The U.S. Food and Drug Administration (FDA) has issued a safety communication highlighting cybersecurity vulnerabilities in certain patient monitors manufactured by Contec and relabeled by Epsimed.
The FDA’s notice, published on Thursday, identifies three critical security flaws that could allow unauthorized access to remote monitoring systems, potentially enabling attackers to manipulate device functions. While no incidents, injuries, or deaths have been reported, the agency is urging patients, healthcare professionals, and IT personnel to implement protective measures.
Contec, a China-based medical device manufacturer, produces the CMS8000 patient monitor, which Epsimed sells under its MN-120 product line. These monitors display vital signs and other critical patient information in both healthcare and home settings.
According to the FDA, the vulnerabilities could permit unauthorized users to remotely control the devices, disrupt functionality, and compromise patient data. A hidden backdoor in the software enables attackers to bypass security controls, potentially leading to data breaches or device malfunctions.
The Cybersecurity and Infrastructure Security Agency (CISA) has also assessed the threat, stating that unauthorized changes to the configuration of CMS8000 and MN-120 monitors pose a significant risk to patient safety. A malfunctioning device could lead to improper medical responses to displayed vital signs.
CISA’s findings indicate that the vulnerabilities exist in all analyzed versions of the software and are considered highly severe. An anonymous researcher first reported the security flaws to CISA, prompting further investigation.
To mitigate risks, the FDA advises IT and cybersecurity staff at healthcare facilities to use local monitoring features exclusively. If a monitor relies on remote access, it should be disconnected immediately. Devices that do not require remote monitoring should be removed from the internet by unplugging Ethernet cables and disabling Wi-Fi or cellular connections.
“If you cannot disable the wireless capabilities, then continuing to use the device will expose the device to the backdoor and possible continued patient data exfiltration,” the FDA stated. “Be aware, at this time there is no software patch available to help mitigate this risk.”
This warning comes amid increasing concerns about the security of healthcare data. The Office for Civil Rights reported a more than 100% rise in large-scale data breaches from 2018 to 2023, with the number of individuals impacted soaring by over 1,000% during the same period.