Medical Monitoring Machines Spotted Stealing Patient Data

Accepted submission by Arthur T Knackerbracket at 2025-02-03 20:04:40
Security


Arthur T Knackerbracket has processed the following story [theregister.com]:

The Contec CMS8000, also [fda.gov] sold as the Epsimed MN-120, contains a trio [cisa.gov] of vulnerabilities (CVE-2024-12248 [nist.gov], CVSS 9.3; CVE-2025-0626 [nist.gov], CVSS 7.5; and CVE-2025-0683 [nist.gov], CVSS 5.9) that the Cybersecurity and Infrastructure Security Agency (CISA) last week warned could allow an attacker to remotely execute code, crash the device and, most alarmingly, exfiltrate information about patients.

"Once the patient monitor is connected to the internet, it begins gathering patient data, including personally identifiable information and protected health information, and exfiltrating the data outside of the health care delivery environment," the FDA said of the hardcoded hole.

The FDA recommends that anyone with a CMS8000 unplug it from the internet and disable its Wi-Fi immediately, and stop using it to remotely monitor patients.

While neither the FDA nor CISA believes there have been any cybersecurity incidents related to the devices, it's possible any left online could be compromised and used by an attacker to move laterally to further compromise a connected network.

To make matters worse, CISA said in a factsheet [cisa.gov] about the vulnerability that it doesn't believe the backdoor is related to remote software updates - this appears to be all about harvesting data.

"The [back door] provides neither an integrity-checking mechanism nor version tracking of updates," CISA said. "When the function is executed, files on the device are forcibly overwritten, preventing the end customer—such as a hospital—from maintaining awareness of what software is running on the device."

In other words, not only does it exfiltrate data, but it also actively hides its presence from hospitals and their infosec teams.

The FDA and CISA said the Chinese-made devices send data to "a third-party university" but did not offer additional info. Other reports, however, allege [bleepingcomputer.com] the university is in China.

Dell rolled out a bundle [dell.com] of security updates last week, addressing vulnerabilities in OpenSSL, the Linux Kernel and PostgreSQL database server, plus patches for Dell NetWorker and NetWorker Virtual editions. While the tech giant describes the impact as "critical," most of the CVEs in the list are high severity at best.

