Multiple security vulnerabilities with Baxter’s Internet-Connected Infusion Pumps making them vulnerable to hacker attacks. The infusion pumps are used by healthcare professionals in clinical environments to dispense medication to patients.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) in a coordinated advisory said “Successful exploitation of these vulnerabilities could result in access to sensitive data and alteration of system configuration.”
Infusion pumps are internet-enabled devices that hospitals use to deliver medication and nutrition directly into the circulatory system of a patient.
The following are four vulnerabilities in Baxter’s Sigma Spectrum Infusion system that were discovered by cyber-security firm Rapid7, and reported in April 2022.
- Sigma Spectrum v6.x model 35700BAX
- Sigma Spectrum v8.x model 35700BAX2
- Baxter Spectrum IQ (v9.x) model 35700BAX3
- Sigma Spectrum LVP v6.x Wireless Battery Modules v16, v16D38, v17, v17D19, v20D29 to v20D32, and v22D24 to v22D28
- Sigma Spectrum LVP v8.x Wireless Battery Modules v17, v17D19, v20D29 to v20D32, and v22D24 to v22D28
- Baxter Spectrum IQ LVP (v9.x) with Wireless Battery Modules v22D19 to v22D28
Flaws Discovered in Baxter’s Internet-Connected Infusion Pumps
- CVE-2022-26390 (CVSS score: 4.2) – Storage of network credentials and patient health information (PHI) in unencrypted format
- CVE-2022-26392 (CVSS score: 2.1) – A format string vulnerability when running a Telnet session
- CVE-2022-26393 (CVSS score: 5.0) – A format string vulnerability when processing Wi-Fi SSID information, and
- CVE-2022-26394 (CVSS score: 5.5) – Missing mutual authentication with the gateway server host
If an attacker can exploit the above vulnerabilities, it could cause a remote denial-of-service attack or allow an individual to extract sensitive information.
A security researcher warns that the vulnerabilities in the D-Link Deco could result in a “loss of critical Wi-Fi password data” and grant greater access to networks that aren’t properly segmented.
One advisory said that the issues only affect customers if they use the wireless capabilities of Spectrum Infusion System. However, it could lead to a possible delay in treatment should the flaws be used on purpose.
The company said, the vulnerabilities in the Wireless Battery Module could result in disruption of it’s operation, disconnection from a network, changes to the module’s configuration, or exposure of data stored on it.
These latest findings suggest how common software vulnerabilities continue to plague the medical industry, which should be concerning given its potential impact on patient care.
In March, Palo Alto Networks Unit 42 publicly announced that there were 39 vulnerabilities in infusion pumps. They warned healthcare systems about the need for security.
The most important thing to do when getting rid of a pump is to make sure that all data and settings are erased from the pump.
Businesses must design and execute procedures to properly delete data that identifies or illuminates people’s personal preferences, habits, and other data before they resell their medical device.
Ensure that the medical areas have strong physical security and are isolated from other networks. Implement a system of network segmentation so that no unauthorized communication can take place between general or business networks and medical devices.