
Cybersecurity Risks in Medical Devices: Addressing the Challenges

In early 2025, the Cybersecurity and Infrastructure Security Agency (CISA) announced that it had found serious vulnerabilities in patient monitors made by a Chinese medical device company.

The agency’s analysis revealed an embedded backdoor function with a hard-coded IP address, allowing unauthorized access and potential remote control of the device.

Perhaps even more concerning, when connected to a network, the monitor automatically transmits patient data to an external server, unencrypted and without authorization.

This case highlights the growing cybersecurity challenges facing healthcare providers and manufacturers as medical devices become increasingly connected and complex.

The Current State of Medical Device Cybersecurity

Connected devices let healthcare providers monitor patients remotely, seamlessly integrate data into electronic health records, and provide many other functions on the way to revolutionizing healthcare delivery. However, these capabilities come with significant security risks.

Prevalence of Cybersecurity Incidents

Data from the Department of Health and Human Services (HHS) show that while medical device vulnerabilities have yet to be commonly exploited in cybersecurity incidents, they remain a significant concern warranting attention. The potential for device vulnerabilities, like those identified by CISA, to wreak havoc on healthcare organizations and patients makes them a critical focus for cybersecurity efforts.

Potential Risks and Implications

Compromised medical devices can lead to serious consequences, including delayed patient care, exposure of sensitive patient data, and disruption of hospital operations. In the case of compromised patient monitors, attackers could modify device configurations or manipulate vital sign readings, putting patient safety at risk.

Challenges in Accessing Federal Support

The federal government can help healthcare providers and device manufacturers by providing vital analysis, guidance, and other support. However, organizations face several challenges in accessing that support.

Awareness and Communication Gaps

According to the Government Accountability Office (GAO), many organizations struggle with vulnerability communications from federal entities, finding alerts difficult to understand or overwhelming in volume.

Additionally, some organizations report not knowing whom to contact in the federal government about cybersecurity incidents or what federal resources are available.

Steps Taken by Federal Agencies

Fortunately, federal agencies are working to address these challenges. For example, the FDA has established best practices for providers to communicate cybersecurity vulnerabilities to patients. It has also worked with medical device makers to create a communications toolkit for healthcare providers and others. CISA has also published a toolkit on its website that brings together cybersecurity best practices for healthcare organizations.

Coordination Between Key Agencies

Effective interagency coordination is crucial for managing medical device cybersecurity risks.

FDA and CISA Collaboration

The FDA and CISA have established a formal agreement to share information and coordinate responses to medical device cybersecurity threats. This collaboration aims to raise awareness of, and foster more effective responses to, vulnerabilities like the one in monitoring devices found by CISA in early 2025.

Need for Updated Agreements

In late 2023, the GAO recommended that the FDA and CISA update their five-year-old cybersecurity agreement to reflect changes in how organizations operate in the post-pandemic era. The update, since implemented, helps ensure more effective coordination in addressing emerging cybersecurity threats.

However, agencies must continue to adapt collaborative agreements for changing global circumstances, regulatory requirements, and industry standards.

Limitations in Regulatory Authority

Although federal agencies are far from omnipotent in their quest to strengthen the cybersecurity posture of healthcare providers and manufacturers, cybersecurity legislation has helped.

Recent Legislative Enhancements

December 2022 legislation strengthened the FDA’s authority by requiring manufacturers to submit cybersecurity monitoring and vulnerability management plans for new medical devices.

Even so, there is a caveat.

Gaps in Authority Over Existing Devices

A significant limitation of the 2022 legislation is that the new cybersecurity requirements don’t apply retroactively to devices introduced before March 2023 unless manufacturers submit new marketing applications for changes to these devices.

Recommendations for Strengthening Cybersecurity

Recent audits and vulnerability assessments have highlighted the need for stronger cybersecurity measures in medical devices.

The GAO’s recommendations for strengthening cybersecurity in healthcare emphasize the importance of enhanced interagency coordination and comprehensive regulatory oversight. These systemic improvements are essential for addressing vulnerabilities across the healthcare sector.

To address immediate threats posed by compromised devices, CISA and the FDA recommend that healthcare providers work with facility staff to identify risky devices. If they can’t avoid using devices with known vulnerabilities, providers should use only local monitoring features and disconnect devices from network connections.
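The two behaviours described earlier (a device phoning home to a hard-coded external address, and doing so over an unencrypted channel) are both visible in network flow data, which is also how facility staff can act on the CISA/FDA advice above to identify risky devices and take them off the network. The script below is an added example and is not code from the article, from CISA or the FDA, or from any device vendor: the device subnet, the allowlist of legitimate destinations, the cleartext port list, the "off-site" definition, and the flow records are all constructed assumptions, and the one-line flow format stands in for whatever NetFlow or firewall export a site actually has.

```python
"""
Flag patient monitors (or any device VLAN) that initiate connections to
destinations outside an allowlist, or that talk over cleartext ports.
All addresses, ranges and records here are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumption: the patient monitors sit on this VLAN (hypothetical range).
DEVICE_SUBNET = ip_network("10.50.0.0/24")
# Assumption: everything the organisation owns lives inside 10.0.0.0/8, so a
# destination outside it is "off-site" (the hard-coded-server pattern).
INTERNAL_NETWORKS = [ip_network("10.0.0.0/8")]
# Assumption: the only places a monitor should ever connect to are the local
# monitoring station and the on-site EHR integration segment.
ALLOWED_DESTINATIONS = [ip_network("10.50.0.10/32"), ip_network("10.10.20.0/24")]
# Ports commonly carrying cleartext protocols (FTP, Telnet, HTTP).
PLAINTEXT_PORTS = {21, 23, 80}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


@dataclass(frozen=True)
class Finding:
    device: str
    dst: str
    dport: int
    reason: str


def parse_flow(line: str) -> Flow:
    """Parse one 'src dst dport proto' record (constructed export format)."""
    src, dst, dport, proto = line.split()
    return Flow(src, dst, int(dport), proto.lower())


def _in_any(addr, networks) -> bool:
    return any(addr in net for net in networks)


def analyze(lines) -> list[Finding]:
    """Return one Finding per (device flow, reason) that a defender should review."""
    findings: list[Finding] = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        src, dst = ip_address(flow.src), ip_address(flow.dst)
        if src not in DEVICE_SUBNET:
            continue  # only connections *initiated by* a device are of interest
        reasons = []
        if not _in_any(dst, ALLOWED_DESTINATIONS):
            if _in_any(dst, INTERNAL_NETWORKS):
                reasons.append("unexpected internal destination")
            else:
                reasons.append("off-site destination")
        if flow.dport in PLAINTEXT_PORTS:
            reasons.append("plaintext protocol")
        findings.extend(Finding(flow.src, flow.dst, flow.dport, r) for r in reasons)
    return findings


def devices_to_isolate(lines) -> set[str]:
    """Devices seen sending traffic off-site: candidates for local-only
    operation with the network connection removed, per the CISA/FDA advice."""
    return {f.device for f in analyze(lines) if f.reason == "off-site destination"}


# Constructed sample flows: src dst dport proto. 203.0.113.0/24 is a
# documentation range standing in for an unknown external server.
SAMPLE_FLOWS = """
# src            dst             dport proto
10.50.0.21       10.50.0.10      443   tcp
10.50.0.21       203.0.113.45    443   tcp
10.50.0.22       10.50.0.10      80    tcp
10.50.0.23       10.10.20.5      443   tcp
10.10.20.5       10.50.0.23      443   tcp
10.50.0.24       10.99.0.7       8443  tcp
""".strip().splitlines()


if __name__ == "__main__":
    for f in analyze(SAMPLE_FLOWS):
        print(f"{f.device} -> {f.dst}:{f.dport}  {f.reason}")
    print("isolate:", sorted(devices_to_isolate(SAMPLE_FLOWS)))
```

Run against the constructed records, the script reports the monitor reaching the external address, the monitor using port 80 to the otherwise legitimate station, and the monitor contacting an internal host that is not on the allowlist; only the first is a candidate for immediate isolation. In practice the allowlist is the valuable part: it should come from the device's documented communication requirements (the manufacturer's SBOM or network-interface documentation), so that any destination not on it is a question for the vendor rather than a guess.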

Protecting Patients and Healthcare Systems

Beyond the basics, healthcare organizations need to implement comprehensive cybersecurity risk management programs.

Such programs should include regular security audits, timely software patches, automated monitoring, and other safeguards to protect both sensitive patient data and critical medical devices.

A trusted cybersecurity partner such as Xantrion, with deep experience in the healthcare sector, can provide the managed security that healthcare organizations need to protect organizations and, most importantly, patients.
