Greg Abbott directs state health agencies to remove CCP-vulnerable patient monitors amid CISA and FDA warnings of embedded backdoors
A Direct Threat to Patient Safety and Medical Privacy
Texas Governor Greg Abbott issued a letter in March 2026 directing the heads of the state’s cyber command, health services department, and human services department to take immediate action against a cybersecurity threat that intelligence and health officials have been warning about for over a year: patient monitoring devices manufactured in China and operating inside American hospitals with capabilities that could allow unauthorized actors – including the Chinese government – to access sensitive personal and medical information. The directive is unambiguous in both its language and its intent. “I will not let Communist China spy on Texans,” Abbott wrote. State-owned medical facilities must ensure safeguards are in place to protect Texans’ private medical data.
The Devices at the Center of the Crisis
Two specific devices are named in Abbott’s letter as particularly high-risk and placed on Texas’s official prohibited technologies list: the Contec CMS8000 patient monitor and the Epsimed MN-120. These are not obscure or peripheral medical devices. Patient monitoring systems of this type are used in intensive care units, post-surgical wards, and emergency departments across the country, measuring vital signs including heart rate, blood pressure, oxygen saturation, and respiratory function. The CISA advisory on the Contec CMS8000, published in January 2025, identified an embedded backdoor function in the device’s firmware – a deliberate technical feature that enables remote access to the device and any network connected to it, with no legitimate clinical justification. The FDA safety communication reinforced this finding, warning healthcare providers of serious cybersecurity vulnerabilities in both the Contec and Epsimed monitors.
What These Vulnerabilities Actually Enable
The practical implications of an embedded backdoor in a hospital patient monitor extend far beyond the device itself. Modern patient monitoring systems are networked: they connect to electronic health record systems, hospital management platforms, and increasingly to cloud-based analytics and storage. A backdoor in one device is potentially an entry point into an entire hospital network. From that foothold, a sophisticated state-sponsored actor – and the Chinese government’s cyberespionage capabilities are among the most advanced in the world – could exfiltrate patient health records, personal financial and insurance information, research data, and operational information about hospital systems, staffing, and infrastructure. For a government systematically building comprehensive databases on American citizens, this represents an intelligence windfall of extraordinary value.
Abbott’s Directive: What Agencies Must Do
Under Abbott’s order, state agencies and Texas higher education institutions must catalog all medical devices capable of transmitting data, review cybersecurity policies governing personal health information, and ensure that any new device acquisitions comply with his 2024 executive order limiting the purchase of technologies from adversarial nations. The compliance deadline is April 17, 2026. Abbott also announced plans to propose legislation in the next Texas legislative session to further protect Texans’ medical data from foreign hostile actors. The legislative initiative would create statutory requirements where the current executive framework relies on administrative directives.
A State Taking the Lead on a National Problem
Texas’s action on Chinese patient monitoring devices is one component of a broader state-level counterintelligence framework that Texas has been building systematically over the past two years. The state was among the first to ban DeepSeek and RedNote applications from government devices. Attorney General Ken Paxton announced lawsuits against Chinese companies including TP-Link, alleging cybersecurity risks and deceptive business practices. The state operates a dedicated hostile foreign adversaries unit within the Department of Public Safety, focused primarily on Chinese cyber and influence threats. Texas’s aggressive posture reflects a recognition that federal action on Chinese technology threats – while increasingly robust – moves on a timeline that does not match the urgency of the threat. States that operate their own health systems, universities, and critical infrastructure cannot wait for Washington. They must act. The American Hospital Association and healthcare security professionals have urged hospitals nationwide to conduct independent risk assessments of all Chinese-manufactured equipment, regardless of state mandates – recognizing that the vulnerability Texas has formally identified in its state facilities is equally present in private hospitals across all 50 states. No facility that values patient privacy and data security should assume it is immune simply because its governor has not yet issued a similar directive. For comprehensive guidance on protecting healthcare infrastructure from state-sponsored cyber threats, CISA’s China threat advisory portal provides current technical guidance that every hospital administrator and health IT professional should consult.
Jessica Lam
Politics & Diaspora Affairs Journalist, Apple Daily UK
Contact: jessica.lam@appledaily.uk
Jessica Lam is a politics and diaspora affairs journalist with specialized expertise in Hong Kong governance, overseas Chinese communities, and democratic movements. Educated at a leading UK journalism institution, she received advanced training in political reporting, international law basics, and source protection, equipping her for complex cross-border coverage.
Jessica has worked with Apple Daily and other liberal Chinese publications, reporting on electoral systems, civic participation, protest movements, and policy developments affecting the Chinese diaspora. Her work demonstrates strong command of political context and an ability to translate complex issues into accessible, fact-driven journalism.
She brings real-world newsroom experience in covering time-sensitive political developments while maintaining strict verification standards. Jessica regularly works with primary documents, expert interviews, and multiple independent sources to ensure balanced and accurate reporting.
Her authority is reinforced by consistent publication within established news organizations and by adherence to editorial review processes. She is known for transparent attribution and for distinguishing clearly between reporting and analysis.
Jessica Lam’s journalism reflects professional experience, subject-matter expertise, and a strong ethical foundation. At Apple Daily UK, she contributes trusted political coverage that serves readers seeking independent and credible information.
