Dive Brief:
The Cybersecurity and Infrastructure Security Agency posted two notices last week regarding vulnerabilities in Baxter products that could allow unauthorized users to compromise machines or access credentials.
The notices outline cyber risks in a Baxter Welch Allyn patient monitor and a Baxter Welch Allyn configuration tool. The notice for the configuration tool stated that Baxter found “no evidence to date of any compromise of personal or health data,” while the notice for the patient monitor said that no known public exploitation “specifically targeting this vulnerability has been reported to CISA at this time.”
Baxter, which posted cybersecurity bulletins on its website on May 30, declined to comment on how the vulnerabilities were identified and whether they were found due to a breach or cyberattack.
Dive Insight:
The CISA posted notices outlining two separate issues with the Baxter products. One notice covered the use of a default encryption key for Baxter’s Welch Allyn Connex Spot Monitor, a patient monitoring device that displays vital sign measurements. The vulnerability could allow an attacker to compromise the device by modifying its configuration and firmware data, potentially affecting or delaying patient care.
Using a default encryption key can facilitate the installation or deployment of a product, but not changing the default can make it easier for hackers to bypass authentication processes.
Baxter has released an update for all affected devices and software to mitigate the vulnerability, according to the CISA notice. The agency advised users to ensure affected devices are not accessible from the internet and to isolate them from business networks, among other protective measures.
Edwin van Andel, chief technology officer of Zerocopter, a company that uses a network of hackers to identify cybersecurity risks, was one of two people named in the advisory to have notified Baxter of the issue.
The second notice covered insufficiently protected credentials for Baxter’s Welch Allyn configuration tool. The CISA stated that exploiting the vulnerability could expose credentials to unauthorized users.
“Any credentials that were used for authentication or input while using the Welch Allyn Configuration Tool have the potential to be compromised and should be changed immediately,” stated the notice.
Baxter has found no evidence of compromised personal or health data, and the company will release an update for all impacted software to address the issue. The configuration tool has been removed from public access.
Baxter acquired the products through its $10.5 billion purchase of Hillrom in 2021. Hillrom acquired Welch Allyn in 2015 for $2.05 billion.
Ricky Zipp
https://www.medtechdive.com/news/cisa-warns-of-cybersecurity-risks-in-baxter-products/718346/