HHSC Directs Health Care Facilities to Follow FDA Cybersecurity Guidance

The Texas Health and Human Services Commission is directing all health care facilities to review, understand and mitigate the risk of unauthorized people remotely accessing protected health information.

All hospitals, acute care facilities and long-term care facilities in Texas must:

• Review applicable U.S. Food and Drug Administration (FDA) cybersecurity guidance for medical devices in use within their organization.
• Align operational policies and procedures with FDA guidance, including procurement, maintenance and decommissioning processes.
• Assess devices with a network function or remote access capabilities for potential cybersecurity risks.
• Coordinate with manufacturers, vendors and internal information technology and security teams to identify and mitigate vulnerabilities and maintain compliance.

The FDA issued a notice in January 2025 identifying cybersecurity vulnerabilities with Contec CMS8000 and Epsimed MN-120 patient monitors. The FDA recommended health care facility staff email Contec to receive a software patch and installation instructions to remove the network function.

Medical devices that incorporate software, wireless communication and network access may introduce cybersecurity vulnerabilities, including risks to patient safety and data integrity.

The FDA recommends:

• Identifying and managing cybersecurity vulnerabilities.
• Implementing appropriate safeguards and controls.
• Keeping devices updated with security patches.
• Performing risk assessments, ongoing monitoring and incident-response planning.

Failure to adequately address cybersecurity risks may lead to unauthorized access, disruption of clinical services, compromised patient data and potential threats to patient safety.