Securing Connected Medical Devices at Your Practice

In January 2025, CISA and the FDA jointly warned that the Contec CMS8000 patient monitor — a low-cost device used widely in small practices — contains an embedded backdoor that transmits plain-text patient data to a hard-coded IP address whenever a patient is connected. No firmware update exists. The recommendation: remove the device from your network entirely.

That is not a sophisticated cyberattack. It is a device working exactly as its manufacturer designed it — and it was leaking patient data with every use.

Connected medical devices are the fastest-growing attack surface in healthcare. The average medical device has 6.2 known vulnerabilities. 53% of networked medical devices have at least one critical vulnerability. And 75% of the devices on your network are unmanaged by IT — meaning nobody is tracking their firmware versions, patch status, or network activity. For small practices, these devices represent a HIPAA liability that most office managers do not know exists.

What Is on Your Network

A typical small medical practice has 10 to 15 connected devices beyond workstations and printers. You may not think of them as "networked," but if they connect to Wi-Fi, Ethernet, or Bluetooth, they are part of your attack surface:

• Patient vital signs monitors — blood pressure, pulse oximeters, temperature sensors streaming to your EHR
• EKG/ECG machines — transmitting cardiac data over the network
• Digital X-ray and imaging systems (PACS) — storing and sharing imaging files
• Lab analyzers — blood chemistry, urinalysis, auto-populating results to your EHR
• Smart infusion pumps — representing 38% of all connected medical devices in healthcare settings
• Ultrasound machines — increasingly cloud-connected for image sharing
• Connected scales and body composition analyzers
• Non-medical IoT — IP cameras, VoIP phones, smart thermostats, badge readers

Each device is a potential entry point. And unlike your workstations, most of these devices cannot run antivirus software, accept security patches easily, or support multi-factor authentication.

Why Medical Devices Are Uniquely Vulnerable

Outdated operating systems. One in five connected medical devices runs an end-of-life operating system that no longer receives security updates. Many imaging systems and lab analyzers purchased 7 to 15 years ago run Windows XP or Windows 7 — operating systems with hundreds of known, unpatched vulnerabilities.

Cannot run endpoint protection. Only 13% of medical devices support endpoint protection agents. Most devices use proprietary operating systems or embedded firmware that cannot accommodate security software. Your EDR solution protects your workstations — but it cannot see what your infusion pump is doing on the network.

Vendor-controlled patching. Unlike a laptop that you can patch overnight, medical device firmware updates must come from the manufacturer. The vendor controls the update schedule, and patches can take 6 to 18 months from vulnerability disclosure to available update. Some vendors charge additional fees for security patches. Others simply stop supporting older devices.

Default credentials. Many medical devices ship with default usernames and passwords that are published in their manuals — which are available online. If nobody changed the defaults during installation, anyone who reads the manual can access the device.

Flat networks. In most small practices, every device — medical, administrative, guest Wi-Fi, staff phones — shares the same network. A compromised smart thermostat can become a pivot point to your PACS server. An attacker who gains access through one device can move laterally to everything on the network.

The Financial Reality

The average healthcare data breach costs $7.42 million. The cost per exposed record is $398. In 2024, healthcare cyberattacks costing more than $200,000 rose 400% in a single year. And 55% of OCR financial penalties in 2022 were imposed on small medical practices.

The Change Healthcare breach — triggered by a single compromised credential on a system without MFA — affected 190 million patient records and cost $2.87 billion. The Ascension Health ransomware attack took 142 hospitals offline, compromised 5.6 million patients' data, and contributed to a $1.8 billion operating loss.

35 to 40% of breached small practices close permanently within two years. The devices on your network are not just clinical tools — they are financial liabilities if left unsecured.

How to Secure Your Medical Devices

1. Build a device inventory. You cannot protect what you do not know about. Walk your office and document every connected device: manufacturer, model, serial number, firmware version, operating system, what data it handles, and how it connects to the network. Include non-medical IoT — cameras, VoIP phones, smart devices. The proposed 2026 HIPAA Security Rule would make this technology asset inventory mandatory, updated at least every 12 months.

2. Segment your network. This is the single most impactful step. Create separate network segments (VLANs) for different device categories:

• Clinical workstations: EHR access, billing, email — protected by EDR and zero trust access controls
• Medical devices: Vital signs monitors, imaging, lab equipment — isolated from workstations and the internet
• Guest/patient Wi-Fi: Completely isolated from all clinical systems
• Non-medical IoT: Cameras, phones, smart devices — separate from everything clinical

A next-generation firewall controls traffic between segments. Medical devices can send data to the EHR server but cannot reach the internet, the billing system, or the guest network. If an attacker compromises one segment, the blast radius is contained. A managed switch and basic VLAN configuration can cost under $500.

3. Change every default password. Default credentials on medical devices are the easiest access vector. Change them all and document the new credentials in a password manager. This takes an afternoon and eliminates one of the most common attack paths.

4. Patch what you can, isolate what you cannot. Contact every device vendor and ask: What firmware version am I running? Is there a pending security update? When does this device reach end-of-life? Apply available updates. For devices that cannot be patched — older imaging systems, legacy analyzers — place them on an isolated VLAN with strict firewall rules that limit their communication to only the necessary endpoints. Monitor their traffic for anomalies.

5. Request vendor security documentation. For new purchases, require vendors to provide: a Software Bill of Materials (SBOM), MDS2 security disclosure forms, patch commitment timelines, and end-of-life support dates. The FDA's PATCH Act (effective October 2023) requires device manufacturers to provide cybersecurity documentation. Use it.

6. Monitor device behavior. Implement network monitoring that watches for unusual device activity — a patient monitor sending data to an unexpected external IP (like the Contec CMS8000), a lab analyzer attempting to communicate with the internet, or any device transmitting outside its normal pattern. Your managed IT provider should include this monitoring.

7. Disable unnecessary services. Many medical devices ship with open ports and services that are not needed for clinical use — telnet, FTP, web management interfaces. Disable everything that is not required. Each open service is a potential entry point.

The FDA and Medical Device Security

The PATCH Act (Section 524B of the FD&C Act), effective October 2023, changed the landscape for medical device cybersecurity. Manufacturers must now:

• Design devices with cybersecurity built in — not bolted on after the fact
• Submit a Software Bill of Materials (SBOM) to the FDA with every premarket application
• Provide patches and updates to address cybersecurity vulnerabilities throughout the device lifecycle
• Submit a plan for monitoring and addressing postmarket vulnerabilities

Since October 2023, manufacturers have experienced a 700% increase in FDA deficiency letters related to cybersecurity. The FDA is serious about enforcement. Devices purchased after October 2023 should come with better security documentation and patch commitments. Ask your vendors for their 524B compliance documentation.

For devices purchased before the PATCH Act, the security responsibility falls on your practice. Legacy devices are your liability — and network segmentation is your primary defense.

HIPAA Requirements for Connected Devices

HIPAA's Security Rule applies to any device that creates, receives, maintains, or transmits ePHI. For connected medical devices, the technical safeguards include:

• Access controls (§164.312(a)): Unique user identification, emergency access procedures, automatic logoff, encryption at rest
• Audit controls (§164.312(b)): Logging of all access to ePHI — who accessed what, when, and from where
• Integrity controls (§164.312(c)): Mechanisms to ensure ePHI is not improperly altered — critical for devices like lab analyzers where altered results affect diagnoses
• Transmission security (§164.312(e)): Encryption of ePHI in transit — especially relevant for devices transmitting wirelessly

Your HIPAA risk assessment must include connected medical devices. The proposed 2026 rule would mandate a technology asset inventory and network map showing how ePHI flows through every device on your network.

A Device Security Checklist

Use this checklist to assess your current medical device security posture:

Inventory (this week):

• List every connected device on your network with manufacturer, model, and firmware version
• Identify which devices handle ePHI
• Note which devices run end-of-life operating systems
• Check for the Contec CMS8000 or Epsimed MN-120 — if present, disconnect from the network immediately

Quick wins (this month):

• Change default passwords on all devices
• Contact vendors for available firmware updates
• Disable unused services and ports on each device
• Verify your cyber insurance covers medical device incidents

Infrastructure (this quarter):

• Implement network segmentation with VLANs separating medical devices from clinical workstations
• Deploy a next-generation firewall to control inter-segment traffic
• Set up network monitoring for anomalous device behavior
• Establish a patch management process with each device vendor

Ongoing:

• Update your device inventory at least every 12 months
• Include medical devices in your annual HIPAA risk assessment
• Require security documentation (SBOM, MDS2) for all new device purchases
• Plan replacement timelines for end-of-life devices

The Bottom Line

Your connected medical devices are clinical necessities — and unmanaged security risks. 53% have critical vulnerabilities. 75% are invisible to IT. And a single compromised device on a flat network can give an attacker access to your entire patient database.

Start with the inventory. You cannot protect what you do not know about. Then segment your network, patch what you can, and isolate what you cannot. These steps cost far less than the $7.42 million average breach — and they position your practice for the mandatory device inventory requirements coming in the 2026 HIPAA rule.

Book a free IT assessment to map every device on your network, identify vulnerabilities, and build a segmentation plan that protects your practice. Explore our cybersecurity services and managed IT plans that include device monitoring and network segmentation.