On January 30, 2025, CISA and the FDA issued a notice about critical vulnerabilities with Contec CMS8000 patient monitors, including an embedded backdoor and potential data exposure of private patient information. Healthcare organisations are advised to disconnect monitors where possible to prevent further exposure to their technology environments and sensitive data.
Given the increasing pressure on the healthcare industry to get ahead of malicious hacks and protect sensitive patient data, this guidance advises healthcare and technology providers to take immediate action to prevent harm. Here’s what organisations need to know and implement from this notice to mitigate and minimise risks.
Summary
CISA Overview: A warning is issued for Contec CMS8000 patient monitors, which contain an embedded backdoor with a hard-coded IP address belonging to a third party not associated with any medical device manufacturer, and which can transmit data externally, undetected, via port 515 during the startup routine. The reverse backdoor allows the CMS8000 to download and execute unverified remote files, including overwriting existing system files once the device reboots.
The Risk: Unauthorised patient data transmission, malicious activity hidden from logs, remote control by unauthorised users, potential network compromise, and potential patient monitor malfunction.
What You Should Do:
Isolate the Device: Place it in a secure network segment to minimise exposure.
Monitor for Abnormal Traffic: Limit outbound traffic to necessary internal communication only. Block all unnecessary inbound connections. Continuously analyse traffic for anomalies or suspicious behaviour.
Restrict Access: Limit usage to authorised personnel with Access Control Lists (ACLs).
Consider Device Replacement: If possible, replace affected devices, given that no patch is available and the vendor has not committed to CISA to remove the backdoor in a subsequent patch.
Understanding the Risk
“Backdoors” in medical devices represent significant cybersecurity vulnerabilities that can compromise patient safety and data integrity. Exploitation of these vulnerabilities could allow attackers to execute remote code, leak sensitive patient information, or gain unauthorised access to the device and cause it to function improperly. These vulnerabilities affect multiple firmware versions and may impact healthcare environments worldwide, given the widespread use of these monitors.
Healthcare providers and IT security staff must be vigilant and prioritise efforts to protect their infrastructure, patients, and sensitive data in the face of such alerts. While no public exploitation reports, cybersecurity incidents, or patient harm have been confirmed related to these latest vulnerabilities, proactive cybersecurity steps are crucial for risk mitigation in healthcare to prevent further harm.
Healthcare organisations should implement the following security measures to reduce risk:
- Assess Remote Monitoring Capabilities:
  - If Remote Monitoring is Not Necessary: Use Local Monitoring Only. Remove access to the internet to avoid continued data exposure.
  - If Remote Monitoring is Necessary: Isolate the Device. Place the device in a secure network environment to minimise exposure. Consider ceasing use.
- Check Monitor Functionality: Watch for signs of malfunction, such as inconsistencies with patient vitals, to prevent clinical impact and detect remote access attempts.
- Manage Network Traffic & Activity: Restrict outbound traffic to only necessary internal communications, preventing unauthorised external connections. Continuously analyse for traffic anomalies and suspicious connections.
- Enforce Access Controls: Restrict usage to authorised personnel only, ensuring proper authentication and oversight.
- Consider Device Replacement: Replace affected devices or adopt alternative solutions, given the essential nature of patient monitors and the lack of an available patch.
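The "Monitor for Abnormal Traffic" item in the Summary and the "Manage Network Traffic & Activity" measure above both come down to the same check: a monitor in its own segment should only ever exchange traffic with the central monitoring station, and anything else, above all an outbound connection on port 515, is an alert. The following script is an added illustration of that triage, not code from the notice, from CISA, or from Armis. The segment addresses, the record format and the sample flows are constructed; the real VLAN plan and flow-export format would replace them.

```python
import ipaddress
from typing import List, NamedTuple, Optional, Union

# Constructed network layout (assumption, not from the notice): patient
# monitors sit in their own segment and may only talk to the central
# monitoring station segment. Adjust both to the real VLAN plan.
MONITOR_SEGMENT = ipaddress.ip_network("10.20.30.0/24")
ALLOWED_PEERS = [ipaddress.ip_network("10.20.40.0/24")]

# Port named in the CISA/FDA notice as the channel used during startup.
BACKDOOR_PORT = 515

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


class Flow(NamedTuple):
    src: str
    dst: str
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record of the form 'src,dst,dport,proto'."""
    src, dst, dport, proto = (field.strip() for field in line.split(","))
    return Flow(src, dst, int(dport), proto.lower())


def is_allowed_peer(addr: IPAddr) -> bool:
    """True when the address lies inside a segment monitors may talk to."""
    return any(addr in net for net in ALLOWED_PEERS)


def classify(flow: Flow) -> Optional[str]:
    """Return an alert for a flow that violates the isolation policy, or None
    when the flow stays on the permitted monitor <-> station path."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)

    if src in MONITOR_SEGMENT and not is_allowed_peer(dst):
        # Outbound from a monitor to anything other than the station segment.
        if flow.dport == BACKDOOR_PORT:
            return (f"CRITICAL outbound {flow.src}->{flow.dst}:{flow.dport} "
                    f"matches the port 515 startup channel")
        return (f"HIGH outbound {flow.src}->{flow.dst}:{flow.dport} "
                f"leaves the monitor segment")

    if dst in MONITOR_SEGMENT and not is_allowed_peer(src):
        # Inbound to a monitor from outside the station segment.
        return (f"HIGH inbound {flow.src}->{flow.dst}:{flow.dport} "
                f"reaches a monitor from outside the allowed segment")

    return None


def analyse(lines: List[str]) -> List[str]:
    """Run the policy over flow records and return the alerts in order."""
    alerts = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        verdict = classify(parse_flow(line))
        if verdict:
            alerts.append(verdict)
    return alerts


# Constructed sample flow records; TEST-NET addresses stand in for external hosts.
SAMPLE_FLOWS = [
    "10.20.30.5, 10.20.40.2, 5000, tcp",     # monitor -> central station: expected
    "10.20.30.5, 203.0.113.10, 515, tcp",    # monitor -> external host on 515: critical
    "10.20.30.7, 198.51.100.53, 53, udp",    # monitor -> external resolver: not expected
    "192.0.2.44, 10.20.30.5, 22, tcp",       # external host -> monitor: inbound breach
    "10.20.40.2, 10.20.30.5, 80, tcp",       # station -> monitor: expected
]

if __name__ == "__main__":
    for alert in analyse(SAMPLE_FLOWS):
        print(alert)
```

Run against the sample records, the script raises three alerts and stays silent on the two station flows. The same allowlist that drives the detection is the one to encode in the segment's ACLs, so that a flow which would alert here is also one the network refuses to carry.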
Read more here on how Armis can help.
[Partner Content]