
The US Cybersecurity and Infrastructure Security Agency (CISA) has uncovered a critical security vulnerability in Contec CMS8000 patient monitoring devices, widely used in healthcare facilities. The discovery reveals a concerning backdoor that compromises patient data security and device integrity.
Key Findings:
1. Data Transmission:
– Patient information is secretly transmitted to a remote IP address linked to a Chinese university
– Transmitted data includes doctor’s name, patient ID, personal information, and date of birth
– Data sent through unusual channels (port 515) instead of standard healthcare protocols
2. Backdoor Functionality:
– Allows unauthorized download and execution of files
– Enables complete remote takeover of patient monitors
– Activities occur without system logging or administrator alerts
– Affects both Contec CMS8000 and rebranded Epsimed MN-120 devices
3. Technical Details:
– Backdoor embedded in ‘monitor’ executable
– Uses Linux commands to enable network adapter
– Mounts remote NFS share from hard-coded IP address
– Copies files between system directories without security checks
4. Failed Remediation:
– Contec’s attempted fixes proved ineffective
– Company merely disabled the network adapter, which the backdoor can re-enable
– No permanent solution currently available
CISA Recommendations:
– Disconnect affected devices from networks when possible
– Monitor devices for unusual behavior or incorrect patient data display
– Implement additional security measures to protect patient information
Healthcare organizations are advised to take immediate action to protect patient data and system integrity until a permanent solution becomes available.
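The traffic pattern described above (patient data leaving on port 515, a remote NFS share mounted from a hard-coded address) is something a facility can watch for on the network even while no fixed firmware exists. The following is an added detection example, not code from CISA, Contec, or the article: it classifies flow records from a patient-monitor subnet and raises an alert when a monitor talks to a non-allowlisted host on port 515 or on the standard NFS ports. The subnet, the allowlisted print server, the documentation-range address 203.0.113.45 standing in for the remote IP, and the flow-record format are all constructed for the example; the port numbers 111 and 2049 are the standard portmapper and NFS ports and are an assumption about how the mount would appear on the wire.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Assumption (constructed): patient monitors live in this subnet, and the
# facility's whole address space is 10.0.0.0/8.
MONITOR_SUBNET = ipaddress.ip_network("10.20.30.0/24")
FACILITY_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

# Ports the described behaviour would touch: 515 (LPD) is named in the
# advisory summary; 111 (portmapper) and 2049 (NFS) are the standard ports an
# NFS mount uses and are assumed here.
SUSPECT_PORTS = {515: "port 515 (LPD)", 111: "portmapper", 2049: "NFS"}

# Constructed allowlist: the one internal print server monitors may reach on 515.
ALLOWED_PRINT_SERVERS = {ipaddress.ip_address("10.20.1.5")}


@dataclass
class Alert:
    src: str
    dst: str
    dport: int
    reason: str
    severity: str


def parse_flow(line: str):
    """Parse one constructed flow record of the form '<src> <dst> <proto> <dport>'."""
    src, dst, proto, dport = line.split()
    return ipaddress.ip_address(src), ipaddress.ip_address(dst), proto, int(dport)


def in_facility(addr) -> bool:
    # Membership test against our own ranges; deliberately not ipaddress.is_private,
    # which also treats documentation ranges such as 203.0.113.0/24 as private.
    return any(addr in net for net in FACILITY_NETWORKS)


def classify(line: str) -> Optional[Alert]:
    """Return an Alert if the flow matches the backdoor's traffic pattern, else None."""
    src, dst, proto, dport = parse_flow(line)
    if src not in MONITOR_SUBNET or dport not in SUSPECT_PORTS:
        return None
    # A monitor sending a print job to the facility's own print server is expected.
    if dport == 515 and dst in ALLOWED_PRINT_SERVERS:
        return None
    # Traffic leaving the facility on these ports is the pattern described;
    # a monitor mounting an internal NFS share is still unexpected, so it is
    # reported at lower severity rather than ignored.
    external = not in_facility(dst)
    severity = "high" if external else "medium"
    scope = "external" if external else "internal"
    reason = f"{SUSPECT_PORTS[dport]} from patient monitor to {scope} host"
    return Alert(str(src), str(dst), dport, reason, severity)


def find_suspicious(lines: List[str]) -> List[Alert]:
    """Run classify() over a batch of flow records and keep only the alerts."""
    return [a for a in (classify(l) for l in lines if l.strip()) if a is not None]


# Constructed sample flows; 203.0.113.45 is a documentation-range placeholder
# standing in for the hard-coded remote address, not a real indicator.
SAMPLE_FLOWS = [
    "10.20.30.17 10.20.1.5 tcp 515",       # print job to allowlisted server: fine
    "10.20.30.17 203.0.113.45 tcp 515",    # data leaving on port 515: high
    "10.20.30.17 203.0.113.45 tcp 2049",   # NFS mount to an external host: high
    "10.20.30.22 10.20.40.8 tcp 2049",     # NFS to an internal host: medium
    "10.20.30.22 10.20.1.5 tcp 443",       # ordinary HTTPS: fine
    "10.20.5.9 203.0.113.45 tcp 515",      # not a monitor: out of scope
]

if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_FLOWS):
        print(f"[{alert.severity}] {alert.src} -> {alert.dst}:{alert.dport} {alert.reason}")
```

Fed the constructed sample, the script raises three alerts: two high-severity for the monitor reaching the external placeholder address on port 515 and on the NFS port, and one medium-severity for an NFS connection to an internal host. In practice the facility's real ranges and print servers replace the constructed values, and the records come from a firewall or NetFlow export for the monitor VLAN; the allowlist is what keeps legitimate printing from the same devices from drowning the signal.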