FDA recommended hospitals stop using the devices or disconnect them from the internet.
A patient monitor made by Chinese manufacturer Contec contains a backdoor that could allow an attacker to access patient data and remotely manipulate the devices, U.S. authorities said on Friday.
The Contec patient monitor CMS8000 is a device used to monitor human vital signs in hospitals and and clinics in the European Union and the United States.
The Food and Drug Administration (FDA) issued a statement, recommending hospitals and caregivers check Contec CMS8000 monitors, disconnect the device from the internet, or stop using it if the device relies on remote monitoring features.
The recommendation also applies to the same devices relabelled and sold as Epsimed MN-120 patient monitors.
“Once the patient monitor is connected to the internet, it begins gathering patient data, including personally identifiable information (PII) and protected health information (PHI), and exfiltrating (withdrawing) the data outside of the health care delivery environment,” the FDA said.
The device also contains a backdoor that can allow unauthorized persons to cause the device to crash or malfunction, or to corrupt data on the device, the FDA said.
The regulator said it’s not currently aware of any cybersecurity incidents, injuries, or deaths related to the vulnerabilities found on the device. It asked users to report any problems they find.
The vulnerabilities were identified by a research team from the Cybersecurity & Infrastructure Security Agency (CISA), which analyzed three versions of firmware for the Contec CMS8000 patient monitor.
The team found a backdoor that connects the devices to a hard-coded IP address, “allowing the device to download and execute unverified remote files,” CISA said in a report detailing the team’s findings.
The agency didn’t disclose the location of the IP address, stating only that it belongs to a “third-party university.”
The research team determined that it is “very unlikely” the backdoor serves as an alternative update mechanism due to the code’s “highly unusual characteristics,” which differ from those of other update mechanisms.
CISA said when the backdoor function on the device is executed, “files on the device are forcibly overwritten” without the knowledge of the end user, so hospitals won’t know what software is running on the device.
By Lily Zhou
