Cybersecurity Company Finds Vulnerabilities in Hospital Robots

By Eric Wicklund

An autonomous robot commonly used in hospitals to transport medication and other supplies from room to room could be hacked and used to spy on patients and staff, according to a New York-based healthcare IoT security company.

Cynerio announced earlier this month that its researchers had discovered five vulnerabilities in the innards of the Aethon TUG smart autonomous robot, which is sued in hundreds of healthcare sites around the world.

Robots like the Aethon TUG are used by hospitals to do light housekeeping and ferry items from one place to another, relying on radio waves, sensors and other technology to open doors, take elevators and maneuver through hallways without hitting anything. More advanced telepresence robots are being used to connect care providers in other locations with patients in their rooms or the Emergency Department and even perform some guided surgeries.

Collectively called the JekyllBot:5, the malware was found in the TUG Homebase Server’s JavaScript and API platforms, as well as a WebSocket that is used to relay commands from the server to the robot. According to a Cynerio press release, these vulnerabilities could:

  • Disrupt or impede the timely delivery of medications and lab samples;
  • Shut down or obstruct hospital elevators and door locking systems;
  • Monitor or even take videos and pictures of patients, staff, and hospital interiors, as well as sensitive patient medical records;
  • Control the robots to allow them to access restricted areas, interact with patients or crash into staff, visitors, and equipment; and
  • Hijack administrative user sessions in the robots’ online portal and inject malware through their browser to enable future cyberattacks on IT and security team members at healthcare facilities.

Cynerio has reportedly been working closely with Aethon to send patches to its customers to apply to the robots and has updated firewalls at some hospitals so that their IP addresses can’t be used to access the robots.

“These zero-day vulnerabilities required a very low skill set for exploitation, no special privileges, and no user interaction to be successfully leveraged in an attack,“ Asher Brass, Cynerio’s lead researcher on the JekyllBot:5 vulnerabilities and head of cyber network analysis, said in the press release. “If attackers were able to exploit JekyllBot:5, they could have completely taken over system control, gained access to real-time camera feeds and device data, and wreaked havoc and destruction at hospitals using the robots.”

Cybersecurity is pretty much at the top of everyone’s list of concerns in healthcare, due in part to an expected increase in hacking attempts caused by the war in Ukraine and the increasing use of digital health technologies in the healthcare ecosystem. Gartner analysts at the recent HIMSS 22 conference predicted that three-quarters of the top 20 life sciences organizations in the country will have been hacked by 2025, resulting in roughly $10 billion in revenue losses.

And the concerns aren’t limited to accessing sensitive and valuable data through web portals or e-mail scams. Robots and smart devices both within the hospital setting and outside the campus that can remotely access healthcare operations are at risk of being accessed and controlled. Experts have warned that these vulnerabilities can not only expose data but put lives at risk.

“Hospitals need solutions that go beyond mere healthcare IoT device inventory checks to proactively mitigate risks and apply immediate remediation for any detected attacks or malicious activity,” Cynerio founder and CEO Leon Lerman said in the press release. “Any less is a disservice to patients and the devices they depend on for optimal healthcare outcomes.”

Eric Wicklund is the Technology Editor for HealthLeaders.