The Cybersecurity and Infrastructure Security Agency (CISA) and the U.S. Food and Drug Administration (FDA) have jointly issued warnings regarding significant cybersecurity vulnerabilities found in Contec CMS8000 patient monitors. These monitors, used in medical settings across the U.S. and the European Union, are designed to continuously monitor a patient’s vital signs. The identified vulnerabilities pose a serious risk to patient safety and data privacy:
- Backdoor Functionality: The Contec CMS8000 contains an embedded backdoor with a hard-coded IP address. This hidden functionality, which device users are not informed about, allows unauthorised actors to bypass cybersecurity controls, gaining access to and potentially manipulating the device.
- Data Spillage: The patient monitors also have functionality that enables the exposure of private personal information to unauthorised actors. Once connected to the internet, these monitors gather, and have the potential to be used to exfiltrate, patient data, including personally identifiable information (PII) and protected health information (PHI), outside of the healthcare environment. This data exfiltration is possible even when the device is used in a home setting.
- Remote Control and Manipulation: These vulnerabilities can allow unauthorised users to remotely control the patient monitor, or cause it to malfunction. The device could be manipulated to alter its configuration, leading to an improper response to patient vital signs. A compromised device could also be made to crash.
- Widespread Risk: The vulnerabilities could allow all affected Contec and Epsimed patient monitors on a given network to be exploited simultaneously. Additionally, the FDA has only authorised the device for wired functionality but is aware that some patient monitors are being sold with wireless capabilities without FDA authorisation.
- Relabeling: It is important to note that the Contec CMS8000 may be re-labeled and sold by resellers, such as the Epsimed MN-120.
There is no software patch available at this time. The FDA and CISA are working with Contec to correct the vulnerabilities as soon as possible.
These vulnerabilities have the potential to deny access to the device or to take control of the device remotely to perform unexpected or undesired actions, such as corrupting data. The FDA urges the reporting of any problems or complications to the FDA.
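With no patch available, network monitoring is one way to spot the behaviour described above: a patient monitor sending data to an address outside the clinical network. The following is an added example, not code from the advisory or from any vendor; the asset inventory, allowed subnet, flow-record format and all addresses are constructed assumptions, with documentation-range placeholders standing in for the hard-coded address, which this page does not give.

```python
import csv
import io
import ipaddress

# Assumed asset inventory: patient monitors on the clinical VLAN (constructed).
MONITOR_IPS = {"10.20.30.11", "10.20.30.12"}
# Assumed policy: monitors may only talk to the central-station subnet.
ALLOWED_NETS = [ipaddress.ip_network("10.20.30.0/24")]

# Constructed flow export; external addresses are RFC 5737 documentation ranges.
SAMPLE_FLOWS = """\
ts,src,dst,dport,bytes_out
2025-02-01T08:00:01Z,10.20.30.11,10.20.30.5,8080,2048
2025-02-01T08:00:07Z,10.20.30.12,198.51.100.23,443,90112
2025-02-01T08:01:15Z,10.20.30.40,203.0.113.9,443,5120
2025-02-01T08:02:30Z,10.20.30.11,198.51.100.23,443,640
2025-02-01T08:02:31Z,10.20.30.11,not-an-ip,0,0
"""

def find_unexpected_egress(flow_csv, monitors=MONITOR_IPS):
    """Return flows where a monitor contacts an address outside ALLOWED_NETS."""
    alerts = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if row["src"] not in monitors:
            continue  # not a patient monitor
        try:
            dst = ipaddress.ip_address(row["dst"])
        except ValueError:
            # Malformed record: surface it instead of silently dropping it.
            alerts.append({**row, "reason": "unparseable destination"})
            continue
        if not any(dst in net for net in ALLOWED_NETS):
            alerts.append({**row, "reason": "outside allowed networks"})
    return alerts

def shared_destinations(alerts):
    """Destinations reached by 2+ monitors, as a fixed built-in address would be."""
    seen = {}
    for a in alerts:
        if a["reason"] == "outside allowed networks":
            seen.setdefault(a["dst"], set()).add(a["src"])
    return {dst: sorted(srcs) for dst, srcs in seen.items() if len(srcs) > 1}

if __name__ == "__main__":
    alerts = find_unexpected_egress(SAMPLE_FLOWS)
    for a in alerts:
        print(a["ts"], a["src"], "->", a["dst"], a["reason"])
    print(shared_destinations(alerts))
```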
Cybersplice offers solutions that can help protect against exploitation of vulnerabilities like those found in the Contec CMS8000 patient monitors. Cybersplice can provide rapid visibility of your OT network using its Splicecloud platform with zero-touch or virtual probes that offer full asset tracking and behavioural analysis. Cybersplice can also create a secure private sensor network via Splice-net, which is an encrypted overlay network that works on top of existing carrier infrastructure, offering secure, carrier-independent connectivity. Furthermore, Cybersplice provides an ICS Secure Access Edge that incorporates logical isolation, vulnerability shielding via an encrypted overlay network, passive node discovery, and secure remote access for operators and support partners.