FDA Warns of Cybersecurity Flaws in Contec and Epsimed Patient Monitors


The FDA warns healthcare providers and patients of critical cybersecurity vulnerabilities in Contec and Epsimed patient monitors, urging them to take immediate risk mitigation measures.

The U.S. Food and Drug Administration has published a safety communication regarding serious cybersecurity vulnerabilities identified in patient monitors made by Contec and Epsimed. These devices are used both in healthcare settings and in homes, where they display patient vital signs such as temperature, heart rate, and blood pressure.

Vulnerabilities Identified:

Unauthorized Remote Access: The monitors may be open to unauthorized access, allowing a remote party to control them or disrupt their intended functionality.

Embedded Backdoor: An embedded backdoor function with a hard-coded IP address has been discovered in the firmware; it could compromise both the device and the network it is attached to.

Data Exfiltration: Once connected to the internet, these monitors begin collecting patient data, including PII and PHI, and exfiltrating it out of the healthcare delivery environment.

CISA has corroborated these findings, stating that the embedded backdoor could enable remote code execution and device modification, which is a significant risk to patient safety.
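The backdoor and exfiltration behaviour described above share one observable trait: a bedside monitor opening connections to a destination outside the clinical network. The following added example (not from the FDA, CISA or Contec) shows how a defender could screen flow or firewall logs for that pattern. The log format, the monitor inventory, the allowed network range and the external addresses are all constructed placeholders; the communication does not publish the hard-coded IP, so none is assumed here.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample of flow-log lines: "<src> <dst> <dport> <proto> <bytes>".
# Addresses are placeholders, not values from the FDA or CISA communications.
SAMPLE_FLOWS = """\
10.20.5.41 10.20.5.2 53 udp 120
10.20.5.41 203.0.113.77 443 tcp 48210
10.20.5.42 10.20.9.10 104 tcp 9100
10.20.5.42 198.51.100.9 8080 tcp 310
10.20.7.3 203.0.113.77 443 tcp 900
"""

# Placeholder inventory of hosts known to be patient monitors.
MONITOR_HOSTS = {"10.20.5.41", "10.20.5.42"}

# Destinations a monitor is allowed to reach: the clinical network only (assumed range).
ALLOWED_NETS = [ipaddress.ip_network("10.20.0.0/16")]


@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    dport: int
    bytes_out: int


def parse_flow(line):
    """Split one constructed flow-log line into typed fields."""
    src, dst, dport, proto, nbytes = line.split()
    return src, dst, int(dport), proto, int(nbytes)


def is_allowed(dst):
    """True when the destination lies inside an allowed clinical network."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in ALLOWED_NETS)


def find_monitor_egress(flow_text, monitor_hosts=MONITOR_HOSTS):
    """Return flows in which a monitor talks to a destination outside the allowed networks."""
    findings = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        src, dst, dport, _proto, nbytes = parse_flow(line)
        if src in monitor_hosts and not is_allowed(dst):
            findings.append(Finding(src, dst, dport, nbytes))
    return findings


if __name__ == "__main__":
    for f in find_monitor_egress(SAMPLE_FLOWS):
        print(f"ALERT monitor {f.src} -> {f.dst}:{f.dport} ({f.bytes_out} bytes)")
```

Run against the sample, the check flags the two monitor flows that leave the clinical range and ignores the non-monitor host that reaches the same external address.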

Recommendations:

For patients and caregivers:

Consult Healthcare Providers: Discuss whether your device relies on remote monitoring features. If so, consider discontinuing its use and seek alternative monitoring solutions.

Disable Connectivity: If remote monitoring is unnecessary, disconnect the device from the internet by unplugging the ethernet cable and disabling wireless capabilities.

For healthcare providers and facility staff:

Assess Device Usage: Determine if affected monitors are in use and evaluate the necessity of their remote features.

Monitor Device Functionality: Routinely inspect for signs of abnormal functioning, such as a mismatch between the vitals shown on the monitor and the patient's actual condition.

Report Problems: Problems with the Contec CMS8000 or Epsimed MN-120 monitors should be reported to the FDA via the MedWatch Voluntary Reporting Form.

To date, no incidents, injuries, or deaths related to these security weaknesses have been reported. The FDA, in partnership with CISA, is working closely with Contec to correct them as quickly as possible.