.
  • Ensure only BD-approved equipment is connected to the RS-232 interface of the affected pumps.
  • While the affected pumps are delivering infusions, ensure no equipment is connected to the RS-232 interface.
  • Protect computer systems running BodyComm software, which connect to the pumps over this interface, with standard security measures.


Last edited: 2 December 2022 12:28 pm