Developers: | Baxter International |
Branches: | Pharmaceuticals, medicine, healthcare |
2020: Warning about easily hacked equipment
In mid-June 2020, the US Department of Homeland Security warned medical professionals that Baxter devices do not use encryption and could become an easy target for attackers.
The list includes PrismaFlex/PrisMax devices for the treatment of acute renal failure and continuous renal replacement therapy, the ExactaMix pumping system, the Phoenix hemodialysis system and Sigma Spectrum infusion pumps. According to the notification, these devices do not use encryption when transmitting information to the patient data management system (PDMS), so confidential information can fall into the hands of attackers.
PrismaFlex/PrisMax systems also have authentication problems that allow an attacker to change patient status information. PrismaFlex includes a hard-coded service password that gives access to biomedical information, device settings, calibration settings and network configuration. Together, these allow attackers to change the system's settings at will.
The Baxter ExactaMix automatic pump system does not encrypt sensitive data, does not restrict access through the USB interface by unauthorized users, and allows attackers to access the operating system and edit the application startup script. The Phoenix hemodialysis system has data transfer problems that let attackers intercept sensitive information transmitted between the Phoenix system and the Exalis tool.
Sigma Spectrum infusion pumps also suffer from hard-coded passwords. The vulnerabilities allow temporary configuration changes that endanger the patient.[1]