Critical ‘Backdoor’ Discovered in Widely Used Healthcare Patient Monitors
On January 30, 2025, the U.S. Food and Drug Administration (FDA) issued a safety communication regarding cybersecurity vulnerabilities in Contec CMS8000 and Epsimed MN-120 patient monitors. The discovered vulnerabilities pose potentially serious patient risks when these devices are internet-connected.
These devices are typically used to monitor patients receiving care at home or hospice remotely. “It’s very sick, at-risk people who depend on these devices,” said Martin Fisher, managing partner at Kiraso Partners LLC, a cybersecurity services and consulting firm. “And they’re typically networked to either the home network or a network at a small healthcare provider. These patients and these sized providers will not have any idea how to mitigate their risk,” said Fisher.
The affected devices are Contec CMS8000 and Epsimed MN-120.
Through a detailed analysis, following information provided by an unnamed security researcher, and researchers at the U.S. Cybersecurity and Infrastructure Security Agency (CISA) identified three primary risks associated with the backdoor:
Embedded Backdoor: CISA discovered a backdoor function with a hard-coded IP address in all analyzed firmware versions of the Contec CMS8000.
Patient Data Spillage: The device has functionality that enables unauthorized transmission of patient data.
Remote Code Execution: The backdoor may allow unauthorized remote code execution and device modification.
According to CISA’s fact sheet, “Contec CMS8000 Contains a Backdoor, the backdoor uses NFS to mount a remote file share from an IP address registered to a university, not the device manufacturer. Files from the remote share are copied to the device’s local filesystem, potentially overwriting existing files. CISA does not believe this was intended as a software update capability because the function lacks typical update mechanism features, such as integrity verification or version tracking, and the backdoor persists even in the most recent pre-release firmware (Version 2.0.8).
Upon startup, the device automatically connects to the hard-coded IP address and streams patient data via port 5151. Patient information is transmitted using the Line Printer Daemon (LPD) protocol instead of the more common Health Level 7 (HL7) protocol, CISA said.
It’s important to note that while CISA and the FDA have labeled this vulnerability a “backdoor,” it doesn’t necessarily mean the backdoor was installed maliciously during the device’s design or manufacturing. Device makers and security architects often explain what were harmless capabilities during development to make troubleshooting or some other innocuous communication with the device more straightforward. Still, they are negligently left in the device after it’s shipped to production.
The FDA has provided recommendations for various stakeholders. Patients and caregivers should consult healthcare providers about the device’s reliance on remote monitoring. If remote monitoring is used, discontinue use and seek monitoring alternatives. For devices not using remote monitoring, use only local monitoring features and turn off network connectivity.
Fisher, a longtime healthcare CISO, explained realistically that this backdoor makes these monitors useless for organizations that use these devices. “The entire point of this device is to gather remote telemetry because the patient is fragile. For many of them, their only option is to replace the device,” he said.
Kurt Osburn, director of risk management and governance at cybersecurity services provider NCC Group, said healthcare delivery organizations must notify device users. “They have to have an action plan to notify patients and users of the devices with an issue with the information being sent to limit the impact. The individual users will not read an FDA notification, which is concerning,” he said.
Healthcare Providers should assess affected devices, and mitigate risks in some way and monitor devices for unusual functioning or inconsistencies in displayed vital signs. Healthcare staff should rely only on local monitoring features and turn off all network connectivity for devices that do not rely on remote monitoring.
Osburn added that most consumers of these devices aren’t equipped with the wherewithal to manage these situations. “Most people barely know how to set up a home network, much less monitor their network and what they should look for. Cybersecurity attacks are very sophisticated and go way beyond most people’s understanding,” Osburn said. “I would also say there needs to be more education or emphasis on the risks of using devices that report protected health information. We need these devices and their capabilities, but we should also understand the risks and do our research if we use these devices at home,” he added.
No software patch is currently available to mitigate this risk. However, the FDA said it is actively working with Contec and CISA to address these vulnerabilities and will provide updates as new information becomes available. The FDA has reported no cybersecurity incidents, injuries, or deaths related to these vulnerabilities.
