
Medical Equipment

Medical equipment – whether implanted in the body or used in a hospital setting – is one type of health-related hardware that is expected to protect patient privacy. Because the providers that deploy this equipment are subject to HIPAA, there are fewer concerns about its manufacturer collecting and sharing data about the patient. However, HIPAA only governs how data is handled by the parties that are supposed to have it; it does nothing for data that an attacker takes from a compromised device. The remaining privacy concerns therefore come down to the cybersecurity of the equipment itself, especially when it has Internet connectivity.


Vulnerable Devices and Networks

These days, just about every kind of device is available in a “smart” version that has some kind of network connectivity that enables “features,” sometimes for dubious reasons. An example from a previous lesson is the “smart” TV, which adds network connectivity mostly for the purpose of spying on the human watching it. Unfortunately, the push toward “smart” crap isn’t limited to consumer devices. Network connectivity is now available in many kinds of medical equipment, including devices surgically implanted in the human body, like pacemakers, and bedside equipment like infusion pumps. Some of these devices have been found to contain vulnerable software, often in a third-party networking component shared across many products, making it possible for an attacker to take control of the device or to use it as a foothold for attacking a hospital or other healthcare network.1

Hospital and healthcare networks are prime attack targets, given both the sensitivity of the information that travels on these networks and the desire of foreign actors to gain a competitive advantage by stealing health information for their own research. A Chinese state-sponsored espionage group that Microsoft researchers track as Silk Typhoon is actively trying to break into healthcare networks (among other targets) by compromising IT supply chains.2 Other groups have taken to disguising malware as legitimate medical software applications in an attempt to get users to install a Remote Access Trojan (RAT) on hospital computer systems.3 An installed RAT gives the attacker persistent remote control of the infected system over the Internet: the attacker can read and exfiltrate the data on that system, and can use it as a launchpad for attacks against other systems on the hospital’s network.
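As an added illustration (not part of the original lesson, and not tied to any particular RAT), the following script shows one way a defender might spot such an implant from the network side. A RAT that maintains continuous access usually does so by calling out to its operator on a timer, and those regular check-ins stand out from ordinary browsing once you measure the gaps between connections from one host to one destination. The log format and the sample log lines are constructed for this example.

```python
"""Added example (not from the lesson): spotting RAT "beaconing" in outbound
connection logs.  The sample log lines and their layout (timestamp, source
host, destination, bytes) are constructed for this example and are not any
product's real log format."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: one workstation calling 203.0.113.10 every ~60 seconds,
# mixed with ordinary, irregular browsing traffic to two other hosts.
SAMPLE_LOG = """\
2025-03-01T09:00:00 ws-radiology-07 203.0.113.10:443 412
2025-03-01T09:00:13 ws-radiology-07 198.51.100.5:443 9021
2025-03-01T09:01:00 ws-radiology-07 203.0.113.10:443 415
2025-03-01T09:01:41 ws-radiology-07 198.51.100.5:443 20331
2025-03-01T09:02:01 ws-radiology-07 203.0.113.10:443 410
2025-03-01T09:02:55 ws-radiology-07 198.51.100.22:443 1502
2025-03-01T09:03:00 ws-radiology-07 203.0.113.10:443 413
2025-03-01T09:04:00 ws-radiology-07 203.0.113.10:443 411
2025-03-01T09:05:00 ws-radiology-07 203.0.113.10:443 414
2025-03-01T09:05:20 ws-radiology-07 198.51.100.5:443 5031
"""


def parse_log(text):
    """Yield (timestamp, src, dst, bytes) tuples from the constructed format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(nbytes)


def find_beacons(text, min_connections=5, max_jitter=0.2):
    """Return {(src, dst): (count, mean_gap_seconds, jitter)} for every
    host/destination pair whose connection intervals are suspiciously regular.

    jitter is the standard deviation of the gaps divided by their mean.  A
    human browsing produces large jitter; a timer-driven implant does not."""
    times = defaultdict(list)
    for ts, src, dst, _ in parse_log(text):
        times[(src, dst)].append(ts)

    beacons = {}
    for pair, stamps in times.items():
        if len(stamps) < min_connections:      # too few samples to judge
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else float("inf")
        if jitter <= max_jitter:
            beacons[pair] = (len(stamps), round(avg, 1), round(jitter, 3))
    return beacons


if __name__ == "__main__":
    for (src, dst), (n, avg, jit) in find_beacons(SAMPLE_LOG).items():
        print(f"possible beacon: {src} -> {dst}: {n} connections, "
              f"one every ~{avg}s (jitter {jit})")
```

On the constructed log, only the six connections to 203.0.113.10 are reported: they arrive almost exactly one minute apart, while the connections to the other two hosts are too few and too irregular. Real implants randomize their sleep interval precisely to defeat this kind of check, so treat a regular beacon as one signal to be combined with others (destination reputation, the process that opened the connection, data volume), not as a verdict on its own.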

Backdoors in Equipment

In early 2025, an alert was jointly issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Food and Drug Administration (FDA) concerning the Contec CMS8000 and Epsimed MN-120 patient monitors. These devices, manufactured by Contec Medical Systems in Qinhuangdao, China, were found to contain code that tries to connect to a hard-coded remote address and download files from it, potentially allowing whoever controls that address to take over the devices. At first, security researchers were concerned that the devices shipped with a built-in backdoor. However, once someone took the time to read the manual included with the equipment, it became clear that the server the device tries to reach is meant to be the central monitoring station deployed on the hospital’s own network as part of the product. This particular case proved to be a false alarm, although the design is still weak: the monitor will accept files from whatever answers at its hard-coded address, so mitigating it requires blocking that address range at the hospital’s network boundary and allowing the monitor to talk only to the legitimate central station.4

Nevertheless, the news media seized upon the story and widely reported that hospital equipment might be vulnerable to foreign intrusion. This concern is not unfounded, as lax security is a longstanding problem with medical devices and healthcare facilities. A considerable amount of medical equipment is imported from China, and this equipment can contain telemetry code that transmits health information back to its manufacturer. The challenge facing hospitals and doctors’ offices is that there are few domestic suppliers of healthcare equipment, leaving the medical facilities little choice but to purchase imported machines.5

Mitigation

Unfortunately, there are few things that an individual can do to mitigate the risks from medical devices used in a healthcare setting. HIPAA privacy regulations apply, but these regulations are only effective if the device isn’t compromised. If a person has a health condition that requires a pacemaker or other implanted device, it would be wise to ask as many questions as possible about the device and its capabilities: what it connects to, whether its wireless interface can be turned off, and how its software is updated. Wi-Fi connectivity on such a device is probably not such a great idea, and an alternate model might be a better choice. However, as is the case with the equipment in the hospital itself, the choices for an individual patient might be limited. The privacy and security risks of the device might pale in comparison to the potentially fatal consequences of not having the device.

For those of you who take future career positions in healthcare, especially in the IT department, take the time to review potential choices of medical equipment. Consider the origin of the equipment (domestic or foreign), its capabilities, its connectivity, whether the vendor supplies security updates and for how long, and whether or not the features and connections it has make sense for its application. A well-designed, properly segmented network is a must in any healthcare setting: medical devices belong on their own network segment, with the firewall permitting only the connections each device actually needs, since threats are ever present in this particular industry.
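To make the segmentation advice concrete, and to show what the mitigation for the Contec monitors described above actually looks like in practice, here is an added example (not part of the original lesson, and not the vendor’s or CISA’s code). It encodes an allow-list policy for a patient-monitor segment, checks a handful of firewall flow records against it, and renders the same policy as nftables rules. The hospital address space, the monitor VLAN, the central station’s address, the ports, and the flow records are all constructed assumptions; in particular they are not the real device’s hard-coded addresses.

```python
"""Added example (not from the lesson, the vendor, or CISA): an egress-policy
check for a patient-monitor network segment.  The guidance for the Contec
monitors boils down to "the monitor expects exactly one central station on
your network; block everything else".  Every address, port and flow record
below is a constructed assumption for this example."""
import ipaddress

# Assumed segmentation policy for a hospital network carved out of 10.0.0.0/8.
HOSPITAL_NET = ipaddress.ip_network("10.0.0.0/8")       # assumption
MONITOR_VLAN = ipaddress.ip_network("10.40.12.0/24")    # assumption: patient monitors live here
CENTRAL_STATION = ipaddress.ip_address("10.40.10.5")    # assumption: the one server they need
ALLOWED_PORTS = {515, 5000}                             # assumption: monitoring protocol ports

# Constructed flow records (src, dst, dst_port), as a firewall might log them.
SAMPLE_FLOWS = [
    ("10.40.12.21", "10.40.10.5", 5000),   # monitor -> central station
    ("10.40.12.21", "10.40.10.5", 515),    # monitor -> central station
    ("10.40.12.22", "203.0.113.44", 80),   # monitor -> address outside the hospital
    ("10.40.12.22", "10.40.30.7", 445),    # monitor -> unrelated internal host
    ("10.40.10.5", "10.40.12.21", 5000),   # central station -> monitor
    ("10.40.50.9", "10.40.12.22", 22),     # admin workstation -> monitor
]


def classify_flow(src, dst, port):
    """Return 'allow', or a 'deny: ...' reason, for one flow under the policy."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in MONITOR_VLAN:
        # Explicit hospital range rather than ip.is_private: the documentation
        # ranges used in the sample count as "private" in the stdlib.
        if d not in HOSPITAL_NET:
            return "deny: monitor reaching an address outside the hospital network"
        if d != CENTRAL_STATION:
            return "deny: monitor reaching a host other than the central station"
        if port not in ALLOWED_PORTS:
            return "deny: unexpected port toward the central station"
        return "allow"
    if d in MONITOR_VLAN and s != CENTRAL_STATION:
        return "deny: only the central station may initiate connections to monitors"
    return "allow"  # flows that do not touch the monitor segment are out of scope here


def audit(flows):
    """Return [(src, dst, port, reason)] for every flow the policy would deny."""
    denied = []
    for src, dst, port in flows:
        verdict = classify_flow(src, dst, port)
        if verdict != "allow":
            denied.append((src, dst, port, verdict))
    return denied


def nft_rules(table="inet hospital", chain="forward"):
    """Render the same policy as nftables forward-chain rules.  Text only: this
    example does not load them, and the table and chain names are assumptions
    (the chain is assumed to already exist with a forward hook)."""
    ports = ", ".join(str(p) for p in sorted(ALLOWED_PORTS))
    prefix = f"nft add rule {table} {chain}"
    return [
        f"{prefix} ip saddr {MONITOR_VLAN} ip daddr {CENTRAL_STATION} "
        f"tcp dport {{ {ports} }} accept",
        f"{prefix} ip saddr {CENTRAL_STATION} ip daddr {MONITOR_VLAN} accept",
        f"{prefix} ip saddr {MONITOR_VLAN} drop",
        f"{prefix} ip daddr {MONITOR_VLAN} drop",
    ]


if __name__ == "__main__":
    for src, dst, port, reason in audit(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:{port}  {reason}")
    print("\n".join(nft_rules()))
```

Three of the six constructed flows are denied: the monitor reaching an outside address (the Contec scenario), the monitor reaching an unrelated internal host, and an administrator’s workstation connecting to a monitor directly. The last case is deliberate: a device that accepts files from the network should be reachable only from the system that is supposed to feed it, so that a compromised workstation elsewhere on the hospital network cannot use the monitors as its next hop.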

Notes and References


  1. Doug Criss. “Software vulnerabilities in some medical devices could leave them susceptible to hackers, FDA warns.” CNN. October 2, 2019.

  2. Bill Toulas. “Silk Typhoon hackers now target IT supply chains to breach networks.” BleepingComputer. March 5, 2025.

  3. Benedict Collins. “Chinese hacking group hijacks hospital computers by spoofing legitimate medical software.” TechRadar. February 26, 2025.

  4. Ravie Lakshmanan. “CISA and FDA Warn of Critical Backdoor in Contec CMS8000 Patient Monitors.” The Hacker News. January 31, 2025.

  5. Kevin Williams. “Chinese medical devices are in health systems across U.S., and the government and hospitals are worried.” CNBC. February 23, 2025.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.