Healthcare providers must keep a vigilant cybersecurity posture. After all, vulnerabilities in the Internet of Medical Things (IoMT) cost hospitals nearly $21 billion in 2021.

Recent security discoveries by Ivanti partner Cynerio made that statistic personal for many providers. While working with an existing healthcare customer, Cynerio found five zero-day vulnerabilities (flaws unknown to the vendor, with no patch available at the time of discovery) in Aethon TUG autonomous robots, an IoMT device found in many healthcare facilities.

What are Aethon TUG robots?

Hundreds of hospitals around the world deploy Aethon TUG smart mobile robots to deliver medicine and maintenance supplies. They can even perform simple tasks, such as emptying waste baskets.

A diverse collection of sensors and cameras enable these robots to move around a hospital without bumping into anyone or anything.

These robots are primarily used by nursing, pharmacy, lab, food service and waste removal departments to increase efficiency and reduce labor costs.

What IoMT vulnerabilities did Cynerio find in Aethon TUG robots?

The IoMT vulnerabilities Ivanti partner Cynerio found in its healthcare customer's Aethon TUG robots could allow an attacker to:

  1. Disrupt or delay the delivery of patient medications and lab samples that are essential to patient care.
  2. Shut down or obstruct the hospital elevators and door-locking systems the robots interact with.
  3. Monitor, photograph or record sensitive patient medical records, as well as vulnerable patients, staff and hospital interiors, through the robots' cameras.
  4. Take full control of the robots' movement and physical functions, using them to enter restricted areas, interact with patients without supervision, or crash into staff, visitors and equipment.
  5. Hijack legitimate administrator sessions in the robots' web portal and inject malicious code through the robots' browser, extending the attack to the IT and security staff of the affected facilities.

Until they are remediated, the Aethon TUG vulnerabilities leave patients and providers exposed to attack by cyber criminals.

How can healthcare providers address the Aethon TUG vulnerabilities?

There are three primary measures for securing Aethon TUG robots against these vulnerabilities. Only the first removes the flaws; the other two limit who can reach a robot that has not yet been updated:

  1. Apply Aethon's firmware update; the fixes are included in its version 24 firmware release. TUG robots running earlier firmware remain vulnerable to attacks exploiting these vulnerabilities.
  2. Disable external connectivity for all Aethon TUG robots so they cannot be reached from outside the hospital network.
  3. Place the TUG robots on their own network segment to minimize their exposure.

For additional protection, the Cybersecurity and Infrastructure Security Agency (CISA) recommends:

  • Not exposing control system devices and systems to the Internet.
  • Locating all control systems behind firewalls.
  • Isolating systems such as the TUG Home Base Server from business networks.
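The segmentation described in the two lists above can be written down as a firewall policy. The ruleset below is an added example, not configuration from this page, Cynerio, Aethon or CISA. It assumes hypothetical address ranges (robots on 10.20.0.0/24, the TUG Home Base Server at 10.30.0.10, an administrative management network on 10.40.0.0/24) and assumes the Home Base Server portal is served on TCP 443; every one of those values is a placeholder to be replaced with the site's own. It also assumes, for illustration, that robots and the Home Base Server need to initiate connections to each other in both directions.

```nftables
#!/usr/sbin/nft -f
# Added example: network segmentation for TUG robots and the TUG Home Base Server.
# All addresses, interface roles and ports below are assumptions for illustration,
# not values taken from Aethon or Cynerio documentation.

define ROBOT_NET  = 10.20.0.0/24   # assumed: VLAN holding the TUG robots
define HBS        = 10.30.0.10     # assumed: TUG Home Base Server address
define MGMT_NET   = 10.40.0.0/24   # assumed: admin workstations allowed to use the portal
define HBS_PORTAL = 443            # assumed: port of the Home Base Server web portal

flush ruleset

table inet tug_segmentation {
    chain forward {
        # Default deny between segments: anything not listed below is dropped.
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Robots may talk only to the Home Base Server (assumed: both sides initiate).
        ip saddr $ROBOT_NET ip daddr $HBS accept
        ip saddr $HBS ip daddr $ROBOT_NET accept

        # Administrators reach the portal only from the management network.
        ip saddr $MGMT_NET ip daddr $HBS tcp dport $HBS_PORTAL accept

        # Everything else hits the drop policy: robots to the Internet, the
        # business network to robots or the Home Base Server, and the Home Base
        # Server to the business network. Log the drops so attempts are visible.
        limit rate 10/minute log prefix "tug-seg-drop: "
    }
}
```

Load it with `nft -f` on the router or firewall between the VLANs and confirm with `nft list ruleset`. The check that matters afterwards is a connection attempt from an ordinary business workstation to a robot and to the Home Base Server: both must fail, and the attempts must show up under the `tug-seg-drop:` prefix in the firewall log. Because the policy allows nothing to a robot except the Home Base Server, a compromised robot also cannot be used to reach the rest of the hospital network, which matters for the session-hijacking and malware-injection scenario above.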

To learn more about this IoMT vulnerability disclosure, we encourage you to review the HIPAA Journal article on it. Aethon has also released a statement on the vulnerabilities.

If your organization is ready for proactive remediation and security of all its IoMT devices, then you may be interested in Ivanti’s Neurons for Healthcare.