From hospitals to battlefields, connected medical technologies are becoming attractive targets for nation-state adversaries, criminal organizations, and cyber actors.
This article continues our earlier “Hacking Humans” work, where we projected that medical devices could become the weakest link in cybersecurity, effectively turning patients into unwitting test subjects through outdated or vulnerable connected technologies.1 The CONTEC CMS8000, a patient monitor, shows that our projection has become reality. While progress has been made, the Legislative Branch, the Executive Branch, and state governments are now getting involved. The expectation is that with this renewed priority and interest, action will be taken to protect Americans.
The healthcare ecosystem is prepared for a future in which every connected medical device becomes both a clinical tool and a potential intelligence collection platform. This should be concerning to us all.
Dr. Diane M. Janosek
What Happened Recently?
While no single device is the sole focus, the CMS8000 has drawn attention. On May 26, 2026, Senator Tom Cotton, chairman of the Senate Intelligence Committee, sent letters to the FDA and CISA urging tighter review of older Chinese-made devices, specifically equipment cleared before the FDA’s March 2023 cybersecurity requirements took effect.2 His letter reflects Congressional concern about the increasing national-security risk posed by Chinese human-connected medical devices and monitors. Cotton’s core point is that the 2023 requirements do not apply retroactively: they secure only devices cleared after the requirements took effect, leaving the pre-existing installed base unreviewed and potentially vulnerable.2, 3 These worries grew out of the U.S. Department of Commerce’s §232 authority to investigate imports of medical equipment and devices; that investigation began in September 2025. Meanwhile, at the state level, Texas likewise took an interest: Governor Greg Abbott issued a March 2026 Order directing state agencies to review Chinese-made monitors.4, 5
What is the CONTEC CMS8000?
- Electrode and arm-band vital-sign monitoring
- Portable bedside patient-monitoring device
- Network connection enabled
- Manufactured in China
- Marketed as the Epsimed MN-120
CONTEC CMS8000 measures vital signs: heart rate, blood-oxygen level, blood pressure, and temperature. These vital data points are essential to monitoring patient status; however, they only represent one aspect of concern.
Why Now?
Over the last few years, 80 percent of cyberattacks in healthcare have occurred through third-party vendors or services.6 The FDA and CISA notified the public of vulnerabilities associated with the CONTEC CMS8000 in January 2025, highlighting unmitigated vulnerabilities in healthcare devices.6, 7 More recently, they also recalled the Epsimed MN-120, an identical device sold by a different distributor under a different name.6 The supply chain can obscure Chinese-manufactured components behind American-sounding distributors.
What are Senator Tom Cotton’s concerns and why should you be concerned?
- Devices contain sensitive data.
- Data access is being abused by hackers.
- Malign Chinese actors now have an “opportunity to directly manipulate how the device operates and displays data.”2
- The risk to humans is that the manipulation of the device can “lead to dangerous misdiagnoses of heart failure, arrhythmias, and hypertension.”2
- People’s health is directly affected, up to and including premature death.
- CISA warned the device “was programmed to allow unverified users to remotely control the device without a health provider’s knowledge.”2
- Data exfiltration of sensitive medical information can lead to “widespread identity theft, insurance fraud, extortion, and more sophisticated scams against American patients.”2
Concerns Become Reality
Additional research shows that the FDA’s concerns were not merely theoretical. On May 14, 2025, the agency issued a Class II recall spanning roughly 7,000 patient monitors following warnings from both the FDA and CISA.7, 8 The FDA reserves Class II recalls for products that may cause temporary or medically reversible adverse health consequences; in this case, the recalled product was a patient monitor that clinicians rely on for an accurate picture of a patient’s condition. CISA assigned the CMS8000 vulnerabilities ‘high’ and ‘critical’ severity ratings, with CVSS scores ranging between 7.7 and 9.3 (v4).9, 10, 11
More than a year later, the CONTEC CMS8000 is not a simple device-vulnerability story. The FDA’s concern has grown into a broader discussion involving federal lawmakers, state governors, and national-security officials. Medical vulnerabilities are no longer isolated issues for individual hospitals; they are national security issues. They sit between patient safety, supply chain security, and national security.11, 12
The CONTEC CMS8000 vulnerabilities represent a potential impact on American patients’ health and privacy, and they have drawn continued attention from American officials to the security of connected medical devices. On the privacy side, any patient whose information passed through a connected monitor could have been exposed to unauthorized collection or transmission of personally identifiable information, dates of birth, and protected health information outside of healthcare systems, without the knowledge of patients or providers. On the clinical side, the greatest risk falls on the patients these devices are intended to protect: the critically ill, cardiac and post-surgical patients, and those receiving care at home. For those individuals, an altered vital sign or a missed alarm is more than a technical failure. It is a medical decision made on the basis of inaccurate information.
Has Anyone Been Harmed Yet?
The FDA says it is aware of no incidents, injuries, or deaths tied to these flaws to date. That is reassuring; however, it describes what has been reported, not what is possible or has gone unnoticed.6
"Vulnerable populations, particularly older adults, face disproportionately high risk. They often require close clinical monitoring yet may be unaware of cybersecurity threats to their personally identifiable and protected health information (PII and PHI), as well as potential downstream impacts on their health, presenting significant concerns for physicians, health systems, and all Americans."
Dr. Donna Raziano, MD MBA
How Does the Exploit Work?
Investigators found that, on startup, the monitor reaches out to a hard-coded IP address outside the hospital, bypassing the facility’s own network settings and opening a connection to whoever controls the other end.7 Traffic is sent to 202.114.4.119 over TCP ports 515-520 and to 202.114.4.120 (an HL7 server) over TCP port 511; both addresses are hard-coded into the device.14 The hard-coded addresses were originally intended so that out-of-the-box monitors would instantly pair with CONTEC’s proprietary Central Management System software hosting patient dashboards, which points to poor design rather than intentional malice.14 Even so, the firmware creates security concerns because the hidden channel runs in both directions: it can push patient data outward in plain text, and it can pull unverified files onto the device and run them, which gives an attacker access to the data and to the larger network.13
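One way a hospital network team can check its own flow logs for this beaconing, as an added example that is not from the article, CONTEC, or CISA: the detector below flags the hard-coded destinations and ports quoted above and, more generally, any bedside monitor reaching a public address. The key=value flow-record format, the monitor VLAN 10.20.0.0/24, and the sample records are all constructed assumptions.

```python
import ipaddress

# Hard-coded destinations the article reports for the CMS8000: the CMS server
# 202.114.4.119 on TCP 515-520 and the HL7 server 202.114.4.120 on TCP 511.
CMS8000_DESTINATIONS = {
    "202.114.4.119": frozenset(range(515, 521)),
    "202.114.4.120": frozenset({511}),
}

def parse_flow(line):
    """Parse one constructed key=value flow record; None if malformed."""
    tokens = [t.split("=", 1) for t in line.split()]
    if not tokens or any(len(t) != 2 for t in tokens):
        return None
    fields = dict(tokens)
    try:
        return {"src": fields["src"], "dst": fields["dst"],
                "proto": fields["proto"].lower(), "dport": int(fields["dport"])}
    except (KeyError, ValueError):
        return None

def classify_flow(flow, monitor_net):
    """Return a reason string if the flow looks like CMS8000 beaconing, else None."""
    dst, dport = flow["dst"], flow["dport"]
    # Strongest signal: the exact hard-coded CMS/HL7 destination and port.
    if flow["proto"] == "tcp" and dport in CMS8000_DESTINATIONS.get(dst, ()):
        return "hard-coded CMS8000 destination %s:%d" % (dst, dport)
    # Weaker signal: a bedside monitor should never reach a public address at all.
    try:
        src_ip, dst_ip = ipaddress.ip_address(flow["src"]), ipaddress.ip_address(dst)
    except ValueError:
        return None
    if src_ip in monitor_net and dst_ip.is_global:
        return "monitor egress to public address %s:%d" % (dst, dport)
    return None

def detect_cms8000_beacons(lines, monitor_cidr="10.20.0.0/24"):
    """Scan flow records; return (line_number, src, reason) for each suspicious flow."""
    monitor_net = ipaddress.ip_network(monitor_cidr)
    hits = []
    for number, line in enumerate(lines, 1):
        flow = parse_flow(line)
        reason = classify_flow(flow, monitor_net) if flow else None
        if reason:
            hits.append((number, flow["src"], reason))
    return hits

# Constructed sample records (not real hospital traffic); monitor VLAN is 10.20.0.0/24.
SAMPLE_FLOWS = [
    "src=10.20.0.15 dst=10.20.0.1 proto=udp dport=53",
    "src=10.20.0.15 dst=202.114.4.119 proto=tcp dport=515",
    "src=10.20.0.15 dst=202.114.4.120 proto=tcp dport=511",
    "src=10.20.0.16 dst=202.114.4.119 proto=tcp dport=443",
    "src=10.50.1.9 dst=202.114.4.119 proto=tcp dport=515",
    "this line is garbage",
]
```

The exact-destination rule fires regardless of source subnet, so a monitor that has wandered onto the wrong VLAN (line 5 of the sample) is still caught; the egress rule catches the same device talking to the same host on an unlisted port.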
Is This Only a Single Flaw?
No, the issue is much deeper and dwells in the legal environment of the manufacturer. Critically, Article 7 of the National Intelligence Law of the People’s Republic of China states that organizations and citizens shall support, assist, and cooperate with state intelligence work according to law.15 Additionally, China passed the Data Security Law, which took effect in 2021 and moves from simply defending data to gathering it by expanding the government’s jurisdiction over data collected by Chinese businesses.15 That transforms the discussion from one of software security into one of law, governance, and national security.
The Flaw
Under Chinese national-security and intelligence law, companies operating in China can legally be compelled to hand data to the state.15 That means sensitive patient data could reach a foreign government not through hacking, but through the lawful compliance of the company that built or operates the device.16 The problem stops being a bug needing a patch and becomes an international jurisdictional issue.
The Reach
Roughly fourteen percent of U.S. hospital medical equipment and fifty percent of all basic medical supplies are made in China, thus the CONTEC monitor is only one visible instance of a very large presence.17
The Impact
CONTEC is unlikely to be the last device discovered with security issues. The real concern is how many pre-2023 devices remain deployed and how data should be governed as healthcare practices develop using more sensors and technology, such as A.I. and remote care systems. That data becomes a matter of national security because it is national intelligence. In addition, states have started moving ahead of Washington. Texas ordered a review of Chinese-made monitors in state facilities, and Florida subpoenaed CONTEC and its U.S. reseller.18, 5
What is Senator Cotton Proposing?
Senator Cotton’s core request is that the agencies review Chinese-made devices cleared before March 29, 2023, extending the cybersecurity scrutiny now required of new devices backward to that legacy fleet.2, 19, 20
What Happens Next?
If the proposal moves forward, the roughly 7,000 recalled-but-still-in-use monitors, along with the wider installed base of pre-2023 devices, would be examined rather than grandfathered. It would set a precedent that treats medical-device security as national-security infrastructure, and it would harden the current state patchwork into one consistent rule.
If it does not move forward, thousands of unreviewed devices will stay connected, the dependence will deepen, and existing vulnerabilities will persist despite rapidly advancing red-teaming technologies.
What is the Solution?
CONTEC did release a security patch which “fully removes networking functionality from the affected CONTEC and Epsimed devices, making them only usable for local monitoring.”6 That patch essentially disables the device’s networking capabilities, a primary function of the product, without solving the data exfiltration, backdoor functionality, or remote manipulation. In other words, the networking function is suppressed to contain the problems, thus diminishing its purpose.
The fix also comes with a warning that installing even those limited protections requires technical expertise; the episode serves as a warning about the broader threat landscape too.21 More importantly, the CONTEC controversy demonstrates that cybersecurity risks do not always originate from software alone. They can arise from supply chains, legal jurisdictions, regulatory gaps, and design decisions made years before a vulnerability is discovered. In that sense, the CMS8000 is less significant because of the specific flaws it contained and more significant because of the questions it raised.
Conclusion
The CONTEC CMS8000 is more than a story about a vulnerable medical device. It is a reminder that cybersecurity, patient safety, supply-chain security, and national security are becoming inseparable. As healthcare increasingly relies on connected technologies, the risks extend beyond software flaws to include regulatory gaps, foreign legal jurisdictions, and long-standing dependencies on legacy devices.
While the FDA reports no known injuries or deaths linked to these vulnerabilities, the absence of harm should not be mistaken for the absence of risk. The real lesson is that medical devices are no longer just healthcare tools—they are connected systems operating within a complex global security environment.
In our original Hacking Humans article, we warned that vulnerable medical devices could turn patients into unwitting participants in cybersecurity failures. The CMS8000 demonstrates that this concern is no longer theoretical. The challenge now is ensuring that the technologies designed to protect human health do not become the weakest link in protecting the nation.
Dr. Diane M. Janosek, Ph.D., Esq. CISSP
Dr. Donna Brady Raziano
Colin Clark
Endnotes
- Donna Raziano, Diane M. Janosek, and Gabrielle E. Hempel, “Hacking Humans: Are You Safe? Addressing Vulnerabilities in the Advancing Medical Device Landscape,” US Cybersecurity Magazine, 2019, https://www.uscybersecurity.net/csmag/hacking-humans-are-you-safe-addressing-vulnerabilities-in-the-advancing-medical-device-landscape/.
- Tom Cotton, letter to FDA Acting Commissioner Kyle Diamantas and CISA Acting Director Nick Andersen, May 26, 2026, https://business.cch.com/CybersecurityPrivacy/cottonfdaletter052726.pdf.
- U.S. Food and Drug Administration, “Cybersecurity in Medical Devices: Section 524B of the Federal Food, Drug, and Cosmetic Act,” effective March 29, 2023; see also Skadden, Arps, Slate, Meagher & Flom LLP, “Guidance on Cybersecurity in Medical Devices,” April 2023, https://www.skadden.com/-/media/files/publications/2023/04/privacy-and-cybersecurity-update/guidancecybersecuritydevicesrta.pdf.
- U.S. Department of Commerce, Bureau of Industry and Security, “Section 232 National Security Investigation of Imports of Personal Protective Equipment, Medical Consumables, and Medical Equipment, Including Devices,” Federal Register 90, no. 186 (September 26, 2025): 46383, https://www.federalregister.gov/documents/2025/09/26/2025-18729/notice-of-request-for-public-comments-on-section-232-national-security-investigation-of-imports-of.
- Office of the Governor of Texas, directive concerning review of Chinese-made medical monitoring devices, March 2026; Florida Attorney General investigations and subpoenas concerning CONTEC and Epsimed medical devices, 2025-2026.
- American Hospital Association, “2025 Cybersecurity Year in Review, Part One: Breaches and Defensive Measures,” October 7, 2025, https://www.aha.org/news/aha-cyber-intel/2025-10-07-2025-cybersecurity-year-review-part-one-breaches-and-defensive-measures.
- U.S. Food and Drug Administration, “Cybersecurity Vulnerabilities with Certain Patient Monitors from CONTEC and Epsimed,” Safety Communication, January 30, 2025, https://www.fda.gov/medical-devices/safety-communications/cybersecurity-vulnerabilities-certain-patient-monitors-CONTEC-and-epsimed-fda-safety-communication.
- Cybersecurity and Infrastructure Security Agency, “CONTEC CMS8000 Contains a Backdoor,” Fact Sheet, January 30, 2025, https://www.cisa.gov/sites/default/files/2025-01/fact-sheet-CONTEC-cms8000-contains-a-backdoor-508c.pdf.
- U.S. Food and Drug Administration, recall notice concerning the Epsimed MN-120 patient monitor marketed under an alternate distributor name, accessed June 2026.
- Cybersecurity and Infrastructure Security Agency, “ICS Medical Advisory ICSMA-25-030-01,” January 2025, https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-030-01.
- Forum of Incident Response and Security Teams (FIRST), Common Vulnerability Scoring System Version 3.1: Specification Document, https://www.first.org/cvss/v3.1/specification-document.
- The situation echoes the 2019 Medtronic insulin-pump recall, when researchers demonstrated that unauthorized parties could communicate with certain insulin pumps over radio-frequency protocols and potentially alter insulin-delivery settings. Although the technologies differ, both incidents highlight the risks associated with legacy connected medical technologies.
- U.S. Food and Drug Administration, “FDA Warns About Cybersecurity Vulnerabilities in Medtronic MiniMed Insulin Pumps,” June 27, 2019, https://www.fda.gov/medical-devices/safety-communications/cybersecurity-vulnerabilities-affect-certain-medtronic-minimed-insulin-pumps-fda-safety.
- Claroty Team82, “Patient Monitoring System Hacking,” presentation delivered at Nexus Conference, 2022, https://nexusconnect.io/videos/team82-patient-monitoring-system-hacking.
- U.S. Department of Homeland Security, “Data Security Business Advisory,” December 2020, https://www.dhs.gov/sites/default/files/publications/20_1222_data-security-business-advisory.pdf.
- U.S. Food and Drug Administration, Class II Recall, CONTEC CMS8000 Patient Monitor, May 14, 2025, https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfres/res.cfm?start_search=1&event_id=96046.
- American Affairs, analysis of Chinese-manufactured medical equipment and medical-supply market share in the United States, 2025.
- Daphne Allen, “More Politicians Take a Swing at China-Made Medical Devices,” Medical Device and Diagnostic Industry, May 2026, https://www.mddionline.com/product-development/more-politicians-take-a-swing-at-china-made-medical-devices.
- Senator Cotton frames the issue as both a national-security and public-health concern, arguing that pre-2023 devices remain outside the scope of current FDA cybersecurity requirements. If adopted, the proposal would extend cybersecurity review to devices cleared before the implementation of FDORA §524B. See Cotton, letter to Diamantas and Andersen; and FDA, “Cybersecurity in Medical Devices: Section 524B.”
- Claroty Team82, “Are CONTEC CMS8000 Patient Monitors Infected with a Chinese Backdoor? The Reality Is More Complicated,” February 2025, https://claroty.com/team82/research/are-CONTEC-cms8000-patient-monitors-infected-with-a-chinese-backdoor-the-reality-is-more-complicated.
- The FDA recommends that patients, caregivers, and health care providers not install the patch themselves because installation requires specialized expertise. Instead, facilities should work through information technology and cybersecurity personnel. Existing mitigations include disconnecting affected devices from wired and wireless networks, thereby limiting the networking functionality for which the devices were designed. FDA, “Cybersecurity Vulnerabilities with Certain Patient Monitors from CONTEC and Epsimed.”