Multiple security vulnerabilities have been discovered in Baxter’s internet-connected infusion pumps used by healthcare professionals in clinical settings to dispense medication to patients.
“Successful exploitation of these vulnerabilities could result in access to sensitive data and alteration of system configuration,” the US Cybersecurity and Infrastructure Security Agency (CISA) said in a coordinated advisory.
Infusion pumps are internet-enabled devices used by hospitals to deliver medication and nutrition directly into a patient’s circulatory system.
The four vulnerabilities in question, discovered by cybersecurity firm Rapid7 and reported to Baxter in April 2022, affect the following Sigma Spectrum Infusion systems –
- Sigma Spectrum v6.x model 35700BAX
- Sigma Spectrum v8.x model 35700BAX2
- Baxter Spectrum IQ (v9.x) model 35700BAX3
- Sigma Spectrum LVP Wireless Battery Modules v6.x v16, v16D38, v17, v17D19, v20D29 to v20D32 and v22D24 to v22D28
- Sigma Spectrum LVP Wireless Battery Modules v8.x v17, v17D19, v20D29 to v20D32 and v22D24 to v22D28
- Baxter Spectrum IQ LVP (v9.x) with Wireless Battery Modules v22D19 to v22D28
The list of detected flaws is below –
- CVE-2022-26390 (CVSS Score: 4.2) – Storing network credentials and patient health information (PHI) in unencrypted format
- CVE-2022-26392 (CVSS Score: 2.1) – A format string vulnerability when running a Telnet session
- CVE-2022-26393 (CVSS Score: 5.0) – A format string vulnerability when processing Wi-Fi SSID information, and
- CVE-2022-26394 (CVSS Score: 5.5) – Missing mutual authentication with gateway server host
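CVE-2022-26393 is described here only as a format string flaw in Wi-Fi SSID processing. The following added example (not Baxter's code and not taken from the advisory; the function names and log format are hypothetical) shows the general defensive pattern in C: treat the SSID as untrusted bytes, pass it only as an argument to a constant format string, and escape non-printable bytes before logging.

```c
#include <stdio.h>
#include <string.h>

#define SSID_MAX 32  /* 802.11 SSID: 0-32 arbitrary octets, not NUL-terminated */

/* Escape an SSID into printable ASCII. Bytes outside 0x20-0x7e, plus '\\'
 * and '"', become \xNN so logs and terminals never see raw control bytes.
 * Returns the escaped length, or -1 if the input or buffer is invalid. */
int ssid_escape(const unsigned char *ssid, size_t len, char *out, size_t outsz)
{
    size_t o = 0;
    if (ssid == NULL || out == NULL || len > SSID_MAX || outsz < 4 * len + 1)
        return -1;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = ssid[i];
        if (c >= 0x20 && c <= 0x7e && c != '\\' && c != '"')
            out[o++] = (char)c;
        else
            o += (size_t)snprintf(out + o, outsz - o, "\\x%02x", (unsigned)c);
    }
    out[o] = '\0';
    return (int)o;
}

/* UNSAFE pattern (shown only as a comment): the SSID is the format string,
 * so conversion specifiers inside it are interpreted:
 *     snprintf(line, linesz, ssid);
 * Safe pattern below: constant format string, SSID passed as an argument. */
int log_ssid(const unsigned char *ssid, size_t len, char *line, size_t linesz)
{
    char esc[4 * SSID_MAX + 1];
    if (ssid_escape(ssid, len, esc, sizeof esc) < 0)
        return -1;
    int n = snprintf(line, linesz, "wifi: scan result ssid=\"%s\"", esc);
    return (n < 0 || (size_t)n >= linesz) ? -1 : n;  /* reject truncation */
}

int main(void)
{
    /* Constructed sample SSID containing conversion specifiers. */
    const unsigned char ssid[] = "%x%x%n lab";
    char line[256];
    if (log_ssid(ssid, sizeof ssid - 1, line, sizeof line) > 0)
        puts(line);
    return 0;
}
```

Compiling with `-Wformat -Wformat-security` flags the unsafe pattern when a non-literal string is used as a format.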
Successful exploitation of the above vulnerabilities could cause a remote denial of service (DoS), or enable an attacker with physical access to the device to extract sensitive information or conduct reverse man-in-the-middle attacks.
The vulnerabilities could further result in a “loss of critical Wi-Fi password data, which could lead to greater network access if the network is not properly segmented,” Deral Heiland, principal IoT security researcher at Rapid7, told Hacker News.
Baxter, in an advisory, emphasized that the problems only affect customers using the wireless capabilities of the Spectrum Infusion System, but also warned that they could lead to a delay or interruption of therapy if the flaws are exploited.
“If exploited, the vulnerabilities could result in disruption of [Wireless Battery Module] operation, disconnecting the WBM from the wireless network, changing the configuration of the WBM, or exposing data stored on the WBM,” the company said.
The latest findings are another indication of how common software vulnerabilities continue to plague the medical industry, a worrying development given their potential implications for patient care.
That said, this isn’t the first time that security flaws in infusion pumps have come under the scanner. Earlier this March, Palo Alto Networks Unit 42 revealed that a vast majority of infusion pumps were exposed to nearly 40 known vulnerabilities, highlighting the need to secure healthcare systems from security threats.
Baxter is recommending customers ensure that all data and settings are erased from disabled pumps, place infusion systems behind a firewall, implement network segmentation, and use strong wireless network security protocols to prevent unauthorized access.
It is essential to “implement processes and procedures to manage the de-acquisition of medical technology, [and] to ensure that PII and/or configuration data such as Wi-Fi, WPA, PSK, etc., are purged from devices prior to resale or transfer to another party,” Heiland said.
“Maintain strong physical security in and around medical areas containing MedTech equipment, as well as areas with access to a biomed network. Implement network segmentation for all biomed networks to prevent other general or business networks from communicating with the MedTech equipment.”