A popular medical monitor is the latest device produced in China to receive scrutiny for its potential cyber risks. But it won't be the only health device we should be concerned about. Experts say the proliferation of Chinese health-care devices within the U.S. medical system is a cause for concern across the entire ecosystem.
The Contec CMS8000 is a popular medical monitor that tracks a patient’s vital signs. The device tracks electrocardiograms, heart rate, blood oxygen saturation, non-invasive blood pressure, temperature, and respiration rate. In recent months, the FDA and the Cybersecurity and Infrastructure Security Agency (CISA) both warned about a “backdoor” in the device, an “easy-to-exploit vulnerability that could allow a bad actor to alter its configuration.”
CISA’s research team described “anomalous network traffic” and the backdoor “allowing the device to download and execute unverified remote files” to an IP address not associated with a medical device manufacturer or medical facility but a third-party university — “highly unusual characteristics” that go against generally accepted practices, “especially for medical devices.”
“When the function is executed, files on the device are forcibly overwritten, preventing the end customer—such as a hospital—from maintaining awareness of what software is running on the device,” CISA wrote.
The warnings say such configuration alteration could lead to, for example, the monitor saying that a patient’s kidneys are malfunctioning or respiration failing, and that could cause medical staff to administer unneeded remedies that could be harmful.
The Contec vulnerability doesn’t surprise medical and IT experts who have warned for years that medical device security is too lax.
Hospitals are worried about cyber risks
“It is a huge gap that’s about to blow up,” said Christopher Kaufman, a business professor at Westcliff University in Irvine, California, who focuses on IT and disruptive technologies, specifically referring to the security gap in many medical devices.
The American Hospital Association, which represents over 5,000 hospitals and clinics in the U.S., agrees. It views the proliferation of Chinese medical devices as a serious threat to the system.
As for the Contec monitors specifically, the AHA says the issue urgently needs to be addressed.
“We have to put this at the top of the list for the potential for patient harm; we have to patch before they hack,” said John Riggi, national advisor for cybersecurity and risk for the American Hospital Association. Riggi also served in FBI counterterrorism roles before joining the AHA.
CISA reports that no software patch is available to help mitigate this risk, but in its advisory said the federal government is currently working with Contec.
Contec, headquartered in Qinhuangdao, China, didn’t return a request for comment.
One of the problems is that it’s unknown how many monitors there are in the U.S.
“We don’t know because of the sheer volume of equipment in hospitals. We speculate there are, conservatively, hundreds of these monitors; this is a very critical vulnerability,” Riggi said, adding that Chinese access to the devices can pose strategic, technical, and supply chain risks.
In the short term, the FDA advised medical systems and patients to ensure that the devices are only running locally or to disable any remote monitoring; or, if remote monitoring is the only option, to stop using the device if an alternative is available. The FDA said that so far it is not aware of any cybersecurity incidents, injuries, or deaths related to the vulnerability.
The American Hospital Association has also told its members that until a patch is available, hospitals should ensure that the monitor no longer has access to the internet and is segmented from the rest of the network.
Riggi said that while the Contec monitors are a prime example of what we don’t often think of among health care risks, the problem extends to a wide range of medical equipment produced overseas. Cash-strapped U.S. hospitals, he explained, often buy medical devices from China, a country with a history of installing destructive malware inside critical infrastructure in the U.S. Low-cost equipment buys the Chinese potential access to a trove of American medical information that could be repurposed and aggregated for all kinds of purposes. Riggi says data is often transmitted to China with the stated purpose of monitoring a device’s performance, but little else is known about what happens to the data beyond that.
Riggi says individuals aren’t at acute medical risk as much as the data being collected and aggregated for repurposing and putting the larger medical system at risk. Still, he points out that, at least theoretically, it cannot be ruled out that prominent Americans with medical devices could be targeted for disruption.
“When we talk to hospitals, CEOs are surprised; they had no idea about the dangers of these devices, so we’re helping them understand. The question for government is how to incentivize domestic production, away from overseas,” Riggi said.
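The AHA guidance above comes down to a network policy a hospital can actually verify: monitors may reach the central monitoring station and nothing else. The script below is an added illustration of that check, not code from the article, CISA, Contec or the AHA. It assumes a hypothetical layout (a monitor VLAN of 10.50.1.0/24, hospital address space 10.0.0.0/8, and a central station at 10.50.0.5) and runs over constructed firewall log lines, flagging any accepted flow from a monitor to a destination the segmentation policy does not permit.

```python
import ipaddress
import re
from dataclasses import dataclass

# Assumed network layout for this example (hypothetical, not from the article
# or the CISA advisory): bedside monitors sit in their own VLAN and should only
# ever talk to the central monitoring station on the hospital LAN.
MONITOR_VLAN = ipaddress.ip_network("10.50.1.0/24")
HOSPITAL_RANGES = [ipaddress.ip_network("10.0.0.0/8")]
ALLOWED_DESTINATIONS = {ipaddress.ip_address("10.50.0.5")}  # central station

# Constructed firewall log lines in a generic syslog-like format; the external
# addresses are documentation ranges, not real infrastructure.
SAMPLE_LOGS = """\
2025-02-03T08:01:12Z fw01 ACCEPT src=10.50.1.21 dst=10.50.0.5 proto=TCP dport=515
2025-02-03T08:01:15Z fw01 ACCEPT src=10.50.1.21 dst=203.0.113.44 proto=TCP dport=80
2025-02-03T08:02:02Z fw01 ACCEPT src=10.50.1.22 dst=10.50.0.5 proto=TCP dport=515
2025-02-03T08:02:40Z fw01 ACCEPT src=10.50.1.22 dst=198.51.100.9 proto=UDP dport=53
2025-02-03T08:03:05Z fw01 ACCEPT src=10.50.1.23 dst=10.60.3.3 proto=TCP dport=445
2025-02-03T08:03:11Z fw01 ACCEPT src=10.20.7.8 dst=203.0.113.44 proto=TCP dport=443
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) \S+ (?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)"
)


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    dport: int
    reason: str


def audit_flows(log_text, monitor_vlan=MONITOR_VLAN,
                allowed=ALLOWED_DESTINATIONS, hospital_ranges=HOSPITAL_RANGES):
    """Return one Finding per accepted flow that leaves the monitor VLAN for a
    destination the segmentation policy does not permit."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["action"] != "ACCEPT":
            continue  # malformed line, or a flow the firewall already blocked
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        if src not in monitor_vlan or dst in allowed:
            continue  # not a monitor, or talking to the central station as designed
        if any(dst in net for net in hospital_ranges):
            reason = "internal destination not on allowlist"
        else:
            reason = "destination outside hospital address space"
        findings.append(Finding(m["ts"], str(src), str(dst), int(m["dport"]), reason))
    return findings


def offending_sources(findings):
    """Monitors that should be isolated until the firewall enforces the policy."""
    return sorted({f.src for f in findings}, key=ipaddress.ip_address)


if __name__ == "__main__":
    results = audit_flows(SAMPLE_LOGS)
    for f in results:
        print(f"{f.ts} {f.src} -> {f.dst}:{f.dport}  {f.reason}")
    print("isolate:", ", ".join(offending_sources(results)))
```

Two of the flagged flows leave the hospital's address space entirely, which is exactly the kind of traffic the AHA advice is meant to make impossible; the third is an internal lateral connection that the allowlist also rules out. In practice the same logic belongs in a firewall deny rule with logging, so the audit confirms enforcement rather than substituting for it.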
Chinese data collection on Americans
The Contec warning is similar at a general level to TikTok, DeepSeek, TP-Link routers, and other devices and technology from China that the U.S. government says are collecting data on Americans. “And that’s all I need to hear in deciding whether to buy medical devices from China,” Riggi said.
Aras Nazarovas, an information security researcher at Cybernews, agrees that the CISA threat raises serious issues that need to be addressed.
“We have a lot to fear,” Nazarovas said. Medical devices, like the Contec CMS8000, often have access to highly sensitive patient data and are directly connected to life-saving functions. Nazarovas says that when the devices are poorly defended, they become easy prey for hackers who can manipulate the displayed data, alter vital settings, or disable the device completely.
“In some cases, these devices are so poorly protected that attackers can gain remote access and alter how the device operates without the hospital or patients ever knowing,” Nazarovas said.
The implications of the Contec vulnerability and vulnerabilities in an array of Chinese-made medical devices could easily be life-threatening.
“Imagine a patient monitor that stops alerting doctors to a drop in a patient’s heart rate or sends incorrect readings, resulting in a delayed or mistaken diagnosis,” Nazarovas said. In the case of the federal government’s warning about the Contec CMS8000 and the Epsimed MN-120 (a different brand name for the same technology), these devices were configured to allow remote code execution by the remote server.
“This functionality could be used as an entry point into the hospital’s network,” Nazarovas said, resulting in patient danger.
More hospitals and clinics are paying attention. Bartlett Regional Hospital in Juneau, Alaska, doesn’t use the Contec monitors but is always looking for risks. “Regular monitoring is critical as the risk of cybersecurity attacks on hospitals continues to increase,” says Erin Hardin, a spokeswoman for Bartlett.
However, regular monitoring may not be enough as long as devices are made with poor security.
Potentially making matters worse, Kaufman says, is that the Department of Government Efficiency is hollowing out departments responsible for safeguarding such devices. According to the Associated Press, many of the recent layoffs at the FDA are employees who review the safety of medical devices.
Kaufman laments the likely lack of government oversight on what’s already, he says, a loosely regulated industry. A U.S. Government Accountability Office report as of January 2022 indicated that 53% of connected medical devices and other Internet of Things devices in hospitals had known critical vulnerabilities. He says the problem has only gotten worse since then. “I’m not sure what’s going to be left running these agencies,” Kaufman said.
“Medical device issues are widespread and have been known for a while now,” said Silas Cutler, principal security researcher at medical data company Censys. “The reality is that the implications can be dire – and even deadly. While high-profile individuals are at heightened risk, the most impacted are going to be the hospital systems themselves, with cascading effects on everyday patients.”