Lack of data encryption for Baxter devices flagged in flurry of DHS alerts
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency has posted a barrage of warnings about cyber vulnerabilities affecting four separate Baxter devices.
DHS on Thursday published four alerts, ranging from 7.5 to 8.6 on its 10-point severity scale, about vulnerabilities in Baxter devices including infusion pumps and hemodialysis delivery systems. All the advisories detailed failures to encrypt data during transmission between technologies. The agency also flagged some less serious vulnerabilities impacting other devices sold by BD and Biotronik.
Baxter, which issued its own security bulletins about the devices, wants users to mitigate the risks created by the use of cleartext messaging by isolating certain products on dedicated subnetworks. Other vulnerabilities, such as the hard-coded passwords used by PrismaFlex, have already been fixed through software updates.
The DHS warnings about the Baxter devices relate to cleartext transmission of data and the potential threats to privacy. The use of cleartext messaging by devices during transmission means anyone who can access the data can potentially see sensitive medical information. In the case of Baxter’s Phoenix Hemodialysis Delivery System, using cleartext communication could enable someone with access to the network to view information about the treatment administered to a patient.
Baxter discovered and voluntarily disclosed these vulnerabilities to DHS, which led the agency to issue a clutch of security alerts regarding the company’s Phoenix system and three other devices that use cleartext messaging. The agency said it is most concerned about the vulnerabilities found in Baxter’s Sigma Spectrum Infusion Pumps.
In an advisory, DHS said the pumps suffer from the same cleartext communication problem as the other three Baxter products. The pumps also suffer from five other vulnerabilities, the most serious of which scored 8.6 on the 10-point threat scale.
DHS is most concerned about the embedding of non-encrypted passwords in the source code, and a vulnerability that could allow a hacker see data and change settings on the wireless battery module.
The alert about Baxter’s ExactaMix automated pumping system lists seven vulnerabilities. The agency again highlighted the use of non-encrypted passwords, as well as other issues with how the device handles sensitive data.
DHS’ alert about Baxter’s PrismaFlex and PrisMax devices also detailed the use of cleartext messages and hard-coded passwords. The fourth alert, which addresses Baxter’s Phoenix hemodialysis system, only covers the cleartext communication vulnerability. DHS sees the use of cleartext communication as particularly problematic in the context of the Phoenix system, reflecting the fact that the device sends sensitive treatment and prescription data.
Baxter in a statement to MedTech Dive said the company recently completed an extensive product security assessment of its medical devices and identified vulnerabilities which it considers to be “controlled” risks. However, the medtech said they “do not directly pose a risk to patient safety” and noted it worked with DHS to alert customers.
The flurry of cybersecurity notices mars Baxter’s relatively clean record. The only other notice listed on DHS’ site about a Baxter device dates back to 2015, when the agency flagged up another issue with the wireless battery module used with the company’s Sigma infusion pumps.
DHS on Thursday also posted new notices about BD and Biotronik devices. The Biotronik alert covers a cleartext communication issue, although in that case the vulnerability could only disclose credentials for connecting to remote communication infrastructure. DHS gave the cleartext vulnerability a score of 4.3 on the threat scale. The vulnerability affects CardioMessenger home monitoring units.
The BD alert is unrelated to cleartext communication. Rather, DHS called out BD for a weakness in its Alaris infusion technology that could enable a hacker to disconnect the device from a wireless network. The pump can function without wireless connectivity.