Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124

A popular medical monitor is the latest device manufactured in China to come under scrutiny for its potential cyber risks. However, it is not the only health device we need to worry about. Experts say the spread of Chinese health devices in the US medical system is a cause for concern throughout the ecosystem.
The Contec CMS8000 is a popular medical monitor that tracks a patient’s vital signs. The device monitors electrocardiogram, heart rate, oxygen saturation, non-invasive blood pressure, temperature and respiration rate. In recent months, the FDA and the Cybersecurity and Infrastructure Security Agency (CISA) both warned of a “backdoor” in the device, an “easy-to-exploit vulnerability that could allow a bad actor to change its configuration.”
The CISA research team described “anomalous network traffic” and the backdoor “allowing the device to download and execute unverified remote files” from an IP address that is not associated with a medical device manufacturer or medical facility but with a third party, characteristics it described as exceptionally unusual and “contrary to generally accepted practices, especially for medical devices.”
“When the feature is executed, the files on the device are forcibly overwritten, preventing the end customer, such as a hospital, from maintaining awareness of what software is running on the device,” CISA wrote.
The alerts say that such a configuration change could, for example, lead the monitor to report that a patient’s kidneys are failing or that breathing is failing, and this could cause medical staff to administer unnecessary drugs that may be harmful.
The vulnerability in the Contec equipment does not surprise medical and IT experts, who have warned about the security of medical devices for years.
“This is a huge gap that is about to explode,” says Christopher Kaufman, a business professor at Westcliff University in Irvine, California, who specializes in IT and disruptive technology, speaking about the security gap in many medical devices.
The American Hospital Association (AHA), which represents over 5,000 hospitals and clinics in the United States, agrees. It views the spread of Chinese medical devices as a serious threat to the system.
As for the Contec monitors specifically, the AHA says the problem needs to be resolved urgently.
“We have to put this at the top of the patient’s potential list; we have to patch before they hack,” says John Riggi, national advisor for cybersecurity and risk at the American Hospital Association. Riggi also served in counterterrorism roles at the FBI before joining the AHA.
CISA reports that no software patch is available to help mitigate this risk, but in its advisory it said the government is currently working with Contec.
Contec, based in Qinhuangdao, China, did not return a request for comment.
One of the problems is that it is not known how many of the monitors are in the US.
“We do not know because of the large volume of equipment in hospitals. We speculate that there are, conservatively, thousands of these monitors; this is a very critical vulnerability,” Riggi said, adding that Chinese access to the devices could pose strategic, technical and supply chain risks.
In the short term, the FDA advises medical systems and patients to make sure that the devices run only locally or to disable any remote monitoring; or, if remote monitoring is the only option, to stop using the device if an alternative is available. The FDA has said that it is not aware of any cybersecurity incidents, injuries or deaths related to the vulnerability so far.
The American Hospital Association also told its members that until a patch is available, hospitals must make sure that the monitor no longer has access to the internet and is segmented from the rest of the network.
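The guidance above (no internet access, segmentation from the rest of the network) can be verified against firewall or flow logs. The following is an added example, not taken from the article or from any agency advisory; the subnets, the allowed central-station address, the log format and the sample records are all constructed assumptions.

```python
import ipaddress

# Assumed addressing (hypothetical, not from the article or any advisory):
MONITOR_NET = ipaddress.ip_network("10.20.30.0/24")    # patient-monitor VLAN
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # hospital address space
ALLOWED_DESTS = {ipaddress.ip_address("10.20.40.10")}  # central nursing station

# Constructed flow records: "<timestamp> <src> <dst> <dport> <action>"
SAMPLE_FLOWS = """\
2025-02-01T10:00:01Z 10.20.30.15 10.20.40.10 6000 ALLOW
2025-02-01T10:00:05Z 10.20.30.15 198.51.100.7 443 ALLOW
2025-02-01T10:00:09Z 10.20.30.22 10.20.50.8 445 ALLOW
2025-02-01T10:00:12Z 10.20.30.22 203.0.113.9 443 DENY
2025-02-01T10:00:15Z 10.20.99.4 198.51.100.7 443 ALLOW
truncated record
"""

def classify(dst):
    """Return None for permitted traffic, else the kind of policy violation."""
    if dst in ALLOWED_DESTS:
        return None
    if any(dst in net for net in INTERNAL_NETS):
        return "lateral"    # reaches the rest of the hospital: segmentation gap
    return "internet"       # leaves the hospital: the egress the guidance forbids

def audit_flows(text):
    """Flag flows from the monitor VLAN to anything outside the allowlist."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue        # skip malformed records instead of crashing
        _ts, src_s, dst_s, dport, action = parts
        try:
            src, dst = ipaddress.ip_address(src_s), ipaddress.ip_address(dst_s)
            port = int(dport)
        except ValueError:
            continue
        kind = classify(dst) if src in MONITOR_NET else None
        if kind:
            # ALLOW means the control failed; DENY means the device still tried.
            findings.append((src_s, dst_s, port, kind, action == "ALLOW"))
    return findings

if __name__ == "__main__":
    for src, dst, port, kind, passed in audit_flows(SAMPLE_FLOWS):
        state = "PASSED FIREWALL" if passed else "blocked"
        print(f"{src} -> {dst}:{port} [{kind}] {state}")
```

Blocked attempts are reported as well as allowed ones, since a monitor that keeps trying to reach an outside address is worth investigating even when the firewall stops it.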
Riggi said that while the Contec monitors are a prime example of a risk we often overlook in health care, the problem extends to a range of medical equipment manufactured abroad. US hospitals, he explained, often buy medical devices from China, a country with a history of installing destructive malware inside critical infrastructure in the US. Low-priced equipment buys the Chinese potential access to data that can be repurposed and aggregated for any purpose. Riggi says data is often transmitted to China for the purpose of monitoring the performance of the device, but little more is known about what happens to the data beyond that.
Riggi says the acute medical risk to individuals is less of a concern than the information being collected and aggregated, which could be repurposed and put the larger medical system at risk. However, he points out that, at least theoretically, it cannot be ruled out that prominent Americans with medical devices could be targeted for disruption.
“When we talk to hospitals, CEOs are surprised, they have no idea of the dangers of these devices, so we help them understand. The question for the government is how to stimulate domestic production, away from abroad,” Riggi said.
The Contec warning is similar, at a general level, to those about TikTok, DeepSeek, TP-Link routers and other devices and technologies from China, which the US government says are collecting data on Americans. “And that’s all I have to hear when deciding whether to buy medical devices from China,” Riggi said.
Aras Nazarovas, an information security researcher at Cybernews, agrees that the threat CISA describes raises serious questions that need to be addressed.
“We have a lot to be afraid of,” Nazarovas said. Medical devices such as the Contec CMS8000 often have access to highly sensitive patient data and are directly tied to life-saving functions. Nazarovas says that when the devices are poorly protected, they become easy prey for hackers, who can manipulate the data shown, change vital settings, or disable the device completely.
“In some cases, these devices are so poorly protected that attackers can gain remote access and change the way the device works without the hospital or patients ever knowing,” Nazarovas said.
The consequences of the Contec vulnerability, and of vulnerabilities in a number of Chinese-made medical devices, can easily be life-threatening. “Imagine a patient monitor that stops warning doctors of a patient’s heart rate or sends incorrect indications, leading to a delayed diagnosis or misdiagnosis,” Nazarovas said. The Contec CMS8000 and the Epsimed MN-12 (a different brand name for the same equipment) “can be used as an entry point into the hospital network,” Nazarovas added.
More hospitals and clinics are paying attention. Bartlett Regional Hospital in Juneau, Alaska, does not use Contec monitors, but is always on the lookout for risks. “Regular monitoring is crucial, as the risk of cybersecurity attacks on hospitals continues to increase,” says Erin Hardin, a spokesman for Bartlett.
However, regular monitoring may not be sufficient as long as devices are built with poor security.
Potentially making things worse, says Kaufman, is that the Department of Government Efficiency is cutting departments that are responsible for protecting such devices. According to the Associated Press, many of the latest cuts at the FDA are employees who inspect the safety of medical devices.
Kaufman laments the probable lack of government oversight of what is already, according to him, a poorly regulated industry. A US Government Accountability Office report as of January 2022 said that 53% of connected medical devices and other internet devices in hospitals had known critical vulnerabilities. He says the problem has only worsened since then. “I’m not sure what will remain of these agencies,” Kaufman said.
“Problems with medical devices have been widespread and have been known for some time,” says Silas Cutler, Chief Security Researcher at medical data company Censys. “The reality is that the consequences can be horrible, and even deadly. While people with a high profile are at increased risk, the most affected will be the hospital systems themselves, with cascading effects on everyday patients.”