The US Food and Drug Administration (FDA) has issued guidance on potential cybersecurity vulnerabilities in Contec’s CMS8000 patient monitor and the Epsimed MN-120 (a relabelled version of the CMS8000).

According to the agency, the vulnerabilities identified with the device, which provides continuous monitoring of patients’ vital signs in US Healthcare and Public Health (HPH) settings, may put patients at risk once connected to the internet.

Contec’s patient monitor may be remotely controlled by an unauthorised user and not work as intended, the FDA said, asserting that this is due to a backdoor included in the device’s software.

The backdoor, a hidden functionality that device users are not told about, can allow unauthorised actors to bypass cybersecurity controls. It may result in the gathering of patient data, including personally identifiable information (PII) and protected health information (PHI), and the exfiltration of that data outside of the healthcare delivery environment.

“These cybersecurity vulnerabilities can allow unauthorised actors to bypass cybersecurity controls, gaining access to and potentially manipulating the device,” the FDA stated.

“The FDA is not aware of any cybersecurity incidents, injuries, or deaths related to these cybersecurity vulnerabilities at this time.”

Alongside the US Cybersecurity and Infrastructure Security Agency (CISA), the FDA is working with China-based Contec to rectify the outlined vulnerabilities as soon as possible.

In the meantime, the FDA advises that healthcare providers check the affected patient monitors for any signs of unusual functioning, such as inconsistencies between the displayed patient vitals and the patient’s actual physical state.

Healthcare IT and cybersecurity staff are advised to stop using the monitor in cases where it relies on remote patient monitoring, or to unplug the device from the internet if it is only being used for localised monitoring.

CISA has issued a detailed fact sheet on the monitor’s identified vulnerabilities, and “strongly urges” HPH sector organisations to implement the FDA’s suggested mitigations.

The FDA’s Center for Devices and Radiological Health (CDRH) recently initiated a pilot centred on improving the timeliness of communications to the public around corrective actions being taken by companies with devices believed to be high-risk recalls.

Speaking at the recent Outsourcing Clinical Trials (OCT) Medical Devices 2025 conference, which took place in Munich, Germany on 28-29 January, David Bicknell, principal analyst, strategic research at GlobalData, stated that the rising sophistication in medical devices means the requirement for sophisticated security measures to protect patient data and device functionality will likely rise in 2025.
