White Coat Hackers Expose “A Slew” Of Vulnerabilities In Tele-operated Surgical Robots


White coat hackers from the University of Washington have just published findings from a systematic evaluation of the potential security vulnerabilities found in teleoperated surgical robots. It should come as no surprise at this point that the team found a laundry list of potential issues. Healthcare has an abysmal record when it comes to securing its networks and IT systems, and a number of medical devices, including pacemakers and insulin pumps, have already been the subject of white coat hacking efforts that successfully demonstrated they could be remotely controlled once implanted. An important distinction in this study is that the researchers were not evaluating locally-operated surgical robots, which make up the vast majority of robots currently in use in operating rooms across the country. Instead, the team focused on the technology powering the emerging practice of using teleoperated surgical robots to perform surgeries, an idea that researchers hope will expand the medical community’s ability to support care delivery in rural areas, disaster areas, or war-torn areas.

In this review, researchers focused on the Raven II, an open-architecture surgical robot from a company called Applied Dexterity. The robot runs on open source software and is designed primarily to “facilitate collaborative research on advances in surgical robots.” The robot is currently installed in the labs at Harvard, Johns Hopkins, UCLA, and UC Berkeley, and one of its key features is the ability to perform telerobotic surgery.

In their analysis, researchers speculated that using teleoperated surgical robots in war-torn or disaster-stricken areas would require surgeons to rely on local networks with potentially weak network security configurations. As a result, the attacks used were all network-based. Researchers attacked a mock telerobotics configuration with three progressively complex hacks. The first attack attempted to block some of the commands sent by the surgeon from arriving at the robot, which was successful and caused the robot to move with sporadic, jerky motions. Next, researchers attempted to intercept and edit the commands being sent to see if hackers could actually exert some control over the robot during surgery; for example, changing the rotation of a robotic arm, or the distance an arm should move. This hack also worked, and while it was more difficult to execute, it was also found to be more difficult to detect. Finally, researchers attempted a complete system hijack, in which they took full control of the robot. This was done by passively monitoring packets from the surgeon as they passed through the network, identifying the current packet number, and then sending an erroneous packet that carried the next packet number in the sequence and contained alternative instructions. In the experiment, the robot not only complied with these instructions, but it also ignored any subsequent packets sent by the actual surgeon. In addition, researchers found that they were able to access both video and hemodynamic data feeds being sent back to the surgeon during the operation.
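The hijack described above works because the receiver trusts a packet on the strength of its packet number alone. The following is an added example, not code from the study or from the Raven II software: a constructed toy packet format and two hypothetical receivers (`SeqOnlyReceiver`, `AuthReceiver`) showing that weakness beside a receiver that requires a keyed integrity tag, assuming the surgeon's console and the robot share a session key.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 output size

def pack(seq, payload, key=None):
    """Constructed toy format: 4-byte packet number, payload, optional tag."""
    body = struct.pack("!I", seq) + payload
    return body + (hmac.new(key, body, hashlib.sha256).digest() if key else b"")

class SeqOnlyReceiver:
    """Weak: applies any packet whose number is newer than the last one seen."""
    def __init__(self):
        self.last_seq, self.applied = 0, []

    def receive(self, body):
        seq = struct.unpack("!I", body[:4])[0]
        if seq <= self.last_seq:
            return False  # stale or duplicate number: dropped
        self.last_seq = seq
        self.applied.append(body[4:])
        return True

class AuthReceiver(SeqOnlyReceiver):
    """Hardened: verifies the tag before the packet number is considered.
    Assumption: console and robot hold the same pre-shared session key."""
    def __init__(self, key):
        super().__init__()
        self.key, self.rejected = key, 0

    def receive(self, pkt):
        body, tag = pkt[:-TAG_LEN], pkt[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if len(pkt) < 4 + TAG_LEN or not hmac.compare_digest(tag, expected):
            self.rejected += 1  # a counter worth alerting on
            return False
        return super().receive(body)

def run(receiver, key=None):
    """Surgeon sends 1, a third party injects 2, surgeon sends the real 2."""
    wrong_key = b"not-the-session-key" if key else None
    return [
        receiver.receive(pack(1, b"surgeon: move 1 mm", key)),
        receiver.receive(pack(2, b"injected: move 9 mm", wrong_key)),
        receiver.receive(pack(2, b"surgeon: move 2 mm", key)),
    ]
```

With the weak receiver the injected packet is applied and the surgeon's packet bearing the same number is dropped; with the tag check the injected packet is rejected and counted. The tag addresses modification and injection only; blocked packets and the readable video and hemodynamic feeds are separate problems, the latter requiring encryption of the channel.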

While telerobotics is a fledgling field, it’s not entirely untested. Surgeons have already conducted full surgeries on live patients using telerobotic technologies like the ones tested in this review.
