The US Food and Drug Administration (FDA) has issued guidance over potential cybersecurity vulnerabilities with Contec’s CMS8000 patient monitor and the Epsimed MN-120 (a relabelled version of the CMS8000).
According to the agency, the vulnerabilities identified with the device, which provides continuous monitoring of patients’ vital signs in US Healthcare and Public Health (HPH) settings, may put patients at risk once connected to the internet.
Go deeper with GlobalData
Contec’s patient monitor may be remotely controlled by an unauthorised user and not work as intended, the FDA said, asserting that this is due to a backdoor included in the device’s software.
The backdoor, which refers to a hidden functionality that device users are not told about, can allow unauthorised actors to bypass cybersecurity controls, and may result in the gathering of patient data, including personally identifiable information (PII) and protected health information (PHI), and the exfiltration of data outside of the healthcare delivery environment.
“These cybersecurity vulnerabilities can allow unauthorised actors to bypass cybersecurity controls, gaining access to and potentially manipulating the device,” the FDA stated.
“The FDA is not aware of any cybersecurity incidents, injuries, or deaths related to these cybersecurity vulnerabilities at this time.”
Alongside the US Cybersecurity and Infrastructure Security Agency (CISA), the FDA is working with China-based Contec to rectify the outlined vulnerabilities as soon as possible.
In the meantime, the FDA advises that healthcare providers check the affected patient monitors for any signs of unusual functioning, such as inconsistencies between the displayed patient vitals and the patient’s actual physical state.
Healthcare IT and cybersecurity staff are advised to stop using the monitor in cases where it relies on remote patient monitoring, or to unplug the device from the internet if it is only being used for localised monitoring.
CISA has issued a detailed fact sheet on the monitor’s identified vulnerabilities, and “strongly urges” HPH sector organisations to implement the FDA’s suggested mitigations.
The FDA’s Center for Devices and Radiological Health (CDRH) recently initiated a pilot centred on improving the timeliness of communications to the public around corrective actions being taken by companies with devices believed to be high-risk recalls.
Speaking at the recent Outsourcing Clinical Trials (OCT) Medical Devices 2025 conference, which took place in Munich, Germany on 28-29 January, David Bicknell, principal analyst, strategic research at GlobalData, stated that the rising sophistication in medical devices means the requirement for sophisticated security measures to protect patient data and device functionality will likely rise in 2025.
