
Texas orders cybersecurity review of state agencies for Chinese-made medical devices after federal warnings



Texas state agencies and publicly owned medical facilities have been directed to review potential cybersecurity risks linked to certain Chinese-manufactured patient monitoring devices after federal warnings highlighted vulnerabilities that could expose sensitive health data. They have also been directed to conduct an inventory of network-connected medical devices and review existing cybersecurity protections, emphasizing that safeguarding Texans’ personal medical information is a top priority.

The directive specifically highlighted devices such as the Contec CMS8000 patient monitor and the Epsimed MN-120 patient monitor, which are already included on Texas’ list of restricted technologies due to potential security risks.

In his Monday letter, Greg Abbott, Texas governor, said that these measures follow cybersecurity alerts issued by the Cybersecurity and Infrastructure Security Agency (CISA) and the U.S. Food and Drug Administration (FDA), warning that the affected patient monitors contain serious vulnerabilities, including a hidden backdoor that could allow unauthorized actors to remotely access the devices or the networks to which they are connected. Regulators said the monitors may also collect patient data such as personally identifiable information and protected health information and transmit it outside the healthcare environment when connected to the internet, raising concerns about privacy, device manipulation, and broader hospital network compromise.

He added, “These FDA and CISA notices underscore the need for state agencies and state-owned medical facilities to ensure they are continually operating safe and secure environments, as even FDA-regulated devices can introduce operational and cybersecurity risks if they are not carefully assessed and monitored.” 

Describing security vulnerabilities found in Chinese-manufactured patient monitoring devices, Abbott said that “these risks include the ability of unauthorized actors to access protected health information remotely. These notices confirm the warnings of experts who have elevated the proliferation of Chinese-manufactured smart medical devices across our healthcare system as a serious data privacy concern. I will not let Communist China spy on Texans. State-owned medical facilities must ensure there are safeguards in place to protect Texans’ private medical data.”

Given the cybersecurity concerns raised by the FDA, CISA, and other experts regarding certain foreign-manufactured and internet-enabled medical devices, Texas state agencies and all state-owned medical facilities have been directed to take several actions. The Health and Human Services Commission (HHSC), the Department of State Health Services (DSHS), and public systems of higher education must review all state-owned medical facilities under their jurisdiction and confirm that all newly purchased medical devices were procured in compliance with Executive Order GA-48.

These agencies are also required to catalog all state-owned medical devices that can transmit data via a network or be accessed remotely, and to share that inventory with the Texas Cyber Command (TXCC). In addition, HHSC, DSHS, and public higher education systems, with support from TXCC, must review the cybersecurity policies used to protect personal health information in state-owned medical facilities. The reviews must specifically address how these policies respond to alerts and notices issued by the FDA or CISA regarding internet-connected medical devices.

HHSC has also been tasked with promoting awareness of FDA resources for reporting cybersecurity concerns related to medical devices through outreach to Texas hospitals and healthcare providers regulated by the agency. Meanwhile, TXCC will evaluate whether devices such as the Contec CMS8000 and Epsimed MN-120 patient monitors, along with any other technologies flagged in FDA safety notices, should be added to Texas’ prohibited technology list and will provide recommendations to the governor’s office. 

TXCC will also convene executives from HHSC, DSHS, and public higher education systems to recommend improvements to state agency policies governing medical devices, focusing on emerging cybersecurity risks, monitoring practices, and mitigation strategies.

“Addressed agencies shall submit their reports and recommendations on the above directives to the Office of the Governor by April 17, 2026,” Abbott added. “In addition to the executive actions above, I will propose legislation next session to protect Texans’ medical data from foreign hostile actors like Communist China.”

The governor’s directive comes as healthcare cybersecurity risks continue to intensify globally. A recent report from the Health Information Sharing and Analysis Center (Health-ISAC) found that ransomware, nation-state espionage, and vulnerabilities in connected medical technologies remain among the most significant threats facing the health sector. The report highlighted how the growing use of IoMT (Internet of Medical Things) devices has expanded the attack surface for hospitals and health systems, increasing the risk that compromised devices could expose sensitive patient data or disrupt clinical operations.

The agency also noted that cyber incidents across the healthcare sector have continued to rise, with attackers increasingly targeting critical infrastructure and sensitive medical information. In response, health organizations are expanding threat-intelligence sharing and conducting tabletop exercises to test incident response and identify operational gaps before adversaries exploit them, underscoring the growing focus on resilience as healthcare systems face a rapidly evolving cyber threat landscape.


