A popular medical monitor is the latest device produced in China to receive scrutiny for its potential cyber risks. However, it is not the only health device we should be concerned about. Experts say the proliferation of Chinese health-care devices in the U.S. medical system is a cause for concern across the entire ecosystem.
The Contec CMS8000 is a popular medical monitor that tracks a patient’s vital signs. The device tracks electrocardiograms, heart rate, blood oxygen saturation, non-invasive blood pressure, temperature, and respiration rate. In recent months, the FDA and the Cybersecurity and Infrastructure Security Agency (CISA) both warned about a “backdoor” in the device, an “easy-to-exploit vulnerability that could allow a bad actor to alter its configuration.”
CISA’s research team described “anomalous network traffic” and the backdoor “allowing the device to download and execute unverified remote files” to an IP address not associated with a medical device manufacturer or medical facility but a third-party university — “highly unusual characteristics” that go against generally accepted practices, “especially for medical devices.”
“When the function is executed, files on the device are forcibly overwritten, preventing the end customer—such as a hospital—from maintaining awareness of what software is running on the device,” CISA wrote.
The warnings says such configuration alteration could lead to, for instance, the monitor saying that a patient’s kidneys are malfunctioning or breathing failing, and that could cause medical staff to administer unneeded remedies that could be harmful.
The Contec’s vulnerability doesn’t surprise medical and IT experts who have warned for years that medical device security is too lax.
Hospitals are worried about cyber risks
“This is a huge gap that is about to explode,” said Christopher Kaufman, a business professor at Westcliff University in Irvine, California, who specializes in IT and disruptive technologies, specifically referring to the security gap in many medical devices.
The American Hospital Association, which represents over 5,000 hospitals and clinics in the U.S., agrees. It views the proliferation of Chinese medical devices as a serious threat to the system.
As for the Contec monitors specifically, the AHA says the problem urgently needs to be addressed.
“We have to put this at the top of the list for the potential for patient harm; we have to patch before they hack,” said John Riggi, national advisor for cybersecurity and risk for the American Hospital Association. Riggi also served in FBI counterterrorism roles before joining the AHA.
CISA reports that no software patch is available to help mitigate this risk, but in its advisory said the government is currently working with Contec.
Contec, headquartered in Qinhuangdao, China, did not return a request for comment.
One of the problems is that it is unknown how many monitors there are in the U.S.
“We don’t know because of the sheer volume of equipment in hospitals. We speculate there are, conservatively, thousands of these monitors; this is a very critical vulnerability,” Riggi said, adding that Chinese access to the devices can pose strategic, technical, and supply chain risks.
In the short-term, the FDA advised medical systems and patients to make sure the devices are only running locally or to disable any remote monitoring; or if remote monitoring is the only option, to stop using the device if an alternative is available. The FDA said that to date it is not aware of any cybersecurity incidents, injuries, or deaths related to the vulnerability.
The American Hospital Association has also told its members that until a patch is available, hospitals should make sure the monitor no longer has access to the internet, and is segmented from the rest of the network.
Riggi said the while the Contec monitors are a prime example of what we don’t often consider among health care risk, it extends to a range of medical equipment produced overseas. Cash-strapped U.S. hospitals, he explained, often buy medical devices from China, a country with a history of installing destructive malware inside critical infrastructure in the U.S. Low-cost equipment buys the Chinese potential access to a trove of American medical information that can be repurposed and aggregated for all sorts of purposes. Riggs says data is often transmitted to China with the stated purpose of monitoring a device’s performance, but little else is known about what happens to the data beyond that.
Riggi says individuals aren’t at acute medical risk as much as the information being collected and aggregated for repurposing and putting the larger medical system at risk. Still, he points out that, at least theoretically, is can’t be ruled out that prominent Americans with medical devices could be targeted for disruption.
“When we talk to hospitals, CEOS are surprised, they had no idea about the dangers of these devices, so we are helping them understand. The question for government is how to incentivize domestic production, away from overseas,” Riggi said.
Chinese data collection on Americans
The Contec warning is similar at a general level to TikTok, DeepSeek, TP-Link routers, and other devices and technology from China that the U.S. government says are collecting data on Americans. “And that is all I need to hear in deciding whether to buy medical devices from China,” Riggi said.
Aras Nazarovas, an information security researcher at Cybernews, agrees that the CISA threat raises serious issues that need to be addressed.
“We have a lot to fear,” Nazarovas said. Medical devices, like the Contec CMS8000, often have access to highly sensitive patient data and are directly connected to life-saving functions. Nazarovas says that when the devices are poorly defended, they become easy prey for hackers who can manipulate the displayed data, alter vital settings, or disable the device completely.
“In some cases, these devices are so poorly protected that attackers can gain remote access and change how the device operates without the hospital or patients ever knowing,” Nazarovas said.
The consequences of the Contec vulnerability and vulnerabilities in an array of Chinese-made medical devices could easily be life-threatening.
“Imagine a patient monitor that stops alerting doctors to a drop in a patient’s heart rate or sends incorrect readings, leading to a delayed or wrong diagnosis,” Nazarovas said. In the case of the Contec CMS8000, and Epsimed MN-120 (a different brand name for the same tech), warning from the government, these devices were configured to allow remote code execution by the remote server.
“This functionality can be used as an entry point into the hospital’s network,” Nazarovas said, leading to patient danger.
More hospitals and clinics are paying attention. Bartlett Regional Hospital in Juneau, Alaska, does not use the Contec monitors but is always looking for risks. “Regular monitoring is critical as the risk of cybersecurity attacks on hospitals continues to increase,” says Erin Hardin, a spokeswoman for Bartlett.
However, regular monitoring may not be enough as long as devices are made with poor security.
Potentially making matters worse, Kaufman says, is that the Department of Government Efficiency is hollowing out departments in charge of safeguarding such devices. According to the Associated Press, many of the recent layoffs at the FDA are employees who review the safety of medical devices.
Kaufman laments the likely lack of government supervision on what is already, he says, a loosely regulated industry. A U.S. Government Accountability Office report as of January 2022, indicated that 53% of connected medical devices and other Internet of Things devices in hospitals had known critical vulnerabilities. He says the problem has only gotten worse since then. “I’m not sure what is going to be left running these agencies,” Kaufman said.
“Medical device issues are widespread and have been known for some time now,” said Silas Cutler, principal security researcher at medical data company Censys. “The reality is that the consequences can be dire – and even deadly. While high-profile individuals are at heightened risk, the most impacted are going to be the hospital systems themselves, with cascading effects on everyday patients.”
