Baxter infusion pumps found to be at risk of remote hacking

Baxter’s infusion pumps are in the crosshairs once again after cybersecurity software developer Rapid7 discovered multiple potential vulnerabilities in the devices.

The Sigma Spectrum infusion pumps are equipped with software that allows them to automatically dole out predetermined quantities of drugs, blood and other fluids via infusion tubes to patients in healthcare settings.

Cybersecurity researchers uncovered a handful of issues in the pump’s internet-connected software and reported them to Baxter in April of this year, according to Rapid7, which publicly disclosed the issues on Thursday.

Among the potential hacking risks is a lack of encryption in the devices, which allows local Wi-Fi network credentials and patient health information to be easily accessed by a hacker with physical access to one of the devices. The system also does not require authentication to connect to a gateway server, giving hackers a way to disrupt the device’s network connection.

Meanwhile, the pumps’ wireless battery modules can also be breached by commands sent remotely via application messaging, which hackers could potentially use to break into the system’s memory and access sensitive patient information or change a device’s settings.

The Cybersecurity & Infrastructure Security Agency, or CISA—housed within the U.S. Department of Homeland Security—handed down a score of 5.5 on a widely used vulnerability scoring system, denoting a “medium” risk associated with the software flaws.

In evaluating the risk of the cybersecurity issues, CISA cited the fact that they could be exploitable remotely and that “successful exploitation of these vulnerabilities could result in access to sensitive data and alteration of system configuration.”

Still, the agency noted, there are no known public exploits specifically targeting the vulnerabilities.

Since Rapid7 began working with Baxter to fix the issues earlier this year, a handful of software updates to mitigate the issues have either already been rolled out or are currently in development.

The company is also working on updating the system’s manual to provide instructions for completely erasing all data and settings from the infusion pumps and their batteries before they’re decommissioned and transferred to other facilities.

Additionally, Baxter recommends that the infusion pumps be connected to their own walled-off corner of a facility’s network, separate from other hospital systems, to reduce online access to the pumps. They should also be protected by the strongest available wireless network security protocols, and users should always monitor for unexpected traffic to the devices’ corner of the network.

Baxter didn’t immediately respond to Fierce Medtech’s request for comment. But in a statement shared by Rapid7, the company reiterated its efforts to mitigate the identified issues and said, “We are committed to working with the security researcher community to verify and respond to legitimate vulnerabilities and ask researchers to participate in our responsible reporting process.”