CISA issues advisory after vulnerabilities found on Baxter infusion pumps

Dive Brief:

• Baxter is working to patch software on its Sigma Spectrum Infusion Pumps after cybersecurity consultants Rapid7 found multiple vulnerabilities.
• The U.S. Cybersecurity and Infrastructure Security Agency said in a Thursday advisory that “successful exploitation of these vulnerabilities could result in access to sensitive data and alteration of system configuration.”
• Baxter’s Sigma products have been the subject of previous cybersecurity warnings, and a recent study found 75% of pumps have vulnerabilities..

Dive Insight:

Researchers flagged cybersecurity concerns about Sigma pumps in 2015 and again in 2020. The latest set of issues relate to a particular firmware version used in the Sigma infusion pump and several versions of its associated WiFi battery.

Baxter has already made authentication available to address one of the vulnerabilities, which could have led to data leaks or manipulation, and has updated its instructions to mitigate the risk that people who acquire batteries on the secondary market will gain access to hospital WiFi credentials. 

“We have not identified any impact to patients or infusions to date. Additionally, we have determined that these vulnerabilities are controlled, meaning they are unlikely to impact patients.” Baxter said in an emailed statement.

Software updates for the other two vulnerabilities are in development. One of the vulnerabilities could allow for a denial of service, making the device unavailable. While Baxter is working on the fixes, users are advised to restrict access to the parts of their networks that contain infusion pumps and to monitor traffic for unauthorized communication.  

”An attacker with physical access to an infusion pump could install a Wi-Fi battery unit, purchased on eBay, and then quickly power-cycle the infusion pump and remove the Wi-Fi battery – allowing them to walk away with critical Wi-Fi data once a unit has been disassembled and reverse engineered,” Rapid7 said in a statement about the findings.

Because the battery units store WiFI credentials in a non-volatile memory, the researchers noted that there is a “risk that when the devices are de-acquisitioned and no efforts are made to overwrite the stored data, anyone acquiring these devices on the secondary market could gain access to critical WiFi credentials of the organization that de-acquisitioned the devices.”

While the performance of the pump could be affected, Baxter said in a safety communication issued Thursday, the vulnerabilities do not directly affect any hardware or software components of the Spectrum pump itself. Still, the company said, a hack of the wireless battery could cause “a delay or interruption of therapy.”

Rapid7 praised “the responsiveness, transparency, and genuine interest shown by Baxter's product security teams.” The firm discovered the vulnerabilities in April and reported them to Baxter later that month, leading to multiple interactions between the teams.

The findings follow earlier reports related to Sigma products and other brands of infusion pumps, such as Becton Dickinson’s Alaris. Separately, Baxter’s Sigma pumps were the subject of a Class I recall that began late last year in response to reports of 51 serious injuries and three deaths over five years.

Updates to include comment from Baxter.

Comments are closed.