
Recalled ventilator was so easy to hack, ‘a teenager’ could have done it

Abigail Nobel

We used to think it was bad that IV pumps reset when visitors ignored "No cell phones" warnings. Healthcare Brew reports today's evolved version of the problem.

https://www.healthcare-brew.com/stories/2025/06/10/recalled-ventilator-easy-hack

Recalled ventilator was so easy to hack, ‘a teenager’ could have done it

‘Secure by design’ isn’t just a tech buzzword.

By Caroline Catherman    |    June 10, 2025

There’s a cybersecurity problem breathing down the healthcare industry’s neck.

On April 7, Baxter Healthcare pulled all 4,100+ Welch Allyn Life2000 ventilators due to severe cybersecurity concerns. The FDA labeled this a Class I recall, meaning these issues threatened patients’ lives, though the agency hasn’t reported any injuries or deaths.

Naomi Schwartz, a former FDA employee and VP of services for MedCrypt, a cybersecurity firm for medical device manufacturers, told Healthcare Brew this recall should be a lesson for the medical technology industry.

This is one of several device recalls in recent years prompted by cybersecurity concerns, and in her opinion, Baxter did the right thing fast. The global medtech company first flagged these weaknesses in November, noting that there hadn’t been any hacks up to that point. An April market removal is a relatively short turnaround, she added.

But the vulnerabilities were easily avoidable with a development framework known as secure by design, the idea that companies—not consumers—are responsible for cybersecurity, and products should have features like multi-factor authentication.

The issues. On a scale of “you have to have a PhD” to “a teenager” could hack the system, Baxter’s ventilator security was more toward the latter, Schwartz said. Let’s run through some of the issues:

  • No encryption. For one, the ventilators didn’t encrypt sensitive information, like passwords, according to Baxter’s November security advisory. “If I’m just issuing all my data in plain text, that’d be like me sending you an email saying, ‘Hey, my front door is unlocked. Walk into my house, why don’t you?’” Schwartz said.
  • Physical ports. All a hacker needed to do to access the device was walk into a hospital and plug a piece of hardware into a physical port on the ventilator, Schwartz explained.
  • Few authentication requirements. The software used to test and calibrate the ventilators didn’t require authentication from the user either, so anyone could have tweaked the ventilator settings. This flaw was severe enough to earn a score of 10/10 on a scale used by the government to measure vulnerabilities—“a nightmare scenario,” Schwartz said.

Learning opportunities. These issues should prompt other companies to double-check their own ventilators’ security—especially legacy devices that were made many years ago, Schwartz said.

“These are very common problems, and they’re all things that a secure-by-design set of practices would have prevented,” she said.

The good news is Schwartz thinks Baxter responded quickly and appropriately once it discovered these flaws.

“The people out there who are producing and selling these products are doing their due diligence. They’re going back and checking older systems. They’re making sure that things are good and secure, and when they’re not, they’re taking appropriate action,” she said.

This incident comes after the FDA and Congress have ramped up medical device cybersecurity requirements in recent years.

For instance, in March 2023, the Protecting and Transforming Cyber Healthcare Act started requiring medical device manufacturers to address cybersecurity requirements in their submissions for market approval.

This topic was modified 4 weeks ago by Abigail Nobel

   