Sigma Spectrum Infusion Pump (Photo courtesy of Baxter)
Multiple vulnerabilities put Baxter’s Sigma Spectrum Infusion Pumps at risk of hacking and hospital Wi-Fi credential leaks.
The issues pertain to a particular firmware version of the pumps and several versions of its associated Wi-Fi battery, said the U.S. Cybersecurity and Infrastructure Security Agency on September 8, in an advisory.
Since the battery units store Wi-Fi credentials, if a hospital disposes of a device but fails to overwrite the stored data, anyone who acquires the pump on the secondary market could access critical Wi-Fi credentials for the organization. Another vulnerability could result in service being denied, making the device unavailable.
“We have not identified any impact to patients or infusions to date. Additionally, we have determined that these vulnerabilities are controlled, meaning they are unlikely to impact patients,” Baxter told The Detroit News in an emailed statement.
The flaws were discovered in April by cybersecurity consultants Rapid7, who reported them to Baxter later that month. Baxter is currently working on a software patch for the pumps.
The company has enabled authentication to address one vulnerability, which risks creating data leaks or manipulation. It has also updated its instructions to ensure that people who acquire batteries on the secondary market will not be able to access hospital Wi-Fi credentials.
“An attacker with physical access to an infusion pump could install a Wi-Fi battery unit, purchased on eBay, and then quickly power-cycle the infusion pump and remove the Wi-Fi battery — allowing them to walk away with critical Wi-Fi data once a unit has been disassembled and reverse engineered,” said Rapid7.
Baxter is developing a software update for the denial-of-service flaw and a third vulnerability. It says users should restrict access to parts of their networks containing infusion pumps and monitor traffic for unauthorized communication.
The vulnerabilities do not directly affect any hardware or software components, but a hack of the battery could cause “a delay or interruption of therapy,” according to Baxter.
Cybersecurity concerns in the pumps were flagged in 2015 and 2020. Last year, Baxter issued a Class I recall of its Sigma pumps in response to reports of 51 serious injuries and three deaths over five years.
Rapid7 praised “the responsiveness, transparency, and genuine interest shown by Baxter’s product security teams,” in this specific case.