BD is upping its game on cybersecurity

BD (NYSE: BDX) is touting that it is the first medical technology company authorized as a Common Vulnerabilities and Exposures (CVE) Numbering Authority by the CVE Program.

BD officials say the authorization further boosts the company’s healthcare cybersecurity leadership. Cybersecurity has become a major issue for the medical device industry, with FDA even appointing its first medtech cybersecurity chief this year.

“The CVE Program is the de facto international standard for vulnerability identification and naming,” CVE board member Chris Levendis said in a June 2 news release from BD. “Being authorized as a CVE Numbering Authority demonstrates mature vulnerability management practices and a strong commitment to cybersecurity. By making accurate and timely vulnerability information available, CNAs like BD help their customers streamline early-stage vulnerability management.”

BD has developed a mature Coordinated Vulnerability …


DHS warns on Philips patient monitoring systems

Philips IntelliVue MX750

The U.S. Department of Homeland Security warned of several vulnerabilities in patient monitors made by Royal Philips (NYSE:PHG).

Amsterdam-based Philips’ Patient Information Center iX, PerformanceBridge Focal Point, IntelliVue Patient Monitors MX100, MX400-MX850 and MP2-MP90 and IntelliVue X2 and X3 were all listed among the affected equipment in a DHS release.

Potential vulnerabilities within those devices include improper neutralization of formula elements in a CSV file, cross-site scripting, improper authentication, improper check for certificate revocation, improper handling of length parameter inconsistency, improper validation of syntactic correctness of input, improper input validation and exposure of resource to wrong sphere.

According to DHS, these vulnerabilities can be exploited by those with low skill levels and, if done successfully, it could lead to …


Labor unions, environmental groups demand federal action on PPE

A group of labor unions and environmental organizations is petitioning the Trump Administration to mandate production of personal protective equipment (PPE) using the Defense Production Act.

The petition, submitted Aug. 11 to the U.S. departments of Health and Human Services and Homeland Security, dovetails with the FDA’s issuance on Monday of its first list of PPE shortages, which includes surgical gowns, gloves, testing supplies and ventilation-related products for the sickest patients. PPE shortages have plagued the U.S. since the COVID-19 pandemic spread to this country.

Get the full story on our sister site, Medical Design & Outsourcing.


B. Braun, Baxter, CareStream, Green Hills affected by Ripple20 cyber vulnerabilities

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said it is aware of vulnerabilities affecting Treck IP stack implementations for embedded systems.

Known as Ripple20, the vulnerabilities allow a remote attacker to exploit and take control of an affected system, according to the CISA statement.

Among the affected companies were B. Braun, Baxter (NYSE:BAX), Green Hills Software and CareStream. CISA encouraged affected users and administrators to review the affected products for additional information and mitigations, as well as to update to the latest stable version of the Treck IP stack software.

B. Braun issued a statement saying that it is aware of the notification from CISA, sharing that the vulnerabilities exist in the third-party software used for network communication in its Outlook 400ES safety infusion pump system.

The company said it received 24 patches from Treck to resolve vulnerabilities, determining that 20 patche…


Baxter systems flagged for cybersecurity vulnerabilities

The U.S. Department of Homeland Security released notices citing cyber vulnerabilities with four devices made by Baxter (NYSE:BAX).

Included among the devices listed by DHS were Baxter’s PrismaFlex/PrisMax devices, its ExactaMix, its Phoenix hemodialysis delivery system and its Sigma Spectrum infusion pumps.

All four notices included warnings regarding the devices’ cleartext transmission of sensitive information. According to the notices, the affected devices do not implement data-in-transit encryption when configured to send treatment data to a patient data management system (PDMS), which could make the devices vulnerable to an attacker seeking to observe sensitive data.

The PrismaFlex system for acute kidney injury and the PrisMax system for delivering continuous renal replacement therapy and therapeutic plasma exchange both had vulnerabilities with improper authentication, meaning the devices could be susceptible to an attacker modifying t…
