
Sigma Spectrum (infusion pumps)

Product
Developers: Baxter International
Branches: Pharmaceuticals, Medicine, Healthcare


2022: Vulnerabilities found in Baxter infusion pumps that allow devices to be controlled remotely

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a warning on September 8, 2022 about some of Baxter's Sigma and Spectrum infusion pumps. The problem is that the devices can be managed remotely. Successful exploitation of the vulnerabilities can lead to access to sensitive data. It could also lead to a reconfiguration of the system, the agency said.

Patient health information (PHI) may be stored unencrypted. An attacker who has physical access to the device, even without knowing all the data and software parameters, can extract confidential information. Only Baxter's Spectrum IQ pumps store PHI using automatic programming.

Sigma Spectrum Infusion Pump 35700BAX

In administrator mode, pumps are susceptible to format string attacks through messaging with the application. An attacker could use this to read memory in the pump to gain access to sensitive information. It can also cause the system to fail.

Baxter's Spectrum does not perform mutual authentication with the gateway server node, CISA said in a notice. This can lead to an attack in which the network parameters change, which leads to the failure of the network connection.

Affected infusion pumps:

  • Sigma Spectrum v6.x model 35700BAX
  • Sigma Spectrum v8.x model 35700BAX2
  • Baxter Spectrum IQ (v9.x) model 35700BAX3
  • Sigma Spectrum LVP v6.x with modules v16, v16D38, v17, v17D19, v20D29 - v20D32 and v22D24 - v22D28
  • Sigma Spectrum LVP v8.x with v17, v17D19, v20D29 - v20D32 and v22D24 - v22D28 modules
  • Baxter Spectrum IQ LVP (v9.x) with modules v22D19 - v22D28
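
An added example, not part of the original article and not Baxter or CISA tooling: a Python triage that checks an asset inventory against the affected list above, including the module version ranges. The CSV column names and the sample rows are constructed assumptions.

```python
import csv, io, re

# Affected list transcribed from this page: (product, pump major version, model, LVP module spec).
AFFECTED = [
    ("Sigma Spectrum", 6, "35700BAX", None),
    ("Sigma Spectrum", 8, "35700BAX2", None),
    ("Baxter Spectrum IQ", 9, "35700BAX3", None),
    ("Sigma Spectrum LVP", 6, None, "v16,v16D38,v17,v17D19,v20D29-v20D32,v22D24-v22D28"),
    ("Sigma Spectrum LVP", 8, None, "v17,v17D19,v20D29-v20D32,v22D24-v22D28"),
    ("Baxter Spectrum IQ LVP", 9, None, "v22D19-v22D28"),
]

def parse_module(text):
    # 'v20D31' -> (20, 31); 'v17' -> (17, -1); anything else is rejected.
    m = re.fullmatch(r"v(\d+)(?:D(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised module version: {text!r}")
    return int(m.group(1)), int(m.group(2) or -1)

def module_in_spec(module, spec):
    # A spec item is either one version or an inclusive 'low-high' range.
    mod = parse_module(module)
    ranges = (item.partition("-") for item in spec.split(","))
    return any(parse_module(lo) <= mod <= parse_module(hi or lo) for lo, _, hi in ranges)

def status(row):
    major = int(row["version"].lstrip("vV").split(".")[0])
    for product, ver, model, spec in AFFECTED:
        if (row["product"], major) == (product, ver):
            if spec is None:
                return "affected" if row["model"] == model else "not listed"
            if not row["module"]:
                return "check module"  # undecidable without the module version
            return "affected" if module_in_spec(row["module"], spec) else "not listed"
    return "not listed"

def triage(text):
    return {r["asset"]: status(r) for r in csv.DictReader(io.StringIO(text))}

# Constructed sample inventory; the column names are assumptions.
SAMPLE = """asset,product,version,model,module
P-001,Sigma Spectrum,6.05,35700BAX,
P-002,Sigma Spectrum LVP,8.00,,v20D31
P-003,Sigma Spectrum LVP,8.00,,v16D38
P-004,Baxter Spectrum IQ LVP,9.02,,v22D29
P-005,Baxter Spectrum IQ LVP,9.02,,
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A "not listed" result only means the entry does not match the list as transcribed on this page.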

Baxter said it was developing software updates to disable Telnet and FTP by September 2022. The company has already made software updates that fix the format string attack in some versions. In other versions of Spectrum IQ, authentication is already available.

2020: Recall of defective Sigma Spectrum infusion pumps

At the end of October 2020, Baxter began recalling hundreds of thousands of Sigma Spectrum infusion pumps. The manufacturer warns medical institutions that improper cleaning can cause corrosion of the case around the batteries and malfunction of the device with serious consequences for the patient.

Baxter has already received 16 reports of serious injuries related to the issue. The regulatory authorities designated the recall as a class I problem, that is, threatening the lives of patients. In total, 306,617 Baxter Sigma Spectrum infusion pumps are subject to recall.

Baxter recalls hundreds of thousands of defective infusion pumps
"I want to emphasize that this is not the first time this issue has been raised. We warned customers about the risks associated with improper cleaning of pumps a few months ago, and immediately began work on updating instructions for use," said Baxter spokesman Bess Featherstone. "Awarding a Class I issue means regulators have completed a risk analysis. That being said, customers can still use infusion pumps if they follow the instructions to clean them."

However, improper cleaning can lead to corrosion of the housing in the area of the electrical contacts on the back of the infusion pump and the electrical contacts of the battery. The company reminded users to check the infusion pump housing for residue accumulation, corrosion and depressed contacts. In addition, it is recommended to check the batteries themselves for the ability to hold the charge.

Baxter warns that a corroded Sigma Spectrum infusion pump running on battery power alone can shut down without any warning. Depending on the type of medication used and the volume and rate of infusion, such a shutdown can lead to serious injury or even death of the patient.[1]
