FDA Safety Communication: Cybersecurity Vulnerabilities with Certain Patient Monitors from Contec and Epsimed

January 31, 2025


• Categories: 01-Digital Health, Cybersecurity, Patient Safety, Topic - Health Information Technology, Topic – Digital Healthcare Intelligence

Date Issued: January 30, 2025

The U.S. Food and Drug Administration (FDA) is raising awareness among health care providers, health care facilities, patients, and caregivers that cybersecurity vulnerabilities in Contec CMS8000 patient monitors and Epsimed MN-120 patient monitors (which are Contec CMS8000 patient monitors relabeled as MN-120) may put patients at risk after being connected to the internet.

Three cybersecurity vulnerabilities have been identified:

• The patient monitor may be remotely controlled by an unauthorized user or not work as intended.
• The software on the patient monitors includes a backdoor, which may mean that the device or the network to which the device has been connected may have been or could be compromised.
• Once the patient monitor is connected to the internet, it begins gathering patient data, including personally identifiable information (PII) and protected health information (PHI), and exfiltrating (withdrawing) the data outside of the health care delivery environment.

These cybersecurity vulnerabilities can allow unauthorized actors to bypass cybersecurity controls, gaining access to and potentially manipulating the device.

The FDA is not aware of any cybersecurity incidents, injuries, or deaths related to these cybersecurity vulnerabilities at this time…read more from FDA