HHSC Directs Health-Care Facilities to Follow FDA Cybersecurity Guidance

What to Know:
  • HHSC told Texas health-care facilities to review and mitigate risks tied to unauthorized remote access to protected health information.
  • The directive points facilities to FDA guidance on Contec and Epsimed patient monitors with known cybersecurity vulnerabilities.
  • The move follows Gov. Greg Abbott’s March 9 order for state health agencies and public university systems to review China-linked medical device risks.

The Texas Health and Human Services Commission (HHSC) is directing health-care facilities to review, understand and mitigate the risk of unauthorized remote access to protected health information.

HHSC said in an April 1 news release that all health-care facilities should coordinate with manufacturers, vendors and internal IT and security teams to identify and mitigate vulnerabilities and maintain compliance. The agency tied that direction to Food and Drug Administration (FDA) cybersecurity guidance involving Contec CMS8000 and Epsimed MN-120 patient monitors, devices the federal agency warned may be vulnerable to unauthorized remote control, hidden backdoor access and exfiltration of personally identifiable information and protected health information once connected to the Internet.

The move follows Gov. Greg Abbott’s March 9 directive ordering HHSC, the Department of State Health Services and public university systems to review cybersecurity and procurement policies tied to medical equipment manufactured in China. In that release, Abbott said state-owned medical facilities must ensure safeguards are in place to protect Texans’ private medical data and critical medical infrastructure.

HHSC’s notice gives Abbott’s March directive a more operational shape by pushing facilities to work with vendors, manufacturers and internal security teams to address device-related cyber risks. The agency warned that failing to address those risks can lead to unauthorized access, disruption of clinical services, compromised patient data and threats to patient safety.

The FDA safety communication underlying the state action was first issued Jan. 30, 2025, and updated July 2, 2025, after Contec released a patch. The federal agency said health-care facility staff should contact Contec for the patch and installation instructions, while continuing to follow mitigation recommendations if they cannot install it. The FDA also said it was not aware of any cybersecurity incidents, injuries or deaths related to the vulnerabilities at the time of the communication.

Chandler Treon is an Austin-based staff writer. He has a bachelor’s degree in English, a master’s degree in literature and a master’s degree in technical communication, all from Texas State University.