Protecting America Initiative Policy Report: Chinese Medical Devices Pose A Stark Threat To American Patients
This week, the Protecting America Initiative launched an ad campaign highlighting the national security implications of relying upon medical supplies that are made by Chinese companies. From the potential for supply disruption to backdoors allowing for unfettered access to intimate medical data, U.S. reliance on Chinese medical devices places patients at risk of harm and exploitation. Here’s how.
Healthcare Is Not Immune to Disruption and Exploitation by Foreign Adversaries
The U.S. healthcare system is just the latest sector to be targeted by cybercriminals who are often backed by foreign adversarial nations, and the sensitivity of patient data and the severity of cascading effects guarantees that it will continue to be targeted by those seeking to inflict harm. Ransomware attacks on hospitals, for instance, have become more common, and the true cost of these breaches go beyond just monetary loss as patient data is compromised, patients are diverted to other facilities, and patient mortality and morbidity increases.
One Alabama mother sued her hospital after the death of her newborn child, alleging that the hospital did not inform her that it was struggling with a ransomware attack, which then led to diminished care when her child was born with complications. A 2024 cyberattack against Ascension – one of the country’s largest healthcare systems, operating 140 hospitals – led one nurse to nearly give a baby the wrong dose of narcotic because he was locked out of electronic health records. And just this year, a ransomware attack triggered a “system-wide technology outage” across 14 medical centers operated by Kettering Health in Ohio.
According to FBI statistics, the healthcare sector had more cyberthreats in 2024 than any other critical infrastructure industry. IBM has warned that these cyberattacks on healthcare facilities can quickly escalate and “can become life-threatening as time-sensitive treatments are postponed or missed altogether.”
Chinese Medical Devices Offer Unprecedented Access to Vulnerable Patients
In addition to systemwide attacks on healthcare facilities, In January, the Food and Drug Administration (FDA) and the Cybersecurity & Infrastructure Security Agency (CISA) issued warnings about Contec CMS800 patient monitors, saying that a backdoor that had been discovered on the devices “may put patients at risk after being connected to the internet.” Contec is a medical device manufacturer based in Qinhuangdao, China. The FDA identified three cybersecurity vulnerabilities that could have allowed outside actors to gain access to and manipulate the devices:
The patient monitor may be remotely controlled by an unauthorized user or not work as intended.
The software on the patient monitors includes a backdoor, which may mean that the device or the network to which the device has been connected may have been or could be compromised.
Once the patient monitor is connected to the internet, it begins gathering patient data, including personally identifiable information (PII) and protected health information (PHI), and exfiltrating (withdrawing) the data outside of the health care delivery environment.
What these vulnerabilities amounted to, essentially, was that unauthorized users could have gained access to devices that monitor and display critical information like temperature, electrocardiograms, heart rate, and blood pressure to not only access data but also to manipulate a device that health care professionals rely on to make life-or-death treatment decisions. Compounding the threat, shortly after this backdoor was discovered, Masimo Corp. – an American manufacturer of patient monitors that competed against Chinese-made medical devices – was subject to a cyberattack that impeded its ability to process, fulfill, and ship customer orders in a timely manner.
Even in cases where cyberattacks are not at issue, Chinese medical devices still pose a unique inherent risk because Chinese law compels Chinese companies and citizens to cooperate with the Chinese Communist Party on national security work and national intelligence efforts. Ultimately, any sensitive data accessible to a Chinese company or foreign national is also accessible to the CCP. Medical and information technology experts have long warned about lax medical device security, and even the American Hospital Association “views the proliferation of Chinese medical devices as a serious threat to the system.”
Department of Commerce Has Initiated a National Security Investigation
In a Federal Register notice published last week, the United States Department of Commerce revealed that it had opened a national security review of personal protective equipment (PPE), medical consumables, medical equipment, and medical devices under Section 232 of the Trade Expansion Act of 1962. A medical device includes “any instrument, apparatus, or machine used in the diagnosis, monitoring, or treatment of medical conditions,” including blood glucose monitors, MRIs, and electrosurgical equipment.
Among the questions Commerce is seeking to answer are the role of foreign supply chains in meeting U.S. demand, the concentration of U.S. imports from a small number of suppliers or foreign nations and the associated risks, the potential for export restrictions by foreign nations and their ability to weaponize their control over supplies, the potential for foreign control or exploitation of supply chains, and – most germanely – the ability of foreign persons to weaponize the capabilities or attributes of foreign-built PPE, medical consumables, medical equipment, and medical devices.
States Have Recognized the Threat and Taken Action
Federal regulators aren’t the only officials to have taken notice of the threat of Chinese made medical devices throughout the U.S. healthcare system. At least one state has recognized the dangers and started to take action. In June 2025, Florida Attorney General James Uthmeier brought a lawsuit against the aforementioned Contec under the state’s Deceptive and Unfair Trade Practices Act.
Florida's legal action is a step in the right direction and proof that states can join the fight. It is, however, only one way for state governments to get Chinese medical devices out of the supply chain. State legislatures and governors should be prepared to act when legislative sessions begin early next year. That is why this report outlines specific policy solutions (below) that states can enact in 2026. The Protecting America Initiative will be leading the way to protect patients.
PAI Solutions for State and Federal Lawmakers
There are several steps that lawmakers can take in order to protect American medical device supply chains and secure Americans’ private medical information. The Protecting America Initiative will work with lawmakers and concerned voters across the country to enact the following eight policies at the state and federal levels.
Ban state Medicaid dollars from flowing to entities that purchase medical devices from Chinese companies.
Direct state purchasing boards to adopt stricter medical device performance standards and restrict any funding for entities that purchase CCP medical devices.
Pass laws at the state level that incentivize the use of domestic alternatives.
Phase Chinese products out of U.S. hospitals that accept federal funding by 2029.
Require that federal healthcare dollars are used on Made-in-America medical devices.
Use trade enforcement laws to ensure Chinese medical equipment is not a threat to national security.
Pass laws to criminalize foreign medical data espionage using medical devices.
Follow any national security recommendations that come as a result of ongoing Department of Commerce and Department of Homeland Security investigations.