Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Surgical robots -- smart but insecure

Taylor Armerding | June 3, 2015
Remote surgical robotics offers the promise of bringing the best medical expertise anywhere in the world. But, so far, it can also be risky business, as a team of researchers demonstrated in a series of hacks

Andrew Ostashen, senior security engineer at Redspin, had a similar take. While he believes, "the medical device community needs to act quickly to prevent these devices from falling even farther and farther behind in security," he also believes their benefits outweigh the risks.

So does Martin Fisher, director of information security at Wellstar Health System. "If there's a 5% chance of the device being hacked and you die, and a 95% chance of you dying without the treatment the device provides, which one are you going to take?" he asked.

And for now, these are only theoretical questions anyway, according to Danny Lieberman, CTO of Software Associates. "The Raven is an open-source research project, which is not cleared for commercial use by the FDA," he said, adding that if it were submitted to the FDA for clearance, "it would go through a very thorough safety and security review."

That would be a good thing, other experts say, since they believe it is crucial to address the vulnerabilities now, since the chances of attacks could increase in the future.

"Today this (hacking telesurgery) is probably unlikely," said Eric Cowperthwaite, vice president, advanced security and strategy at Core Security. "But I think it is important that we remember that what seems unlikely or not feasible today may become quite real tomorrow.

"Bad guys have already demonstrated that healthcare is a target, both for data theft and blackmail," he said. "So, a vulnerable telesurgery system could be used for blackmail, very easily."

Indeed, it raises the question of why there is not more attention paid to security when designing sophisticated surgical devices that use the public Internet. Yes, every "smart" technological device or system -- the smartphone, smart home, smart car etc. -- has been proven vulnerable to hacks used for espionage, theft of personal information or money, or blackmail.

But most of those attacks don't carry life-or-death risks.

When it comes to addressing the vulnerabilities, there is general agreement that the open-source component of the system is not the major problem.

"Open source means more eyeballs and that is good -- very good," Lieberman said.

Cowperthwaite agrees in general, that, "there are many great reasons why it should be used, including the ability to detect and remediate vulnerabilities within open source very quickly." He also said it is here to stay. "Open-source code has conquered the world," he said.

"But at the same time, we see clearly that vulnerabilities within open source can have extremely broad impact. Just think about Heartbleed, for example."

Ostashen has the same concern. "Open-source software allows the community to test for security vulnerabilities, but also allows the black hat community access to the source code, which in turn they can develop exploits," he said.

 

Previous Page  1  2  3  Next Page 

Sign up for CIO Asia eNewsletters.