Alaris™ Gateway Workstation and Alaris™ Gateway Workstation web browser user interface (MDA/2019/040)

Manufactured by Becton Dickinson – if a software security vulnerability is exploited, an attacker with malicious intention could remotely install unauthorised firmware.

Action

  • Identify affected devices in your organisation.

  • Ensure that staff are aware of the recommendations given in the manufacturer's Customer Letter.

  • Make sure staff know that the manufacturer has developed a way to fix the product security vulnerability; this was released in October 2019 and is available for download from the BD website here

  • The link is password protected. Use the following log in details to access it:
    Username: uk-tech
    Password: safe8belt

  • Once logged in, you will find the instructions in the file called BDPB00106 and the CAB file is in the folder called Release.

  • Documentation is also available on the BD website using the same log in details as above

  • Report suspected or actual adverse events involving these devices through your local incident reporting system and/or your national incident reporting authority as appropriate: England, Scotland, Northern Ireland, Wales. You should also report directly to manufacturers if your local or national systems do not.

Action by

All medical, nursing and technical staff involved in the use and maintenance of these devices.

Deadlines for actions

Actions underway:11 December 2019

Actions complete:27 December 2019

Problem/background

The Alaris Gateway Workstation is aimed at integrating infusion data with a hospital's central clinical information system.

Alaris Gateway Workstation:

Potential vulnerability that can impact the Workstation. If exploited, this vulnerability may allow an attacker with malicious intention to remotely install unauthorised firmware.

Alaris Gateway Workstation web browser user interface:

Potential vulnerability that can impact the user interface in standalone configuration only. If exploited, this vulnerability may allow an attacker with knowledge of the IP address of the Alaris Gateway Workstation terminal to gain access to information on the web browser user interface.

Manufacturer contacts

Becton Dickinson

Tel: 0800 917 8776 option 2, option 3

Email: BDUK_CustomerService@bd.com

Distribution

If you are responsible for cascading these alerts in your organisation, these are our suggested distribution lists.

Trusts (NHS boards in Scotland)

CAS and NICAS liaison officers for onward distribution to all relevant staff including:

• All departments

• All staff

• All wards

• Ambulance services directors

Independent distribution

Establishments registered with the Care Quality Commission (CQC) (England only)

• Hospitals in the independent sector

Please note: CQC and OFSTED do not distribute these alerts. Independent healthcare providers and social care providers can sign up to receive MDAs directly from the Central Alerting System (CAS) by sending an email to: safetyalerts@mhra.gov.uk and requesting this facility.

Enquiries

England

Send enquiries about this notice to MHRA, quoting reference number MDA/2019/040 or 2019/006/014/302/001

Technical aspects

Guido Fumagalli or David Grainger, MHRA

Tel: 020 3080 6000

Email: DSS-TM@mhra.gov.uk

Clinical aspects

Devices Clinical Team, MHRA

Tel: 020 3080 7274

Email: dct@mhra.gov.uk

To report an adverse incident involving a medical device in England use the Yellow Card reporting page

Northern Ireland

Northern Ireland Adverse Incident Centre (NIAIC), CMO Group, Department of Health (Northern Ireland)

Tel: 028 9052 3868

Email: niaic@health-ni.gov.uk

To report an adverse incident involving a medical device in Northern Ireland use the forms on the website.

Alerts in Northern Ireland are distributed via the NICAS system.

Scotland

Incident Reporting and Investigation Centre (IRIC), Health Facilities Scotland, NHS National Services Scotland

Tel: 0131 275 7575

Email: nss.iric@nhs.net

To report an adverse incident involving a medical device in Scotland, email IRIC to request a webform account.

For more information, or if you can't access the webform, visit the website: how to report an adverse incident

Wales

Population Healthcare Division, Welsh Government

Tel: 03000 255278 or 03000 255510

Email: Haz-Aic@gov.wales

To report an adverse incident involving a medical device in Wales, use the Yellow Card reporting page and follow specific advice for reporting in Wales in MDA/2004/054 (Wales).

Download documents

MDA-2019-040

Published 27 November 2019