
Large incisions used to be standard practice in the operating room, and resulted in extensive post-operative management, higher risk, and extended length of stay. The introduction of robot-assisted surgery drastically improved patient outcomes – with smaller incisions, the risk of infection was lower, recovery was faster, and clinical outcomes were better. Surgical robots embody the intersection of technology, clinical innovation, and enhanced patient experience.
Surgical robots have existed for nearly three decades, but only in recent years have we started to broadly utilize their potential. The market receptiveness to this technology has highlighted the necessity for cyber-secure operation of these complicated devices. As the saying goes, you’re only as strong as your weakest link. How can one rely on cutting-edge technology if the cybersecurity posture is unknown, insufficient, or compromised?
What’s unique?
The FDA has issued several guidance documents and has established regulatory expectations on what cybersecurity practices a device, and the related manufacturer, should demonstrate as part of the approval process. Most recently, FDA provided an updated draft of its Premarket Cybersecurity Guidance, giving insight into the agency’s evolving thinking on manufacturer cybersecurity responsibilities. But interestingly, unlike many other medical devices, surgical robots were designed with connectivity in mind. While it may have started with point-to-point connection or even moving data from devices via USB, the desire for data and centralizing information was intrinsically part of how these devices have evolved.
And even a surgical robot by itself is a system of systems that consists of a variety of types of individual devices – from embedded, to general computing and everything in between. Additionally, complex surgical robots integrate with other devices in the OR environment as well as the manufacturers’ remote support network. The infrastructure to connect these endpoints is necessarily complicated and requires unique considerations when designing the related security.
For instance, in considering a cryptography solution for this type of device, provisioning unique keys per device (i.e. the entire surgical robot) would not be sufficient. The complexity of operation alone mandates provisioning and managing unique keys for sensitive functions as well as components.
Furthermore, as devices are evolving, sharing data between them has become the de facto norm. And every large device manufacturer in this space is trying to establish market presence faster than the rest. But how can one do this when most multinational medical device manufacturers have acquired their surgical robot devices and are now trying to integrate them with their larger ecosystem? Attempting to harmonize on data structure, security configuration, and communication protocols is actually harder than it may appear.
But as alluded to before, this clinical modality evolved as a result of a clinical need. When faced with aggressive go-to-market pressure, complicated technology, regulatory requirements, and patient experience, where does cybersecurity land from a priority perspective?
Current Landscape
In an attempt to measure progress and effort to date, all medical device vulnerability disclosures were reviewed, and there has yet to be one that references surgical robots (see Learning from Past Vulnerability Disclosures). Given the technological complexity these devices need in order to function, this prompts a variety of questions, in particular how we could explain that there has never been a vulnerability disclosure associated with a robotic device.
Perhaps it’s because third-party researchers can’t easily purchase a surgical platform off eBay and hack it from their basement, as they have done with, for example, infusion pumps. Or perhaps those MDMs (medical device manufacturers) building surgical robots aren’t engaged with the ICS-CERT process, but instead choose to publish vulnerabilities directly to their customers. Regardless, the end result is an open question as to what the efficacy of security practices in surgical robots is.
By their inherent nature, surgical robots are complicated and contain a variety of endpoints and different types of systems. When assessing threats for any system, the vulnerabilities directly increase with the size of the attack surface. This means that for surgical robot systems, protection is costly, both technically and economically.
Things to consider
All leading surgical robot vendors are working to integrate with other systems to support clinical operation, remote support, data analytics, and cross-purpose surgical procedures.
Perhaps most novel in this use case is how these devices will connect and the security around that connectivity. This means ensuring that communication protocols are in place and, in particular, that the device is designed to operate in a hostile network environment (as the FDA has regularly said should be assumed for hospital networks).
- Are your customers able to assess the security posture of your product several years after purchase? Do they know what operating systems, software stacks, and open-source components are in the device (SBOM), and are they informed about existing and newly uncovered vulnerabilities accordingly?
- Is the data that is critical to the safe function of your device (e.g. configuration files, treatment plans) secured in such a way that the integrity of this data can be confirmed before a procedure?
- Is the end-of-life process for your device plainly spelled out in your customers’ contracts, such that you can enable proper replacement planning?
- Are the interoperability features designed into your device (e.g. imaging / PACS integration) secure by design? Or do you need to rely on the security of the hospital network for these features to be secure?
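The two points above about unique keys per component and function, and about confirming the integrity of safety-critical data before a procedure, can be combined in one sketch. This is an added example, not code from the authors or any vendor; deriving the keys from a per-robot root secret with HKDF is an assumption (one way to get unique keys), and the component names, function label and treatment plan are constructed.

```python
import hashlib
import hmac

# Constructed stand-in for a per-robot root secret (assumed to live in an HSM or secure element).
ROOT = hashlib.sha256(b"constructed demo root secret").digest()

def hkdf_sha256(ikm: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with SHA-256 and the default all-zero salt."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()   # extract
    okm, block, counter = b"", b"", 1
    while len(okm) < length:                                      # expand
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def scoped_key(root: bytes, component: str, function: str) -> bytes:
    """Derive a key usable by one component for one function only."""
    # Length-prefix each label so ("ab", "c") and ("a", "bc") yield different keys.
    info = b"".join(len(p).to_bytes(2, "big") + p
                    for p in (component.encode(), function.encode()))
    return hkdf_sha256(root, info)

def tag_config(key: bytes, config: bytes) -> bytes:
    return hmac.new(key, config, hashlib.sha256).digest()

def verify_before_procedure(key: bytes, config: bytes, tag: bytes) -> bool:
    """Constant-time check that the config is the one that was tagged."""
    return hmac.compare_digest(tag_config(key, config), tag)

def demo() -> dict:
    arm_key = scoped_key(ROOT, "arm-controller", "config-integrity")
    img_key = scoped_key(ROOT, "imaging-console", "config-integrity")
    plan = b'{"procedure":"demo","max_force_n":4.0}'      # constructed treatment plan
    tag = tag_config(arm_key, plan)
    tampered = plan.replace(b"4.0", b"9.0")
    return {
        "intact_plan_accepted": verify_before_procedure(arm_key, plan, tag),
        "tampered_plan_accepted": verify_before_procedure(arm_key, tampered, tag),
        # A tag forged with another component's key must not pass on the arm controller.
        "cross_component_accepted": verify_before_procedure(
            arm_key, tampered, tag_config(img_key, tampered)),
    }

if __name__ == "__main__":
    print(demo())
```

An HMAC tag can be created by anyone who can verify it, so a design where the verifying component must not be able to author plans would use a digital signature in place of the tag.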
In the not-so-distant future, I believe we will be facing a world in which novel clinical interventions will be designed based on data that is immutable. This can only occur with robust, scalable and sustainable security systems built for these devices that persist over the lifetime of the device. The journey to uncharted clinical territory can only begin when we have security in place.
Authors: Axel Wirth and Vidya Murthy.
Axel Wirth Bio: As Chief Security Strategist, Axel Wirth provides strategic vision and industry leadership to MedCrypt and its customers. In this role, he helps guide the company in critical security strategy decisions and supports the adoption of leading security technologies to the healthcare industry. He’s an advocate for compliance, privacy, and security – and ultimately patient safety – in healthcare. Wirth draws from over 30 years of international experience in the industry.
Vidya Murthy Bio: Vidya is fascinated by the impact of cybersecurity on the healthcare space. Beginning her career in consulting, she realized a passion for healthcare and worked for global medical device manufacturer Becton Dickinson. She has since joined MedCrypt, a company focused on bringing cybersecurity leading practices to medical device manufacturers. Vidya holds an MBA from the Wharton School.