OPINION — China is pre-positioning itself on U.S. networks for disruptive and destructive attacks against our critical infrastructure. In the past year, the American public learned that the Chinese Communist Party (CCP) can shut off our power and throw the country into darkness. Then, the news broke that the CCP compromised much of America’s telecommunication services, giving Beijing the capability to thwart our nation’s ability to speak privately, share information, and conduct business. And just in time for summer, the CCP is turning up the heat, capturing Americans’ most intimate personal information — our heart beats.
Masimo, a U.S.-based medical technology company that develops noninvasive monitoring solutions like pulse oximetry and brain function monitoring, suffered a cyberattack in late April that caused manufacturing and order fulfillment interruptions. The company identified unauthorized network activity on its servers, meaning patient health data may have been stolen or compromised. While the culprits still remain publicly unknown, China has previously stolen this kind of information. And if any cyber actor can compromise a patient care device, China can.
And China did. Earlier this year, researchers discovered that two widely used patient monitors manufactured by a Chinese healthcare technology company were sending patient data back to a Chinese university. According to an investigative report by the Cybersecurity and Infrastructure Security Agency (CISA), the monitors contain an embedded backdoor — not the result of a sloppy update but a deliberate code insertion — intended to allow Chinese access to American patient data.
These monitors house personally identifiable information and protected health information, as well as data on critical vital signs, including blood oxygen saturation, electrocardiogram, respiration rate, and blood pressure. The function allows the immediate exfiltration of everything the monitor displays, in addition to physician and patient chart information. The backdoor also allows an external IP to remotely download, execute, and overwrite unverified files on the monitor.
Most horrifying is that the vulnerability also allows for “remote code execution and device modification,” according to CISA, allowing bad actors to remotely control and input intentionally incorrect information on the device, potentially altering the monitor’s outputs. With incorrect data, physicians might prescribe the wrong treatment plan. To paint a grisly picture: The monitor may show that your heart rate is too high when in fact, your heart rate is normal. Medical staff could administer treatment to slow your heart rate, thinking that was the correct course of action, when instead the treatment is dangerous and even deadly.
With the way the function is executed, the hospital may never know that the incorrect treatment was the result of an intentionally faulty patient monitor.
Sign up for The Cipher Brief’s Nightcap newsletter: the best way to unwind every day while still staying up to speed on national security. Sign up today.
Hospitals are constantly facing the threat of ransomware attacks, forcing healthcare providers to return to analog charting. Typically, hospitals can see this network traffic and adjust. In the case of Contec monitors, healthcare providers have no way of knowing whether the data is altered in an emergency.
Enough is enough. To stop China’s malign meddling and defend U.S. national security, we must remove all Chinese technology from the American ecosystem. First, the government should provide actionable guidance to healthcare providers on how to immediately disconnect the devices from the network; to stop use of the devices if they rely on remote monitoring features; to unplug and replace the monitor with an alternative device; and to report any signs of tampering or data inconsistencies.
Next, the federal government should ban the purchase, and require the removal, of all Chinese-manufactured medical devices, because any Chinese technology means Chinese control of data and operations. The American public should not be in a position where an adversary can decide, at a time of its choosing, to shut off power, water, communications, and adequate medical care. We must stop buying medical technology — and any other technology used in critical infrastructure — made in China.
U.S. critical infrastructure providers will not be able to defend their way out of a cyber war if China makes the technology they are trying to operate. China has disabled our ability to use deterrence by denial – China remains in our systems because it built them. The only way to restore deterrence by denial is to rip China out of our networks.
But that alone won’t be enough. President Trump and the new administration must deploy deterrence by punishment, including but not limited to sanctions, freezing of the assets of Chinese decisionmakers, counter-cyberattacks, and non-kinetic shows of force. It is past time for the United States to land a punch.
Time and American heartbeats are ticking.
Opinions expressed are those of the author and do not represent the views or opinions of The Cipher Brief.
The Cipher Brief is committed to publishing a range of perspectives on national security issues submitted by deeply experienced national security professionals.
Have a perspective to share based on your experience in the national security field? Send it to Editor@thecipherbrief.com for publication consideration.
Read more expert-driven national security insights, perspective and analysis in The Cipher Brief
