Appreciating the various types of dispensing cabinets and associated vulnerabilities

June 11, 2020

Consider vulnerabilities that can be exploited remotely and the level of skill required to execute exploitation.

Earlier this month, I wrote an article addressing the importance of including automated dispensing cabinets (“ADCs”) in the annual risk analysis, which is required under the Health Insurance Portability and Accountability Act of 1996, Pub. L. 104-191 (Aug. 1996) (“HIPAA”) Security Rule, 45 CFR § 164.30(a)(1)(ii)(A). In light of the spikes in cybercrime attacks on the healthcare sector and other sectors during the coronavirus pandemic, this is one area not to overlook, because hospitals, as well as other providers and business associates, are “deeply vulnerable” to attacks.

In order to further clarify vulnerabilities associated with ADCs, I drew on my past experiences as an operating room aide, a dietary aide, and a spinal implant sales representative, where I saw various types of ADCs utilized on a daily basis. First, let’s look at the cabinets that are similar to ADCs but dispense items other than medications. For example, Becton, Dickinson and Company (“BD”) is a market leader in medication and supply management platforms. Both kinds of platform are meant to document utilization, require each medical staff member to log in with an individual username and password, and either create, receive, maintain or transmit protected health information (“PHI”) in relation to the items (i.e., medication or supplies) being dispensed and charged to a particular patient.

Having established that an ADC or other supply management platform should be part of any risk analysis, there are some key items to focus on. First, consider vulnerabilities that can be exploited remotely. Second, look at the level of skill required to exploit the vulnerability. Next, look at the adequacy of policies and procedures. Finally, assess the various technical, administrative and physical safeguard requirements of the Security Rule in relation to prevention, detection and correction. 


Here are some specific examples, which the Department of Homeland Security (“DHS”) noted as being problematic for BD:

  • ICS Medical Advisory (ICSMA-19-248-01) – “BD reports this vulnerability was remediated in the latest software release; however, BD has been unsuccessful in reproducing this issue since initially testing and reproducing it earlier in the year [2019].”

  • ICS Advisory (ICSMA-18-114-10) – a critical vulnerability, “reusing a nonce,” was found to affect a variety of BD products (e.g., BD Pyxis Anesthesia ES, BD Pyxis MedStation ES and BD Pyxis Supply Station). A “nonce” is a “number used once.” Reusing a nonce destroys the confidentiality of the messages or transmissions it was meant to protect.

  • ICS Advisory (ICSA-14-288-01) – an independent researcher identified authentication vulnerabilities in CareFusion’s Pyxis SupplyStation; yet, BD only mitigated some of these issues. “The Pyxis SupplyStation system contains a hard-coded service password that grants administrator privileges by default. A remote attacker may be able to compromise the device if an attacker is able to defeat the network and/or physical security of the facility in which the SupplyStation system is deployed. Physical access to the device is required to remove contents of the automated supply cabinet.”
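The nonce-reuse advisory above (ICSMA-18-114-10) is a good place to show concretely what “losing confidentiality” means. The Python below is an added illustration, not BD’s code and not a detail of the advisory: it uses a constructed HMAC-based stream cipher and constructed dispense records to show that encrypting two messages under the same key and nonce hands their XOR to any passive observer, while a fresh nonce per message, backed by a guard that refuses reuse, does not.

```python
import hashlib
import hmac
import secrets

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Illustrative stream cipher (HMAC-SHA256 in counter mode): same key and nonce, same keystream.
    out, block = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))

def encrypt_guarded(seen: set, key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    # Defensive control: refuse to encrypt twice under the same (key, nonce) pair.
    if (key, nonce) in seen:
        raise ValueError("nonce reuse under this key refused")
    seen.add((key, nonce))
    return encrypt(key, nonce, plaintext)

# Constructed sample data; not taken from any real device or advisory.
KEY = hashlib.sha256(b"constructed-demo-key").digest()
NONCE = b"\x01" * 12
MSG1 = b"DISPENSE patient=0001 item=gauze  qty=02"
MSG2 = b"DISPENSE patient=0002 item=saline qty=10"

def demo_reuse() -> bool:
    # Reused nonce: XORing the ciphertexts cancels the keystream and hands m1 XOR m2 to any observer.
    c1, c2 = encrypt(KEY, NONCE, MSG1), encrypt(KEY, NONCE, MSG2)
    return xor_bytes(c1, c2) == xor_bytes(MSG1, MSG2)

def demo_fresh_nonces() -> bool:
    # Fresh random 96-bit nonce per message: the ciphertext XOR no longer equals m1 XOR m2.
    c1, c2 = (encrypt(KEY, secrets.token_bytes(12), m) for m in (MSG1, MSG2))
    return xor_bytes(c1, c2) != xor_bytes(MSG1, MSG2)

def demo_guard_refuses_reuse() -> bool:
    # The guard passes the first message and rejects a second one under the same nonce.
    seen = set()
    encrypt_guarded(seen, KEY, NONCE, MSG1)
    try:
        encrypt_guarded(seen, KEY, NONCE, MSG2)
    except ValueError:
        return True
    return False
```

The same cancellation applies to any stream or counter-mode cipher (AES-CTR and AES-GCM included), which is why a risk analysis should ask how each device generates and tracks its nonces, not only whether it “encrypts.”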

Additionally, in 2016, security researchers found 1,417 remotely exploitable flaws in CareFusion’s Pyxis SupplyStation. “715 of those vulnerabilities in ‘automated supply cabinets used to dispense medical supplies’ have a severity rating of high or critical.” 


The takeaways from this article and the article published earlier this month cannot be stressed enough. Many covered entities and business associates overlook automated dispensing machines in their risk analysis, despite knowing that cybercriminals are looking for ways to exploit vulnerabilities in the healthcare sector. In light of COVID-19 and the increase in cyberattacks, an adequate risk analysis, together with policies, procedures and related controls, is crucial.

Rachel V. Rose, JD, MBA, advises clients on compliance and transactions in healthcare, cybersecurity, corporate and securities law, while representing plaintiffs in False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.