Included among the devices listed by DHS were Baxter’s PrismaFlex/PrisMax devices, its ExactaMix, its Phoenix hemodialysis delivery system and its Sigma Spectrum infusion pumps.
All four notices included warnings regarding the devices' cleartext transmission of sensitive information. According to the notices, the affected devices do not implement data-in-transit encryption when configured to send treatment data to a patient data management system (PDMS), which could allow an attacker positioned on the network to observe sensitive data.
The PrismaFlex system for acute kidney injury and the PrisMax system for delivering continuous renal replacement therapy and therapeutic plasma exchange both had improper authentication vulnerabilities, meaning an attacker could modify treatment status information on the devices.
Additionally, according to the notice, the PrismaFlex includes a hard-coded service password with access to biomedical information, device settings, calibration settings and network configuration, which could allow an attacker to modify settings and calibration.
Baxter's ExactaMix automated pumping system also had a hard-coded service password vulnerability, along with missing encryption of sensitive data, improper access control on its USB interface (which an unauthorized user could use), exposure of the operating system to non-administrative users who could edit the application startup script, and improper input validation that can affect the control flow or data flow of the system.
The Phoenix hemodialysis delivery system's only listed vulnerability in the notice was the cleartext transmission issue, as an attacker could observe sensitive information sent between the Phoenix system and the Exalis tool.
Finally, the Sigma Spectrum infusion pumps also had hard-coded password vulnerabilities, as well as incorrect permission assignments for data stored on the wireless battery module (WBM), which permit temporary configuration changes. When configured for wireless networking, the pumps are also affected by an operation-on-a-resource-after-expiration-or-release vulnerability, which persists until the WBM is rebooted.
“We recently completed an extensive product security assessment of Baxter medical devices in use, including older versions of our products,” a Baxter spokesperson told MassDevice in a statement. “Our review identified a small number of vulnerabilities which are considered controlled risks that do not directly pose a risk to patient safety.
“Consistent with industry best practices, Baxter is voluntarily disclosing vulnerabilities in Sigma Spectrum, ExactaMix, Phoenix, Prismaflex and PrisMax devices. Baxter has worked with the Department of Homeland Security to release ICS-CERT security advisories and publish security bulletins on Baxter’s product security website to make customers and stakeholders aware of potential security issues and to share recommended mitigation actions.”