Will the FDA Start Banning Chinese-Made Medical Devices?

Interview with Joe Silvia, CEO of MedWare Cyber

Click here to listen.

In late January, the FDA issued a safety communication on Contec CMS8000 patient monitors, including units relabeled as the MN-120. The Chinese-made devices, used by thousands of medical institutions worldwide, contain backdoor functionality in their firmware that could put patients at risk. Once a device is connected to the Internet for remote monitoring of patients' vitals, an attacker can execute code on it remotely to alter records, disable monitoring, pivot to other connected devices, harvest patient data, and more, according to a CISA advisory.

The risk is serious enough that federal agencies recommended disconnecting the monitors from the Internet until a patch becomes available.
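One way to verify that the "disconnect from the Internet" guidance has actually taken effect is to audit flow logs for the VLAN the monitors sit on. The following is an added example written for this post, not code from the original article, the FDA, CISA, or MedWare Cyber. It reads constructed flow-log lines in an assumed "timestamp src dst dst_port proto" format, treats a single central-station server as the only destination a monitor is allowed to reach (an assumption), and flags any inventoried monitor that reaches an address outside the hospital's RFC 1918 space, any monitor talking to an unexpected internal host, and any device on the VLAN that is missing from the inventory. All addresses, ports and device names are illustrative.

```python
"""Egress audit for a patient-monitor VLAN (added example; all data constructed)."""
import ipaddress

# Constructed inventory of monitors on the ward VLAN (assumption, not real devices).
MONITOR_INVENTORY = {
    "10.20.5.11": "patient monitor, bed 3",
    "10.20.5.12": "patient monitor, bed 4",
    "10.20.5.13": "patient monitor, bed 5",
}

# The only destination a monitor legitimately needs: the ward's central station.
# (Assumed address and port; adjust to the real central-station service.)
ALLOWED_FLOWS = {("10.20.5.200", 5000)}

# Address space treated as "inside the hospital". Anything else is external.
INTERNAL_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]

# Constructed flow-log sample: "timestamp src dst dst_port proto", one flow per line.
SAMPLE_FLOWS = """\
2025-02-03T08:00:01Z 10.20.5.11 10.20.5.200 5000 tcp
2025-02-03T08:00:04Z 10.20.5.12 10.20.5.200 5000 tcp
2025-02-03T08:00:09Z 10.20.5.13 203.0.113.45 4000 tcp
2025-02-03T08:00:10Z 10.20.5.13 203.0.113.45 80 tcp
2025-02-03T08:00:12Z 10.20.5.30 8.8.8.8 53 udp
2025-02-03T08:00:15Z 10.20.5.11 10.20.5.250 22 tcp
malformed line that the parser must skip
"""


def parse_flow(line):
    """Parse one flow-log line; return None for anything that does not fit the format."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, port, proto = parts
    try:
        return {
            "ts": ts,
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "port": int(port),
            "proto": proto.lower(),
        }
    except ValueError:
        return None


def classify_destination(dst, port, allowed=ALLOWED_FLOWS):
    """'allowed' for the central station, 'internal' for any other hospital host,
    'external' for anything outside the hospital address space."""
    dst = ipaddress.ip_address(str(dst))
    if (str(dst), int(port)) in allowed:
        return "allowed"
    if any(dst in net for net in INTERNAL_NETWORKS):
        return "internal"
    return "external"


def audit_flows(log_text, inventory=MONITOR_INVENTORY, allowed=ALLOWED_FLOWS):
    """Return one finding per distinct (device, destination, reason) that breaks the
    isolation policy. A monitor reaching an external address is 'high': that is
    exactly the path a firmware backdoor needs to phone home or fetch code."""
    findings, seen = [], set()
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue  # skip malformed lines instead of aborting the whole audit
        src = str(flow["src"])
        dst = f'{flow["dst"]}:{flow["port"]}/{flow["proto"]}'
        if src not in inventory:
            severity, reason = "low", "unknown device on monitor VLAN"
        else:
            verdict = classify_destination(flow["dst"], flow["port"], allowed)
            if verdict == "allowed":
                continue
            severity = "high" if verdict == "external" else "medium"
            reason = f"monitor reached {verdict} destination"
        key = (src, dst, reason)
        if key in seen:
            continue  # report each (device, destination, reason) once
        seen.add(key)
        findings.append({"device": src, "name": inventory.get(src, "not in inventory"),
                         "dst": dst, "severity": severity, "reason": reason,
                         "first_seen": flow["ts"]})
    return findings


def devices_needing_isolation(findings):
    """Monitors with at least one external flow: pull their network cable now."""
    return sorted({f["device"] for f in findings if f["severity"] == "high"})


if __name__ == "__main__":
    results = audit_flows(SAMPLE_FLOWS)
    for f in results:
        print(f'{f["severity"]:6} {f["device"]:12} -> {f["dst"]:24} {f["reason"]}')
    print("isolate:", devices_needing_isolation(results))
```

On a real network the input would be NetFlow, firewall or switch-span logs for the monitor VLAN's egress path; the check only sees what that logging covers. The allowlist is deliberately a single central-station endpoint rather than "anything internal", because a monitor that reaches an internal jump host or file share is the lateral-movement case the advisory warns about, even though it is not phoning home.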

While FDA investigators believe this to be an unintentional design flaw, the news comes at a time when government agencies are banning many types of critical-infrastructure software developed in "adversarial countries," which we covered in a recent post. The concern is that an adversarial government could leverage built-in backdoors, usually in the form of a manufacturer's remote-administration channel, to cause disruption and physical harm.

Most recently, in late February, the FDA, CISA, and the American Hospital Association (AHA) shared concerns over the "imminent threat" posed by Chinese-made medical systems across the U.S. healthcare ecosystem, signaling a possible ban in the future.

In this interview with Joe Silvia, we discuss the implications for healthcare providers, patients, and the product companies that serve this industry.

“A lot of these different vulnerabilities link to each other, so you have some bad code, another piece of code coming from a mobile app, a remote-execution channel, and something bad happens. Is it coming from the mobile app, the web app, or flaws in the code (for the medical device)?” he asks. “Most attacks will leverage remote execution. So, product companies have to ask themselves, is this capability even necessary? It’s something the FDA asks. If it isn’t necessary, turn it off.”

Listen here to learn more. 

Resources:

FDA Medical Device Regulation Overview

FDA Pre-Market Approval for Medical Devices

FDA eMDR – Electronic Medical Device Reporting

FDA IMDRF – International Medical Device Regulation Forum

SBOMs (Software Bills of Materials) for Medical Systems – Previous interview with Joe Silvia

Product Security Guidance for Medical Manufacturers 
