In this episode of the podcast (#238) we speak with Daniel Brodie, the CTO at the firm Cynerio, about his firm’s discovery of a string of critical security flaws in an autonomous medical robot, TUG, that is already deployed in hundreds of clinical settings. We also talk about the larger and growing issue of medical device insecurity and cyber risks to healthcare providers.
As always, you can check our full conversation in our latest Security Ledger podcast at Blubrry. You can also listen to it on iTunes and Spotify. Or, check us out on Google Podcasts, Stitcher, Radio Public and more. Also: if you enjoy this podcast, consider signing up to receive it in your email. Just point your web browser to securityledger.com/subscribe to get notified whenever a new podcast is posted.
There was one clear message out of hearings on Capitol Hill this month on the cybersecurity of the healthcare sector: the cyber risk to clinical environments is growing – fast.
We’ve already seen the evidence of that. There was the October 2020 ransomware attack that shut down large parts of the University of Vermont (UVM) Health Network – an incident that cost tens of millions of dollars in damages. And there was the May 2021 attack on San Diego-based Scripps Health, which forced the health system to take a portion of its IT systems offline for several weeks and resulted in the theft of data on 150,000 patients.
Robots Driving Cyber Risk
But there’s another factor driving medical cyber risk: automation. As hospitals and healthcare providers turn to new technologies – including robots – to lower the costs of providing care, they are becoming more vulnerable to cyber attacks and disruption.
A case in point is the alert that CISA, the Cybersecurity and Infrastructure Security Agency, issued in early April regarding a string of serious vulnerabilities affecting a medical robot known as TUG, manufactured by the firm Aethon.
Remote Access, Physical Control
According to that alert, those vulnerabilities, which ranged in severity from CVSS scores of 7.6 to 9.8, could allow a remote, unauthenticated attacker to connect to and control TUG robots: autonomous vehicles that are deployed in hundreds of clinical environments and that interact with those environments by opening doors, summoning elevators and transporting medicines.
In this conversation, Daniel and I talk about how his team stumbled upon the TUG robots and their flaws while assisting a Cynerio customer, and about the larger issue of how insecure medical hardware – and the reluctance of both vendors and their customers to address it – is compounding cyber risk in clinical environments.