Texas Governor Instructs State Agencies to Audit Chinese Medical Devices
Texas Governor Greg Abbot has ordered all state agencies and state-owned medical facilities to conduct an audit of patient monitoring devices to ensure that they do not have unresolved vulnerabilities that could be exploited to gain access to Texans’ sensitive health information. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the United States Food and Drug Administration (FDA) have issued warnings about vulnerabilities in patient monitoring devices manufactured in China. Devices have been found to contain a backdoor that can be used by a remote attacker to gain access to sensitive patient data.
There has been a proliferation of Chinese-manufactured medical devices within the U.S. healthcare system. The concern is that these devices have backdoors that can be exploited by state-sponsored hacking groups to obtain the private medical information of Americans. Governor Abbot wants to make sure that the private medical data of Texans cannot be obtained by China. “I will not let Communist China spy on Texans. State-owned medical facilities must ensure there are safeguards in place to protect Texans’ private medical data,” Governor Abbot said in a letter to the Texas Health and Human Services Commission (HHSC), Texas Department of State Health Services (DSHS), and the Texas Cyber Command (TXCC).
Governor Abbot has directed state agencies to take action to ensure that sensitive medical data is protected. HHSC and DSHS have been asked to review all state-owned medical facilities under their jurisdiction and attest that all new purchases of medical devices were procured in compliance with the November 19, 2024, Executive Order GA-48, which requires the hardening of cybersecurity by the state government.
HHSC, DSHS, and public systems of higher education are required to catalog all state-owned medical devices capable of transmitting data via a network, or that can be accessed remotely, and share that inventory with TXCC. Assisted by TXCC, HHSC, DSHS, and public systems of higher education, are required to review their cybersecurity policies related to the protection of personal health information at all state-owned medical facilities under their jurisdiction, and specifically include how policies address FDA and CISA-issued alerts for internet-connected medical devices.
TXCC has been instructed to review whether Contec CMS8000 and Epsimed MN-120 patient monitors, and any other devices used by HHSC, DSHS, and public systems of higher education, have been the subject of an FDA safety notice, and to ensure that any that have are placed on the prohibited technology list.
TXCC is also required to convene appropriate executives at HHSC, DSHS, and public systems of higher education and make recommendations for addressing emergent cybersecurity risks, monitoring of devices, and mitigation strategies. Governor Abbot has committed to proposing legislation in the next session to better protect Texans’ private medical data from hostile foreign actors, such as China.
