AUSTIN, Texas — In a move that puts patient safety and national security squarely at the center of Texas healthcare policy, Governor Greg Abbott has ordered a comprehensive cybersecurity review of Chinese-manufactured medical equipment used in state-owned health facilities — and he has given agencies a hard deadline to comply.

The directive, issued through a formal letter to several key state agencies, signals that Abbott is expanding his already aggressive posture against Chinese Communist Party-linked technology beyond consumer apps and land ownership into one of the most sensitive areas imaginable: the devices monitoring the vital signs of Texans in hospitals, clinics, and university medical systems right now.


The Order: What Abbott Is Demanding

Abbott’s directive is addressed to the Texas Health and Human Services Commission (HHSC), the Department of State Health Services (DSHS), the Texas Cyber Command (TXCC), and the chancellors of public university systems across the state.

The agencies have been given until April 17, 2026 to submit reports and recommendations to the Governor’s Office — a timeline that reflects the urgency Abbott’s team sees in the issue.

Among the specific tasks laid out in the order:

  • HHSC must promote awareness of FDA resources for reporting cybersecurity concerns with medical devices, launching an outreach campaign to Texas hospitals and healthcare providers it regulates.
  • TXCC is directed to evaluate whether the Contec CMS8000 and Epsimed MN-120 patient monitors — both flagged in recent federal safety notices — should be added to Texas’ Prohibited Technology List, and to make formal recommendations to the Governor’s Office.
  • TXCC must also convene executives across HHSC, DSHS, and public university systems to recommend improvements to state policy on medical devices, covering emerging cybersecurity risks, device monitoring practices, and mitigation strategies.
  • State agencies are additionally required to inventory all network-connected medical devices and submit security recommendations as part of the broader review.

In his own words, Abbott made the stakes plain:

“Maintaining Texans’ physical security and protecting their personal privacy, especially personal medical data, is of paramount importance. I will not let Communist China spy on Texans. State-owned medical facilities must ensure there are safeguards in place to protect Texans’ private medical data and our critical medical infrastructure.”

And in a separate statement, Abbott went further: “We kicked China-linked technology applications out of state government systems. We banned hostile foreign powers from buying Texas land. Now we are also protecting Texans’ medical data. The Chinese Communist Party will not infiltrate our hospitals.”


The Threat Is Real — and Federal Agencies Already Sounded the Alarm

Abbott’s directive did not emerge in a vacuum. It comes directly on the heels of warnings from two of the nation’s most prominent federal watchdogs.

In January 2025, both the Cybersecurity and Infrastructure Security Agency (CISA) and the Food and Drug Administration (FDA) issued formal notices warning of serious security vulnerabilities found in Chinese-manufactured patient monitoring devices — specifically the Contec CMS8000, one of the most widely used vital signs monitors in American hospitals.

The FDA’s safety communication warned that certain patient monitors contained vulnerabilities allowing unauthorized access, manipulation of devices, and the exfiltration of sensitive patient data. CISA went further, warning that the Contec device contained a “backdoor” — a hidden channel allowing the device to be controlled remotely and patient data to be accessed without the hospital’s knowledge.

What made the CISA finding particularly alarming was the nature of the backdoor itself. Researchers described what they called “anomalous network traffic” and found the device downloading and executing unverified remote files — transmitting data to an IP address not associated with any medical device manufacturer or healthcare facility, but instead linked to a third-party university, which CISA described as exhibiting “highly unusual characteristics” that go against industry norms for medical devices.

In short: a machine tracking a patient’s heartbeat, blood pressure, and oxygen levels in a hospital bed could, according to federal investigators, be quietly sending that data somewhere in China — with the hospital having no idea.

John Riggi, national advisor for cybersecurity and risk at the American Hospital Association and a former FBI counterterrorism official, described the scale of the problem bluntly: “We don’t know because of the sheer volume of equipment in hospitals. We speculate there are, conservatively, thousands of these monitors; this is a very critical vulnerability.” He added that Chinese access to these devices poses strategic, technical, and supply chain risks, urging the industry to act before an incident occurs.


A Vulnerability Built Into the Supply Chain

The presence of Chinese-manufactured devices in American hospitals is not an accident or an oversight — it is the product of deliberate industrial policy from Beijing combined with cost pressures that have long driven American healthcare purchasing decisions.

Beginning in 2015, the Chinese Communist Party set out to make China a dominant player in the global medical device market under its “Made in China 2025” initiative, with state subsidization at multiple levels helping Chinese firms rapidly expand production and capture significant global market share. The result: cost-conscious U.S. hospitals — many operating on tight margins — have found Chinese-made devices to be among the most affordable options available.

The Contec CMS8000, for example, is a widely deployed patient monitor that tracks electrocardiograms, heart rate, blood oxygen saturation, blood pressure, body temperature, and respiration rate. Its affordability made it attractive to health systems across the country. Its hidden backdoor, confirmed by federal investigators, made it a potential intelligence asset.

The American Hospital Association has advised member hospitals that, until a patch is available, any affected monitors should be immediately disconnected from the internet and segmented from the broader hospital network. CISA has confirmed that no software patch currently exists to mitigate the risk.


The Broader Healthcare Cybersecurity Crisis

Abbott’s move comes as the healthcare sector faces what experts are calling a generational crisis in cybersecurity. The numbers paint a troubling picture.

According to recent industry research, 93% of U.S. healthcare organizations experienced at least one cyberattack in the past year, with the average organization reporting 43 separate incidents. Critically, 72% of respondents said at least one attack disrupted patient care.

Ransomware attacks on healthcare institutions surged roughly 36% in late 2025 compared to the prior year, with the healthcare sector accounting for more than one-third of all reported attacks — more than twice the rate of the next most-targeted industry. The average cost of a cyberattack on a healthcare organization now stands at approximately $3.9 million per incident, with some extortion demands reaching $4 million in 2025 alone.

The threat landscape is compounded by the explosion of connected medical devices. The average hospital now houses between 10 and 15 network-connected medical devices per bed — totaling hundreds of thousands of devices across a single large facility. A 2022 FBI report found that 53% of connected medical devices had at least one known critical vulnerability that had never been patched, and roughly one in five connected medical devices runs on operating systems that no longer receive security updates at all.

Security researchers have already demonstrated in controlled settings that attackers could, in theory, alter the dosage of connected insulin pumps or interfere with pacemaker function. While no confirmed patient death from a cyberattack has been publicly documented, industry experts widely believe it is a matter of time if current trends continue.


Texas Has Been Here Before

For Abbott, the medical device review is not a standalone move — it is the latest chapter in a sustained, multi-year campaign to build what his administration calls a wall against CCP-linked technology throughout Texas government and infrastructure.

His track record includes:

  • Adding Chinese-linked technologies to Texas’ Prohibited Technology List, restricting their use in state systems
  • Signing what his office describes as the nation’s toughest restrictions on land purchases by hostile foreign adversaries — directly targeting Chinese state-linked entities
  • Launching Texas Cyber Command, billed as the largest state-level cybersecurity unit in the United States
  • Issuing Executive Orders GA-47, GA-48, and GA-49, targeting foreign adversary influence, hardening state government systems, and protecting critical infrastructure

The Governor has also had an ally in Texas Attorney General Ken Paxton, who has filed lawsuits against Chinese-owned manufacturers of “smart” consumer technology — including legal action against TP-Link over allegations that CCP-connected parties could gain access to Americans’ devices through its networking equipment. Similar data privacy lawsuits have been filed against other Chinese-linked smart technology brands operating in the Texas market.


What Happens Next

The clock is now ticking. State agencies have until April 17, 2026 to deliver their reports and recommendations to Abbott’s office. Those findings could result in specific Chinese-manufactured medical devices being formally added to Texas’ Prohibited Technology List — effectively banning their use in state facilities going forward and setting a precedent other states may follow.

For hospitals and healthcare systems that have already deployed these devices, the directive raises immediate questions about inventory auditing, network segmentation, and replacement timelines. State-regulated facilities under HHSC jurisdiction will also be subject to the new outreach campaign on FDA reporting resources — a measure designed to ensure that cybersecurity concerns flagged by federal regulators reach the front lines of Texas healthcare quickly.

Whether other governors follow Abbott’s lead remains to be seen. But the combination of verified federal agency warnings, rapidly escalating cyber threats against healthcare infrastructure, and Texas’ increasingly aggressive posture on foreign adversary technology suggests this fight is far from over — for Texas, and for the nation.


Sources: Governor Abbott’s Office; Dallas Express; FOX 7 Austin; FOX 4 Dallas-Fort Worth; CNBC; Industrial Cyber; American Hospital Association