HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

4 Vulnerabilities Identified in Baxter & Sigma Spectrum Infusion Pumps

Researchers at Rapid 7 have identified four vulnerabilities in Baxter and Sigma Spectrum infusion pumps, which are used to deliver medications and nutrition to patients. The devices are TCP/IP enabled and are usually connected to healthcare networks. Successful exploitation of the vulnerabilities could allow malicious actors to make system configuration changes and access sensitive patient data.

The vulnerabilities were discovered around 5 months ago and were reported to Baxter. Rapid 7 has been working with Baxter to resolve the medium- and low-severity vulnerabilities and recently published a report on the flaws.

The flaws affected the following Baxter and Sigma Spectrum infusion pumps.

  • Sigma Spectrum v6.x model 35700BAX
  • Sigma Spectrum v8.x model 35700BAX2
  • Baxter Spectrum IQ (v9.x) model 35700BAX3
  • Sigma Spectrum LVP v6.x Wireless Battery Modules v16, v16D38, v17, v17D19, v20D29 to v20D32, and v22D24 to v22D28
  • Sigma Spectrum LVP v8.x Wireless Battery Modules v17, v17D19, v20D29 to v20D32, and v22D24 to v22D28
  • Baxter Spectrum IQ LVP (v9.x) with Wireless Battery Modules v22D19 to v22D28

The Baxter Spectrum WBM (v16, v16D38, v17, v17D19, v20D29 to v20D32) does not perform mutual authentication with the gateway server host. This flaw could be exploited in a machine-in-the-middle attack, which would allow the device parameters to be changed which would cause the network connection to fail. The vulnerability is tracked as CVE-2022-26394 and has a CVSS v3 severity score of 5.5 (medium severity). Authentication is already available in Spectrum IQ which resolves the vulnerability.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

The Baxter Spectrum WBM (v20D29) is susceptible to format string attacks via application messaging. If the flaw is exploited an attacker could read memory in the WBM and access sensitive information. The flaw could also be exploited to cause a denial-of-service condition on the WBM. The vulnerability is tracked as CVE-2022-26393 and has a CVSS v3 severity score of 5.0 (medium severity). The vulnerability has been addressed in WBM version 20D30.

The researchers discovered that network credentials and patients’ protected health information (PHI) are not encrypted in the Baxter Spectrum wireless battery modules. PHI is only stored in Spectrum IQ pumps using auto programming. If an attacker has physical access to a vulnerable device, without all data and settings erased it would be possible to extract sensitive information. The vulnerability is tracked as CVE-2022-26390 and has a CVSS v3 severity score of 4.2 (medium severity). Baxter said it is adding instructions to the Spectrum Operator’s Manual on how to erase all data and settings on WBMs and pumps before decommissioning and transferring the devices to other facilities. The instructions are also detailed in the CISA ICS Medical Advisory.

In superuser mode, the Baxter Spectrum WBM (v16, v16D38) and Baxter Spectrum WBM (v17, v17D19, v20D29 to v20D32) are susceptible to format string attacks via application messaging, which could allow an attacker to read memory in the WBM and access sensitive information. The vulnerability is tracked as CVE-2022-26392 and has a CVSS v3 severity score of 3.1 (low severity). Software updates to disable Telnet and FTP to resolve the vulnerability are in process.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.