On March 29, 2016, the US Department of Homeland Security (through ICS-CERT) issued an advisory on vulnerabilities in the CareFusion Pyxis SupplyStation System, noting that an attacker with low skill could exploit them. Specific mitigations listed in the advisory include:
- Isolate affected products from the Internet and untrusted systems; however, if additional connectivity is required, use a VPN solution.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPN products may themselves have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the devices connected to it.
- Monitor and log all network traffic attempting to reach the affected products for suspicious activity.
- Close all unused ports on affected products.
- Locate medical devices and remote devices behind firewalls, and isolate them from the business network.
- Work with the local IT team to ensure all Microsoft patches and ESET virus definitions are up to date. A Security Module for automated WSUS patching and virus definition management is provided to all accounts. SupplyStation Version 8 and Version 9 have been upgraded to ESET.
- If pcAnywhere is used and has not been upgraded to Version 12.5 Service Pack 4, contact CareFusion’s Customer Support to schedule an upgrade or to have it removed.
- Use the extended password feature configured for strong passwords, enable the password history tracking feature, and set user passwords to expire according to site policy.
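The monitoring, port-closure and isolation items above are easier to act on with concrete detection logic. The following is an added example, not code from the advisory, DHS or CareFusion: it scans firewall-style log lines for traffic to or from the SupplyStation hosts and flags three conditions the advisory warns about: inbound connections from anywhere other than a trusted management subnet, connections to ports the device is not expected to expose (candidates for closing), and outbound connections from the device to non-private addresses. The host addresses, management subnet, allowed port list, log format and the sample log lines are all constructed for this example; pcAnywhere's data port is assumed to be its usual default, TCP 5631.

```python
import ipaddress
import re
from dataclasses import dataclass

# Assumed inventory (constructed for this example; use the site's own records):
SUPPLYSTATION_HOSTS = {
    ipaddress.ip_address("10.20.5.10"),
    ipaddress.ip_address("10.20.5.11"),
}
# Only this subnet is permitted to reach the devices (isolation from the business network).
MANAGEMENT_NET = ipaddress.ip_network("10.20.1.0/24")
# Services the devices are expected to expose; anything else is an "unused port" candidate.
ALLOWED_PORTS = {
    ("tcp", 443),   # assumed: vendor management console over TLS
    ("tcp", 5631),  # pcAnywhere data port (assumed default), management subnet only
}
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed key=value log format produced by the perimeter firewall.
LOG_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+proto=(?P<proto>\w+)\s+dport=(?P<dport>\d+)")


@dataclass
class Finding:
    line_no: int
    rule: str
    detail: str


def is_private(addr) -> bool:
    """True if addr falls inside an RFC 1918 range (treated as 'not the Internet')."""
    return any(addr in net for net in PRIVATE_NETS)


def analyze(lines):
    """Return a list of Findings for log lines that violate the isolation/port policy."""
    findings = []
    for no, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue  # unparseable line; a production tool would count these too
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        proto, dport = m["proto"].lower(), int(m["dport"])

        if dst in SUPPLYSTATION_HOSTS:
            if src not in MANAGEMENT_NET:
                findings.append(Finding(no, "inbound-from-untrusted",
                                        f"{src} -> {dst}:{dport}/{proto}"))
            if (proto, dport) not in ALLOWED_PORTS:
                findings.append(Finding(no, "unexpected-port",
                                        f"{dst} received {proto}/{dport} from {src}"))
        elif src in SUPPLYSTATION_HOSTS and not is_private(dst):
            findings.append(Finding(no, "outbound-to-internet",
                                    f"{src} -> {dst}:{dport}/{proto}"))
    return findings


def ports_to_review(findings):
    """Distinct (proto, port) pairs seen in 'unexpected-port' findings: the close-or-justify list."""
    ports = set()
    for f in findings:
        if f.rule == "unexpected-port":
            proto_port = f.detail.split(" received ")[1].split(" from ")[0]
            proto, port = proto_port.split("/")
            ports.add((proto, int(port)))
    return sorted(ports)


# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    "src=10.20.1.5 dst=10.20.5.10 proto=tcp dport=443",      # management console: fine
    "src=10.20.1.5 dst=10.20.5.10 proto=tcp dport=5631",     # pcAnywhere from management net: fine
    "src=10.30.7.22 dst=10.20.5.10 proto=tcp dport=5631",    # pcAnywhere from business LAN
    "src=10.20.1.5 dst=10.20.5.11 proto=tcp dport=445",      # SMB: not an allowed service
    "src=10.20.5.11 dst=203.0.113.9 proto=tcp dport=80",     # device reaching the Internet
    "src=198.51.100.4 dst=10.20.5.11 proto=tcp dport=3389",  # RDP from the Internet
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.rule}: {f.detail}")
    print("ports to close or justify:", ports_to_review(analyze(SAMPLE_LOG)))
```

Run against the constructed lines, the script reports the three policy violations (lines 3 to 6; line 6 trips both the untrusted-source and unexpected-port rules) and produces a short list of ports to close or explicitly justify. Feeding it real firewall exports requires only adjusting `LOG_RE` and the inventory constants.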
You can see the Advisory at this link: US Homeland Security Advisory (ICSMA-16-089-01)