Tech News 2025-02-24 22:41:54

Chinese Devices Present in U.S. Healthcare System Raise Concerns Among Government and Hospitals

A widely used Chinese medical monitoring device has recently come under U.S. government scrutiny due to potential cybersecurity risks. However, it is not the only medical device causing concern.

Experts warn that the increasing presence of Chinese healthcare devices in the U.S. medical system poses significant risks to the entire healthcare ecosystem.

The Contec CMS8000 Medical Monitor Faces Hacking Risks

The Contec CMS8000 is a popular medical monitoring device used to track patients' vital signs, including electrocardiogram (ECG), heart rate, blood oxygen saturation, non-invasive blood pressure, temperature, and respiration rate.

Contec, a Chinese company specializing in medical equipment, manufactures patient monitors, pulse oximeters, electrocardiographs, and other healthcare devices. The company supplies hospitals, clinics, and healthcare facilities worldwide.

In recent months, the U.S. Food and Drug Administration (FDA) and the Cybersecurity and Infrastructure Security Agency (CISA) have raised alarms about a “backdoor” found in the Contec CMS8000—a vulnerability that could be exploited by malicious actors to alter its configuration.

CISA researchers detected “unusual network traffic” and noted that the backdoor could allow the device to “download and execute unverified remote files” from an IP address that is not associated with the manufacturer or the healthcare facility but is instead linked to a third-party university. CISA described these as “highly unusual characteristics” that contradict standard medical device security protocols.

"When this function is activated, files on the device can be forcibly overwritten, leaving end users (such as hospitals) unable to control which software is running on the device," CISA reported.

The warning further emphasized that unauthorized changes to the device’s configuration could lead to incorrect patient status displays—potentially misreporting kidney failure or respiratory arrest. Such errors could cause healthcare providers to administer incorrect treatments, potentially endangering patients’ lives.

Hospitals Fear Cybersecurity Risks

"This is a ticking time bomb," said Christopher Kaufman, a business professor at Westcliff University in Irvine, California, who specializes in IT and emerging technologies.

The American Hospital Association (AHA), which represents over 5,000 hospitals and clinics across the U.S., has echoed these concerns, considering the rise of Chinese medical devices a major threat to the healthcare system.

Regarding Contec’s medical monitoring devices specifically, the AHA insists that the issue demands immediate attention.

"We must prioritize this risk because of the potential harm to patients. We need to fix this before it gets hacked," said John Riggi, national cybersecurity and risk advisor for the AHA. Before joining the AHA, Riggi worked in counterterrorism at the FBI.

CISA has reported that no software patch currently exists to mitigate the vulnerability, but the U.S. government is working with Contec to find a solution.

Contec has not responded to CNBC’s request for comment.

Uncertainty Over the Number of Devices in Use

Another pressing concern is that no one knows exactly how many of these medical monitors are currently being used in the U.S.

"We simply don’t know because hospitals use a vast number of medical devices. A conservative estimate suggests there are thousands of such devices in use. This is a serious vulnerability," Riggi warned, adding that China’s potential access to these devices presents strategic, technical, and supply chain risks.

In the short term, the FDA has advised healthcare systems and patients to operate these devices only in local mode or to disable remote monitoring functions. If remote monitoring is the only option, users should discontinue using the device if alternative solutions are available. The FDA stated that, so far, no cybersecurity incidents, injuries, or deaths have been reported due to this vulnerability.

The AHA has also recommended that hospitals disconnect these devices from the internet and isolate them from the rest of the hospital network until a software patch is available.
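
Whether monitors are in fact isolated, as the AHA recommends, can be checked against network flow logs. The sketch below is an added example, not code from CISA, the FDA or the AHA; the monitor subnet, the allowlisted central station, the log format and the sample flow records are all constructed assumptions.

```python
import ipaddress

# Constructed assumptions: adjust to the facility's own addressing plan.
MONITOR_SEGMENT = ipaddress.ip_network("10.40.8.0/24")   # patient-monitor VLAN
ALLOWED_DESTS = {ipaddress.ip_address("10.40.8.10")}     # central monitoring station
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records, one per line: "src dst dst_port bytes"
SAMPLE_FLOWS = """\
10.40.8.21 10.40.8.10 8080 18432
10.40.8.22 10.40.8.10 8080 17210
10.40.8.21 203.0.113.77 8080 2048
10.40.8.23 10.12.3.5 445 900
10.12.3.9 198.51.100.4 443 5120
this line is malformed
"""

def classify(dst):
    """Return None if dst is allowlisted, else 'lateral' or 'external'."""
    if dst in ALLOWED_DESTS:
        return None
    if any(dst in net for net in INTERNAL_NETS):
        return "lateral"      # reaches the rest of the hospital network
    return "external"         # leaves the facility entirely

def find_violations(flow_text):
    """List (src, dst, port, kind) for monitor traffic outside the allowlist."""
    violations = []
    for line in flow_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue          # skip malformed records
        try:
            src = ipaddress.ip_address(fields[0])
            dst = ipaddress.ip_address(fields[1])
            port = int(fields[2])
        except ValueError:
            continue
        if src not in MONITOR_SEGMENT:
            continue          # only monitor-originated traffic is in scope
        kind = classify(dst)
        if kind:
            violations.append((str(src), str(dst), port, kind))
    return violations

def devices_to_isolate(flow_text):
    """Monitors with at least one violating flow, sorted for reporting."""
    return sorted({v[0] for v in find_violations(flow_text)})

if __name__ == "__main__":
    for v in find_violations(SAMPLE_FLOWS):
        print(v)
```

An empty result over a representative capture window indicates the segment is behaving as isolated; any "external" entry means a monitor is still reaching beyond the facility.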

John Riggi stressed that Contec’s devices are just one example of the risks posed by medical technology. He pointed out that many other foreign-manufactured medical devices could also be vulnerable.

"U.S. hospitals frequently purchase inexpensive medical equipment from China, a country with a history of embedding malware into critical American infrastructure. Buying low-cost equipment like this could unintentionally grant China access to massive amounts of American medical data, which could be collected and used for various purposes," Riggi warned.

Is China Collecting Data from Americans?

Riggi noted that data is often transmitted to China under the pretext of monitoring device performance, but few people know what actually happens to the data once it arrives there.

According to Riggi, the immediate risk to individuals is lower than the broader threat of an entire healthcare system being compromised. However, he did not rule out the possibility that high-profile American individuals could be targeted through such medical devices.

"When we speak with hospitals, many executives are surprised because they had no idea about these risks. We are working to help them understand the situation better. The real question for the government is how to promote domestic medical device production rather than relying on foreign suppliers," Riggi said.

Parallels with TikTok and Other Chinese Technologies

Concerns over Contec’s devices mirror broader fears surrounding TikTok, DeepSeek, TP-Link routers, and other Chinese technologies that U.S. authorities suspect of collecting American data.

"Just hearing about this issue is enough for me to decide whether I should buy medical equipment from China," Riggi said.

Aras Nazarovas, an information security researcher at Cybernews, agrees that CISA’s warning raises serious concerns that need to be addressed. Cybernews is a website dedicated to reporting and analyzing cybersecurity issues.

"There’s a lot to worry about," Nazarovas stated. Medical devices like the Contec CMS8000 often have access to sensitive patient data and are directly connected to life-saving functions. If poorly secured, they could become easy targets for hackers, who could manipulate displayed data, alter critical settings, or even disable devices entirely.

"Imagine a monitoring device that stops alerting doctors about a patient’s heart condition or sends incorrect data, leading to misdiagnosis or delays in treatment," Nazarovas explained. The Contec CMS8000 and Epsimed MN-120 (a rebranded version of the same technology) could serve as gateways for hackers to infiltrate hospital networks.

Many hospitals and clinics are taking this issue seriously. Bartlett Hospital in Juneau, Alaska, does not use Contec’s monitoring devices but maintains vigilance regarding cybersecurity risks.

"Regular monitoring is crucial as the risk of cyberattacks on hospitals continues to grow," said Erin Hardin, a spokesperson for Bartlett Hospital.

A Potentially Worsening Situation

The situation could deteriorate further as the Government Efficiency Department, led by Elon Musk, is cutting divisions responsible for evaluating such devices, according to Professor Christopher Kaufman. Many of the recently laid-off FDA employees were specialists in assessing the safety of medical devices, CNBC reported.

Kaufman expressed concern over the U.S. government’s lax oversight of an already loosely regulated industry.

A Government Accountability Office (GAO) report from January 2022 revealed that 53% of network-connected medical devices and Internet of Things (IoT) devices in hospitals contained known critical vulnerabilities. Kaufman believes the problem is only worsening.

"I’m not sure who will continue running these agencies anymore," Kaufman said.

Silas Cutler, lead security researcher at Censys, a medical data analytics company, also weighed in:

"Medical device vulnerabilities are widespread and have been known for years. The reality is that the consequences can be severe, even fatal. While high-profile individuals may face greater risks, the primary victims are hospital systems, with cascading effects on everyday patients."
