A popular medical monitor is the latest Chinese-made device to come under scrutiny for potential cyber risks. It is not just this one device that should concern us, however. Experts say the spread of Chinese-made medical devices throughout the US health system is a source of concern across the whole ecosystem.
The Contec CMS8000 is a popular medical monitor that tracks patient vital signs. The device tracks ECG, heart rate, blood oxygen saturation, non-invasive blood pressure, temperature and breathing rate. In recent months, the FDA and the Cybersecurity and Infrastructure Security Agency (CISA) have warned that the device contains a “backdoor.”
CISA’s research team described “anomalous network traffic” and a backdoor: the device can download and execute files from an IP address that is not associated with a medical device manufacturer or a medical facility, but with a third-party university. CISA called this “highly unusual characteristics” that contradict generally accepted practices, “particularly for medical devices.”
“When the function is executed, files on the device are forcibly overwritten, preventing end customers, such as hospitals, from maintaining awareness of what software is running on the device,” CISA writes.
The warning states that such a configuration change could, for example, cause the monitor to miss a malfunction or a patient’s respiratory failure, or could lead medical staff to administer unnecessary treatments that may be harmful.
The vulnerability in Contec devices does not surprise healthcare and IT experts, who have warned for many years that medical devices are too loosely secured.
Hospitals are worried about cyber risks
“This is a huge gap that’s about to explode,” says Christopher Kaufman, a business professor at Westcliff University in Irvine, California, referring specifically to the security gaps in many medical devices.
The American Hospital Association (AHA), which represents more than 5,000 hospitals and clinics in the United States, agrees. It views the spread of Chinese-made medical devices as a serious threat to the system.
Regarding the Contec monitors in particular, the AHA says the issue needs to be addressed urgently.
“The potential for patient harm must be placed at the top of the list. It must be patched before it is hacked,” said John Riggi, national advisor for cybersecurity and risk at the American Hospital Association. Riggi also worked in FBI counterterrorism before joining the AHA.
CISA reports that no software patch is yet available to mitigate this risk, but its advisory states that the government is currently working with Contec.
Contec, headquartered in Qinhuangdao, China, did not reply to requests for comment.
One problem is that it is unknown how many of these monitors there are in the US.
“Because of the enormous amount of hospital equipment, we don’t know. We estimate there are thousands upon thousands of these monitors. This is a very serious vulnerability,” Riggi said, adding that China’s access to the devices could become a strategic technology and supply chain risk.
In the short term, the FDA advised healthcare systems and patients to ensure that the devices are used for local monitoring only, or to disable remote monitoring. If remote monitoring is the only option, stop using the device if an alternative is available. The FDA said it was not aware of any cybersecurity incidents, injuries or deaths related to the vulnerability.
The American Hospital Association also told its members that, until patches become available, hospitals need to ensure that the monitors can no longer reach the internet and are segmented from the rest of the network.
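The segmentation advice above can be checked continuously from flow or firewall logs: a patient-monitor VLAN that is supposed to be isolated should never originate a connection to the internet or to another internal segment, and ideally only to its central monitoring station. The following Python script is an added example written for this article; it is not code from CISA, the FDA, the AHA or Contec. The monitor subnet, the central-station address, the internal address ranges and the log lines are constructed placeholders, and the log format is a simplified comma-separated flow record (timestamp, source, destination, destination port, protocol) assumed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed placeholder: the isolated VLAN that holds the patient monitors.
MONITOR_SEGMENT = ipaddress.ip_network("10.20.30.0/24")

# Constructed placeholder: the only host a monitor is allowed to talk to
# (a central monitoring station inside the same segment).
ALLOWED_DESTINATIONS = {ipaddress.ip_address("10.20.30.5")}

# The organisation's internal address space (RFC 1918 ranges). Anything
# outside these is treated as "the internet" for policy purposes.
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


@dataclass(frozen=True)
class Flow:
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    proto: str


def parse_flow(line):
    """Parse one assumed flow record of the form 'ts,src,dst,dport,proto'."""
    ts, src, dst, dport, proto = (field.strip() for field in line.split(","))
    return Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), proto)


def classify(flow):
    """Return None if the flow is permitted by the segmentation policy, else a reason."""
    if flow.src not in MONITOR_SEGMENT:
        return None  # only flows originating from a monitor are policed here
    if flow.dst in ALLOWED_DESTINATIONS:
        return None  # monitor talking to its central station: expected
    if not any(flow.dst in net for net in INTERNAL_NETWORKS):
        return "monitor reached a destination outside the internal address space"
    if flow.dst not in MONITOR_SEGMENT:
        return "monitor crossed into another internal segment"
    return "monitor contacted an unapproved host inside its segment"


def find_violations(lines):
    """Run the policy over raw log lines and return (flow, reason) pairs."""
    violations = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # skip blank lines and comments
        flow = parse_flow(line)
        reason = classify(flow)
        if reason:
            violations.append((flow, reason))
    return violations


# Constructed sample records. 203.0.113.25 is a documentation-range address
# standing in for an arbitrary external host; it is not a real indicator.
SAMPLE_LOG = """
# ts,src,dst,dport,proto
2025-02-01T08:00:01Z,10.20.30.41,10.20.30.5,5000,tcp
2025-02-01T08:00:07Z,10.20.30.41,203.0.113.25,80,tcp
2025-02-01T08:00:09Z,10.20.30.42,10.20.40.12,445,tcp
2025-02-01T08:00:11Z,10.20.30.43,10.20.30.77,22,tcp
2025-02-01T08:00:15Z,10.20.40.12,203.0.113.25,443,tcp
""".strip().splitlines()


if __name__ == "__main__":
    for flow, reason in find_violations(SAMPLE_LOG):
        print(f"{flow.ts} {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}: {reason}")
```

Run against the constructed sample, the script flags three of the five flows: the monitor that reached an external address, the monitor that crossed into another internal segment, and the monitor that contacted an unapproved host within its own segment. The flow from a non-monitor host is ignored, because this check only enforces what monitors may initiate; egress from the rest of the network is a separate policy.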
Riggi said the Contec monitors are a typical example of a healthcare risk that has not been well considered, and that the risk extends to a variety of medical devices produced overseas. He explained that medical devices are often purchased from China, which has a history of installing destructive malware on critical infrastructure in the United States, and that the data they collect is reused and aggregated for all kinds of purposes. According to Riggi, data is often sent to China for the stated purpose of monitoring device performance, but little else is known about what happens to the data.
According to Riggi, the acute risk to individuals is less medical than informational: it is the information collected and aggregated from these devices, and its reuse, that puts people at risk. Still, he points out that, at least in theory, it cannot be ruled out that prominent Americans with medical devices could be targeted for disruption.
“When we talk to hospitals, the CEOs are surprised. They didn’t know about the dangers of these devices, so we’re helping them understand. The government issuing these warnings is a way to encourage a move away from them, toward domestic production,” Riggi said.
Chinese data collection on Americans
The Contec warning echoes those about TikTok, DeepSeek, TP-Link routers and other devices and technologies from China that the US government says collect data on Americans at a broad level. “And that’s all you need to ask when deciding whether to buy medical devices from China,” Riggi said.
Cybernews information security researcher Aras Nazarovas agrees that the threats CISA describes raise serious issues that need to be addressed.
“We have a lot to fear,” Nazarovas said. Medical devices like the Contec CMS8000 often have access to highly sensitive patient data and are directly connected to life-saving functions. Nazarovas says that if such a device is not adequately protected, it becomes easy prey for hackers, who could manipulate displayed data, change critical settings, or disable the device entirely.
“In some cases, these devices are so poorly protected that attackers can gain remote access and change the device’s behavior without hospitals or patients knowing,” said Nazarovas.
The consequences of the Contec vulnerabilities, and of vulnerabilities in other Chinese-made medical devices, can easily be life-threatening. “Imagine a patient monitor that stops alerting a doctor to a drop in the patient’s heart rate, sends false readings, or leads to a delayed or incorrect diagnosis,” Nazarovas said. The Contec CMS8000 and the Epsimed MN-120 (another brand name for the same technology) “can be used as an entry point into the hospital’s network,” Nazarovas added.
More hospitals and clinics are paying attention. Bartlett Regional Hospital in Juneau, Alaska does not use Contec monitors, but it is constantly watching for risk. “Regular surveillance is important as the risk of cybersecurity attacks on hospitals continues to increase,” said Bartlett spokesperson Erin Hardin.
However, as long as devices are built with weak security, regular monitoring may not be sufficient.
Kaufman said things could get worse. The government’s efficiency department is hollowing out the agency responsible for protecting such devices: many of the recent layoffs at the FDA are employees who review medical device safety, according to the Associated Press.
In an industry that is already lightly regulated, Kaufman laments, there is likely to be even less government oversight. A US Government Accountability Office report from January 2022 found that 53% of connected medical devices and other Internet of Things devices in hospitals had a known critical vulnerability. He says the problem has only gotten worse since then. “I don’t know who’s going to run these agencies,” Kaufman said.
“The medical device problem is widespread and has been known for some time,” said Silas Cutler, a leading security researcher at medical data company Censys. “The reality is that the outcomes can be disastrous and even fatal. High-profile individuals are at increased risk, but the hospital systems themselves are the most affected, and that affects everyday patients.”