U.S. federal authorities have issued alerts about significant vulnerabilities in two medical devices from Baxter, a major manufacturer. The Department of Health and Human Services' Health Sector Cyber Coordination Center revealed that these flaws, affecting the Baxter Welch Allyn Connex Spot Monitor and the Baxter Welch Allyn Configuration Tool, could be exploited remotely, potentially compromising patient care. These vulnerabilities were highlighted in advisories from the Cybersecurity and Infrastructure Security Agency.
The first issue involves the Baxter Welch Allyn Connex Spot Monitor, which has a vulnerability due to the use of default cryptographic keys in versions 1.52 and earlier. This flaw, assigned a high severity score of 9.1, could allow attackers to alter device configurations and firmware, affecting patient care. Baxter has addressed this by releasing an update that mitigates the issue, advising users to upgrade to the latest version and apply proper security measures.
The second vulnerability pertains to the Baxter Welch Allyn Configuration Tool, which suffers from insufficiently protected credentials. This flaw, with a CVSS score of 9.4, could lead to unauthorized exposure of credentials. Baxter has announced that a new version will be released in the third quarter of 2024 to address this issue. In the meantime, Baxter recommends implementing strong network security controls and contacting technical support for configuration needs.
More broadly, the advisories highlight ongoing challenges in medical device security, with experts pointing out that many devices in use today lack sufficient security testing. The FDA’s new cybersecurity guidance focuses on premarket devices, leaving a gap for existing products. Improved regulatory scrutiny and clearer vulnerability disclosures are needed to better protect healthcare providers and patients from potential risks associated with these and other medical devices.