
Security Flaw Found in Patient Monitors: No Fix Yet

6 February 2025 at 02:49

In a concerning development for healthcare cybersecurity, the FDA and CISA have issued urgent advisories about two critical patient monitors found to have severe security vulnerabilities: the Contec CMS8000 and Epsimed MN-120 models.

These devices, widely used for remote monitoring of patients in hospitals and at home, are now at risk due to several alarming backdoor flaws, including:

  • Hard-coded IP addresses and credentials: making the devices easy targets for cyber attackers.
  • Remote code execution vulnerabilities: enabling attackers to potentially take control of the device.
  • Patient data exposure risks: leaving sensitive health information open to compromise.

The Serious Threat to Patient Care

These vulnerabilities are not just theoretical risks; they pose real threats to both patient data privacy and operational healthcare safety. A compromised patient monitor could result in tampered vital readings or unauthorized access to personal health information.

Perhaps the most alarming aspect? There is currently no patch available to address these security flaws.

What Can Be Done?

While the lack of a software fix creates an urgent problem, healthcare providers and patients must act swiftly:

  • Healthcare Providers: Review your use of these devices and evaluate whether local, non-networked monitoring solutions are safer for high-risk patients.
  • Patients: Contact your healthcare provider if you are using one of these devices at home. Discuss potential alternatives or monitoring solutions.
  • Security Professionals: Implement network monitoring to detect unusual activity and secure connected healthcare devices at all possible endpoints.

Healthcare devices have historically lagged behind in security compared to other connected systems. This situation underscores the need for more robust security frameworks and proactive device hardening in the healthcare industry.

When a patch isn’t an option, the response must shift toward containment and prevention strategies to minimize risk exposure.
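
One way to apply the network monitoring and containment described above is an egress allowlist check over flow logs. This is an added example, not code from the original post or the advisories. The monitor VLAN, the approved station address, the ports and the flow records are all assumptions constructed for illustration.

```python
import ipaddress

# Site-specific assumptions, not values from the advisories: the VLAN holding
# the patient monitors and the only destination they may talk to (the central
# monitoring station). All addresses are RFC 5737 documentation ranges.
MONITOR_NET = ipaddress.ip_network("192.0.2.0/24")
APPROVED_DESTS = {ipaddress.ip_address("198.51.100.10")}

# Constructed flow records: "timestamp src dst dst_port bytes"
SAMPLE_FLOWS = """\
2025-02-06T02:10:01Z 192.0.2.21 198.51.100.10 8443 4200
2025-02-06T02:10:05Z 192.0.2.21 203.0.113.77 8443 18800
2025-02-06T02:10:09Z 192.0.2.22 198.51.100.10 8443 3900
2025-02-06T02:11:30Z 198.51.100.50 203.0.113.77 443 900
this line is malformed and must be skipped
2025-02-06T02:12:00Z 192.0.2.21 203.0.113.77 8443 17500
"""

def parse_flow(line):
    """Return (ts, src, dst, port, bytes), or None for an unparsable line."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, port, nbytes = parts
    try:
        return (ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                int(port), int(nbytes))
    except ValueError:
        return None

def unexpected_egress(log_text, monitor_net=MONITOR_NET, approved=APPROVED_DESTS):
    """Summarise flows from monitors to any destination outside the allowlist."""
    findings = {}
    for rec in filter(None, map(parse_flow, log_text.splitlines())):
        ts, src, dst, port, nbytes = rec
        if src not in monitor_net or dst in approved:
            continue  # not a monitor, or traffic to the approved station
        entry = findings.setdefault((str(src), str(dst), port),
                                    {"flows": 0, "bytes": 0, "first_seen": ts})
        entry["flows"] += 1
        entry["bytes"] += nbytes
    return findings

if __name__ == "__main__":
    for (src, dst, port), info in unexpected_egress(SAMPLE_FLOWS).items():
        print(f"ALERT {src} -> {dst}:{port} flows={info['flows']} "
              f"bytes={info['bytes']} first_seen={info['first_seen']}")
```

The same allowlist belongs in the firewall rules for the monitor VLAN, so that unapproved destinations are blocked as well as reported.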

We’ll continue to monitor this situation and provide updates as they become available.

The post Security Flaw Found in Patient Monitors: No Fix Yet appeared first on Centraleyes.
