
Episode 238: Robots Are The Next Frontier In Healthcare Cyber Risk

In this episode of the podcast (#238) we speak with Daniel Brodie, the CTO at the firm Cynerio, about his firm’s discovery of a string of critical security flaws in an autonomous medical robot, TUG, that is already deployed in hundreds of clinical settings. We also talk about the larger and growing issue of medical device insecurity and cyber risks to healthcare providers.

As always, you can check out our full conversation in our latest Security Ledger podcast at Blubrry. You can also listen to it on iTunes and Spotify. Or, check us out on Google Podcasts, Stitcher, Radio Public and more. Also: if you enjoy this podcast, consider signing up to receive it in your email. Just point your web browser to securityledger.com/subscribe to get notified whenever a new podcast is posted.

[MP3]

There was one clear message out of hearings on Capitol Hill this month on the cybersecurity of the healthcare sector: the cyber risk to clinical environments is growing – fast. 

Daniel Brodie is the Chief Technology Officer at Cynerio.

We’ve already seen the evidence of that. There was the October 2020 ransomware attack that shut down large parts of the University of Vermont (UVM) Health Network – an incident that cost tens of millions of dollars in damages. And there was the May 2021 attack on San Diego-based Scripps Health, which forced the health system to take a portion of its IT systems offline for several weeks and resulted in the theft of data on 150,000 patients.

Robots Driving Cyber Risk


But there’s another factor driving medical cyber risk: automation. As hospitals and healthcare providers turn to new technologies – including robots – to lower the costs of providing care, they are becoming more vulnerable to cyber attacks and disruption.

A case in point is the alert that CISA, the Cybersecurity and Infrastructure Security Agency, issued in early April regarding a string of serious vulnerabilities affecting a medical robot known as TUG, manufactured by the firm Aethon.


The TUG autonomous robot. (Photo courtesy of Aethon.)

Remote Access, Physical Control

According to that alert, those vulnerabilities, which ranged in severity from CVSS scores of 7.6 to 9.8, could allow a remote, unauthenticated attacker to connect to and control TUG robots: autonomous vehicles that are deployed in hundreds of clinical environments and that interact physically with those environments by opening doors, summoning elevators and transporting medicines.


To understand more about the flaws, we spoke with one of the researchers who discovered and reported them, Daniel Brodie, the Chief Technology Officer of the medical cybersecurity firm Cynerio.

In this conversation, Daniel and I talk about how his team stumbled upon the TUG robots and their flaws while assisting a Cynerio customer, and about the larger issue of how insecure medical hardware – and the reluctance of both vendors and their customers to address it – is compounding cyber risk in clinical environments.

To listen to our podcast, click the button below to download the MP3 or use the player above!

2 Comments

  1. Very nice, thank you for sharing.

  2. Good voice for listening to podcasts.