By Vincentas Baubonis, Head of Security Research at Cybernews
The recent discovery of a backdoor in the Contec CMS8000 patient monitor – revealed by CISA – should be a wake-up call for anyone in the cybersecurity or healthcare sectors. This is not a rare, isolated issue.
A report by the US Government Accountability Office (GAO) highlighted that, as of January 2022, 53% of connected medical devices and other Internet of Things devices in hospitals had known critical vulnerabilities, emphasizing the widespread nature of this problem.
These findings indicate that many of the devices we rely on in healthcare are very vulnerable. Specifically, the CMS8000 backdoor allows remote access, potentially enabling attackers to manipulate vital signs monitoring or leak sensitive patient data without detection. And as terrifying as this case is, it’s just one example of a much broader, deeply ingrained problem.
Let’s talk numbers. According to the Cybernews Business Digital Index, the healthcare industry is performing terribly when it comes to cybersecurity. A full 22% of analyzed healthcare companies scored a D in security, and nearly half – 48% – earned an F. Only 5% of the sector’s organizations reached an A. With an average security score of just 69, healthcare comes in dead last when it comes to cybersecurity. That should make everyone in this field sit up and take notice.
The reality is that medical devices like the Contec CMS8000 aren’t being designed with the security they require. With more and more devices connecting to the internet and sharing sensitive data, this is a ticking time bomb. Healthcare organizations are failing to enforce the most basic security measures. In the worst cases, manufacturers are shipping devices with poorly coded firmware that’s vulnerable to remote manipulation – leaving hospitals, doctors, and patients exposed. Devices bought by critical sectors should be evaluated technically before acquisition, and the risks associated with them must be managed and mitigated by the buyer.
Medical devices like the Contec CMS8000 often lack essential security features, making them vulnerable to cyber threats. As more devices connect to the internet and handle sensitive patient data, the risks increase significantly. Reports from regulatory agencies, including the FDA and CISA, have repeatedly highlighted security flaws in medical devices, including vulnerabilities that allow remote access and data exposure.
In some cases, manufacturers ship devices with outdated or insecure firmware, exposing healthcare providers and patients to potential cyberattacks. To mitigate these risks, healthcare organizations must enforce stricter security evaluations before procurement, ensuring that all devices meet established cybersecurity standards and that identified vulnerabilities are promptly addressed.
Medical devices need to be treated with the same rigor as any other critical infrastructure. But far too often, the focus is on getting the device to market quickly, not securing it properly. This oversight has immediate consequences: data breaches, privacy violations, and, in the worst cases, loss of life.
So, what needs to happen now? First and foremost, cybersecurity must be baked into the design and testing of every medical device. Manufacturers must adopt a security-first mindset, regularly updating their devices and using secure coding practices to eliminate these vulnerabilities before they hit the market. Healthcare providers, too, must take ownership by ensuring their networks are secure and implementing strong access controls on all connected devices.
This is not a problem that can be solved with band-aid fixes. It’s time for a fundamental shift. If the healthcare industry doesn’t start prioritizing cybersecurity across the board, incidents like the CMS8000 backdoor will continue to be just the tip of the iceberg, especially against the backdrop of rising state-backed cyberattacks.
ABOUT THE EXPERT
Vincentas Baubonis is an expert in Full-Stack Software Development and Web App Security, with a specialized focus on identifying and mitigating critical vulnerabilities in IoT, hardware hacking, and organizational penetration testing. As Head of Security Research at Cybernews, he leads a team that has uncovered significant privacy and security issues affecting high-profile organizations and platforms such as NASA, Google Play, and PayPal. Under his leadership, the Cybernews team conducts over 7,000 pieces of research annually, publishing more than 600 studies each year that provide consumers and businesses with actionable insights on data security risks.
Insight Partners pwned in a cyberattack
Posted in Commentary with tags Hacked on February 20, 2025 by itnerd
VC giant Insight Partners confirmed that they have been pwned in a cyberattack. From their statement:
On January 16, 2025, Insight Partners detected that an unauthorized third-party accessed certain Insight information systems through a sophisticated social engineering attack.
As soon as this incident was detected, we moved quickly to contain, remediate, and start an investigation within a matter of hours. We notified stakeholders connected to Insight in January to alert them and encourage vigilance and tightened security protocols irrespective of having shared data compromised. We also notified law enforcement in relevant jurisdictions.
There is no evidence that the threat actor was present after January 16, 2025. Further, there has been no additional disruption to Insight’s operations as a result of the incident.
Christian Geyer, founder and CEO of Actfore, had this to say:
“While socially engineered cyberattacks are not new, the tactics involved with these attacks have evolved. For example, in the past, with these attacks, it was easier to tell from bad grammar, tone of voice, or other clues like lack of sophistication within the phishing email, or poor presentation in a baiting attempt, that the perpetrator was not who they claimed to be. Now, with the advent of new AI technologies and generative AI chatbots, hackers can craft more polished presentations that are harder to identify. This levels up the sophistication factor to make baiting or phishing attacks, to name a few socially engineered tactics, harder to spot, with more detrimental and widespread effects. With the global average cost per data breach reaching $4.88 million U.S. dollars in 2024, it’s critical that organizations focus on proactive security measures, not just post-breach actions and remediation, to help combat these and other kinds of cyberattacks.
Other proactive measures organizations should take include the creation and maintenance of an up-to-date incident response playbook that clarifies roles and responsibilities during a crisis, so they have a preexisting plan of action in place once a cyberattack or breach happens. Tabletop exercises can refine these playbooks to address real-world scenarios effectively. Proactive security measures should also include regular patching, vulnerability scans, continuous monitoring, and meticulous data hygiene to minimize risk further. As good practice, organizations should also have quality backups of corporate data. Implementing immutable backups—similar in concept to audit logs—can act as a safeguard against modification or deletion of data for a defined period. This immutability makes them resistant to tampering, encryption, or corruption. By preventing unauthorized changes, immutable backups provide organizations with a clean copy of their data to restore from, reinforcing their ability to recover quickly.”
This highlights the need to train users to be vigilant so that they don’t fall victim to social engineering attacks, on top of running simulated attacks to make sure that users learn and act accordingly to ward off a real attack.