Baxter’s internet-connected infusion pumps, used in clinical settings by healthcare providers to administer medication to patients, have been found to contain a number of security flaws.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) stated in a joint advisory that “the successful exploitation of these vulnerabilities could result in access to sensitive data and manipulation of system settings.”

Hospitals employ internet-connected infusion pumps to administer nutrients and drugs straight into a patient’s circulatory system. 

The four vulnerabilities, which were identified by cybersecurity firm Rapid7 and reported to Baxter in April 2022, affect the following Sigma Spectrum Infusion systems.

  • Sigma Spectrum v6.x model 35700BAX 
  • Sigma Spectrum v8.x model 35700BAX2 
  • Baxter Spectrum IQ (v9.x) model 35700BAX3 
  • Sigma Spectrum LVP v6.x Wireless Battery Modules v16, v16D38, v17, v17D19, v20D29 to v20D32, and v22D24 to v22D28 
  • Sigma Spectrum LVP v8.x Wireless Battery Modules v17, v17D19, v20D29 to v20D32, and v22D24 to v22D28 
  • Baxter Spectrum IQ LVP (v9.x) with Wireless Battery Modules v22D19 to v22D28 
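
For asset triage, the affected Wireless Battery Module (WBM) versions listed above can be matched against a pump inventory. This is an added example, not code from Baxter, Rapid7 or CISA; the family keys (`v6`, `v8`, `v9`), the inventory layout and the sample rows are constructed, and it assumes a bare entry such as `v17` matches only that exact version string.

```python
import re

# Affected WBM versions, copied from the list above and keyed by pump
# software family. The keys are labels chosen for this example.
AFFECTED_WBM = {
    "v6": "v16, v16D38, v17, v17D19, v20D29 to v20D32, and v22D24 to v22D28",
    "v8": "v17, v17D19, v20D29 to v20D32, and v22D24 to v22D28",
    "v9": "v22D19 to v22D28",
}

_VER = re.compile(r"v(\d+)(?:D(\d+))?$", re.IGNORECASE)

def parse_version(text):
    """'v20D31' -> (20, 31); bare 'v17' -> (17, -1). Raises ValueError otherwise."""
    m = _VER.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised WBM version: {text!r}")
    return int(m.group(1)), int(m.group(2)) if m.group(2) else -1

def parse_affected(spec):
    """Turn the advisory wording into inclusive (low, high) version pairs."""
    ranges = []
    for item in re.split(r",\s*(?:and\s+)?", spec):
        low, _, high = item.partition(" to ")
        lo = parse_version(low)
        ranges.append((lo, parse_version(high) if high else lo))
    return ranges

def is_affected(family, wbm_version):
    """True if wbm_version is listed as affected for the given pump family."""
    ver = parse_version(wbm_version)
    return any(lo <= ver <= hi for lo, hi in parse_affected(AFFECTED_WBM[family]))

def triage(inventory):
    """Return asset tags whose WBM version appears in the affected list."""
    return [tag for tag, family, wbm in inventory if is_affected(family, wbm)]

# Constructed inventory rows: (asset tag, pump family, WBM version).
SAMPLE = [
    ("PUMP-001", "v6", "v16D38"), ("PUMP-002", "v8", "v20D30"),
    ("PUMP-003", "v9", "v22D18"), ("PUMP-004", "v9", "v22D27"),
    ("PUMP-005", "v8", "v16"),
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A version string the parser does not recognise raises `ValueError` rather than being silently treated as unaffected, so unexpected inventory values surface for manual review.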

The Flaws

The list of flaws uncovered is below: 

  • CVE-2022-26390 (CVSS score: 4.2) – Storage of network credentials and patient health information (PHI) in unencrypted format 
  • CVE-2022-26392 (CVSS score: 2.1) – A format string vulnerability when running a Telnet session 
  • CVE-2022-26393 (CVSS score: 5.0) – A format string vulnerability when processing Wi-Fi SSID information
  • CVE-2022-26394 (CVSS score: 5.5) – Missing mutual authentication with the gateway server host 

Successful exploitation of these flaws could result in a remote denial-of-service (DoS), or allow an attacker with physical access to the device to steal sensitive data or launch adversary-in-the-middle attacks.

According to Deral Heiland, principal security researcher for IoT at Rapid7, the vulnerabilities might also lead to a loss of critical Wi-Fi password data. This could lead to larger network access should the network not be adequately segmented. 

In a warning, Baxter highlighted that the problems only affect users of the Spectrum Infusion System’s wireless features. But it also cautioned that, should the bugs be exploited, they might cause a delay or halt in therapy. 

The Issues

According to the company, “if exploited, the vulnerabilities could lead to [Wireless Battery Module] operation disruption, disconnection from the wireless network, modification of the WBM’s settings, or exposure of data stored on the WBM.”

The most recent discoveries are yet another example of how widespread software vulnerabilities continue to plague the medical sector. This is a worrying trend considering how they might impair patient care. 

Infusion pump security issues have been the subject of scrutiny before. Palo Alto Networks Unit 42 revealed earlier that a vast majority of infusion pumps were vulnerable to over 40 known flaws. These findings underscore the necessity of protecting healthcare systems from security risks.

Baxter advises clients to use strong wireless network security standards, keep infusion systems behind a firewall, enforce network segmentation, and delete data and settings from retired pumps.

Heiland said it is essential to create policies and procedures to manage the de-acquisition of medical technology, in order to ensure that PII and/or configuration data, such as Wi-Fi, WPA, PSK, etc., are deleted from the devices before they are sold or transferred to another party.

Maintain tight physical security in and around medical facilities that house MedTech devices and facilities accessing biomedical networks. Implement network segmentation for all biomedical networks to prohibit communication between MedTech devices and other public or commercial networks.