America's Medical Hardware Is a Battlefield

Many medical devices have expected lifespans measured in decades, and the majority of connected medical devices currently in use wouldn't meet the FDA's latest cybersecurity standards if submitted for approval. Adversaries have noticed.

The hospital bed is one of the most intimate places a person can occupy — fully dependent on staff and medical devices to restore their health. Today, those devices do far more than monitor: they deliver fluids and medications, control respiration, and alert clinical staff when patient telemetry signals danger. They manage the line between health and illness, life and death.

They’re also, essentially, a computer attached to the internet, often manufactured cheaply abroad, running outdated software, sitting on a poorly segmented network, and vulnerable to anyone who knows where to look.

This is the current condition of American digital healthcare infrastructure, as long documented by federal agencies, confirmed by independent researchers, and now the subject of urgent warnings from governors, regulators, and the security community. The question that remains is whether there will be enough action to reduce the risks.

To that end, Texas Governor Greg Abbott issued a directive on March 9, 2026 calling for an immediate cybersecurity audit of Chinese-manufactured patient monitoring devices across state facilities, citing earlier federal warnings. "Maintaining Texans' physical security and protecting their personal privacy, especially as it relates to something as important and intimate as personal medical data, is of paramount importance," he wrote. "I will not let Communist China spy on Texans." Agencies have until April 17 to report findings of their audits.

A Backdoor at the Bedside

Earlier federal warnings include those from January 2025, when the Cybersecurity and Infrastructure Security Agency (CISA) dropped a finding that should have garnered more attention. Analysts had discovered essentially backdoor functionality with a hard-coded IP address in multiple firmware versions of the Contec CMS8000 — a patient monitor manufactured by a company headquartered in Qinhuangdao, China, widely deployed in hospitals and clinics across the United States and the European Union. 

The CMS8000 monitors vital signs continuously: electrocardiogram, heart rate, blood oxygen, blood pressure, temperature, respiration. It is the kind of equipment that sits in ICUs, post-surgical wards, and home healthcare settings. And it was, according to federal investigators, quietly phoning home.

The device reportedly exfiltrated patients' data to a hard-coded IP address and contained backdoor functionality capable of downloading and executing unverified remote files on the device. CISA assessed that the backdoor could create conditions allowing remote code execution and device modification — a malfunctioning patient monitor could lead to an improper response to a patient's vital signs. However, Claroty’s Team82 later determined that the “backdoor” was likely the result of poor development practices rather than a purposefully planted backdoor.

Regardless of whether the vulnerability was intentional or accidental, CISA traced the hard-coded IP address to a Chinese university. Further investigation found the same backdoor pattern present in medical equipment from other Chinese healthcare manufacturers, including a pregnancy patient monitor. The Contec CMS8000 is also sold under the Epsimed MN-120 brand name — meaning hospitals may not even know they are running the same vulnerable hardware. The FDA's initial recommendation to healthcare facilities: unplug the device's ethernet cable, disable wireless capabilities, and if that isn't possible, stop using it entirely. A software patch was eventually issued by Contec on July 2, 2025, though installation requires specialized expertise and must be handled by facility IT staff.
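Because the same monitor ships under two brand names, a biomedical asset inventory that is searched for only one of them can miss affected units. The following Python is an added example, not part of the article and not tooling from Contec, Epsimed, the FDA or CISA: it reconciles a constructed inventory against the two model names the article gives, normalizing vendor and model strings so inconsistently recorded entries ("CMS-8000", "MN 120") still match. The inventory records, asset IDs, wards and the "OtherVendor VS-100" entry are hypothetical.

```python
import re

# The two names below are the ones the article gives for the same device;
# the equivalence itself is what the article states. Any firmware-version
# detail would come from the vendor advisory and is deliberately left out.
ADVISORY_AFFECTED = [("Contec", "CMS8000"), ("Epsimed", "MN-120")]


def normalize(vendor, model):
    """Lower-case and strip separators so 'CMS-8000', 'cms 8000' and 'CMS8000'
    all reduce to the same key, prefixed by the vendor to avoid cross-vendor collisions."""
    return re.sub(r"[^a-z0-9]", "", (vendor + model).lower())


AFFECTED_KEYS = {normalize(v, m) for v, m in ADVISORY_AFFECTED}

# Constructed biomedical inventory: asset IDs, wards and vendors here are hypothetical.
INVENTORY = [
    {"asset_id": "BIO-0041", "vendor": "Contec", "model": "CMS-8000", "ward": "ICU-2", "networked": True},
    {"asset_id": "BIO-0042", "vendor": "Epsimed", "model": "MN 120", "ward": "Post-op", "networked": True},
    {"asset_id": "BIO-0043", "vendor": "Contec", "model": "cms8000", "ward": "Home-care pool", "networked": False},
    {"asset_id": "BIO-0090", "vendor": "OtherVendor", "model": "VS-100", "ward": "ED", "networked": True},
]


def affected_assets(inventory, affected_keys=AFFECTED_KEYS):
    """Return inventory entries matching the advisory, networked units first,
    since network isolation was the mitigation the FDA recommended."""
    hits = [a for a in inventory if normalize(a["vendor"], a["model"]) in affected_keys]
    return sorted(hits, key=lambda a: (not a["networked"], a["asset_id"]))


if __name__ == "__main__":
    for asset in affected_assets(INVENTORY):
        state = "NETWORKED" if asset["networked"] else "offline"
        print(f"{asset['asset_id']} {asset['vendor']} {asset['model']} ({asset['ward']}) {state}")
```

Sorting networked units to the top reflects the order in which a facility would act: devices still on the wire are the ones the "unplug the ethernet cable" guidance applies to immediately, while offline units can be queued for the vendor patch.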

The FDA further warned that the vulnerabilities could allow all vulnerable Contec and Epsimed monitors on a shared network to be exploited simultaneously. A single credential, a single network access point, and every connected patient monitor in a hospital wing could be compromised at once.

The Architecture of Exposure

To understand why this vulnerability exists and why it is so difficult to fix, one has to understand how hospital networks were built — and when.

Mick Coady, a retired PwC partner who served as acting CISO at three separate hospital systems and now works on network microsegmentation at Elisity, details the structural challenges: Most hospital networks are aged and historically flat. When an attacker gets in, they can move east and west across the entire environment in minutes. The core issue is that the most critical devices on those networks — CT scanners, MRI machines, infusion pumps, patient monitors — were never designed to be secured. “You cannot install a protective endpoint agent on a twenty-year-old imaging system. It wasn't built for it,” Coady says.
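Both failure modes the article describes, a monitor "phoning home" to an address outside the hospital and an intruder moving east-west across a flat network, first appear as flows that a patient monitor has no clinical reason to produce. The following Python is an added example, not code from the article, from Elisity or from any device vendor, of a flow-policy check for a patient-monitor segment. Every subnet, address, port and device role is constructed, and the rule that monitors never need to talk to one another is an assumption of this hypothetical policy rather than a statement from the article.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed network layout; none of these ranges describe a real hospital.
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MONITOR_VLAN = ip_network("10.40.0.0/24")      # hypothetical patient-monitor segment
CENTRAL_STATION = ip_network("10.10.5.0/24")   # hypothetical servers monitors report to
MGMT_JUMPHOST = ip_network("10.10.9.0/28")     # hypothetical biomed/IT management hosts

# Hypothetical policy: the only destinations a monitor may initiate traffic to,
# and the only sources allowed to initiate traffic toward a monitor. Peer
# traffic inside the monitor VLAN is flagged because, under this policy,
# monitors have no reason to talk to each other.
POLICY = {
    "egress_allowed": [CENTRAL_STATION],
    "inbound_allowed": [CENTRAL_STATION, MGMT_JUMPHOST],
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def in_any(addr, networks):
    return any(addr in n for n in networks)


def check_flow(flow, policy=POLICY):
    """Return finding codes for one flow; an empty list means the flow is allowed."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    findings = []
    if src in MONITOR_VLAN:
        if dst in MONITOR_VLAN:
            findings.append("monitor_to_monitor")        # flat-segment lateral movement pattern
        elif not in_any(dst, INTERNAL):
            findings.append("external_egress")           # the "phoning home" pattern
        elif not in_any(dst, policy["egress_allowed"]):
            findings.append("internal_egress_off_policy")  # reached something it should not
    if dst in MONITOR_VLAN and src not in MONITOR_VLAN:
        if not in_any(src, policy["inbound_allowed"]):
            findings.append("unexpected_inbound")        # non-clinical host reaching a monitor
    return findings


def triage(flows, policy=POLICY):
    """Group findings by source address so one misbehaving device stands out."""
    report = {}
    for f in flows:
        for code in check_flow(f, policy):
            report.setdefault(f.src, set()).add(code)
    return report


# Constructed sample flows; 203.0.113.45 is a documentation-range placeholder,
# not the address from any advisory.
SAMPLE_FLOWS = [
    Flow("10.40.0.12", "10.10.5.20", 443),     # monitor reporting to central station: allowed
    Flow("10.40.0.12", "203.0.113.45", 515),   # monitor sending data off-network
    Flow("10.40.0.12", "10.40.0.13", 22),      # monitor talking to a neighbouring monitor
    Flow("192.168.50.7", "10.40.0.13", 80),    # guest-Wi-Fi host reaching a monitor
    Flow("10.40.0.13", "10.10.77.3", 445),     # monitor reaching an unrelated internal server
]

if __name__ == "__main__":
    for src, codes in sorted(triage(SAMPLE_FLOWS).items()):
        print(src, sorted(codes))
```

The check is deliberately coarse: it needs only source, destination and port, which is what a flat network's flow logs can supply even when the devices themselves cannot run an agent. It is the kind of rule a segmentation policy enforces at the switch or firewall; running it over exported flows first shows what that policy would block before anything is enforced.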

The issues are not limited to a handful of networked medical devices. According to RunSafe Security's 2025 Medical Device Cybersecurity Index, which surveyed 605 healthcare executives across the U.S., UK, and Germany, of the stunning 99% of healthcare organizations that experienced medical device cybersecurity incidents, 46% required manual processes to maintain operations, 44% reported delayed diagnoses or procedures, and 44% had extended patient stays. When systems failed, 43% experienced up to 4 hours of downtime, while 31% faced up to 12 hours without critical systems.

These are real patients waiting longer for imaging results, for drug delivery, for the vital sign read that determines the next clinical decision.

Additionally, a 2022 report from the FBI's Cyber Division found that 53% of networked medical devices have at least one known critical vulnerability. The majority of manufacturers still do not employ a “security-by-design” development cycle, treating cybersecurity as a compliance checkbox rather than a foundational design requirement. Medical devices such as heart monitors often contain outdated operating systems and weak authentication protocols. When devices fail during a security incident, clinicians find themselves in crisis mode over problems they did not cause and can’t readily fix.

The Regulatory Race

Washington has been trying to catch up. The FDA updated its cybersecurity guidance in June 2025, introducing mandatory lifecycle requirements for medical devices — including secure design processes, postmarket vulnerability monitoring, and patching protocols — that manufacturers must now demonstrate in premarket submissions. The Consolidated Appropriations Act, signed in December 2022, added statutory cybersecurity requirements for new devices seeking FDA clearance.

The catch is that the guidance applies only to new devices. The installed base — the monitors, pumps, scanners, and ventilators already running in hospitals across the country — is largely beyond the reach of those requirements. Many of these devices have expected lifespans measured in decades. And the majority of connected medical devices currently in use wouldn't meet the FDA's latest cybersecurity standards if submitted for approval today. Replacing them is expensive, logistically complex, and clinically disruptive. So they stay vulnerable and exposed.

The regulatory pressure is also producing some landmark enforcement. On July 31, 2025, the DOJ announced a $9.8 million False Claims Act settlement with Illumina — the first such settlement focused specifically on cybersecurity failures in medical devices sold to federal agencies. The case was not triggered by a breach or a data leak. It rested on the allegation that Illumina knowingly sold genomic sequencing systems to government agencies while falsely representing that its software met required cybersecurity standards. The government contended the claims were false regardless of whether any actual cybersecurity breach occurred. Manufacturer liability is rising. Whether that translates to better device security, or merely to better documentation of inadequate device security, remains to be seen.

Healthcare Asymmetry

What adversaries — whether state-linked or otherwise — understand about healthcare that its defenders are still grappling with is the asymmetry of the systems they defend. Hospitals cannot simply go offline. Devices cannot be unplugged without clinical consequence. The pressure to restore systems is intense and immediate, while the reputational, regulatory, and patient safety stakes make institutions reluctant to disclose the full scope of incidents when they occur.

And, of course, it is not just medical devices healthcare providers must be concerned about. It is cameras, building management systems, every networked device that lives inside a hospital network — the entire interconnected environment those devices inhabit.

The prescription from those who study this environment most closely is a heightened focus on the basics: swifter exposure closure, stronger identity controls, improved device security assessments, rigorous vendor criticality mapping, medical device asset visibility, and recovery plans tested against the actual operational messiness of real healthcare settings.

That is the work that remains undone. The backdoor in the bedside monitor is just a symptom of an industry that connected its most critical hardware to global networks without fully reckoning with the vulnerabilities it was inviting in. The regulators are writing new rules. The governors are ordering audits. And too many devices that haven't been patched are still running.
