Senator Cotton Working to Keep the CCP Out of Americans’ Private Health Data

This week, Senator Tom Cotton (R-AR) brought renewed attention to the risk to American patients posed by Chinese-made medical devices when he authored a letter to the Acting Commissioner of the Food and Drug Administration (FDA) requesting an “enhanced review of medical devices manufactured in Communist China to address potential cybersecurity vulnerabilities.” The Protecting America Initiative has previously discussed the national security and privacy implications of relying on medical devices made by Chinese companies, which have been shown to be insecure and in danger of being exploited.  

Ultimately, keeping compromised Chinese-made medical devices out of U.S. hospitals and healthcare facilities would be a win for American patients by keeping their sensitive data out of the hands of the Chinese Communist Party (CCP), and we applaud Senator Cotton for advocating for a solution.

 

Chinese Medical Devices Put Patients at Risk of Exploitation 

In January 2025, the Food and Drug Administration issued a warning about three cybersecurity vulnerabilities found in Contec CMS8000 patient monitors that ultimately could have allowed unauthorized users to gain access to these devices, which monitor and display critical vital signs such as heart rate, blood pressure, and electrocardiograms and are relied upon by health care professionals to make treatment decisions. Contec – the manufacturer of the device – is based in Qinhuangdao, China.  

A separate notice from the Cybersecurity and Infrastructure Security Agency (CISA) explains that the agency analyzed three versions of firmware for the CMS8000, all of which contained an embedded backdoor function that “can create conditions which may allow remote code execution and device modification with the ability to alter its configuration.” CISA concluded that “[t]his introduces risk to patient safety as a malfunctioning monitor could lead to improper responses to vital signs displayed by the device.” In other words, life-or-death treatment decisions could be manipulated if an unauthorized outside actor gained access to the device and changed the vital signs being displayed. Not long after, in May 2025, the FDA issued a Class II recall of the CMS8000 patient monitor.

Medical devices made by Chinese companies are also especially risky because Chinese law requires Chinese companies and citizens to cooperate with the CCP; any sensitive data that could be accessed by Chinese medical devices could be compelled to be shared with the Chinese government. All these reasons and more have led security experts and the American Hospital Association to view the “proliferation of Chinese medical devices as a serious threat to the system.”  

 

Senator Cotton Is Urging the FDA to Address a Gap in Statutory Requirements 

The Food and Drug Omnibus Reform Act of 2022 (FDORA) introduced Section 524B – “Ensuring Cybersecurity of Devices” – to the Food, Drug, and Cosmetic Act. According to Section 524B, as of March 29, 2023, premarket submissions for cyber devices must meet the requirements of the section, including submitting “to the Secretary a plan to monitor, identify, and address, as appropriate, in a reasonable time, postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures” and designing, developing, and maintaining “processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure.”

In his letter, Senator Cotton makes a commonsense request of the FDA to “review Chinese-made medical devices cleared prior to March 29, 2023” – before the statutory requirements in FDORA took effect. This would go a long way in reassuring Americans that their privacy and health data are not vulnerable to exploitation by a foreign adversarial nation or those working on its behalf.

 

States Are Leading the Charge Against Chinese Spying in Medical Tech 

While Senator Cotton is working with the FDA at the federal level, states are also taking action to identify and combat embedded vulnerabilities in medical devices linked to Chinese medical technology companies. In Florida, Attorney General James Uthmeier has taken a multi-pronged approach in helping to secure Americans’ health data from risky Chinese medical devices. In June 2025, Uthmeier issued subpoenas to Contec, manufacturer of the CMS8000, and Epsimed, an American reseller of the CMS8000, alleging violations of Florida’s Deceptive and Unfair Trade Practices Act. In February of this year, he began the process of demanding audits from Chinese medical technology companies such as Mindray North America, United Imaging, and MicroPort over their ties to the Chinese Communist Party. Attorney General Uthmeier also launched the Consumer Harm from International Nefarious Actors (CHINA) Prevention Unit, a dedicated team within his office “focused on combating threats posed by the Chinese Communist Party (CCP) and other foreign adversaries to Florida consumers, data privacy, and economic security.” 

In March of this year, Texas Governor Greg Abbott directed the Texas Health and Human Services Commission, the Department of State Health Services, the Texas Cyber Command, and public university systems to address cybersecurity threats from Chinese medical devices by reviewing their cybersecurity and procurement policies to ensure that the private medical data of Texas residents are safeguarded. In his letter to state agencies and Texas public universities, Abbott further pledged to propose legislation in the next state legislative session to “protect Texans’ medical data from foreign hostile actors like Communist China.”  

 

There Is More That Can Be Done 

The Protecting America Initiative supports Senator Cotton’s push for the FDA to review Chinese medical devices for cybersecurity vulnerabilities and believes it will make a meaningful difference for Americans’ private health data. We have also advocated for several other policies at both the state and federal levels that would reduce our reliance on vulnerable Chinese medical devices, including:

  • Banning state Medicaid dollars from flowing to entities that purchase medical devices from Chinese companies.   

  • Directing state purchasing boards to adopt stricter medical device performance standards and restrict any funding for entities that purchase CCP medical devices.  

  • Passing laws at the state level that incentivize the use of domestic alternatives.  

  • Phasing Chinese products out of U.S. hospitals that accept federal funding by 2029.   

  • Requiring that federal healthcare dollars are used on Made-in-America medical devices.  

  • Using trade enforcement laws to ensure Chinese medical equipment is not a threat to national security.  

  • Passing laws to criminalize foreign medical data espionage using medical devices.   

  • Following any national security recommendations that come as a result of ongoing Department of Commerce and Department of Homeland Security investigations. 

Reducing our reliance on Chinese-made medical devices will make it harder for the Chinese Communist Party and malicious actors working on its behalf to exploit our connected healthcare system and would be a win for American patients.  
