Researchers have raised alarm over the potential exposure of Wi-Fi configuration settings in decommissioned medical infusion pumps sold through the secondary market.
A study by Rapid7 examined three models of infusion pumps, including the Alaris PC 8015, the Baxter Sigma Spectrum model 35700BAX2 with its associated Wireless Battery Module (WBM), and the Hospira Abbott PLUM A+ with MedNet. Despite being no longer manufactured, these pumps were still in use in various medical organizations worldwide. The study found that many of the purchased pumps retained wireless authentication data from the original deploying organizations, leading to security risks.
The analysis revealed that the Wi-Fi configuration data exposed on the Alaris 8015 included SSIDs, AES keys for encryption, Wi-Fi Pre Shared Keys (PSK) passphrase in clear text, credentials for Microsoft Active Directory authentication, and other sensitive information.
For Baxter Sigma Spectrum 35700BAX2 and its WBM, the researchers discovered Wi-Fi configuration data, including the Wi-Fi Protected Access (WPA) passphrase converted to a 64-character hex key (PSK). Similarly, the Hospira Abbott PLUM A+ with MedNet also exposed Wi-Fi configuration information. The lack of online documented data purge processes for device decommissioning raised concerns about the handling of critical data during the transfer and resale of these medical devices.
Rapid7’s report emphasizes the urgent need for organizations using medical devices to establish policies and processes for proper handling during both acquisition and de-acquisition. The discovery of sensitive data on de-acquisitioned medical devices being sold in the secondary market highlights a systemic issue that requires immediate attention.
The researchers recommend that organizations define ownership and governance of the processes within their organization to ensure the security and protection of critical infrastructure configuration data and personal health information (PHI) stored on these devices. The study serves as a wake-up call for the healthcare industry to prioritize cybersecurity and data protection in all stages of medical device usage to prevent potential breaches and exposures.
