Researchers from Rapid7 found multiple vulnerabilities in Baxter SIGMA Spectrum Infusion Pump and SIGMA Wi-Fi battery TCP/IP-enabled medical devices. The flaws could be exploited to access sensitive data and alter system configurations. Rapid7 alerted Baxter to the vulnerabilities in April. Baxter recommends ensuring all data and settings are wiped from devices before decommissioning them, placing devices behind hospital firewalls or on their own network VLAN, using strong wireless network security protocols, and, as a last resort, disabling wireless operation.
- Wiping all WiFi devices before decommissioning is vital because too many of them, including Baxter’s pumps, store WiFi credentials in non-volatile memory. The usual segmentation advice is true for any OT type technology, and even vulnerable IT devices and guest logins.
- These devices have FTP and Telnet services enabled, and the firmware update is needed to disable them. Make sure that you’ve isolated them, using firewalls, separate VLANs, etc. If you’re using Wi-Fi, ensure that you’re using current wireless security. Hint: an open access point or a captive portal isn’t sufficient. As a last resort you can operate these without a network; note that this impacts the ability to deliver formulary (drug library) updates to them.