Baxter Phoenix Hemodialysis Delivery System (Update A)
Status: Monitor
Score: 7.5
Source: ICS-CERT ICSMA-20-170-03
Published: Jun 18, 2020
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
The Baxter Phoenix Hemodialysis Delivery System versions 3.36 and 3.40 transmit sensitive data including patient information and clinical parameters over the network without encryption (CWE-319). An attacker with network access to the device can passively intercept and read this unencrypted traffic, exposing protected health information.
What this means
What could happen
An attacker with unauthorized access to the hospital network could intercept unencrypted communications to the Baxter Phoenix dialysis machine and read sensitive patient data or clinical parameters. This could expose protected health information (PHI) and compromise patient privacy.
Who's at risk
Hospital and clinic operators responsible for dialysis services using the Baxter Phoenix Hemodialysis Delivery System. This includes clinical engineers, IT staff managing medical device networks, and facility managers overseeing dialysis units. The vulnerability affects patient privacy in any facility running affected software versions 3.36 or 3.40.
How it could be exploited
An attacker on the same network segment as the Phoenix machine (or who has gained access to the hospital network via remote connections, VPN compromise, or insider access) can passively monitor or intercept network traffic to read sensitive unencrypted data transmitted by or to the dialysis delivery system.
Prerequisites
- Network access to the same subnet or network segment as the Phoenix Hemodialysis Delivery System
- No credentials required for passive eavesdropping
- Attacker does not need to authenticate to the device itself
Tags: remotely exploitable · no authentication required · affects patient privacy (PHI) · no patch available · sensitive medical data exposure · data transmitted without encryption
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product: Phoenix Hemodialysis Delivery System: SW 3.36 and 3.40
Affected Versions: 3.36 | 3.40
Fix Status: No fix (EOL)
Remediation & Mitigation
Do now
- [Hardening] Scan the network for unauthorized devices and rogue access points that could provide attacker entry to the medical device segment
- [Hardening] Perform vulnerability and antivirus scans on all devices that have network access to the Phoenix system
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- [Hardening] Isolate Phoenix machines and Exalis Server PCs on a dedicated subnetwork with no other devices present
- [Hardening] Implement firewall rules to limit inbound and outbound connections to only necessary medical device communications
- [Hardening] Deploy VPN for any remote connections to the Phoenix network segment; do not allow direct internet or business network access
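One way to implement the three segmentation steps above on the gateway in front of the dialysis subnet, written as an added nftables ruleset that is not part of the advisory or of any Baxter guidance. The subnet, the Exalis Server PC addresses and the VPN pool are placeholders, and the rules allow all ports between Phoenix machines and Exalis servers because the advisory does not list the ports the devices require; narrow them once the vendor's network requirements are known.

```nftables
#!/usr/sbin/nft -f
# Added example: default-deny forwarding policy for a dedicated Phoenix segment.
# All addresses below are placeholders, not values from the advisory.
define phoenix_net  = 10.99.10.0/24                 # dedicated Phoenix machine subnet
define exalis_hosts = { 10.99.20.5, 10.99.20.6 }    # Exalis Server PCs
define vpn_net      = 10.200.0.0/24                 # remote-access VPN address pool

table inet phoenix_segment {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic for flows already permitted below
        ct state established,related accept
        ct state invalid drop

        # Phoenix machines may exchange traffic only with the Exalis Server PCs.
        # Assumption: port list unknown, so all ports are allowed between them;
        # add "tcp dport { ... }" once the vendor-documented ports are confirmed.
        ip saddr $phoenix_net  ip daddr $exalis_hosts accept
        ip saddr $exalis_hosts ip daddr $phoenix_net  accept

        # Remote maintenance reaches the segment only through the VPN pool
        ip saddr $vpn_net ip daddr $phoenix_net accept

        # Business LAN, internet and other device VLANs never reach the segment,
        # and the segment never reaches them. The log prefix is the detection
        # signal: any hit means a stray or unexpected flow to investigate.
        ip daddr $phoenix_net log prefix "phoenix-seg-deny-in: "  drop
        ip saddr $phoenix_net log prefix "phoenix-seg-deny-out: " drop
    }
}
```

Load it with nft -f on the router or firewall that sits between the dialysis subnet and the rest of the hospital network, and forward the kernel log lines carrying the two prefixes to the SIEM so that blocked flows are reviewed rather than silently dropped.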
CVEs (1)