CASE STUDY

Surgical Robotics System – Critical Vulnerability in a 3rd-Party Peripheral

Medical System: Surgical Robotics System
Project Date: May 2022
Services:
Project Leader:

About the Author

  • Dr. Mike Rushanan, Chief Scientist

    Dr. Mike Rushanan is the Chief Scientist at Harbor Labs. Dr. Rushanan has been on the front line of the medical device security industry since its inception, serving as the lead engineer on the FDA’s first ever cybersecurity alert in 2015. His extensive experience with all facets of medical cybersecurity, including regulatory policy, clinical technologies, healthcare IT, cryptography, and secure system design is reflected in the countless thousands of fielded medical systems certified through his reviews. Dr. Rushanan is renowned for his work in diabetes care cybersecurity. He has worked with most major providers and a broad set of diabetes care technologies, including insulin pumps, CGMs, closed loop systems, and diabetes management software. Dr. Rushanan also specializes in cardiac care systems, surgical robotics, next-gen sequencing systems, and drug infusion systems. Dr. Rushanan teaches the course Security and Privacy in Computing, and is the course designer and instructor of Medical Device Security at Johns Hopkins University. His Ph.D. from Johns Hopkins University is in the area of Computer System and Network Security.

Harbor Labs was contracted by a manufacturer of a specialized surgical robotics system to conduct a pre-market cyberthreat analysis (CTA) in support of their 510(k) submission. The analysis encompassed multiple assets beyond the robot itself: control software, a cloud backend, attached 3rd-party peripherals, and the network connectivity between each of these endpoints. Like many modern medical devices, and virtually all surgical robotics, this was a true system-of-systems that required a diverse set of pen tests and a multidisciplinary security analysis.

While the client's device was generally secure, requiring only a few recommendations from Harbor Labs to remediate a short list of discovered vulnerabilities, pen testing revealed that one of the video display peripherals had a critical vulnerability. The firmware on this 3rd-party device, an essential component of the overall surgical system, contained an unauthorized-access vulnerability that, if exploited, granted root access. With root access, an attacker could read any data on the file system, including wireless network credentials, and remount the system partition as writable, enabling arbitrary modifications to the firmware. Harbor Labs assigned the vulnerability a CVSS v3.1 score of 9.8.

Harbor Labs staff worked with the client to identify other peripherals that could serve as a secure alternative. Simultaneously, Harbor Labs worked with both the client and the FDA on the responsible disclosure of the vulnerability, consulting with the CDRH Director of Medical Device Cybersecurity personally to determine how other devices might be similarly affected.

By identifying the vulnerability during the pre-market CTA process, Harbor Labs ensured that the client's system design was secure and that their 510(k) submission would reflect a thorough, expert security analysis. Moreover, by eliminating the vulnerability pre-market, the client averted the debacle of having it discovered post-market, with the resulting impact on both clinical operations and client reputation.


CAPABILITIES

Ready to Help at Any Stage

Not every project fits into a predefined path—and not every security challenge starts with compliance. We also support research teams, software developers, and security leads with targeted expertise and custom testing strategies. If it’s complex, connected, and critical, we’re ready to help.

Persistent Vulnerability Monitoring

Continuous analysis of deployed devices to surface and track emerging threats.

Security & Data Privacy

Design support and documentation to help meet regulatory expectations.

Hardware Testing

Interface validation, physical compromise evaluation, and teardown analysis.

Software & Firmware Testing

Vulnerability analysis, fuzz testing, and formal verification for medical codebases.
