February 24, 2025

Chinese medical devices threaten US healthcare cybersecurity

Editor’s Note

Backdoors in Chinese-made medical monitors could put patients at risk and compromise hospital networks across the US, according to security agencies quoted in a February 23 report from CNBC.

The article cites the popular Contec CMS8000 patient monitor as an example. Both the US Food and Drug Administration (FDA) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued warnings about "anomalous network traffic" and a backdoor in the Contec monitor that allows "unverified remote files" to be downloaded and executed. As outlined in the report, this vulnerability could enable bad actors to alter device configurations, causing monitors to display false patient information that might lead to harmful treatment.

The article quotes John Riggi, national advisor for cybersecurity and risk for the American Hospital Association (AHA), calling urgent attention to this issue: "We have to put this at the top of the list for the potential for patient harm; we have to patch before they hack." No software patch is currently available, though government agencies are working with Contec. In the meantime, the FDA recommends running devices only locally, disabling remote monitoring, or discontinuing use if alternatives exist.

For monitors and other devices, cash-strapped hospitals often purchase lower-cost Chinese options, CNBC reports, potentially providing China access to vast amounts of American medical data. Aras Nazarovas, an information security researcher, warned that poorly protected devices could be manipulated without detection, potentially putting patients at risk and serving as entry points into hospital networks. The article also cites a Government Accountability Office report indicating that as of January 2022, 53% of connected medical devices in hospitals had known critical vulnerabilities.
