stnazkul - stock.adobe.com

DHS CISA: Serious Vulnerabilities Found in 6 Medical Device Systems

System vulnerabilities found in medical devices from Baxter and Biotronik could allow an attacker to compromise patient information and alter system configurations if exploited.

The Department of Homeland Security Cybersecurity and Infrastructure Security Agency issued alerts for vulnerabilities found in six different medical devices manufactured by Biotronik, Baxter, and BD Alaris.

If exploited, some of these flaws could enable a hacker to launch a DDOS attack or alter system configurations or device data, as well as compromise patient information.

Four of the six flaws are found in Baxter medical devices: ExactaMix, PrismaFlex and PrimsaMax, Sigma Spectrum Infusion Pumps, and Hemodialysis Delivery System. The vulnerabilities were identified by the the manufacturer and reported to CISA.

The flaws in the PrismaFlex and PrimsaMax devices pertain to the system’s method of cleartext transmission of sensitive data, along with hard-coded passwords and improper authentication. If a hacker successfully exploited the flaw with network access, they could view and change device data.

Vulnerabilities found in the infusion pumps also involve hard-coded passwords and cleartext data transmission, in addition to incorrect assignment of permissions to critical resources and operations after a release of expiration.

A successful exploit of the infusion pump flaws could allow an attacker to access sensitive device data, change system configurations, and alter system availability.

The ExactaMix flaws are found in its employment of hard-coded passwords, cleartext data transmission, and improper access controls, along with improper input validation and a lack of encryption on sensitive data. One vulnerability also exposes resources to the wrong sphere.

If exploited, a threat actor could access system data, alter system configurations and resources, and interrupt system availability.

Lastly, flaws in the Phoenix system again pertain to the cleartext data transmission. A hacker could exploit the flaw to gain unauthorized network access and view sensitive information.

Baxter Mitigation Steps

Phoenix flaws can be mitigated by ensuring an organization has employed defense-in-depth cybersecurity measures, including proper network segmentation, which would ensure the devices only reside on dedicated subnetworks. The devices must be the only ones present within it.

For remote connections, the subnetwork must remain dedicated through the use of a Virtual Private Network connection. Each network segment must be firewalled, while IT administrators must routinely scan for unauthorized network access, vulnerabilities, and viruses.

“Users should also identify, analyze, evaluate and control all risks associated with integration of medical devices in an enterprise network,” Baxter officials wrote. “Subsequent changes to the enterprise network could introduce new risks and require new analysis.”

For the impacted infusion pumps, organizations must ensure the devices are leveraging appropriate access controls to prevent unauthorized access. The devices should be isolated to their own network VLAN to segregate the system from other hospital systems and reduce the probability that a hacker would launch a man-in-the-middle attack.

Further, IT administrators must ensure the use of wireless network security protocols to authenticate and encrypt wireless data sent to and from the infusion pump, while monitoring for and or blocking unexpected traffic, such as FTP.

“Customers should ensure the Wireless Battery Module is rebooted after configuration for their network(s) by removing the WBM from the rear of the Spectrum device for 10-15 seconds, and then re-attaching the WBM,” Baxter officials wrote.

“As a last resort, customers may disable wireless operation of the pump,” they added. “The Spectrum Infusion System was designed to operate without network access. This action would impact an organization’s ability to rapidly deploy drug library (formulary) updates to their pumps.”

Baxter previously launched its Spectrum IQ Infusion System, which does not contain these critical vulnerabilities.

The flaws in the PrismaFlex and PrisMax devices can be mitigated by limiting physical access to the device and training personnel that have been granted elevated privileges to the devices.

Lastly, organizations can mitigate ExactaMix vulnerabilities through the implementation of compensating controls, such as ensuring appropriate physical controls, keeping passwords confidential, and using the device only for its intended purpose.

Network segmentation should also be employed, while blocking all non-required communication through the firewall and ACL configuration. Organizations will need to follow up to ensure security patches are up-to-date, while following proper backup and storage procedures.

BD and Biotronik Flaws, Mitigation

CISA also alerted to flaws found in BD Alaris and Biotronik devices. A vulnerability in BD Alaris PCU infusion pump would allow an attacker to launch a DDoS attack on the targeted system, which could also allow the device to disconnect from the healthcare enterprise’s wireless network.

The flaw is tied to a Linux Kernal flaw within the Wi-Fi module of the device.

“Wireless functionality operates independently from the pump system and a disruption in wireless connectivity would not affect pump module functionality,” according to the alert.

“Exploiting this vulnerability would not provide administrative access to the BD Alaris PC Unit or the BD Alaris Systems Manager,” it continued. “An unauthorized user would not be able to gain permissions or be able to perform remote commands for the BD Alaris PC Unit.”

BD has addressed this vulnerability and provided mitigation steps, although the flaw is found specifically in a third-party component. Officials said they recommend organizations consider stronger network controls for wireless authentication to make it harder to replicate and substitute, as well as WPA2 protocols.

IT administrators should monitor wireless networks leveraged by any patient-connected devices for malicious activity.

“BD Alaris Systems Manager should be considered a critical service,” according to the alert. “Whenever possible, it should operate on a secured network behind a firewall, it should be patched regularly, and should have malware protection. Ensure that the BD Alaris PC Unit and BD Alaris Systems Manager are separated by a firewall.”

Lastly, CISA alerted to vulnerabilities in Biotronik CardioMessenger II devices, which include a lack of encryption of sensitive data, stored passwords in a recoverable format, improper authentication, and sensitive data transmitted in cleartext.

An exploit would allow a hacker with physical access to steal sensitive information, obtain transmitted medical data directly from the implanted cardiac device, or disrupt the functionality of the device.

Further, an attacker with adjacent access could influence communications between the home monitoring unit and the access point name gateway network.

Biotronik will not be issuing a product security update but provided compensating controls to reduce the risk of exploit and prevent patient safety risks.

Specifically, organizations should maintain good physical control over the impacted units. Devices should not be connected to any unapproved devices. And system access should be restricted to authorized personnel.

CISA also stressed the need for organizations to perform impact analysis and risk assessments before deploying defensive measures. The alerts follow another warning from CISA that millions of medical devices are impacted by Ripple20 vulnerabilities that could give a hacker control of an affected system.

Next Steps

Dig Deeper on Cybersecurity strategies