The Brief Governor Abbott has ordered state health agencies and universities to review cybersecurity policies for medical equipment manufactured in China following federal warnings of potential data breaches. The directive follows FDA and CISA alerts regarding "backdoor" vulnerabilities in certain patient monitors that could allow unauthorized remote access to sensitive medical data. State agencies must inventory network-connected devices and submit security recommendations by April 17, 2026, to determine if specific Chinese brands should be banned.



Texas Governor Greg Abbot released a letter today, directing state agencies and state-owned medical facilities in Texas to review cybersecurity policies to potentially address cybersecurity concerns that are linked to medical equipment manufactured in China.

FDA, CISA issue warnings on patient monitor vulnerabilities

The FDA headquarters in Washington, D.C. (iStock / Getty)

What we know:

In the letter, Abbott directed health agencies and public university systems to review cybersecurity and procurement policies to protect Texans from medical information data breaches.

On Jan. 2026, the Trump Administration’s Cybersecurity and Infrastructure Security Agency (CISA) and the federal Food and Drug Administration (FDA) released a series of notices describing security vulnerabilities found in Chinese-manufactured patient monitoring devices. One of the risks includes the possibility of unauthorized actors accessing protected health information remotely.

It is the U.S. FDA's duty to regulate medical devices before and after entering the market. Once those devices are deployed, the FDA continues to monitor medical devices through post-market examination.

When risks are identified, the FDA issues alerts and recommendations to reduce harm.

Abbott warns of "backdoor" access to Texans' private health data

What they're saying:

According to Governor Abbott, these FDA and CISA notices underscore the need for state agencies and state-owned medical facilities to ensure they are continually operating in safe and secure environments.

The governor warns that these notices confirm the warnings of experts who have elevated the "proliferation of Chinese-manufactured smart medical devices" across the Texas healthcare system as a serious data privacy concern.

More specifically, on January 30, 2025, the FDA issued a notice raising Cybersecurity Vulnerabilities with Certain Patient Monitors from Contec and Epsimed: FDA Safety Communication, in which the FDA warned that certain patient monitors contained vulnerabilities that allow unauthorized access, manipulation of devices, and the exfiltration of sensitive patient data, creating meaningful risks for patients.

CISA similarly warned that certain Chinese-manufactured monitors contain a "backdoor" through which the device could be controlled remotely and patient data accessed.

"Maintaining Texans’ physical security and protecting their personal privacy, especially personal medical data, is of paramount importance," said Governor Abbott. "I will not let Communist China spy on Texans. State-owned medical facilities must ensure there are safeguards in place to protect Texans’ private medical data and our critical medical infrastructure."

New cybersecurity audits, procurement rules

Dig deeper:

Governor Abbott addressed health agencies and state-owned medical facilities with the following directives:

The Health and Human Services Commission (HHSC), the Department of State Health Services (DSHS), and public systems of higher education shall review all state-owned medical facilities operated under their jurisdiction and attest that all new purchases of medical devices used in state-owned medical facilities were procured in compliance with Executive Order GA-48, signed in Nov. 2024.

HHSC, DSHS, and public systems of higher education shall catalog and share their inventory of all state-owned medical devices capable of transmitting data via a network and/or that can be accessed remotely by the Texas Cyber Command (TXCC).

HHSC, DSHS, and public systems of higher education, with the assistance of TXCC, shall review all cybersecurity policies implemented to protect personal health information at all state-owned medical facilities operated under their jurisdiction. Such reviews must specifically include how policies address alerts and notices issued by the FDA or CISA for internet-connected medical devices.

HHSC shall promote awareness of FDA resources for reporting cybersecurity concerns with medical devices through an outreach campaign to Texas hospitals and other healthcare providers regulated by HHSC.

TXCC shall review whether the Contec CMS8000 and Epsimed MN-120 patient monitors, or any other items used by HHSC, DSHS, and public systems of higher education that have been the subject of an FDA safety notice, should be included on Texas’ prohibited technology list and make recommendations to the Office of the Governor

TXCC shall convene appropriate executives at HHSC, DSHS, and public systems of higher education to make recommendations for improvements to state agency policies for medical devices to address emergent cybersecurity risks, monitoring of devices, and mitigation strategies.

The addressed agencies are to submit reports and recommendations in response to Governor Abbott's directives by April 17, 2026.