Governance & Risk Management , Operational Technology (OT) , Patch Management
Feds Issue Alerts for Flaws in 2 Baxter Medical Devices
Experts Say Vulnerabilities Are Part of Broader Device Cyber Oversight ProblemsU.S. federal authorities are alerting healthcare sector entities about critical vulnerabilities in two medical device products from manufacturer Baxter. Both flaws can be exploited remotely, potentially jeopardizing patient care.
See Also: OnDemand | 2023 OT Cybersecurity Year in Review: Lessons Learned from the Frontlines
The Department of Health and Human Services' Health Sector Cyber Coordination Center said its alert issued Tuesday is based on two recent separate advisories from the Cybersecurity and Infrastructure Security Agency on vulnerabilities identified in the Baxter Welch Allyn Connex Spot Monitor and the Baxter Welch Allyn Configuration Tool.
Both Baxter products are used in the public health and healthcare sector worldwide - and both vulnerabilities involve multiple common weaknesses, HHS HC3 said.
Baxter Welch Allyn Connex Spot Monitor Flaw
Two security researchers reported the "use of default cryptographic key" vulnerability affecting the Baxter Welch Allyn Connex Spot Monitor, or CSM, versions 1.52 and earlier, CISA said. A CVSS v4 base score of 9.1 has been calculated for the vulnerability, assigned as CVE-2024-1275.
Exploitation of the vulnerability in the product, which was formerly manufactured by Hillrom, could allow an attacker to modify device configuration and firmware data. "Tampering with this data could lead to device compromise, resulting in impact and/or delay in patient care," CISA warned.
HHS HC3 said Baxter has released an update for all affected Baxter Welch Allyn Connex Spot Monitor devices and software to address this vulnerability. A new version of the product - Version 1.52.01 - which became available in October 2023 - mitigates the vulnerability, HHS HC3 said.
Baxter recommends users upgrade to the latest versions of the products, as well as implement suggested workarounds to help reduce risk. They include applying proper network and physical security controls and ensuring a unique encryption key is configured and applied to the product, as described in the Connex Spot Monitor Service Manual.
Baxter Welch Allyn Product Configuration Tool Flaw
Successful exploitation of the "insufficiently protected credentials" flaw identified in the Baxter Welch Allyn Product Configuration Tool could lead to the unintended exposure of credentials to unauthorized users, CISA said in its alert.
"Any credentials that were used for authentication or input while using the Baxter Welch Allyn Configuration Tool have the potential to be compromised and should be changed immediately," CISA warned.
A CVSS v4 score of 9.4 has been calculated for the vulnerability, assigned as CVE-2024-5176.
"Baxter has found no evidence to date of any compromise of personal or health data. Baxter will release a software update for all impacted software to address this vulnerability," CISA said.
A new version of the product - Welch Allyn Product Configuration Tool versions 1.9.4.2 - will be available in the third quarter of 2024. "No user action will be required once the update is released," CISA said.
CISA said the Baxter Welch Allyn Configuration Tool has been removed from public access. "Customers are advised to contact Baxter Technical Support or their Baxter Project Manager to create configuration files, as needed."
Baxter recommends workarounds - such as applying strong network and security controls - as additional mitigation measures.
Baxter did not immediately respond to Information Security Media Group's request for additional details about the product vulnerabilities.
Bigger Problems
Many currently deployed medical device products in use today simply did not have sufficient security testing from their manufacturers - "full stop," said David Brumley, CEO of security firm ForAllSecure and cybersecurity professor at Carnegie Mellon University.
While the Food and Drug Administration has a list of new cybersecurity expectations from manufacturers seeking premarket approval for their new medical devices, that intensified FDA review - empowered by Congress - is less than two years old.
"The new FDA guidance is only 'premarket,' meaning it's only for new devices that have not been fielded. Everything out there already deployed hasn't had sufficient security testing, and that's security debt we're seeing catch up with us now," Brumley said.
The FDA needs to provide stronger regulatory scrutiny and guidance for "currently fielded devices meeting modern security standards, not just premarket devices," Brumley said. "We also need the FDA to be more prescriptive, not less prescriptive. Putting it on the hospitals is the wrong place; it's like asking you to change how you drive your car while flying down the freeway at 80 miles per hour to fix a vendor issue."
Phil Englert, vice president of medical device security at the Health Information Sharing and Analysis Center, said advisories and disclosures involving vulnerabilities in medical devices - or most often in their components - frequently lack the type of clarity needed for biomedical or hospital IT security teams to analyze and act upon them appropriately.
"Healthcare providers would be better served if vulnerability disclosures were better aligned with the device recall and safety notice protocols currently in use by FDA," he said.
Current vulnerability disclosures from device makers and government agencies such as CISA frequently "focus on the issue with the vulnerable components rather than the medical devices themselves," he said.
But the FDA recalls and safety notices contain section headers that can be helpful, including the recalled product's name and dates manufactured, the device's intended use, the reason for the recall and who is affected.
"The lack of clear declaration for these categories may delay analysis and action" in many current vulnerability disclosures, Englert said.