Threats to Patient Safety From Cybersecurity Flaws—A New Never Event

“The FDA [United States Food and Drug Administration] follows the least burdensome principle, limiting its ability to require cybersecurity testing beyond what is necessary to demonstrate safety and effectiveness. As a result, hospitals incur risks of insecure devices with limited mechanism to hold manufacturers accountable. A recent FDA advisory and subsequent congressional testimony have underscored these concerns, raising urgent questions about whether current regulatory pathways are sufficient or in need of modernization.

On January 30, 2025, the FDA issued a safety advisory on the Contec CMS8000 patient monitor, identifying vulnerabilities in its security protocols. These devices collect information from pulse oximeters, electrocardiograms, blood pressure cuffs, and similar devices to display patients’ vital signs and alarms contemporaneously at the bedside and at central displays in clinical units. Reliable data are essential for monitoring patients’ clinical status and detecting deterioration early. In its advisory for the Contec CMS8000 patient monitor, the FDA warned that these devices may contain a security flaw, wherein once connected to the internet, they may communicate with—and be remotely controlled by—a computer anywhere in the world.

The safety communication explains software design flaws that could be exploited over the internet by a remote attacker to install and execute malicious software code, overwrite files on the device, or obtain access to unencrypted patient data. For example, this vulnerability would allow a motivated hacker to remotely disable vital sign alarms, potentially preventing detection of patient deterioration and delaying lifesaving care. The device was also found capable of contacting a Chinese internet protocol (IP) address over a network port typically reserved for printers, a clear red flag indicating poor security design and a potential data exfiltration risk. This vulnerability allows a remote attacker to install and execute malicious software code, overwrite files, or obtain unencrypted patient data.

[..] The cybersecurity flaw means that a remote hacker could (1) cause the monitor to display false yet coherent cardiac rhythms; (2) access protected health information and covertly transmit it over the internet; (3) create nuisance alarms that distract and overload staffing resources; or (4) conceal their actions and make it impossible to ascertain what they did and which charted data are real.

[..] medical device manufacturer code is shrouded in secrecy, locked behind nondisclosure agreements and often beyond premarket cybersecurity scrutiny. This lack of transparency leaves hospitals unaware of the risks they are assuming and makes it easier for attackers to exploit vulnerabilities.

Hospitals are currently fielding medical devices on their networks with limited insight into their security risks and even less market power to demand improvements. Patients, hospitals, and insurance companies foot the bill for cyber incidents, whereas device manufacturers have limited legal or financial incentive to improve security. We consider these incidents to be cybersecurity “never events,” just as preventable and unforgivable as wrong-site surgery. With careful regulatory, manufacturer, and health system reform, these critical safety threats to patients should never lead to real harms.

Several opportunities exist to anticipate the foreseeable problems identified in this advisory and prevent needless risks to patients. First, Congress must update its legislative control over medical device regulation to hold manufacturers accountable for cybersecurity. The 2023 Omnibus Appropriations Bill introduced section 524B of the Federal Food, Drug, and Cosmetic Act, requiring manufacturers to submit cybersecurity plans, including a software bill of materials and postmarket vulnerability management processes. However, enforcement remains weak, and recently announced sharp reductions in experienced FDA staff will only further strain postmarket surveillance systems. Stronger oversight and consequences for noncompliance are essential to ensure that devices meet basic security expectations before they reach hospitals. For new medical devices, cybersecurity requirements have improved under section 524B, mandating security documentation and postmarket monitoring. However, older devices already in circulation face little regulatory scrutiny. This gap leaves hospitals exposed to legacy security flaws, with no clear pathway to remediation. Strengthening FDA authority over postmarket security updates and requiring ongoing vulnerability assessments would help close this loophole.

Second, overdesign and unnecessary internet connectivity introduce vulnerabilities that outweigh benefits. Many medical devices do not need broad network access to perform their essential functions. A least connected principle should be adopted, ensuring that only the minimum necessary network interfaces are enabled. This approach could significantly reduce attack susceptibility and mitigate risks from compromised devices. In a well-intentioned effort to create a seamless and intuitive experience for medical professionals, manufacturers may create systems that are so interconnected that they inadvertently widen the cyber sterile field from the benign hospital information technology system to the entire internet. As the pressure to release new medical devices quickly intensifies, manufacturers often overlook a critical component of secure development: ensuring that all test code is properly removed before devices reach the market. Test code typically includes features that are not intended for regular use, such as backdoors, diagnostic tools, or debug interfaces. These features, although useful during development, may not be secured with the same attention to detail as the rest of the device’s code, leaving wide gaps in security.

Third, the secrecy surrounding medical device software must end. Security researchers and hospitals need clear channels to report vulnerabilities and receive timely, actionable information. Coordinated vulnerability disclosure processes should be strengthened to allow responsible reporting and remediation without legal threats or delays. Additionally, agencies like CISA must improve their guidance by providing actionable intelligence, such as known malicious IP addresses, so hospitals can defend against threats effectively. The FDA’s guidance on medical device cybersecurity encourages thinking about risk differently than the traditional probabilistic approach taken to medical device safety or reliability. In this view, exploitation is treated as unreliably quantifiable because threat actors are adaptive and unpredictable, whereas vulnerabilities may be latent and then suddenly exploited after discovery, which means cybersecurity risk assessments should not downplay risks according to low historical exploitation frequency.

Cybersecurity vulnerabilities in medical devices are not only a technical issue but also a patient safety crisis. The CMS8000 event adds to examples such as the Change Healthcare incident and others to highlight how weak security design can introduce significant risks, from data breaches to direct threats to clinical workflows. The regulatory system must adapt to hold manufacturers accountable, limit unnecessary connectivity, and improve transparency. Without these reforms, the health care system will remain vulnerable to cyberattacks, with patients ultimately bearing the cost. It is time to treat these vulnerabilities with the same urgency as any other preventable harm in medicine is treated: as a new kind of never event.”

Full editorial, DB Kramer, JR Amos, JM Goldman et al. JAMA, 2025.7.7
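The editorial's "least connected" principle and its call for actionable indicators such as known malicious IP addresses can be turned into a concrete egress check for a bedside-monitor segment. The following is an added example, not code from the JAMA authors, Contec, the FDA or CISA; every address, the 4601 central-station port, the flow log and the known-bad list are constructed for illustration, while 515, 9100 and 631 are the standard LPD, raw JetDirect and IPP printer ports.

```python
import csv
import io
import ipaddress
from collections import namedtuple

# Constructed addresses: the monitor VLAN, the hospital's internal ranges, and the only
# two destinations a bedside monitor legitimately needs to reach (least connected).
MONITOR_SEGMENT = ipaddress.ip_network("10.20.30.0/24")
HOSPITAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
ALLOWED_DESTINATIONS = {
    (ipaddress.ip_address("10.20.1.10"), 4601),  # central-station collector (assumed port)
    (ipaddress.ip_address("10.20.1.20"), 515),   # unit print server, LPD
}
PRINTER_PORTS = {515, 9100, 631}  # LPD, raw/JetDirect, IPP
# Constructed indicator feed standing in for an advisory's known-bad address list.
KNOWN_BAD = {ipaddress.ip_address("203.0.113.45")}
Finding = namedtuple("Finding", "src dst dport severity reason")

# Constructed flow export (timestamp, source, destination, destination port, bytes).
FLOW_LOG = """\
ts,src,dst,dport,bytes
2025-01-30T08:00:01Z,10.20.30.7,10.20.1.10,4601,5120
2025-01-30T08:00:02Z,10.20.30.7,10.20.1.20,515,640
2025-01-30T08:00:05Z,10.20.30.9,203.0.113.45,515,2048
2025-01-30T08:00:06Z,10.20.30.9,198.51.100.8,9100,128
2025-01-30T08:00:07Z,10.20.30.12,10.20.30.9,80,300
2025-01-30T08:00:08Z,10.20.5.3,203.0.113.45,515,100
"""

def check_egress(log_text: str) -> list:
    """Flag every flow from the monitor VLAN that is not on the allow-list."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        src = ipaddress.ip_address(row["src"])
        if src not in MONITOR_SEGMENT:
            continue  # the policy applies only to the monitor segment
        dst, dport = ipaddress.ip_address(row["dst"]), int(row["dport"])
        if (dst, dport) in ALLOWED_DESTINATIONS:
            continue
        external = not any(dst in net for net in HOSPITAL_NETWORKS)
        if dst in KNOWN_BAD:
            sev, why = "critical", "destination is on the known-bad indicator list"
        elif external:
            sev, why = "high", "flow leaves the hospital network"
        else:
            sev, why = "medium", "internal destination not in the monitor allow-list"
        if external and dport in PRINTER_PORTS:
            why += " (printer port used for non-printer traffic)"
        findings.append(Finding(str(src), str(dst), dport, sev, why))
    return findings
```

A monitor reaching an address outside the hospital on a printer port, the pattern the advisory describes, surfaces as critical when the address is on the indicator feed and as high otherwise, so the check is useful even before a feed is published.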