The US Department of Health and Human Services' Health Sector Cyber Coordination Center has warned healthcare entities about serious security issues in two medical device products from Baxter, namely the Baxter Welch Allyn Configuration Tool, and the Baxter Welch Allyn Connex Spot Monitor (CSM).
This follows two ICS Medical Advisories for Baxter products from the Cybersecurity and Infrastructure Security Agency (CISA), which rated the flaws as “high” severity. An attacker who exploits them could obtain sensitive information such as passwords, or alter settings and software on the devices. Such tampering could compromise the devices and disrupt patient care.
The first weakness is classified as CWE-522 (Insufficiently Protected Credentials): the software handles passwords insecurely, leaving them exposed to anyone who can reach where they are stored or transmitted. The second, CWE-1394 (Use of Default Cryptographic Key), covers products that ship with a preset encryption key; if that key is never changed, anyone who knows the vendor default can defeat the protection it was meant to provide.
Baxter advises that any passwords used with the Configuration Tool be changed immediately. Although no attacks have been reported, Baxter plans to release a fix by Q3 2024. CISA said the Welch Allyn Configuration Tool has been removed from public access.
The Baxter Welch Allyn CSM is a device used to measure and monitor patients’ vital signs, including blood pressure, temperature, and pulse rate in a clinical setting. The configuration tool is a software tool used to set up and manage Welch Allyn medical devices.
In September 2022, cybersecurity company Rapid7 reported multiple vulnerabilities in Baxter’s Sigma Spectrum infusion pumps. The flaws included a lack of encryption, the potential for network disruption, and wireless battery modules that could be accessed remotely, allowing an attacker to read sensitive patient data or alter device settings.
Cybercrime involving hospitals and healthcare has been on the rise over the past decade. A report issued by the US Federal Bureau of Investigation (FBI) found that there were 210 ransomware attacks on healthcare facilities in 2022, and that the overall rate of cyberattacks in 2023 was double that of 2021. According to a report on GlobalData’s Medical Intelligence Center, the global cybersecurity market is forecast to be worth $334bn by 2030, growing at a compound annual growth rate (CAGR) of 10% between 2022 and 2030.
Investing in cybersecurity measures is the best way for medical device companies to defend themselves against cyber threats, according to GlobalData analyst Alexandra Murdoch.