Cybersecurity, a Matter of Survival

Due to safety issues: Baxter removes ventilators from the market

December 4, 2025, 10:19 | By Ute Häußler
Easy to manipulate: The ventilators in the Life2000 series have been withdrawn from the market with immediate effect.
© Baxter / Componeers

An open debug port, no authentication, unencrypted passwords—and unauthorized individuals can easily manipulate a ventilator. Baxter is therefore permanently withdrawing the entire Life2000 series from the market. The case shows that cybersecurity is becoming the Achilles' heel of medical technology.


On November 26, 2025, the US Food and Drug Administration (FDA) classified a permanent recall of Baxter's Life2000 ventilators as a "Class I" incident – the highest risk category. The reason: a critical security vulnerability that would have allowed attackers with physical access to the device to change therapy parameters or access sensitive device data. More than 4,800 devices worldwide are affected and must now be removed from hospitals and care facilities.

Vulnerability with CVSS score of 9.3

The vulnerability CVE-2024-48973 received a CVSS score of 9.3 and is therefore rated "critical." Specifically, internal security tests identified an open debug port without authentication, sensitive information such as passwords stored unencrypted, and missing access controls. Experts judge the attack to be so simple that even "a teenager" could have carried it out. Although no actual cyberattacks, serious injuries, or deaths have been reported in connection with this vulnerability, the potential risk was so high that Baxter decided against retrofitting a fix and opted for the permanent removal of the devices.

Patients and facilities were asked to immediately stop using Life2000 ventilators and organize alternative treatment options. Baxter sent urgent medical device recall letters to all affected customers on April 10, 2025. The recall is part of a paradigm shift: The FDA now treats cybersecurity issues like classic safety defects – with all the regulatory consequences that entails.

Medicine as the most vulnerable industry

The Baxter case is one of a series of alarming incidents. Between January and October 2024 alone, the BSI recorded over 200 relevant cybersecurity incidents in the German healthcare sector. Internationally, ransomware groups such as Lockbit and AlphV/Blackcat caused massive damage: At the end of November 2023, the Esslingen Clinic had to take imaging systems offline after an attack via a Citrix vulnerability. On Christmas Eve 2023, the Catholic Hospital Association of East Westphalia suffered a complete IT failure in three hospitals. In Barcelona, 150 non-urgent operations and 3,000 examinations were canceled after a ransomware attack.

The problem extends far beyond individual attacks: in sample investigations of two hospital information systems, the BSI discovered 32 vulnerabilities – in systems that form the digital backbone of modern clinics and are crucial for patient care. The situation is also critical for medical devices themselves: according to the FDA, even a USB port or serial interface is enough to classify a device as a "cyber device" and thus subject it to strict cybersecurity requirements.

Regulatory pressure increases massively

The FDA gained new legal powers with the Food and Drug Omnibus Reform Act (FDORA) of December 2022 and now requires comprehensive cybersecurity concepts for approval applications. These include a documented cybersecurity risk management program, a software bill of materials (SBOM) for all medical devices, and post-market cybersecurity plans. Non-compliance is considered a prohibited act that can be prosecuted.

Pressure is also growing in Europe: The new IEC 81001-5-1 standard builds on ISO 14971 and focuses on threat modeling, risk assessment in networked systems, and multi-layered security controls. AI-based medical devices are coming under particular scrutiny after experiments showed that "data set poisoning" can reduce the accuracy of ML models by up to 24 percent – potentially resulting in incorrect diagnoses.

Security by design – or not at all

The Baxter recall sends a clear message: medical technology without robust cybersecurity has no future. Retrofitting older devices is often impossible for technical and regulatory reasons, which is why Baxter chose the most radical solution and permanently removed the devices from the market. For new developments, there is only one way forward: "security by design" must be implemented systematically from the initial concept phase onwards. Secure authentication, encrypted communication, closed debug ports, and continuous vulnerability analyses are no longer optional features—they are basic requirements for market approval and safe operation.

The Achilles' heel of medical technology is exposed. Manufacturers who ignore this not only risk recalls and damage to their reputation, but also endanger people's health. (uh)
