FDA Warns of Cybersecurity Risks in Contec and Epsimed Patient Monitors

The U.S. Food and Drug Administration (FDA) has issued a safety communication warning health care providers, facilities, and patients about cybersecurity vulnerabilities in Contec CMS8000 patient monitors and their relabeled counterpart, the Epsimed MN-120. These vulnerabilities could allow unauthorized access, manipulation of the devices, or exposure of sensitive patient data when connected to the internet.

Three key vulnerabilities have been identified. First, an unauthorized user could remotely control the device or cause it to malfunction. Second, the software contains a backdoor that may compromise both the monitor and the network it is connected to. Third, once online, the monitor automatically begins collecting and transmitting patient data, including personally identifiable information (PII) and protected health information (PHI), outside of the health care environment. Although the FDA has not received reports of cybersecurity incidents, injuries, or deaths linked to these vulnerabilities, the agency is urging immediate action.

The FDA advises patients and caregivers to consult their health care providers about whether their monitor relies on remote monitoring. If so, they should unplug the device and seek an alternative. Health care providers and facility staff are urged to disable wireless and ethernet connectivity unless essential and to monitor for unusual device behavior. Information technology and cybersecurity personnel should follow additional guidance from the Cybersecurity and Infrastructure Security Agency (CISA) and be aware that no software patch is currently available to address these risks.

The FDA is working with Contec and CISA to resolve these vulnerabilities and continues to assess new information. Patients and health care professionals are encouraged to report any issues with affected monitors through the FDA’s MedWatch Voluntary Reporting system.

Article by multiple RFHC contributors.

---