A popular medical monitor is the latest China-made device to come under close scrutiny for its cyber risk, but it is not the only health device raising concern. Experts say the proliferation of Chinese-made health devices in the American medical system is a concern across the entire ecosystem.
The Contec CMS8000 is a popular patient monitor that tracks a patient's vital signs: electrocardiograms, heart rate, blood oxygen saturation, non-invasive blood pressure, temperature and respiration rate. In recent months the FDA and the Cybersecurity and Infrastructure Security Agency (CISA) warned of a “backdoor” in the device, an “easy-to-exploit vulnerability that could allow a bad actor to alter its configuration”.
CISA's research team described “anomalous network traffic” and a backdoor “allowing the device to download and execute unverified files” from an IP address associated not with a medical device manufacturer or a medical facility but with a third-party university, “highly unusual characteristics” that run counter to generally accepted practices, “especially for medical devices”.
“When the function is executed, files on the device are forcibly overwritten, preventing the end customer – such as a hospital – from maintaining awareness of what software is running on the device,” CISA wrote.
The warnings note that such configuration tampering could, for example, cause the monitor to indicate that a patient's kidneys are malfunctioning or that the patient is in respiratory failure when they are not, which could lead medical staff to administer unnecessary and potentially harmful treatments.
The Contec vulnerability does not surprise medical and IT experts, who have warned for years that medical-device security is too lax.
Hospitals are worried about hacking
“This is a huge gap that is about to explode,” said Christopher Kaufman, a business professor at Westcliff University in Irvine, California, who specializes in IT and disruptive technologies, referring specifically to the security gap in many medical devices.
The American Hospital Association, which represents more than 5,000 hospitals and clinics in the United States, agrees. It views the proliferation of Chinese medical devices as a serious threat to the system.
As for the Contec monitors in particular, the AHA says the problem must be addressed urgently.
“We have to put this at the top of the list for the potential for patient harm; we have to patch before the hack,” said John Riggi, national advisor for cybersecurity and risk at the American Hospital Association. Riggi held counterterrorism roles at the FBI before joining the AHA.
CISA reports that no software patch is yet available to help mitigate the risk, but said in its advisory that the government is currently working with Contec.
Contec, headquartered in Qinhuangdao, China, did not return a request for comment.
One of the problems is that the number of monitors in the United States is unknown
“We do not know, because of the volume of equipment in hospitals. We conservatively assume there are thousands of these monitors; this is a very critical vulnerability,” Riggi said, adding that Chinese access to the devices could pose strategic, technical and supply-chain risks.
In the short term, the FDA advised health systems and patients to ensure the devices operate only locally or to disable any remote monitoring; or, if remote monitoring is the only option, to stop using the device if an alternative is available. The FDA said that to date it is not aware of any cybersecurity incidents, injuries or deaths related to the vulnerability.
The American Hospital Association has also told its members that until a fix is available, hospitals should ensure the monitor has no Internet access and is segmented from the rest of the network.
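As an added example (not from the article, CISA, the FDA or the AHA), the check below applies the guidance above to constructed network flow records: a monitor on the patient-monitor VLAN that reaches anything other than the local central station is flagged, and any contact with an address outside the hospital's internal ranges is reported separately, since that is the kind of outbound traffic CISA described. The subnets, addresses, ports and log format are all assumptions constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed for this example: the VLAN that holds the patient monitors, the
# only hosts they should ever talk to (the local central station), and the
# address ranges the hospital considers "internal".
MONITOR_SUBNET = ipaddress.ip_network("10.20.30.0/24")
ALLOWED_DESTINATIONS = {ipaddress.ip_address(a) for a in ("10.20.31.10", "10.20.31.11")}  # hypothetical stations
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class Flow:
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int

def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record: '<timestamp> <src> <dst> <dport>'."""
    ts, src, dst, dport = line.split()
    return Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport))

def classify(flow: Flow) -> Optional[str]:
    """Describe how a flow from the monitor segment breaks the isolation policy."""
    if flow.src not in MONITOR_SUBNET or flow.dst in ALLOWED_DESTINATIONS:
        return None  # not a monitor, or an expected monitor-to-station flow
    if not any(flow.dst in net for net in INTERNAL_NETWORKS):
        # A monitor reaching any outside address at all is the traffic CISA
        # flagged and the condition the AHA guidance says must never occur.
        return f"INTERNET_EGRESS {flow.src} -> {flow.dst}:{flow.dport}"
    return f"SEGMENTATION_VIOLATION {flow.src} -> {flow.dst}:{flow.dport}"

def audit(lines: List[str]) -> List[str]:
    """Run the isolation check over flow records, returning one finding per violation."""
    return [f for f in (classify(parse_flow(ln)) for ln in lines if ln.strip()) if f]

# Constructed sample flow log; none of these addresses are real indicators.
SAMPLE_LOG = """
2025-02-01T10:00:01 10.20.30.5 10.20.31.10 4601
2025-02-01T10:00:02 10.20.30.5 10.20.31.11 4601
2025-02-01T10:00:07 10.20.30.5 203.0.113.45 443
2025-02-01T10:00:09 10.20.30.7 10.20.40.22 445
2025-02-01T10:00:12 10.20.50.9 203.0.113.45 443
""".strip().splitlines()

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

In a real deployment the records would come from the firewall or flow collector in front of the monitor VLAN, and any finding at all means the segmentation the AHA calls for is not actually in place.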
Riggi said that while the Contec monitors are a prime example of what we do not often consider among health-care risks, the issue extends to a range of medical equipment produced abroad. Cash-strapped American hospitals, he explained, often buy medical devices from China, a country with a history of planting destructive malware inside critical infrastructure in the United States. Low-cost equipment buys China potential access to a trove of American medical information that can be repurposed and aggregated for all kinds of purposes. Riggi says data is often transmitted to China in order to monitor a device's performance, but nothing is known about what happens to the data beyond that.
Riggi says individuals are not so much at acute medical risk as the information collected and aggregated is at risk of being repurposed to endanger the broader medical system. However, he stresses that, at least in theory, it cannot be ruled out that prominent Americans with medical devices could be targeted for disruption.
“When we talk to hospitals, CEOs are surprised; they had no idea of the dangers of these devices, so we help them understand. The question for government is how to encourage domestic production, away from overseas,” Riggi said.
Chinese data collection on Americans
The Contec warning resembles the broader alarm over TikTok, DeepSeek, TP-Link routers and other Chinese devices and technologies that, according to the U.S. government, collect data on Americans. “And that's all I need to hear to decide whether to buy medical devices from China,” Riggi said.
Aras Nazarovas, an information security researcher at Cybernews, agrees that the threat CISA describes raises serious problems that must be addressed.
“We have a lot to fear,” Nazarovas said. Medical devices such as the Contec CMS8000 often have access to highly sensitive patient data and are directly connected to vital functions. Nazarovas says that when devices are poorly defended, they become easy prey for hackers who can manipulate the displayed data, change vital settings or disable the device entirely.
“In some cases, these devices are so poorly protected that attackers can gain remote access and alter how the device functions without the hospital or patients knowing,” Nazarovas said.
The consequences of the Contec vulnerability, and of vulnerabilities in a range of Chinese-made medical devices, could easily be fatal.
“Imagine a patient monitor that stops alerting doctors to a drop in a patient's heart rate, or sends incorrect readings, leading to a delayed or wrong diagnosis,” Nazarovas said. In the case of the Contec CMS8000 and the Epsimed MN-120 (a different brand name for the same technology), the government warned, the devices have been configured to allow remote code execution by a remote server.
“This feature can be used as an entry point into the hospital network,” Nazarovas said, putting patients in danger.
More and more hospitals and clinics are paying attention. Bartlett Regional Hospital in Juneau, Alaska, does not use Contec monitors but is still watching for risks. “Regular monitoring is essential because the risk of cybersecurity attacks against hospitals continues to increase,” said Erin Hardin, a spokesperson for Bartlett.
But regular monitoring may not be enough as long as devices are built with poor security.
Potentially making things worse, Kaufman says, is that the Department of Government Efficiency is hollowing out the agencies responsible for safeguarding these devices. According to the Associated Press, many of the recent FDA layoffs are employees who review the safety of medical devices.
Kaufman laments the likely lack of government oversight of what he says is already an unregulated industry. A U.S. Government Accountability Office report in January 2022 said that 53% of connected medical devices and other Internet-of-Things devices in hospitals had critical vulnerabilities. He says the problem has only gotten worse since then. “I do not know what will be left at the helm of these agencies,” Kaufman said.
“Medical device problems have been widespread and have been known for some time now,” said Silas Cutler, a principal security researcher at the medical data company Censys. “The reality is that the consequences can be disastrous – and even fatal. While highly publicized individuals are at high risk, the most affected will be the hospital systems themselves, with cascading effects on everyday patients.”