A popular medical monitor is the latest device produced in China to come under scrutiny for its possible cybersecurity risks. It is not, however, the only health device we need to worry about. Experts say the proliferation of Chinese-made health devices in the US medical system is a matter of concern throughout the ecosystem.
The Contec CMS8000 is a popular medical monitor that tracks a patient's vital signs: electrocardiogram, heart rate, blood oxygen saturation, non-invasive blood pressure, temperature and respiration rate. In recent months, the FDA and the Cybersecurity and Infrastructure Security Agency (CISA) warned about a “backdoor” in the device, an “easy-to-exploit vulnerability that could allow a bad actor to alter its configuration.”
The CISA research team described “anomalous network traffic” and a backdoor “that allows the device to download and execute unverified remote files” from an IP address associated not with a medical device manufacturer or a medical facility but with a third-party university, “highly unusual characteristics” that go against generally accepted practices, “especially for medical devices.”
“When the function is executed, files on the device are forcibly overwritten, preventing the end customer, such as a hospital, from maintaining awareness of what software is running on the device,” CISA wrote.
The warnings say that such an alteration of the configuration could lead, for example, to the monitor indicating that a patient's kidneys or breathing are failing, which could prompt medical staff to administer unnecessary treatments that could be harmful.
The Contec vulnerability does not surprise the medical and IT experts who have warned for years that medical device security is too lax.
“This is a huge gap that is about to explode,” said Christopher Kaufman, a business professor at Westcliff University in Irvine, California, who specializes in IT and disruptive technologies, referring specifically to the security gap in many medical devices.
The American Hospital Association, which represents more than 5,000 hospitals and clinics in the United States, agrees. It sees the proliferation of Chinese medical devices as a serious threat to the system.
As for the Contec monitors specifically, the AHA says the problem must be addressed urgently.
“We have to put this at the top of the list for potential patient harm; we have to patch before we get hacked,” said John Riggi, national advisor for cybersecurity and risk at the American Hospital Association. Riggi also served in counterterrorism roles at the FBI before joining the AHA.
CISA reports that there is no software patch available to help mitigate this risk, but in its notice it said the government is currently working with Contec.
Contec, based in Qinhuangdao, China, did not respond to a request for comment.
One of the problems is that it is unknown how many of these monitors are in the United States.
“We do not know, due to the large volume of equipment in hospitals. We speculate that there are, conservatively, thousands of these monitors; this is a very critical vulnerability,” Riggi said, adding that Chinese access to the devices can pose strategic, technical and supply-chain risks.
In the short term, the FDA advised health systems and patients to ensure the devices operate only locally or to disable any remote monitoring; or, if remote monitoring is the only option, to stop using the device if an alternative is available. The FDA said that to date it is not aware of any cybersecurity incidents, injuries or deaths related to the vulnerability.
The American Hospital Association has also told its members that until a patch is available, hospitals must ensure the monitor no longer has internet access and is segmented from the rest of the network.
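The FDA and AHA guidance above boils down to two checkable network conditions: the monitors must have no path to the internet, and they must be segmented from the rest of the hospital network. The following is an added example, not code from the article, CISA, the FDA or the AHA, of how a hospital network team could audit connection logs from its firewall or flow collector for violations of those two conditions. The monitor VLAN, the allowlisted central-station host, the log format and the sample records are all constructed for illustration.

```python
"""Audit flow records from a medical-device VLAN against two conditions:
(1) no traffic to the internet, (2) no traffic to other internal subnets
except an explicitly allowlisted clinical server. Everything below
(subnets, hosts, log format, sample lines) is constructed for the example."""

import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed layout (assumption): monitors sit in one VLAN and may only
# talk to the local central station that aggregates their vital signs.
MONITOR_VLAN = ipaddress.ip_network("10.50.0.0/24")
ALLOWED_DESTINATIONS = {ipaddress.ip_address("10.50.0.10")}

# RFC 1918 ranges; anything outside them is treated as the internet.
INTERNAL_RANGES = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


@dataclass
class Flow:
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse one 'timestamp src dst dport proto' record (constructed format)."""
    ts, src, dst, dport, proto = line.split()
    return Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), proto)


def is_internal(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in INTERNAL_RANGES)


def classify(flow: Flow) -> Optional[str]:
    """Return a finding for a monitor-originated flow, or None if it is permitted."""
    if flow.src not in MONITOR_VLAN:
        return None  # not a monitor; outside the scope of this audit
    if flow.dst in ALLOWED_DESTINATIONS:
        return None  # the one clinical server the monitors are meant to reach
    if not is_internal(flow.dst):
        # A public destination means the monitor still has internet reach,
        # the exact condition the FDA/AHA guidance says must not exist.
        return "internet-egress"
    # Internal but not allowlisted: the VLAN is not segmented from the rest of the network.
    return "segmentation-violation"


def audit(lines: List[str]) -> List[Tuple[str, str, str, int]]:
    """Run classify() over a log and collect (finding, src, dst, dport) tuples."""
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        flow = parse_flow(line)
        verdict = classify(flow)
        if verdict:
            findings.append((verdict, str(flow.src), str(flow.dst), flow.dport))
    return findings


# Constructed sample records: one permitted flow to the central station, one
# monitor reaching a public address, one monitor reaching a file-sharing port
# on an unrelated internal subnet, and one unrelated workstation flow.
SAMPLE_LOG = """\
# ts src dst dport proto
2025-02-01T08:00:01 10.50.0.21 10.50.0.10 515 tcp
2025-02-01T08:00:05 10.50.0.21 203.0.113.45 515 tcp
2025-02-01T08:00:09 10.50.0.22 10.20.3.7 445 tcp
2025-02-01T08:00:12 10.10.1.5 203.0.113.45 443 tcp
""".splitlines()

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

Running the script on the constructed log reports one "internet-egress" finding and one "segmentation-violation" finding; the workstation flow is ignored because only monitor-originated traffic is in scope. The same two checks can be pointed at a real firewall export once the VLAN and allowlist are replaced with the hospital's own values, and any "internet-egress" hit on a monitor is the signal that the device has not actually been cut off as the guidance requires.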
Riggi said that while the Contec monitors are a prime example of something we do not often consider among the risks to health care, the risk extends to a variety of medical equipment produced abroad. Cash-strapped American hospitals, he explained, often buy medical devices from China, a country with a history of embedding destructive malware in low-cost equipment within US critical infrastructure. The result is a trove of American medical information that can be repurposed and aggregated for all kinds of purposes. Riggi says the data is often transmitted to China with the stated purpose of monitoring a device's performance, but little more is known about what happens to the data beyond that.
Riggi says that individuals are not so much at acute medical risk as the information collected and aggregated is being repurposed, putting the broader health system at risk. Even so, he points out that, at least theoretically, it cannot be ruled out that prominent Americans with medical devices could be targeted for disruption.
“When we talk to hospitals, CEOs are surprised; they had no idea of the dangers of these devices, so we are helping them to understand. The question for the government is how to encourage domestic production, away from overseas,” Riggi said.
The Contec warning is similar at a general level to those about TikTok, Veteran, TP-Link routers and other devices and technology from China that the United States government says are collecting data on Americans. “And that is all I need to hear to decide whether to buy medical devices from China,” Riggi said.
Aras Nazarovas, an information security researcher at Cybernews, agrees that the threat identified by CISA poses serious problems that must be addressed.
“We have a lot to fear,” said Nazarovas. Medical devices such as the Contec CMS8000 often have access to highly sensitive patient data and are directly connected to life-saving functions. Nazarovas says that when the devices are poorly defended, they become easy prey for hackers, who can manipulate the data displayed, alter vital settings or disable the device completely.
“In some cases, these devices are so badly protected that attackers can gain remote access and change the way the device operates without the hospital or patients knowing,” said Nazarovas.
The consequences of the Contec vulnerability, and of vulnerabilities in a variety of Chinese-made medical devices, could easily be fatal.
“Imagine a patient monitor that stops alerting doctors to a drop in a patient's heart rate, or sends incorrect readings, leading to a delayed or incorrect diagnosis,” Nazarovas said. In the case of the Contec CMS8000 and the Epsimed MN-120 (a different brand of the same technology), according to the government warning, these devices were configured to allow remote code execution by the remote server.
“This functionality can be used as an entry point into the hospital network,” said Nazarovas, putting patients in danger.
More hospitals and clinics are paying attention. Bartlett Regional Hospital in Juneau, Alaska, does not use Contec monitors, but it is always on the lookout for risks. “Regular monitoring is critical as the risk of cybersecurity attacks against hospitals continues to increase,” says Erin Hardin, a Bartlett spokeswoman.
However, regular monitoring may not be enough when devices are shipped with little security built in.
Potentially making things worse, Kaufman says, is that the Department of Government Efficiency is hollowing out the departments in charge of safeguarding such devices. According to the Associated Press, many of the recent layoffs at the FDA were employees who review the safety of medical devices.
Kaufman laments the likely lack of government oversight of what is already, he says, a loosely regulated industry. A U.S. Government Accountability Office report from January 2022 indicated that 53% of connected medical devices and other internet-connected devices in hospitals had known critical vulnerabilities. He says the problem has only worsened since then. “I'm not sure what these agencies will be running,” Kaufman said.
“Medical device problems are widespread and have been known for some time,” said Silas Cutler, principal security researcher at the medical data company Censys. “The reality is that the consequences can be serious, and even deadly. While high-profile individuals are at elevated risk, the most affected will be hospital systems, with cascading effects on everyday patients.”