Hospital robots are more vulnerable

Sheila Zabeu -

April 18, 2022

Robots commonly used in hundreds of hospitals around the world have been found to contain five vulnerabilities that make it easy for hackers to compromise patient care and even steal confidential information. These robots perform tasks such as transporting medicines and hospital supplies, and cleaning. Technologically, they are equipped with radio systems, sensors, cameras and other resources that let them open doors, take the lifts and move around hospitals unaided, without bumping into people and objects. It is precisely the technology that allows the robots to move independently that makes their vulnerabilities so dangerous.

The vulnerabilities were disclosed by Cynerio, a provider of Internet of Things (IoT) security solutions used in healthcare environments, and were collectively named JekyllBot:5. The affected robots, meanwhile, are branded Aethon TUG. The flaws reside in the JavaScript implementation and API of the TUG Homebase Server and also in a WebSocket that relies on reliable communication between the server and the robots to transmit commands, explains the Cynerio team.

Some of the most serious attack scenarios enabled by these vulnerabilities, which reach a CVSS score of 9.8, are:

  • Interruption of the proper delivery of medicines and laboratory samples;
  • Interfering with the treatment and operations of critical or time-sensitive patients by switching off or obstructing lifts and door locking systems;
  • Monitoring, videos and photos of vulnerable patients, staff and internal hospital environments, as well as access to confidential medical records;
  • Access and control of restricted areas, interaction with patients or collisions with staff, visitors and equipment;
  • Hijacking legitimate administrative user sessions on the bots’ portal and installing malware to carry out new cyber attacks.

“These vulnerabilities require little skill to exploit, no privileges and no interaction to carry out a successful attack. Once hacked, it is possible to take control, gain access to cameras and data in real time and wreak havoc and destruction in hospital environments using the robots,” says Asher Brass, head of network analysis at Cynerio.

Cynerio says it discovered the vulnerabilities while performing a deployment at a hospital it prefers not to identify. Anomalous network traffic was detected that appeared to be related to lift sensors, and further investigation led to an open HTTP port that gave access to a portal with information about the current status of the Aethon TUG robots, layout maps of the hospital, and photos and videos viewed by the robots. Further research revealed that it was also possible to take control of the robots through this unauthorized access.

On its website, Aethon states that the vulnerabilities have been mitigated by a patch and that it has no knowledge of the flaws having been exploited. It also warned that some false or misleading statements about the problem are circulating.

Favourite target of lawsuits

Data breach incidents have not only brought the traditional headaches of recovering IT environments, installing patches and deploying more stringent cybersecurity measures; growing litigation is now also affecting healthcare organizations. And while class actions are most often filed after large data breach incidents, litigation associated with smaller incidents is increasingly common.

According to the most recent data security incident report by the US law firm BakerHostetler, which analysed more than 1,200 data security incidents in 2021, the healthcare sector was the most heavily affected by litigation, accounting for 23% of the cases assessed.

Source: BakerHostetler

Previously, multidistrict litigation typically followed major data breach incidents. In 2021, however, a trend emerged of multiple lawsuits being filed in the same forum within weeks of an incident being reported, even for smaller cases. Lawsuits were also filed in a federal forum and concurrently in state forums over the same issue. This wave of duplicate lawsuits has increased both litigation defense costs and the ultimate cost of judgments, owing to the number of lawyers involved, according to BakerHostetler.

The report highlights that ransomware attacks that compromise data handled by healthcare providers have their own particular characteristics. For example, operational disruptions can produce life-threatening situations. When these attacks render patient data and related systems inaccessible, providers must move quickly to put alternative measures in place, which may include cancelling procedures, diverting ambulances and even transferring critical patients to other facilities.

Another problem specific to healthcare is the need to notify what are sometimes entire groups of patients. As attacks become increasingly sophisticated, succeeding in stealing multiple terabytes of data and covering all traces, there is often no forensic evidence to pinpoint precisely which patients are affected. So instead of spending time and money reviewing the affected files, healthcare providers simply notify a large group of potentially impacted patients.

To get an idea of the size of these groups: according to the Cyber Peace Institute, an average of around 155,000 records of all types (such as social security numbers, patient records, financial data and test results) are breached during attacks on healthcare providers, and this number can be much higher, with some incidents reporting more than 3 million records affected.