
Backdoor uncovered in China-made patient monitors — Contec CMS8000 raises questions about healthcare device security

The US-based Cybersecurity & Infrastructure Security Agency (CISA) recently released an advisory involving three firmware versions used in a patient monitoring system called the Contec CMS8000, which is used in hospitals and healthcare facilities. It was discovered that these devices contain a backdoor with a hard-coded IP address, allowing patient data to be transmitted. This is possible because the devices can connect to a central monitoring system via a wired or wireless network, according to the product description.

The agency published the code that transmits data to a particular IP address. The decoded data contains detailed information such as the doctor’s name, patients, hospital department, admission date, date of birth, and other information about the people who used the device. This vulnerability has been assigned a CVE with a CVSS v4 score of 7.7 out of 10. Two further CVEs were assigned: one indicating that an attacker could write data remotely to execute code, and one relating to a privacy weakness.

“These cybersecurity vulnerabilities can allow unauthorized actors to bypass cybersecurity controls, gaining access to and potentially manipulating the device,” the FDA said, adding that it is “not aware of any cybersecurity incidents, injuries, or deaths related to these cybersecurity vulnerabilities at this time.”

The agency notes that Contec Medical Systems is a medical device manufacturer based in China whose products are used in hospitals, clinics, and other healthcare facilities in the European Union and the United States. However, a quick search revealed that these devices can also be bought online. The same devices are also relabelled as the Epsimed MN-120, according to the FDA. Contec is a major manufacturer of medical devices that are sold in over 130 countries and are FDA-approved. The CISA research team discovered this vulnerability as part of its coordinated vulnerability disclosure process.

The agency says the IP address is not associated with any medical device manufacturer but belongs to a third-party university, though it does not name the university, the IP address, or the country the data is sent to. CISA also ruled out the possibility that this code was an alternative update mechanism, since it contains no standard update procedures such as tracking firmware versions or performing integrity checks. Instead, it simply has the remote file shared and transmitted to that IP address. As a solution for such a networked device, the FDA strongly recommends disconnecting the monitor from its network and monitoring the patient’s vital signs and physical condition directly.
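The behaviour CISA describes, a bedside monitor sending data to a hard-coded address that is not the facility's own central monitoring station, is something a hospital network team can look for in its own flow logs while waiting for a firmware fix. The following Python script is an added example written for this post; it is not code from CISA, the FDA, Contec, or Tom's Hardware. It walks over constructed flow-log lines, keeps only sources in an assumed monitor subnet, and flags every destination that is not on an assumed allowlist of approved monitoring hosts, aggregating bytes per source/destination pair so that repeated bulk egress stands out. Every address, port, and log line is a constructed placeholder, not the address from the CISA advisory.

```python
"""Flag outbound connections from patient monitors to unapproved destinations.

Added example for this post; not code from CISA, the FDA, Contec, or the
article. Every address, port, and log line is a constructed placeholder.
"""
import ipaddress
import re

# Assumed: the subnet where the facility keeps its bedside monitors.
MONITOR_SUBNET = ipaddress.ip_network("10.40.0.0/24")

# Assumed: the only hosts a monitor should ever talk to (the central
# monitoring station and a local time/update server). Anything else is
# unexpected and gets reported.
ALLOWED_DESTINATIONS = {
    ipaddress.ip_address("10.40.0.250"),
    ipaddress.ip_address("10.40.0.251"),
}

# Assumed: address space owned by the facility; destinations outside it are
# marked "external", which is the shape of the advisory's finding.
FACILITY_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

# One flow record per line in a simple key=value layout (constructed format).
FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)"
    r"\s+dport=(?P<dport>\d+)\s+bytes=(?P<bytes>\d+)$"
)

# Constructed sample: two monitors, one of which repeatedly pushes large
# transfers to an address outside the facility. 10.50.1.4 is not a monitor.
SAMPLE_FLOWS = """\
2025-01-30T08:00:01Z src=10.40.0.17 dst=10.40.0.250 dport=5000 bytes=1840
2025-01-30T08:00:02Z src=10.40.0.18 dst=10.40.0.250 dport=5000 bytes=1790
2025-01-30T08:00:05Z src=10.40.0.17 dst=203.0.113.77 dport=8000 bytes=52310
2025-01-30T08:00:06Z src=10.40.0.17 dst=10.40.0.251 dport=123 bytes=96
2025-01-30T08:05:05Z src=10.40.0.17 dst=203.0.113.77 dport=8000 bytes=48990
2025-01-30T08:05:09Z src=10.40.0.18 dst=10.40.9.9 dport=22 bytes=3120
2025-01-30T08:05:10Z src=10.50.1.4 dst=203.0.113.77 dport=443 bytes=900
"""


def parse_flow(line):
    """Parse one flow line into a dict, or return None for malformed input."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m["ts"],
        "src": ipaddress.ip_address(m["src"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "dport": int(m["dport"]),
        "bytes": int(m["bytes"]),
    }


def find_unexpected_egress(lines, monitor_subnet=MONITOR_SUBNET,
                           allowed=ALLOWED_DESTINATIONS,
                           facility_networks=FACILITY_NETWORKS):
    """Return findings for monitor traffic to destinations not on the allowlist.

    Findings are aggregated per (source, destination) pair and sorted with the
    largest byte count first, because steady bulk egress from a bedside monitor
    is the signal worth chasing.
    """
    findings = {}
    for line in lines:
        flow = parse_flow(line)
        if flow is None or flow["src"] not in monitor_subnet:
            continue  # unparseable line, or the source is not a monitor
        if flow["dst"] in allowed:
            continue  # approved central-station or local-server traffic
        key = (flow["src"], flow["dst"])
        entry = findings.setdefault(key, {
            "src": str(flow["src"]),
            "dst": str(flow["dst"]),
            "external": not any(flow["dst"] in net for net in facility_networks),
            "flows": 0,
            "bytes": 0,
            "dports": set(),
            "first_seen": flow["ts"],
        })
        entry["flows"] += 1
        entry["bytes"] += flow["bytes"]
        entry["dports"].add(flow["dport"])
    return sorted(findings.values(), key=lambda e: e["bytes"], reverse=True)


def format_findings(findings):
    """Render findings one per line, suitable for a ticket or a SIEM note."""
    lines = []
    for f in findings:
        scope = "EXTERNAL" if f["external"] else "internal"
        ports = ",".join(str(p) for p in sorted(f["dports"]))
        lines.append(f"{scope:8} {f['src']} -> {f['dst']} ports={ports} "
                     f"flows={f['flows']} bytes={f['bytes']} first={f['first_seen']}")
    return lines


if __name__ == "__main__":
    for line in format_findings(find_unexpected_egress(SAMPLE_FLOWS.splitlines())):
        print(line)
```

On the constructed sample the script reports two pairs: the monitor at 10.40.0.17 pushing roughly 100 KB to an external address across two flows, and a second monitor reaching an internal host that is not on the allowlist. The allowlist is the point: if a monitor must stay on the network despite the FDA's advice to disconnect it, the same allowlist can be enforced as an egress rule on the monitor VLAN rather than only used for detection, and real deployments would feed the script from a NetFlow or Zeek export instead of the embedded sample.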

Breach of Privacy and Confidential Information

The Contec CMS8000 monitors a patient’s vital signs and stores the data in great detail, including electrocardiogram, heart rate, blood oxygen, blood pressure, respiration rate, and more. This raises privacy concerns, since the FDA’s notice implies that neither the agency nor medical facilities know the purpose of the transmission. According to the report, Contec has not yet addressed the matter and has not released any firmware to fix it.

Many networked devices have been reported to have vulnerabilities, and not only those from China-based companies. However, given the key role of such devices, due diligence, checks, and disclosures will be vital. Even if the data is transmitted to a university, wherever it is located, the report implies that neither the FDA nor the hospitals were aware of this backdoor, so it violates the privacy of every patient and doctor, not limited to one region. There have been multiple cyber attacks from China since January and concerns involving TP-Link, which naturally heighten the concern around these devices.
