US Federal Agencies Warn of Backdoor in Chinese-Made Patient Monitors

Leaking Patient Data and Allowing Unauthorized Code Execution

US federal agencies have issued a warning about a popular Chinese-made patient monitor device used in medical settings across the US and Europe, which has a built-in backdoor that leaks patient data to an unauthorized remote server. The backdoor, also present in a rebranded version of the device, allows the remote server, which appears to belong to a university, to execute unauthorized code on the device.

Affected Patient Monitors

The affected patient monitors are the Contec CMS8000 and the Epsimed MN-120, a relabeled version of the Contec device. These devices are used to monitor patients’ vital signs, including electrocardiogram, heart rate, blood oxygen saturation, noninvasive blood pressure, temperature, and respiration rate.

Cybersecurity Vulnerabilities

The US Food and Drug Administration (FDA), which authorizes medical devices for use in the US, has published a safety advisory outlining the cybersecurity vulnerabilities of these devices. The FDA has identified that the Contec CMS8000 and Epsimed MN-120 devices are susceptible to remote code execution and data exfiltration, which poses a significant risk to patient safety and confidentiality.

Contec Medical Systems

Contec Medical Systems is one of the largest Chinese medical device manufacturers, with headquarters in Qinhuangdao and subsidiaries in Chicago, Dusseldorf, and New Delhi. The company produces a wide range of medical products, including patient monitors, pumps, ultrasound systems, endoscopes, respiratory aids, EEG and EMG systems, diagnostics devices, and more.

Implications and Recommendations

The FDA advisory recommends that healthcare providers and patients take immediate action to mitigate the risks associated with these devices. This includes implementing additional security measures, such as network segmentation, access controls, and regular software updates. Patients and healthcare providers are advised to report any suspected cybersecurity incidents to the FDA’s MedWatch program.

Conclusion

The discovery of a backdoor in patient monitors used in medical settings is a serious concern, as it compromises patient data and poses a risk to their safety. It is essential for healthcare providers and patients to be aware of these cybersecurity vulnerabilities and take necessary steps to mitigate them. The FDA’s advisory serves as a timely reminder of the importance of prioritizing cybersecurity in the healthcare industry.

FAQs

Q: What devices are affected by this vulnerability?

A: The Contec CMS8000 and Epsimed MN-120 patient monitors are affected by this vulnerability.

Q: What is the purpose of these devices?

A: These devices are used to monitor patients’ vital signs, including electrocardiogram, heart rate, blood oxygen saturation, noninvasive blood pressure, temperature, and respiration rate.

Q: Who is responsible for the production of these devices?

A: Contec Medical Systems, a Chinese medical device manufacturer, produces these devices.

Q: What is the recommended course of action for healthcare providers and patients?

A: The FDA recommends implementing additional security measures, such as network segmentation, access controls, and regular software updates, and reporting any suspected cybersecurity incidents to the FDA’s MedWatch program.

Q: What is the significance of this vulnerability?

A: This vulnerability compromises patient data and poses a risk to their safety, making it essential for healthcare providers and patients to be aware of these cybersecurity vulnerabilities and take necessary steps to mitigate them.