Tech & Innovation in Healthcare

Industry Notes:

Beware Vulnerabilities in Certain Infusion Pumps

Healthcare organizations using Baxter Sigma Spectrum and Baxter Spectrum infusion pumps should take notice of a new ICS Medical Advisory issued by the Cybersecurity & Infrastructure Security Agency (CISA) on Sept. 8, 2022.

In the advisory, CISA details the vulnerabilities that cyber threat actors can remotely exploit. By taking advantage of the vulnerabilities, malicious actors could access sensitive data and alter system configurations. The latter can pose dire health risks to patients.

The infusion pump models affected by the vulnerabilities include:

  • Baxter Sigma Spectrum v6.x
  • Baxter Sigma Spectrum v8.x
  • Baxter Spectrum IQ (v9.x)
  • Baxter Sigma Spectrum LVP v6.x wireless battery modules
  • Baxter Sigma Spectrum LVP v8.x wireless battery modules
  • Baxter Spectrum IQ LVP (v9.x) with wireless battery modules

(Refer to the CISA advisory for specific model numbers affected.)

In the advisory, CISA lists the vulnerabilities as the following:

  • Missing authentication for critical function: This weakness could allow the threat actor to carry out a “machine-in-the-middle” attack in which the actor can alter parameters and cause the network connection to fail.
  • Use of externally controlled format string: By using format string attacks via application messaging, the threat actor could read the memory in the wireless battery module to access sensitive information or cause a denial-of-service (DoS) condition on select wireless battery module models.
  • Missing encryption of sensitive data: Affected devices store patient health information (PHI) and network credentials in unencrypted form. Once decommissioned, the device should be wiped of all data and settings because a threat actor with physical access to the device could extract sensitive information.

Baxter has issued software updates that patch the format string vulnerability for select models, and the company has stated it is working on software updates to disable Telnet and FTP. Baxter also recommended erasing data and settings on wireless battery modules and pumps before removing them from use and transferring the devices to other facilities.

In addition to the manufacturer’s mitigation measures listed in the advisory, CISA recommends that users of the Baxter pumps take defensive measures to protect against threat actors exploiting these vulnerabilities. However, organizations should “perform proper impact analysis and risk assessment prior to deploying defensive measures,” the agency wrote in the advisory.