CyberSecurity SEE

Texas Governor Initiates State Review of Medical Technology Manufactured in China

Contec and Epsimed Monitors Containing ‘Backdoors’ Are at the Center of Order

Texas Governor Greg Abbott has initiated a comprehensive review of foreign-made connected medical devices, particularly those manufactured by Chinese companies, focusing mainly on their cybersecurity implications. The directive was aimed at state-owned facilities and aligns with Abbott’s ongoing efforts to safeguard Texans from potential threats posed by foreign adversaries, notably the Chinese Communist Party.

On March 9, the governor issued an order directing state health agencies, university chancellors, and Texas Cyber Command to assess the presence of Contec CMS8000 and Epsimed MN-120 patient monitors in state facilities. The review is not merely a precaution; it stems from past investigations and alerts by the Food and Drug Administration (FDA) and the Cybersecurity and Infrastructure Security Agency (CISA) concerning these specific devices. Researchers had previously discovered these monitors harbor a "hidden backdoor" that could jeopardize patient safety and data privacy.

The FDA has publicly expressed concerns about the vulnerabilities found in these patient monitors, warning that such flaws permit unauthorized access that could allow malicious actors to manipulate devices and extract sensitive patient information. Governor Abbott emphasized the gravity of the situation by stating that these vulnerabilities pose "meaningful risks for patients."

Similarly, CISA reaffirmed these concerns in its alerts, indicating that the Chinese-manufactured monitors can be controlled remotely, creating a significant risk of unauthorized access to patient data. Despite the urgency of addressing these issues, Abbott’s office did not provide a detailed explanation as to why the review commenced only in March 2026, even though federal officials had flagged the risks over a year prior.

Alongside the review of Contec and Epsimed monitors, Abbott’s directive includes broader actions aimed at enhancing state cybersecurity surrounding connected medical devices. This entails requiring state health and higher education agencies to compile a detailed inventory of all state-owned medical devices that can transmit data over a network or be accessed remotely. These agencies are to relay this information to the Texas Cyber Command for further analysis. Additionally, there is an imperative for these organizations to scrutinize existing cybersecurity policies designed to protect personal health information across state-owned medical facilities.

While these efforts represent a proactive step towards addressing cybersecurity vulnerabilities, Phil Englert, vice president of medical device security at the Health Information Sharing and Analysis Center (Health-ISAC), noted that there is currently no evidence indicating a heightened foreign threat targeting medical devices. He underscored the importance of a collaborative approach between healthcare practices and cybersecurity experts, advocating for the implementation of best practices in medical device security.

Englert articulated essential practices that healthcare entities should adopt, including maintaining an up-to-date inventory of devices, segmenting and isolating devices based on their risk profiles, enforcing stringent identity and access controls, and ensuring that patches or compensating controls are applied consistently. Furthermore, regular monitoring of device communication patterns and establishing tailored incident response plans for medical device groups are critical for enhancing security resilience.

The manufacturers of the Contec CMS8000 and Epsimed MN-120 monitors have faced scrutiny not only for the recent security concerns but also for previously identified vulnerabilities. In 2022, researchers warned that these devices exhibited serious flaws that could potentially facilitate denial of service or tampering, further corroborating the apprehensions surrounding their use in healthcare settings. The FDA later revealed in an advisory issued in July 2025 that Contec had developed and deployed patches to address these vulnerabilities, but lingering concerns about the effectiveness and implementation of such fixes remain.

With the escalation of cybersecurity incidents globally, the focus on medical devices has become increasingly critical. The intersection of healthcare and technology underscores the necessity for robust defenses against cyber threats. As Texas proceeds with its review, the implications of these actions may resonate beyond state borders, potentially influencing policy changes and security practices across the medical industry as a whole. The ongoing efforts highlight a growing awareness of the vulnerabilities linked to connected medical devices—a concern that medical professionals, patients, and policymakers must confront collectively to ensure the safety and privacy of healthcare systems.
