CISA, FDA Warn of Cyber Threats in Medical Devices

Posted on February 14, 2025
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Food and Drug Administration (FDA) have issued an urgent warning regarding serious cybersecurity vulnerabilities in the Contec CMS8000, a widely used patient monitoring device. This medical system, which tracks vital signs such as heart rate, blood oxygen levels, and blood pressure, contains embedded security flaws that could expose sensitive patient data and compromise hospital networks.

Contec Medical Systems, a Chinese manufacturer of medical equipment, supplies these devices to hospitals and clinics across the United States, with some models rebranded and sold under different names, such as the Epsimed MN-120. According to U.S. authorities, the CMS8000 is vulnerable to remote exploitation, allowing unauthorized users to take control of the device and modify its functions. Additionally, it contains a hidden backdoor that could enable attackers to infiltrate the connected network. Perhaps most concerning is the revelation that, when connected to the internet, the device automatically transmits patient data, including personally identifiable information (PII) and protected health information (PHI), to servers in China.

Given the absence of an available security patch, healthcare organizations are urged to take immediate action. Authorities recommend disconnecting affected devices from the internet by unplugging Ethernet cables and disabling Wi-Fi or cellular connections. The CMS8000 should be used exclusively for in-person monitoring, and healthcare providers requiring remote monitoring should consider switching to alternative systems from different manufacturers. In addition, organizations are advised to conduct internal security audits to assess risks posed by other internet-connected medical devices and to strengthen cybersecurity protocols to prevent future breaches.

This situation underscores the growing cybersecurity threats facing medical technology. As healthcare systems become increasingly digital, safeguarding patient data and ensuring the security of networked devices must remain a top priority to prevent unauthorized access and potential disruptions in patient care.

Source: JD Supra

The European Cyber Intelligence Foundation is a nonprofit think tank specializing in intelligence and cybersecurity, offering consultancy services to government entities. To mitigate potential threats, it is important to implement additional cybersecurity measures with the help of a trusted partner like INFRA www.infrascan.net, or you can try yourself using check.website.