Chinese medical devices are all over the US, and allies are worried
A popular medical monitor is the latest device manufactured in China to come under scrutiny because of its potential cyber risk. However, it is not the only health device to worry about. Experts say that the spread of Chinese health devices in the US medical system is a reason for concern throughout the ecosystem.
The Contec CMS8000 is a popular medical monitor that tracks a patient's vital signs. The device tracks electrocardiogram, heart rate, blood oxygen saturation, non-invasive blood pressure, temperature and respiration rate. In recent months, the FDA and the Cybersecurity and Infrastructure Security Agency (CISA) warned about a “backdoor” in the device, a “simple vulnerability that could allow a bad actor to change its configuration.”
The CISA research team described “anomalous network traffic” and a backdoor “allowing the device to download and execute unverified remote files” to an IP address associated not with a medical device manufacturer or medical facility but with a third-party university, “very unusual characteristics” that go against generally accepted practices, “especially for medical devices.”
“When the function is executed, the files on the device are forcibly overwritten, preventing the end customer – like the hospital – from maintaining awareness of what software is running on the device,” CISA wrote.
The warning says that such a change in configuration could lead to, for example, a monitor indicating that a patient's kidneys are not functioning or that the patient is not breathing, which could cause medical staff to administer unnecessary drugs that could be harmful.
The Contec vulnerability does not surprise medical and IT experts, who have warned for years that the security of medical devices is too lax.
Hospitals are worried about cyber risk
“This is a huge gap that is about to explode,” said Christopher Kaufman, a business professor at Westcliff University in Irvine, California, who specializes in IT and disruptive technology, referring specifically to the security gap in many medical devices.
The American Hospital Association, which represents over 5,000 hospitals and clinics in the United States, considers the spread of Chinese medical devices a serious threat to the system.
As for the Contec monitors specifically, the AHA says the problem urgently needs to be solved.
“We have to put it on top of the patient’s potential census; we have to patch up before they hack,” said John Riggi, national advisor for cybersecurity and risk at the American Hospital Association. Riggi also served in counterterrorism roles at the FBI before joining the AHA.
CISA reports that no software patch is available to help mitigate this risk, but said in its advisory that the government is currently working with Contec.
Contec, based in Qinhuangdao, China, did not respond to a request for comment.
One of the problems is that it is not known how many of the monitors there are in the US.
“We do not know because of the sheer amount of equipment in hospitals. We speculate that there are, conservatively, thousands of these monitors; this is a very critical vulnerability,” Riggi said, adding that Chinese access to the devices may pose strategic, technical and supply chain risks.
In the short term, the FDA advised medical systems and patients to ensure that the devices work only locally or to prevent any remote control; or, if remote control is the only option, to stop using the device if an alternative is available. The FDA said that to date it is not aware of any incidents, injuries or deaths associated with the vulnerability.
The American Hospital Association also told its members that until a patch is available, hospitals should ensure that the monitor no longer has access to the Internet and is segmented from the rest of the network.
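One way a hospital network team could check that advice against flow logs, as an added example that is not part of the original article or of any agency guidance. The monitor subnet, the central-station address, the log format and the sample records are all constructed assumptions.

```python
import csv
import io
import ipaddress

# Assumptions for this example: the subnet reserved for patient monitors and
# the one central station they are expected to talk to (constructed values).
MONITOR_VLAN = ipaddress.ip_network("10.20.30.0/24")
ALLOWED_PEERS = {ipaddress.ip_address("10.20.30.5")}
# Anything outside RFC 1918 space is treated as Internet-bound.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records: time, source, destination, destination port.
SAMPLE_FLOWS = """\
2025-02-01T10:00:01Z,10.20.30.41,10.20.30.5,8443
2025-02-01T10:00:07Z,10.20.30.41,198.51.100.23,8080
2025-02-01T10:00:09Z,10.20.30.42,10.40.1.17,445
2025-02-01T10:00:12Z,10.10.1.8,203.0.113.9,443
2025-02-01T10:00:15Z,10.20.30.43,10.20.30.44,8443
"""


def classify(src, dst):
    """Return a finding label for one flow, or None if it is expected."""
    if src not in MONITOR_VLAN or dst in ALLOWED_PEERS:
        return None  # not a monitor, or a monitor talking to its central station
    if not any(dst in net for net in INTERNAL_NETS):
        return "internet-egress"         # monitor still reaches the Internet
    if dst not in MONITOR_VLAN:
        return "segmentation-violation"  # monitor reaches another internal segment
    return "unexpected-peer"             # unapproved host inside the monitor VLAN


def audit(flow_csv):
    """Classify every well-formed record and return only the findings."""
    findings = []
    for row in csv.reader(io.StringIO(flow_csv)):
        if len(row) != 4:
            continue  # skip blank or malformed lines
        ts, src, dst, port = row
        verdict = classify(ipaddress.ip_address(src), ipaddress.ip_address(dst))
        if verdict:
            findings.append((ts, src, dst, int(port), verdict))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(*finding)
```

Any `internet-egress` finding means the isolation the AHA asked for is not yet in place for that monitor.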
Riggi said that while the Contec monitors are a prime example of what we often do not consider among the risks in health care, the problem extends to a range of medical equipment produced abroad. Cash-strapped US hospitals, he explained, often buy medical devices from China, a country with a history of installing destructive malware within critical infrastructure in the US. Cheap equipment buys the Chinese potential access to American medical information that can be repurposed and aggregated for all kinds of purposes. Riggi says that data is often transmitted to China for the purpose of monitoring the performance of the device, but little is known about what happens to the information beyond that.
Riggi says that individuals are not at acute medical risk so much as the information collected and aggregated could be misused and put the larger medical system at risk. Still, he points out that, at least theoretically, it cannot be ruled out that prominent Americans with medical devices could be targeted for disruption.
“When we talk to hospitals, executive directors are surprised; they had no idea about the dangers of these devices, so we help them understand. The question for the government is how to encourage domestic production, far from abroad,” Riggi said.
Chinese collection of data on Americans
The Contec warning is, at a general level, similar to those about TikTok, DeepSeek, TP-Link routers and other devices and technology from China, which the US government says are collecting information about Americans. “And that’s all I have to hear in deciding whether to buy medical devices from China,” Riggi said.
Aras Nazarovas, an information security researcher at Cybernews, agrees that the threat described by CISA raises serious questions that need to be resolved.
“We have a lot to fear,” Nazarovas said. Medical devices, such as the Contec CMS8000, often have access to highly sensitive patient data and are directly tied to life-saving functions. Nazarovas says that when devices are poorly defended, they become easy prey for hackers, who can manipulate the data shown, change vital settings, or completely disable the device.
“In some cases, these devices are so poorly protected that attackers can get remote access and change the way the device operates without the hospital or patients ever knowing,” Nazarovas said.
The Contec vulnerability, and vulnerabilities in a range of Chinese-made medical devices, could easily be life-threatening.
“Imagine a patient monitor that stops alerting doctors to a drop in the patient’s heart rate or sends incorrect readings, leading to delayed or wrong diagnosis,” Nazarovas said. In the case of the Contec CMS8000 and Epsimed MN-12 (a different brand for the same technology), according to the government warnings, the devices are configured to allow remote code execution by a remote server.
“This functionality can be used as an entry point to the hospital network,” Nazarovas said, leading to danger for patients.
More hospitals and clinics are paying attention. The Bartlett Regional Hospital in Juneau, Alaska, does not use Contec monitors, but is always looking for risks. “Regular monitoring is crucial because the risk of cybersecurity attacks on hospitals is still increasing,” says Erin Hardin, a spokeswoman for Bartlett.
However, regular monitoring may not be enough as long as the devices are made with poor security.
Potentially making matters worse, Kaufman says, is that the Department of Government Efficiency has hollowed out departments in charge of the protection of such devices. According to the Associated Press, many of the recent FDA dismissals are of employees who examine the safety of medical devices.
Kaufman regrets the probable lack of government supervision of what is already a lightly regulated industry. A US Government Accountability Office report from January 2022 indicated that 53% of connected medical devices and other Internet of Things devices in hospitals had known critical vulnerabilities. He says the problem has only worsened since then. “I’m not sure what will be left to start these agencies,” Kaufman said.
“Medical products are widespread and they have been known for some time,” said Silas Cutler, principal security researcher at medical data company Censys. “The reality is that the consequences can be terrible, even deadly. Although high-profile individuals are exposed to increased risk, the most prominent will be hospital systems, with cascading effects on everyday patients.”