Dive Brief:
- The Food and Drug Administration has released a safety communication about the cybersecurity vulnerabilities of certain patient monitors from Contec and Epsimed.
- The notice, which the FDA published Thursday, describes three vulnerabilities that can allow people to gain access to remote monitoring technology and potentially manipulate the devices.
- The FDA is not aware of cybersecurity incidents, injuries or deaths linked to the vulnerabilities but is advising patients, healthcare providers and IT staff to take steps to mitigate the risks.
Dive Insight:
Contec is a Chinese manufacturer of devices including the CMS8000 patient monitor. Epsimed relabels the Contec monitors and sells them as its MN-120 product line. The monitors display information such as a patient’s vital signs in healthcare and home settings.
The vulnerabilities allow unauthorized users to remotely control the monitors and stop them from working as intended, the FDA said, for example by denying access to the devices or corrupting the data. A hidden backdoor in the software allows people to bypass cybersecurity controls, the agency said, and people with access to monitors that are connected to the internet could take patient data.
The Cybersecurity and Infrastructure Security Agency (CISA) said the potential for unauthorized users to alter the configuration of CMS8000 and MN-120 monitors “introduces risk to patient safety as a malfunctioning monitor could lead to improper responses to vital signs displayed by the device.”
CISA described the vulnerabilities in its assessment of the threat. The backdoor and the functions that enable access to patient data exist in all analyzed versions of the software, CISA said, and the severity of the vulnerabilities is high. An anonymous researcher reported the vulnerabilities to CISA.
The FDA is advising healthcare facility IT and cybersecurity staff to use local monitoring features only. If a device relies on remote monitoring, staff should unplug it and stop using the product. Devices that do not rely on remote monitoring should be disconnected from the internet by removing Ethernet cables and disabling Wi-Fi or cellular capabilities, the agency said.
“If you cannot disable the wireless capabilities, then continuing to use the device will expose the device to the backdoor and possible continued patient data exfiltration,” the FDA said. “Be aware, at this time there is no software patch available to help mitigate this risk.”
The warning comes amid growing concern about the security of health data. The Office for Civil Rights tracked a more than 100% increase in large data breaches from 2018 to 2023. The number of people affected by healthcare data breaches rose more than 1000% over the same period.