HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

CISA and FDA warn about vulnerabilities in patient monitoring device

Written by Caitlin Anthoney | Feb 20, 2025 1:13:18 AM

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the U.S. Food and Drug Administration (FDA) recently issued a joint warning about security vulnerabilities in the Contec CMS8000 patient monitoring device.

These vulnerabilities could allow unauthorized access to patient data, remote device manipulation, and protected health information (PHI) transmission to external entities.


What happened

The Contec CMS8000, a patient monitoring device used in hospitals and clinics to track vital signs, has been found to contain embedded functionality that poses serious security risks. Healthcare organizations using the device must mitigate potential unauthorized access and assess whether breaches have already occurred.

Manufactured by Contec Medical Systems, a company based in China, the CMS8000 is marketed in the United States both directly and, repackaged by third-party resellers, under the name ‘Epsimed MN-120’.

Ultimately, this extensive distribution further increases healthcare providers’ potential risk exposure.


Going deeper

The FDA and CISA identified three vulnerabilities in the Contec CMS8000:


What was said

According to the joint warning, the FDA makes the following recommendations for patients and caregivers:

  • “Talk to your health care provider about whether your device relies on remote monitoring features.
  • If your healthcare provider confirms that your device relies on remote monitoring features, unplug the device and stop using it.
  • If your device does not rely on remote monitoring features, use only the local monitoring features of the patient monitor.
  • If you cannot disable the wireless capabilities, unplug the device and stop using it. Talk to your healthcare provider about finding an alternative patient monitor.
  • Know that the FDA is not aware of any cybersecurity incidents, injuries, or deaths related to this vulnerability at this time.
  • Report any problems or complications with your Contec CMS8000 patient monitor to the FDA.”


Additionally, the FDA makes the following recommendations for healthcare providers:

  • “Work with health care facility staff to determine if a patient’s Contec CMS8000 monitor may be affected and how to reduce any associated risk.
  • Read and follow the recommendations for patients and caregivers in the FDA’s safety communication.
  • Check the Contec CMS8000 patient monitors for any signs of unusual functioning, such as inconsistencies between the displayed patient vitals and the patient’s actual physical state.
  • Report any problems with your Contec CMS8000 patient monitor to the FDA.”


In the know

The Health Insurance Portability and Accountability Act (HIPAA) mandates that covered entities safeguard individuals’ PHI. So, healthcare providers must verify that medical devices collecting PHI adhere to HIPAA’s Security Rule.

Moreover, unauthorized access to PHI, as seen in the Contec CMS8000 vulnerability, can result in HIPAA violations with severe consequences, including hefty fines and legal ramifications.


Why it matters

The increasing connectivity of medical devices introduces greater cybersecurity risks, including potential data breaches and unauthorized access to critical patient information. So, when healthcare organizations use networked medical devices like the Contec CMS8000, they must conduct security audits, improve incident response planning, and adhere to FDA and CISA guidance.


FAQs

Has a security patch been released for the CMS8000?

No, as of now, there is no available patch to fix the vulnerabilities.


What cybersecurity measures does HIPAA require for medical devices?

HIPAA mandates safeguards such as encryption, access controls, risk assessments, and security monitoring.


What should healthcare organizations do if they suspect a breach?

Conduct an immediate investigation, notify affected patients, and report the breach to the appropriate regulatory authorities.
