FTI Consulting on medical robotics, the fears and frontiers
It is often thought that what robots lack in humanity they make up for in their promise of precise, programmatic perfection. That is, of course, until experience says otherwise. In April of this year, a healthcare-focused IoT security company discovered five critical vulnerabilities, dubbed JekyllBot:5, in the Aethon TUG smart autonomous robot. The TUG has become a fixture in thousands of hospitals worldwide since first being brought to market in 2004. Powered and enabled by an array of sensors, lasers and cameras, this device delivers medication and food to patients, deposits lab specimens with research personnel, cleans floors and assists nurses with a wide range of everyday tasks.
However, with the discovery of JekyllBot:5, the capabilities of this device expanded in the most sinister of ways. If exploited, these vulnerabilities would have allowed threat actors to remotely photograph and surveil patients, access medical records, disrupt medication delivery and obstruct hospital entrances, elevators and corridors. For healthcare providers, medical device developers and the patients that connect them, this discovery begs a critical question: what is the balance between assistive technology and the danger of data and patient exploitation?
Dr. Ayala Maurer-Prager, Director (UK)
Software developers who design robots for healthcare should guarantee security by design
In the healthcare field, determining this balance requires an evaluation of need – and against the backdrop of COVID-19, the support promised by these robotic devices is a lifeline of its own. Robots are now assisting with patient testing, for example, to avoid human exposure to the virus, and as demands for telehealth and remote diagnostic services continue to grow, robotic devices will be essential to facilitating effective responses. In removing the need for in-person contact, medical robots also represent an essential health-shielding mechanism for the millions of clinical workers already stretched to breaking point as they continue to grapple with the effects of the pandemic. However, acknowledging the risks that these robots’ vulnerabilities may present to the already vulnerable, it becomes impossible to separate the question of security from the notion of the duty of care governing the environments in which they operate.
How, then, do we balance the promise of “do no harm” with the introduction of these robots into caregiving spaces? The answer lies in the understanding that the secure operation of these devices is the responsibility of the many, not the few.
For the software developers powering these robots, this means ensuring that security by design is incorporated into every stage of the build process and that device hardware is sourced from similarly security-minded suppliers. The level of assurance provided by thorough, frequent architecture risk analyses, code scanning and software security testing will not only allow vulnerabilities to be identified and remediated early – and more cost-effectively, as a result – but will create competitive market advantage. Healthcare technology buyers understand with growing clarity that cybersecurity and data privacy are critical patient benefits, too.
Ron Yearwood, Senior Managing Director (US)
The healthcare industry working with robotic devices must understand what to expect from them
Once released into the market and acquired by healthcare providers, the IT personnel tasked with ensuring the digital resilience and operation of these robotic devices must initially oversee the successful integration of this technology into their environments. Network segmentation, default password changes and frequent testing are vital, as is securing remote access to these devices once they have been deployed. Keeping operating systems current is similarly critical. Although the timing of upgrades must be carefully considered to avoid a lapse in required services, regularly updated software and a defined patching schedule will help ensure that these devices are as protected as possible against existing and newly identified threats.
Technological protections are crucial. However, human education is an equally important link in the security chain. The healthcare practitioners working alongside these robotic devices must be provided with enough information to understand what to expect from them — not only to maximise their efficiency, but to allow for the recognition of operational irregularities that may be suggestive of system exploitation. Patients must be empowered with an understanding of their data-related rights, and healthcare providers must be primed with knowledge of exactly how these robots collect, store, process and communicate information for when these questions are asked by patients, regulatory bodies or insurers. Strong encryption protocols and secure data transmission procedures can make all the difference in safeguarding the highly sensitive personal data collected by these robotic devices.
Ensuring the cybersecurity of robotic devices is a cooperative and complex endeavour that spans the domains of people, process and technology. However, it is only through striving for this resilience that the possibilities offered by the healthcare technologies of today and tomorrow can be fully embraced.