
Medical devices produced in China are all over the United States, and the government is concerned

A popular medical monitor is the latest device produced in China to be scrutinized for potential cyber risks. However, it is not the only health device that we should worry about. Experts say that the spread of Chinese health devices in the US medical system is a reason for concern across the entire ecosystem.
The Contec CMS8000 is a popular medical monitor that tracks a patient's vital signs. The device tracks electrocardiograms, heart rate, blood oxygen saturation, non-invasive blood pressure, temperature and respiratory rate. In the past few months, the FDA and the Cybersecurity and Infrastructure Security Agency (CISA) both warned of a “back door” in the device, an “easily exploitable vulnerability that could enable a bad actor to change its configuration.”
The CISA research team described “anomalous network traffic” and the backdoor, with which the device downloads and executes unverified remote files from an IP address that is not associated with a manufacturer of medical devices or a medical facility but with a third-party university, as “highly unusual features”.
“When the function is executed, files on the device are forcibly overwritten, preventing the end customer – like a hospital – from maintaining awareness of which software is running on the device,” wrote CISA.
According to the warnings, such a configuration change could lead the monitor to indicate, for example, that a patient's kidneys are malfunctioning or that breathing is failing, which could lead medical personnel to administer unnecessary remedies that could be harmful.
The vulnerability of the Contec devices does not surprise the medical and IT experts who have warned for years that the security of medical devices is too lax.
Hospitals are concerned about cyber risks
“This is a big gap that will explode,” said Christopher Kaufman, a business professor at Westcliff University in Irvine, California, who specializes in IT and disruptive technologies, speaking specifically about the security gap in many medical devices.
The American Hospital Association, which represents over 5,000 hospitals and clinics in the United States, regards the spread of Chinese medical devices as a serious threat to the system.
With regard to the Contec monitors, the AHA says that the problem urgently needs to be addressed.
“We have to put this at the top of the list given the potential for patient harm. We have to patch before hacking,” said John Riggi, a national consultant for cyber security and risk for the American Hospital Association. Riggi also served in counterterrorism roles at the FBI before joining the AHA.
CISA reports that no software patch is available to mitigate this risk, but said in its advisory that the government is currently working with Contec.
Contec, which is headquartered in Qinhuangdao, China, did not respond to a request for comment.
One of the problems is that it is not known how many monitors are in the USA.
“We do not know that there are room for equipment in hospitals. We speculate that there are, conservatively, thousands of these monitors. This is a very critical vulnerability,” said Riggi, adding that Chinese access to the devices can pose strategic, technical and supply chain risks.
In the short term, the FDA advised medical systems and patients to ensure that the devices only run locally or to disable remote monitoring, or, if remote monitoring is the only option, to stop using the device when an alternative is available. The FDA said that so far it is not aware of any cyber security incidents, injuries or deaths in connection with the vulnerability.
The American Hospital Association has also told its members that, until a patch is available, hospitals should ensure that the monitor no longer has access to the Internet and is segmented from the rest of the network.
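One way to check that the isolation advised by the FDA and the AHA is actually in effect, shown as an added example that is not part of the original article: the Python below audits flow records for patient monitors that still reach the internet or other internal networks. The addresses, ports, the central-station allowlist and the record format are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed inventory (assumption): subnet holding the patient monitors.
MONITOR_NET = ipaddress.ip_network("10.20.30.0/24")
# Constructed allowlist (assumption): the only peer monitors may talk to.
ALLOWED_PEERS = {ipaddress.ip_address("10.20.30.5")}
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records, one per line: "src dst dst_port bytes".
SAMPLE_FLOWS = """\
10.20.30.41 10.20.30.5 8080 1820
10.20.30.41 203.0.113.77 443 40960
10.20.30.42 10.20.30.5 8080 1764
10.20.30.42 10.99.1.10 445 300
10.50.1.9 198.51.100.3 443 9000
"""

def audit_monitor_flows(text, monitor_net=MONITOR_NET, allowed=ALLOWED_PEERS):
    """Return {monitor_ip: [(dst, port, reason), ...]} for flows that break isolation."""
    findings = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records
        src = ipaddress.ip_address(parts[0])
        dst = ipaddress.ip_address(parts[1])
        if src not in monitor_net or dst in allowed:
            continue  # not a monitor, or traffic to the permitted peer
        if dst in monitor_net:
            reason = "unexpected peer inside monitor segment"
        elif any(dst in net for net in INTERNAL_NETS):
            reason = "reaches another internal network"
        else:
            reason = "internet egress"
        findings[str(src)].append((str(dst), int(parts[2]), reason))
    return dict(findings)

if __name__ == "__main__":
    for monitor, hits in audit_monitor_flows(SAMPLE_FLOWS).items():
        for dst, port, reason in hits:
            print(f"{monitor} -> {dst}:{port}  {reason}")
```

Any "internet egress" finding means the monitor can still reach outside hosts; an "internal network" finding means it is not yet segmented from the rest of the hospital network.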
Riggi said that the Contec monitors are a prime example of what we do not often take into account among health care risks. Cash-strapped US hospitals, he said, often buy medical devices from China, a country with a history of placing destructive malware within critical infrastructure in the US. Inexpensive devices give the Chinese potential access to an abundance of American medical information that can be repurposed and aggregated for all possible purposes. According to Riggi, data is often transferred to China with the purpose of monitoring the performance of a device, but little else is known about what happens to the data beyond that.
According to Riggi, the acute medical risk to individuals is less of a concern than the information being collected and aggregated, which could put the larger medical system at risk. Nevertheless, he points out that, at least theoretically, it cannot be ruled out that prominent Americans with medical devices could be targeted for disruption.
“When we talk to hospitals, the CEOs are surprised, they had no idea about the dangers of these devices, so we help them to understand them. The question for the government is how domestic production cannot be stimulated in overseas,” said Riggi.
Chinese data collection on Americans
The Contec warning is similar to those about TikTok, DeepSeek, TP-Link routers and other devices and technologies from China, which the US government says collect data on Americans. “And that's all I have to hear to decide whether I should buy medical devices from China,” said Riggi.
Aras Nazarovas, a researcher for information security at Cybernews, agrees that the CISA warning raises serious problems that need to be addressed.
“We have a lot to fear,” said Nazarovas. Medical devices, like the Contec CMS8000, often have access to highly sensitive patient data and are directly connected to life-saving functions. According to Nazarovas, if the devices are poorly defended, they become easy prey for hackers who can manipulate the data displayed, change vital settings or completely disable the device.
“In some cases, these devices are so badly protected that attackers can gain remote access and change the way the device works without the hospital or the patients ever knowing,” said Nazarovas.
The consequences of the Contec security gap and the weaknesses in a number of Chinese-made medical devices could easily be life-threatening. “Imagine a patient monitor that stops alerting doctors to a drop in a patient's heart rate, or gives a wrong measurement, which leads to a delayed or false diagnosis,” said Nazarovas. “The Contec CMS8000 and the EPSIMED MN-1220 (another brand name for the same technology) can be used as an entry point to the hospital network,” added Nazarovas.
Other hospitals and clinics are paying attention. The Bartlett Regional Hospital in Juneau, Alaska, does not use the Contec monitors, but is always on the lookout for risks. “Regular surveillance is of crucial importance, since the risk of cyber security attacks on hospitals continues to increase,” says Erin Hardin, a spokeswoman for Bartlett.
However, regular monitoring may not be sufficient as long as devices are produced with poor security.
The matter may get worse, says Kaufman, as the Department of Government Efficiency hollows out the departments that are responsible for securing such devices. According to the Associated Press, many of the recent layoffs at the FDA are of employees who check the safety of medical devices.
Kaufman laments the likely lack of government oversight of what is already a loosely regulated industry. A US Government Accountability Office report in January 2022 showed that 53% of the networked medical devices and other Internet of Things devices in hospitals had known critical vulnerabilities. He says the problem has only become worse since then. “I am not sure what these agencies will lead,” said Kaufman.
“Problems with the medical devices are widespread and have been known for some time,” said Silas Cutler, principal security researcher at medical data company Censys. “The reality is that the consequences can be bad, and even fatal. While top-class people are exposed to an increased risk, those affected will be the hospital system itself, with the effects on everyday patients cascading.”