FDA warns of cybersecurity vulnerabilities in patient monitors
On Thursday, the U.S. Food and Drug Administration (FDA) released a safety communication alerting hospitals and health systems to cybersecurity risks associated with certain patient monitors.
In the alert, the FDA said multiple vulnerabilities have been identified in monitors manufactured by Contec and Epsimed. Specifically, the agency is concerned the devices could be accessed by malicious actors intent on manipulating the monitors, which show patient vital signs such as heart rate and blood pressure.
The issue also covers remote control of the monitors: they can be accessed by someone from outside the organization and potentially used as a foothold into the broader hospital network to which they are connected.
“The software on the patient monitors includes a backdoor, which may mean that the device or the network to which the device has been connected may have been or could be compromised,” the FDA warned.
“These cybersecurity vulnerabilities can allow unauthorized actors to bypass cybersecurity controls, gaining access to and potentially manipulating the device,” the agency added.
The FDA said the notice is only a warning: there have been no reported data breaches associated with use of the monitors, nor is there any evidence that any of the devices have been accessed by cybercriminals in a real-world setting.
“The FDA is not aware of any cybersecurity incidents, injuries or deaths related to these cybersecurity vulnerabilities at this time,” the agency added. It asks providers to report any incidents related to Contec CMS8000 or Epsimed MN-120 patient monitors, using the FDA’s MedWatch portal.
The monitors are intended to be used only when hardwired, meaning connected to the Internet via Ethernet. However, the wireless capabilities of the monitors mean they could be used over hospital WiFi, increasing the chance that they could be accessed remotely by a nefarious actor. The agency reminds healthcare organizations that the monitors are not authorized for wireless use because of the security risks.
“The Cybersecurity and Infrastructure Security Agency (CISA) has identified that once the patient monitor is connected to the internet, it begins gathering and exfiltrating (withdrawing) patient data outside of the health care delivery environment, including when the device is used in a home setting,” the FDA said.
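The behaviour CISA describes, a monitor sending patient data outside the care-delivery environment, is something a hospital network team can look for directly: a patient monitor has no business opening connections to addresses outside the organization's own ranges. The script below is an added example, not code from the FDA or CISA notice, and it checks direction and destination rather than any particular remote address, since the notice names none. The flow-log format, the monitor inventory and every IP address in it are constructed for illustration.

```python
"""Flag patient monitors that send traffic outside the clinical network.

Added example (not from the FDA/CISA notice): given flow records exported
from a firewall or switch, report any flow whose source is a known monitor
address and whose destination lies outside the organization's private ranges.
Log format, device inventory and addresses are all constructed.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed inventory: addresses assigned to monitors on the device VLAN.
MONITOR_ADDRS = {"10.20.30.15", "10.20.30.16", "10.20.30.17"}

# Destinations considered internal to the care-delivery environment (RFC 1918).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow-log format: ISO timestamp followed by key=value fields.
FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+"
    r"proto=(?P<proto>\w+)\s+dport=(?P<dport>\d+)\s+bytes_out=(?P<bytes>\d+)$")


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    dport: int
    bytes_out: int


def is_internal(addr: str) -> bool:
    """True if the address falls inside one of the organization's own ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_flow(line: str):
    """Return the flow's fields as a dict, or None for a malformed line."""
    m = FLOW_RE.match(line.strip())
    return m.groupdict() if m else None


def find_external_monitor_flows(lines):
    """Return one Finding per flow from a monitor to a non-internal destination."""
    findings = []
    for line in lines:
        rec = parse_flow(line)
        if rec is None:
            continue  # skip malformed lines instead of aborting the whole run
        if rec["src"] in MONITOR_ADDRS and not is_internal(rec["dst"]):
            findings.append(Finding(rec["ts"], rec["src"], rec["dst"],
                                    int(rec["dport"]), int(rec["bytes"])))
    return findings


def summarize_by_destination(findings):
    """Total bytes sent per external destination, to size the exposure."""
    totals = {}
    for f in findings:
        totals[f.dst] = totals.get(f.dst, 0) + f.bytes_out
    return totals


# Constructed sample flows; 203.0.113.x and 198.51.100.x are documentation ranges.
SAMPLE_FLOWS = [
    "2025-01-30T14:02:11Z src=10.20.30.15 dst=10.20.1.5 proto=tcp dport=5000 bytes_out=2048",
    "2025-01-30T14:02:14Z src=10.20.30.15 dst=203.0.113.7 proto=tcp dport=8443 bytes_out=48210",
    "2025-01-30T14:02:20Z src=10.20.30.16 dst=203.0.113.7 proto=tcp dport=8443 bytes_out=50112",
    "2025-01-30T14:02:25Z src=10.20.40.9 dst=198.51.100.3 proto=tcp dport=443 bytes_out=900",
    "not a flow record",
    "2025-01-30T14:02:31Z src=10.20.30.17 dst=192.168.50.2 proto=udp dport=5353 bytes_out=120",
]

if __name__ == "__main__":
    found = find_external_monitor_flows(SAMPLE_FLOWS)
    for f in found:
        print(f"{f.ts} monitor {f.src} -> external {f.dst}:{f.dport} ({f.bytes_out} bytes)")
    print("bytes per external destination:", summarize_by_destination(found))
```

Only the two flows from monitor addresses to the documentation-range destination are reported; the workstation's outbound HTTPS and the monitor's multicast DNS to another internal host are not. In practice the same rule belongs in the firewall policy for the device VLAN (deny outbound by default, allow only the central station), with the log check as the detective control that confirms the policy is holding.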
The FDA added that it and CISA are working with vendors to “correct these vulnerabilities as soon as possible,” and will continue to issue alerts as cybersecurity vulnerabilities are identified.
The full notice can be found here.