Concerns Over Cybersecurity in Chinese-Made Medical Devices
Senator Tom Cotton, representing Arkansas, expressed his unease on Tuesday regarding the cybersecurity risks posed by networked medical devices produced in China. In a letter to Kyle Diamantas, the Acting Commissioner of the Food and Drug Administration (FDA), he stated, “I write this letter to express my concerns about cybersecurity vulnerabilities associated with networked medical devices manufactured in China. Exposure of American patients to compromised Chinese-made medical devices poses a risk to both national security and public health.”
Cotton pointed out that both the FDA and the Cybersecurity and Infrastructure Security Agency (CISA) have alerted stakeholders about cybersecurity vulnerabilities associated with the Contec CMS8000, a networked patient monitoring device made in China. He elaborated on these issues in his letter.
The FDA discovered that this device could, when online, automatically collect personally identifiable health information of patients. Such a data breach could lead to serious consequences, including identity theft, insurance fraud, extortion, and other more sophisticated forms of fraud targeting American patients. Additionally, CISA issued warnings that the device was configured to allow an unidentified user to take control remotely, without the healthcare provider’s knowledge. This vulnerability could enable malicious actors from China to manipulate the device’s operations, potentially resulting in dangerous misdiagnoses like heart failure, arrhythmia, and elevated blood pressure. A Class II recall for the Contee CMS8000 was issued by the FDA on May 14, 2025.
He noted that while the FDA began requiring enhanced cybersecurity measures from medical device manufacturers to obtain premarket clearance in 2023, this regulation did not extend to devices already available before these requirements were established. This raises concerns that more effective measures need to be taken to protect Americans from vulnerable medical devices.
Cotton urged the FDA and CISA to reassess Chinese-made medical devices that received approval prior to March 2023.
In conclusion, he emphasized, “Protecting Americans’ privacy and ensuring that cybercriminals from hostile countries cannot access Americans’ health data is of paramount importance. I look forward to working with you on this issue.”
