Briefs

Cyber Vulnerabilities Reported in Becton Dickinson’s Alaris Plus Syringe Pumps

The Department of Homeland Security warned that Becton Dickinson’s Alaris Plus medical syringe pump is vulnerable to a remote attacker gaining unauthorized access and gaining control of the pump when it’s connected to a terminal server via the serial port.

BD reported that the affected pumps are sold in the European Union. The vulnerable pumps include the Alaris GS, Alaris GH, Alaris CC, and the Alaris TIVA.

The cybersecurity firm CyberMDX discovered the vulnerability, and BD reported it to the DHS Industrial Control Systems Cyber Emergency Response Team. BD said the vulnerability can’t be accessed if the device is connected to the Alaris Gateway workstation docking station and an attacker can’t switch the device on remotely.

The attack uses a known vulnerability in terminal servers, the devicemaker said, and users should understand that the device does not support terminal server use. To mitigate risk, users should ensure they are operating the devices in a segmented network environment or as a stand-alone device, BD said.

The National Cybersecurity and Communications Integration Center recommended the following defensive measures to minimize risk:

• Minimize network exposure for all control system devices and systems and ensure that they are not accessible to the internet;
• Locate control system networks and remote devices behind firewalls, and isolate them from the business network; and
• When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

India’s CDSCO Releases Guidance on Evaluating IVDs

Manufacturers of in vitro diagnostic devices in India must submit performance reports issued by central medical device testing laboratories with their Class B, Class C and Class D IVD applications, India’s Central Drugs Standard Control Organization said.

Under new medical device rules that became effective Jan. 1, laboratories that test medical devices and in vitro diagnostics must register with the agency.

The registrations will allow CDSCO and other government agencies to maintain updated information on all laboratories involved in testing of medical devices and IVDs. No laboratory may be designated without first being accredited by the National Accreditation Board for Testing and Calibration Laboratories.

Laboratories that go through the accreditation process will need to inform CDSCO about which IVDs can be tested at their facilities, as well as the persons involved in the testing.

The CDSCO notice lists specific labs for specific tests. It notes that laboratories must be accredited by the National Accreditation Board for Testing and Calibration Laboratories, the National Accreditation Board for Hospitals and Healthcare Providers, the Central Government or State Government laboratory or the Central Licensing Authority.

Egypt Rolls Out Broader Device Regulations

Egypt’s Central Administration for Pharmaceutical Affairs is now requiring all medical devices to be registered.

Devicemakers should consult with the agency to see what documentation is required to review their technical files and re-register their devices. The agency said that if devices meet requirements they can remain in circulation, but devices that fail to meet requirements will be pulled from the market.

Previously, only sterile devices needed to be registered with the Egyptian regulator.