Full metal scrubs: IT security for surgical robots could save your life

This article first appeared in VentureBeat.

Big news this month on the medical front: a surgical robot called STAR — Smart Tissue Autonomous Robot — succeeded, both in a lab setting and on live animal tissue, in stitching together pieces of pig intestinal tubing with very little guidance from humans.

Not only that, but it did so with accuracy and safety equal to, if not better than, that of doctors, according to the researchers behind the experiment.

This is a momentous advancement for medical robots and telesurgery alike, and with sales of such robots expected to double to $6.4 billion (a yearly increase of 10.2%) by 2020, according to an Allied Market Research report published in January, we’re only going to hear about more and more progress in the near future.

Which is beyond fantastic. Ever since the first telesurgery was performed in 2001, when a surgeon in New York successfully took out the gall bladder of a patient in Strasbourg, there has been increasing hope of one day providing excellent medical care to people who would otherwise be thousands of miles away from any surgical help. People in remote areas with no access to proper medical care, people in underprivileged nations, people in war zones, people who wouldn’t be able to survive the air transport to where the surgeon they need is located or who don’t have enough time to wait for that surgeon to be flown out to their respective location.

I have no doubt that telesurgery is the future and that medical robots (not only surgical ones) are not far from becoming ubiquitous, if not the norm in hospital care and possibly out-patient care as well.

But there’s a problem. One that we need to start fixing now, before medical robots become ubiquitous and the norm.

All these surgical robots will operate over public networks and poor connections, sometimes even wireless ones, which leaves them exposed to hacking and other types of malicious attacks.

And even though it might seem that these privacy and security concerns are better suited for a sci-fi horror movie in the SAW vein than real life, a surgical robot has already been hacked. Luckily, it happened in a controlled environment and by a team of researchers, but given that we have yet to see an Internet-connected device that can’t be hacked, this does not bode well for a future of “Paging Doctor Robot to OR 1.”


A year ago, in May 2015, University of Washington researchers led by Tamara Bonaci tested Raven II, a telesurgery robot designed to operate in extreme conditions, namely poor connections over public networks, by submitting it to cyber attacks that modified its behavior:

  • They delayed, deleted, or changed the order of the commands sent to the robot
  • They modified the distance the Raven II’s arm was supposed to move, as well as the rotation degree
  • They performed a complete takeover of the robot

Worried yet? Well, add this to your list of worries then: Once hacked, a surgical robot can become the victim of a denial of service attack if the hacker decides to flood the system with commands.

And while a denial of service attack can mean significant monetary loss for a company, be it in the form of clients/business lost or ransom payment made to hackers, where a surgical robot is concerned, an attack of this nature can mean loss of human life. Terrifying, isn’t it?
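As an added illustration, not code from the article or from the Raven II project, here is a defender-side receiver check in Python that flags each manipulation the Raven II team demonstrated (modified motion parameters, replayed or reordered commands, deliberately delayed commands, dropped commands) as well as the command flood described above. The message layout, the pre-shared key and the thresholds are assumptions made for the demo.

```python
import hmac
import hashlib
import struct

# Assumed demo layout (not Raven II's real protocol):
# seq (u32) | timestamp_ms (u64) | dx_mm (f32) | rot_deg (f32) | HMAC-SHA256 tag
HEADER = struct.Struct(">IQff")
KEY = b"constructed-demo-key"   # pre-shared between console and robot (assumption)
MAX_DELAY_MS = 200              # freshness window (assumption)
MAX_RATE_PER_SEC = 100          # arrival-rate ceiling for flood detection (assumption)

def pack_command(seq, ts_ms, dx_mm, rot_deg, key=KEY):
    """Console side: sign sequence number, timestamp and motion parameters together."""
    body = HEADER.pack(seq, ts_ms, dx_mm, rot_deg)
    return body + hmac.new(key, body, hashlib.sha256).digest()

class RobotReceiver:
    """Robot side: the order of checks matters; flood counting happens before any parsing."""
    def __init__(self, key=KEY):
        self.key = key
        self.last_seq = 0
        self.arrivals = []   # arrival times (ms) of every packet, authentic or not

    def accept(self, msg, now_ms):
        # Count every arrival, so a flood of forged packets is still noticed.
        self.arrivals = [t for t in self.arrivals if now_ms - t < 1000] + [now_ms]
        if len(self.arrivals) > MAX_RATE_PER_SEC:
            return "reject:flood"
        body, tag = msg[:HEADER.size], msg[HEADER.size:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "reject:modified"           # distance/rotation altered in flight
        seq, ts_ms, _dx_mm, _rot_deg = HEADER.unpack(body)
        if seq <= self.last_seq:
            return "reject:replay_or_reorder"  # old or re-sent command
        if now_ms - ts_ms > MAX_DELAY_MS:
            return "reject:stale"              # deliberately delayed command
        dropped = seq - self.last_seq - 1
        self.last_seq = seq
        if dropped > 0:
            return f"accept:dropped{dropped}"  # earlier commands never arrived: log it
        return "accept"
```

A real deployment would also need key provisioning, clock synchronisation between console and robot, and a safe-stop policy for what the arm does when commands are rejected.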

Or maybe not. Maybe you’re thinking that this was just an experiment and since no real-life incidents have been reported to date (which is a fact), there’s no need to panic.

But let’s not forget that these surgical and non-surgical robots operate and will continue to do so within the boundaries and the privacy and security means of the healthcare industry — an industry that is so plagued by breaches, data theft, and ransomware that IBM named 2015 “The Year of the Healthcare Breach” in its Cyber Security Intelligence Index.

And if the past months are any indication, 2016 could very well turn out to be “The Year of the Healthcare Breach – The Sequel.”

Since February, over a dozen hospitals and even more healthcare institutions have been the victim of ransomware, their systems rendered unusable, their staff forced to resort to pen, paper, and fax machines (remember those?), their urgent surgeries postponed, their patients transferred, and ultimately, their money shelled out to hackers.

After the highly publicized case of Hollywood Presbyterian Medical Center, which was forced to declare a state of emergency and pay 40 bitcoin (approx. $17,000) to regain access to its files and equipment, reports of similar attacks kept pouring in.

In March, the same ransomware — named Locky — hit Methodist Hospital in Henderson, Kentucky and left personnel unable to access patient files. Soon after that, it was reported that MedStar Health, a healthcare organization operating over 120 entities including 10 hospitals in the Baltimore–Washington area, had been attacked by some type of ransomware as well.

Add this to the fact that, as research carried out by Sergey Lozhkin at Kaspersky Lab brought to light, there are a lot of cases where medical equipment is not separated from the local office network, and all that bright future of telesurgery and medical robots looks riddled with potential breaches. And ensuing malpractice lawsuits.

So as I said, it’s high time we started thinking of a solution. It’s high time hospitals and other healthcare institutions started thinking more seriously about IT security and taking important steps towards protecting not only their patients’ data from hackers, but their patients’ robot-doctors and all other medical devices too.

Because when it comes to surgical robots, hospitals, and the healthcare system as a whole, well-implemented and consistently followed IT security best practices could mean the difference between a 1-inch incision and a 10-inch one. Between perfectly spaced out stitches and surgical complications with a long recovery time. Sometimes even between life and death.

Read the rest of this article at VentureBeat.