Telepresence robots enable physicians to administer care to patients in remote and rural areas, and extend the reach of healthcare to those who otherwise might go without it. The use of telepresence in healthcare isn’t new; it has operated for more than ten years and is an accepted part of medical practice in many care networks.
What has changed for telepresence is the emergence of a new set of security vulnerabilities that attack telepresence robots at the firmware level–where standard IT security practices often don’t extend.
“Robotic telepresence is a next-generation technology that allows a person in one location to replicate himself in another,” wrote Dan Regalado, Security Researcher at IoT security provider Zingbox in a 2018 research report. “The remote person can see you, hear you, interact with you, and move all around your location. But what if the person behind the robot is not who you think he is? What if the robot gets compromised, and now the attacker is watching you and your surroundings?”
Zingbox conducted research on a widely adopted telepresence robot and found several areas of security vulnerability:
- Attackers could intercept firmware updates for the robot by penetrating the network;
- Once the firmware was intercepted, hackers could extract files from the telepresence file system;
- Access to the telepresence robot could be gained physically by plugging in a USB device into the USB port of the robot and stealing the robot’s WI-FI credentials, which then provides remote hackers an entry point into the robot;
- Malicious code could be injected into the telepresence robot and then propagated throughout the network that the robot is attached to; and
- Hackers could steal pictures, images, records of conversations, and doctors’ instructions.
“The danger is that hackers can get into the robot through firmware and then steal sensitive information, logs, and video streams because they can penetrate the firmware,” said Regalado.
In healthcare, this is a major threat to security and privacy. These threats aren’t limited to healthcare, other industry sectors are at risk, too.
How do you combat new IoT security threats at the firmware level, which traditional IT security is not designed for? Here are four best practices:
1. Secure physical premises
Security measures for visitors to a patient or a hospital are not extreme, and equipment isn’t always locked down. That means it’s possible for non-authorized personnel to access a telepresence robot that is sitting idle in a patient’s room or in a treatment area.
To deal with this threat, firms using telepresence robots should address the physical aspect of IoT equipment security since it’s easy for anyone to pull out a USB device, insert it into a USB port on a robot and obtain the machine’s WI-FI credentials so that the machine can later be accessed from a remote location.
One way to tighten up physical security is to track all IoT assets, like telepresence robots, so that they can be monitored for secured physical access at all times.
SEE: Cybersecurity strategy research: Common tactics, issues with implementation, and effectiveness (Tech Pro Research)
2. Engage in continuous security dialogs with vendors
“Too many vendors of IoT equipment execute firmware updates but fail to notify customers when updates to firmware are available,” said Regalado. The best way to address this is to maintain communications with your vendors on software and firmware updates. By keeping software and firmware updated you lower your risk of an unwanted intrusion, which often occurs in earlier versions of software and firmware.
3. During the RFP process, evaluate prospective IoT vendors for best practices
Take time to select the best vendor for security. “There are security best practice checks you can perform, such as verifying that the vendor equipment doesn’t allow any unencrypted data to pass in or out of the machine,” said Regalado.
4.Perform beneficial hacking on your own
By regularly testing your machine with “friendly hacks,” you can probe for security holes and fix what you find. In this way, you give yourself the best possible chance of proactively preventing a hack that could be devastating to your company and your customers.