Cybersecurity Vulnerabilities With Certain Patient Monitors
VFC HealthAware/CyberAware Shield Members,
The Shield Program received notifications from CISA and the FDA advising of vulnerabilities contained in certain patient monitors used by the US Healthcare and Public Health Sector. An analysis of three firmware package versions of the Contec CMS8000 found an embedded backdoor function with a hard-coded IP address and functionality that enables patient data spillage. These monitors may be re-labeled and sold by resellers.
Contec Medical Systems, the company that manufactures this monitor as well as other medical devices and healthcare solutions, is headquartered in Qinhuangdao, China. The Contec CMS8000 is used in medical settings across the U.S. and the European Union to provide continuous monitoring of a patient's vital signs: electrocardiogram, heart rate, blood oxygen saturation, non-invasive blood pressure, temperature, and respiration rate. CISA assesses that the backdoor in the monitor's firmware can create conditions that may allow remote code execution and modification of the device, including changes to its configuration. This introduces risk to patient safety, since a malfunctioning patient monitor could lead to an improper response to a patient's vital signs.
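Because the backdoor is described as contacting a hard-coded IP address and exporting patient data, the practical check for a hospital network team is egress monitoring: a bedside monitor has a very small set of legitimate network peers, so any flow to a destination outside that set deserves a look. The script below is an added example written for this bulletin and is not code from CISA, the FDA, the VFC, or Contec. It does not reproduce the hard-coded address from the advisory; instead it flags every connection from an assumed monitor VLAN (10.20.30.0/24) to anything other than an assumed allowlist (a central station at 10.20.40.5 and an NTP server at 10.20.40.6), rating destinations outside an assumed organisational range (10.0.0.0/8) as the more serious case. The flow records are constructed, not captured traffic.

```python
import ipaddress
import re

# Constructed sample flow records, NOT traffic captured from any real device.
# Each line mimics a normalised firewall / NetFlow export in key=value form.
SAMPLE_FLOWS = """\
2025-01-31T10:00:01Z src=10.20.30.11 dst=10.20.40.5 dport=5000 bytes=12288
2025-01-31T10:00:02Z src=10.20.30.11 dst=10.20.40.6 dport=123 bytes=96
2025-01-31T10:00:05Z src=10.20.30.12 dst=203.0.113.45 dport=515 bytes=40960
2025-01-31T10:00:07Z src=10.20.30.12 dst=10.20.50.9 dport=22 bytes=2048
2025-01-31T10:00:09Z src=10.20.60.3 dst=203.0.113.45 dport=443 bytes=5120
"""

# Everything below is an assumption for the example; substitute your own
# asset inventory and network plan.
MONITOR_SUBNET = ipaddress.ip_network("10.20.30.0/24")   # assumed clinical VLAN holding the monitors
ORG_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]        # assumed address space the hospital owns
ALLOWED_DESTINATIONS = [                                   # assumed: the only peers a monitor should reach
    ipaddress.ip_network("10.20.40.5/32"),   # central monitoring station
    ipaddress.ip_network("10.20.40.6/32"),   # NTP server
]

FLOW_RE = re.compile(r"src=(\S+)\s+dst=(\S+)\s+dport=(\d+)\s+bytes=(\d+)")


def parse_flows(text):
    """Yield (src, dst, dport, bytes) for every parseable flow line; skip the rest."""
    for line in text.splitlines():
        m = FLOW_RE.search(line)
        if not m:
            continue
        yield (ipaddress.ip_address(m.group(1)),
               ipaddress.ip_address(m.group(2)),
               int(m.group(3)),
               int(m.group(4)))


def _in_any(addr, networks):
    """True if addr falls inside any of the given networks."""
    return any(addr in net for net in networks)


def find_suspicious_egress(text, monitor_subnet=MONITOR_SUBNET,
                           org_networks=ORG_NETWORKS,
                           allowed=ALLOWED_DESTINATIONS):
    """Return one finding per flow from a monitor to a non-allowlisted destination.

    A destination outside the organisation's own ranges is reported as
    "external": a device calling a fixed address it was never configured to use
    is what a beaconing backdoor looks like on the wire. A non-allowlisted but
    internal destination is reported as "unexpected_internal" (misconfiguration
    or lateral movement), which is lower severity but still worth triage.
    """
    findings = []
    for src, dst, dport, nbytes in parse_flows(text):
        if src not in monitor_subnet:
            continue                      # not a monitor; out of scope
        if _in_any(dst, allowed):
            continue                      # expected peer
        reason = "external" if not _in_any(dst, org_networks) else "unexpected_internal"
        findings.append({"src": str(src), "dst": str(dst), "dport": dport,
                         "bytes": nbytes, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_egress(SAMPLE_FLOWS):
        print(f"{f['reason']:19} {f['src']} -> {f['dst']}:{f['dport']} ({f['bytes']} bytes)")
```

On the constructed sample the script reports two flows: the monitor at 10.20.30.12 sending 40960 bytes to 203.0.113.45 (external, the case that matches the advisory's description) and the same monitor reaching an unlisted internal host on port 22. The flow from 10.20.60.3 is ignored because it is not a monitor. The allowlist approach is deliberate: it catches the beaconing whether or not the hard-coded address in the firmware ever changes, and it also catches a re-labeled unit a reseller sold under another name, as long as the device sits in the monitor VLAN.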
Follow the links below for more information and recommended actions.
The opinions or conclusions of the authors reflected in the open source articles and resources are not endorsed by, and do not necessarily reflect the opinion of, the Virginia Fusion Center. The sources have been selected to provide you with event information and to highlight available resources designed to improve public safety and reduce the probability of becoming a victim of a crime.
------------
You have received this message because you have subscribed to the "HealthAware" or "CyberAware" mailing lists. Should you wish to unsubscribe, please click the link below.