Sage Journals: Discover world-class research

Abstract

Objective

This study identifies cybersecurity vulnerabilities and risks in robotic-assisted surgery (RAS) and proposes a cybersecurity framework and an assessment tool for RAS systems.

Background

RAS systems are increasingly integrated into networks which raise cybersecurity concerns. These systems can enhance surgical outcomes but are potential cyberattack targets, which can affect clinician care, patient safety, and organizational operations.

Method

Surveys and interviews were conducted with stakeholders (clinicians, researchers, cybersecurity professionals, and hospital administrators) to collect perspectives on RAS cybersecurity. Thematic analysis was used to develop an RAS cybersecurity framework. Then, stakeholders contributed to creating an RAS cybersecurity assessment tool using Failure Modes, Effects and Criticality Analysis (FMECA).

Results

Survey responses (n = 84) revealed that 48.8% of respondents were familiar with RAS cybersecurity. Only 24.6% of clinical respondents were aware of their organization’s cybersecurity policy. Interviews (n = 15) identified vulnerabilities such as inadequate training, limited communication between manufacturers and healthcare systems, and gaps in regulations. Failure modes focused on consequences of cyberattacks on RAS systems, with severity assessments related to patient health and technology reliability/integrity completed and outcome actions identified.

Conclusion

Understanding RAS cybersecurity challenges is still in its infancy. Key vulnerabilities include insufficient training, limited data sharing, and external threats. The framework illustrates the interconnectedness of stakeholders, while the FMECA assessment tool addresses current vulnerabilities in RAS systems.

Application

RAS cybersecurity vulnerability and risks should be carefully considered when integrating systems into healthcare organizations, and the RAS cybersecurity assessment tool can be used by stakeholders to systematically identify and analyze potential cybersecurity failure modes.

Keywords

healthcare cybersecurity clinician robotic-assisted surgery qualitative research survey

Get full access to this article

View all access options for this article.

References

Afrin

Jin

Rahman

Wan

Hossain

(2021). Resource allocation and service provisioning in multi-agent cloud robotics: A comprehensive survey. https://ieeexplore-ieee-org.libproxy.clemson.edu/stamp/stamp.jsp?tp=&arnumber=9360855&tag=1

Ahmed

Khan

M. S.

Dasgupta

(2013). Development and content validation of a surgical safety checklist for operating theatres that use robotic technology. BJU International, 111(7), 1161–1174. https://doi.org/10.1111/bju.12010

Alder

(2024). Ascension ransomware attack: Initial access vector and data theft confirmed. The HIPAA Journal. https://www.hipaajournal.com/ascension-cyberattack-2024/

Aldosari

(2025). Cybersecurity in healthcare: New threat to patient safety. Cureus, 17(5), Article e83614. https://doi.org/10.7759/cureus.83614

Ali

Mijwil

(2024). Cybersecurity for sustainable smart healthcare: State of the art, taxonomy, mechanisms, and essential roles. Mesopotamian Journal of CyberSecurity, 4(2), 20–62. https://doi.org/10.58496/MJCS/2024/006

Alshamrani

Myneni

Chowdhary

Huang

(2019). A Survey on advanced persistent threats: Techniques, solutions, challenges, and research opportunities. IEEE Communications Surveys & Tutorials, 21(2), 1851–1877. https://doi.org/10.1109/COMST.2019.2891891

Ascension . (2024). Cybersecurity event update. Ascension. https://about.ascension.org/cybersecurity-event

Ayala

(2016). Cybersecurity for hospitals and healthcare facilities. Apress. https://doi.org/10.1007/978-1-4842-2155-6

Ball

Fuller

Cha

J. S.

(2025). Identification of surgical human-robot interactions and measures during robotic-assisted surgery: A scoping review. Applied Ergonomics, 125(1), Article 104478. https://doi.org/10.1016/j.apergo.2025.104478

10.

Baumann

A. P.

O’Neill

Owens

M. C.

Weber

S. C.

Sivan

D’Amico

Carmody

Bini

Sawyer

A. J.

Lotz

J. C.

Goel

Dmitriev

A. E.

(2021). FDA public workshop: Orthopaedic sensing, measuring, and advanced reporting technology (SMART) devices. Journal of Orthopaedic Research: Official Publication of the Orthopaedic Research Society, 39(1), 22–29. https://doi.org/10.1002/jor.24833

11.

Ben-Asher

Meyer

(2018). The triad of risk-related behaviors (TriRB): A three-dimensional model of cyber risk taking. Human Factors, 60(8), 1163–1178. https://doi.org/10.1177/0018720818783953

12.

BenMessaoud

Kharrazi

MacDorman

K. F.

(2011). Facilitators and barriers to adopting robotic-assisted surgery: Contextualizing the unified theory of acceptance and use of technology. PLoS One, 6(1), Article e16395. https://doi.org/10.1371/journal.pone.0016395

13.

Bernadotte

(2023). Cyber security for surgical remote intelligent robotic systems. In 2023 9th international conference on automation (pp. 65–69). Robotics and Applications (ICARA). https://doi.org/10.1109/ICARA56516.2023.10126050

14.

Chiaradonna

Jevtić

Lanchier

(2023). Framework for cyber risk loss distribution of hospital infrastructure: Bond percolation on mixed random graphs approach. Risk Analysis: An Official Publication of the Society for Risk Analysis, 43(12), 2450–2485. https://doi.org/10.1111/risa.14127

15.

Chng

H. Y.

Kumar

Yau

(2022). Hacker types, motivations and strategies: A comprehensive framework. Computers in Human Behavior Reports, 5(1), Article 100167. https://doi.org/10.1016/j.chbr.2022.100167

16.

Chun Tie

Birks

Francis

(2019). Grounded Theory Research: A design framework for novice researchers. Sage Open Medicine, 7(1), Article 205031211882292. https://doi.org/10.1177/2050312118822927

17.

Clarke

Martin

(2024). Managing cybersecurity risk in healthcare settings. Healthcare Management Forum, 37(1), 17–20. https://doi.org/10.1177/08404704231195804

18.

Clarke-Salt

(2009). SQL injection attacks and defense. Elsevier.

19.

Coventry

Branley

(2018). Cybersecurity in healthcare: A narrative review of trends, threats and ways forward. Maturitas, 113(1), 48–52. https://doi.org/10.1016/j.maturitas.2018.04.008

20.

DeRosier

Stalhandske

Bagian

J. P.

Nudell

(2002). Using health care Failure Mode and Effect Analysis: The VA National Center for Patient Safety’s prospective risk analysis system. Joint Commission Journal on Quality Improvement, 28(5), 248–267. https://doi.org/10.1016/s1070-3241(02)28025-6

21.

Devender

M. V.

McDonald

J. T.

(2023). A quantitative risk assessment framework for the cybersecurity of networked medical devices. International Conference on Cyber Warfare and Security, 18(1), 1. https://doi.org/10.34190/iccws.18.1.986

22.

FDA . (2023). Cybersecurity in medical devices: Quality system considerations and content of premarket submissions. https://www.fda.gov/regulatory-information/search-fda-guidance-documents/cybersecurity-medical-devices-quality-system-considerations-and-content-premarket-submissions

23.

FDA . (2024). Select updates for the premarket cybersecurity guidance: Section 524B of the FDC act. https://www.fda.gov/regulatory-information/search-fda-guidance-documents/select-updates-premarket-cybersecurity-guidance-section-524b-fdc-act

24.

Fosch-Villaronga

Mahler

(2021). Cybersecurity, safety and robots: Strengthening the link between cybersecurity and safety in the context of care robots. Computer Law & Security Report, 41(1), Article 105528. https://doi.org/10.1016/j.clsr.2021.105528

25.

Fosch-Villaronga

Millard

(2019). Cloud robotics law and regulation: Challenges in the governance of complex and dynamic cyber–physical ecosystems. Robotics and Autonomous Systems, 119(1), 77–91. https://doi.org/10.1016/j.robot.2019.06.003

26.

Fuller

Kennedy

Ball

Duffie

Gainey

Luo

Joseph

Carbonell

Cha

J. S.

(2025). Understanding the challenges of robotic-assisted surgery adoption: Perspectives from stakeholders and the general population on human-interaction, built environment, and training. Applied Ergonomics, 122(1), Article 104403. https://doi.org/10.1016/j.apergo.2024.104403

27.

Gioulekas

Stamatiadis

Tzikas

Gounaris

Georgiadou

Michalitsi-Psarrou

Doukas

Kontoulis

Nikoloudakis

Marin

Cabecinha

Ntanos

(2022). A cybersecurity culture survey targeting healthcare critical infrastructures. Healthcare, 10(2), 327. https://doi.org/10.3390/healthcare10020327

28.

Gordon

W. J.

Ikoma

Lyu

Jackson

G. P.

Landman

(2022). Protecting procedural care—Cybersecurity considerations for robotic surgery. Npj Digital Medicine, 5(1), 148. https://doi.org/10.1038/s41746-022-00693-8

29.

Grandhi

S. R.

Still

J. D.

(2025). Deciphering human error: Improving cybersecurity reporting. Proceedings of the Human Factors and Ergonomics Society - Annual Meeting, 69(1), Article 10711813251358790. https://doi.org/10.1177/10711813251358790

30.

Greig

(2023). Seattle cancer center confirms cyberattack after ransomware gang threats. https://therecord.media/seattle-fred-hutch-cancer-center-ransomware-attack

31.

Hakimi

Mustafa Quchi

Wajid Fazil

(2024). Human factors in cybersecurity: An in depth analysis of user centric studies. Jurnal Ilmiah Multidisiplin Indonesia (JIM-ID), 3(01), 20–33. https://doi.org/10.58471/esaprom.v3i01.3832

32.

Hanna

Murphy

Foody

(2024). A cyberattack forces a big US health system to divert ambulances and take records offline. AP News. https://apnews.com/article/cyberattack-hospital-system-ambulances-diverted-ascension-728ab2a0e5afaf7c344e46a5ce5ca42c

33.

Harish

Ackery

Grant

Jamieson

Mehta

(2023). Cyberattacks on Canadian health information systems. Canadian Medical Association Journal: Canadian Medical Association Journal, 195(45), E1548–E1554. https://doi.org/10.1503/cmaj.230436

34.

HC3 . (2024). Healthcare sector DDoS guide. https://www.hhs.gov/sites/default/files/healthcare-sector-ddos-guide-analyst-tlpclear.pdf

35.

Holden

R. J.

Carayon

Gurses

A. P.

Hoonakker

Hundt

A. S.

Ozok

A. A.

Rivera-Rodriguez

A. J.

(2013). SEIPS 2.0: A human factors framework for studying and improving the work of healthcare professionals and patients. Ergonomics, 56(11), 1669–1686. https://doi.org/10.1080/00140139.2013.838643

36.

Hsieh

H.-F.

Shannon

S. E.

(2005). Three approaches to qualitative content analysis. Qualitative Health Research, 15(9), 1277–1288. https://doi.org/10.1177/1049732305276687

37.

Hylender

Langlois

Pinto

Widup

(2024). Verizon 2024 data breach investigations report. Verizon. https://verizon.com/dbir

38.

Jalali

M. S.

Razak

Gordon

Perakslis

Madnick

(2019). Health care and cybersecurity: Bibliometric analysis of the literature. Journal of Medical Internet Research, 21(2), Article e12644. https://doi.org/10.2196/12644

39.

Jerry-Egemba

(2024). Safe and sound: Strengthening cybersecurity in healthcare through robust staff educational programs. Healthcare Management Forum, 37(1), 21–25. https://doi.org/10.1177/08404704231194577

40.

Juang

Greenstein

(2018). Integrating visual mnemonics and input feedback with passphrases to improve the usability and security of digital authentication. Human Factors, 60(5), 658–668. https://doi.org/10.1177/0018720818767683

41.

Karwowski

Salvendy

Albert

Kim

W. C.

Denton

Dessouky

Dolgui

Duffy

Kumara

Madni

A. M.

McGinnis

Rouse

Shamma

Shen

Simchi-Levi

Swann

Tiwari

M. K.

(2025). Grand challenges in industrial and systems engineering. International Journal of Production Research, 63(4), 1538–1583. https://doi.org/10.1080/00207543.2024.2432463

42.

Krippendorff

(2019). Content analysis: An introduction to its methodology (4th ed.). Sage.

43.

Kumar

Sinha

(2021). A robust intelligent zero-day cyber-attack detection technique. Complex & Intelligent Systems, 7(5), 2211–2234. https://doi.org/10.1007/s40747-021-00396-9

44.

Liu

(2021). A comprehensive review study of cyber-attacks and cyber security; emerging trends and recent developments. Energy Reports, 7(1), 8176–8186. https://doi.org/10.1016/j.egyr.2021.08.126

45.

Liska

Stowe

(2016). DNS security: Defending the domain name system. Syngress.

46.

Marcus

H. J.

Ramirez

P. T.

Khan

D. Z.

Layard Horsfall

Hanrahan

J. G.

Williams

S. C.

Beard

D. J.

Bhat

Catchpole

Cook

Hutchison

Martin

Melvin

Stoyanov

Rovers

Raison

Dasgupta

Noonan

Stocken

McCulloch

(2024). The IDEAL framework for surgical robotics: Development, comparative evaluation and long-term monitoring. Nature Medicine, 30(1), 1–75. https://doi.org/10.1038/s41591-023-02732-7

47.

Mikulak

R. J.

McDermott

Beauregard

(2017). The basics of FMEA. CRC Press.

48.

Murphy

(2024). Change Healthcare cyberattack was due to a lack of multifactor authentication, UnitedHealth CEO says. AP News. https://apnews.com/article/change-healthcare-cyberattack-unitedhealth-senate-9e2fff70ce4f93566043210bdd347a1f

49.

Naeem

Ozuem

Howell

Ranfagni

(2023). A step-by-step process of thematic analysis to develop a conceptual model in qualitative research. International Journal of Qualitative Methods, 22(1), Article 16094069231205789. https://doi.org/10.1177/16094069231205789

50.

Nelson

Rekhi

Souppaya

Scarfone

(2025). Incident response recommendations and considerations for cybersecurity risk management. NIST special publication 800(NIST SP 800-61r3) (p. 48). https://doi.org/10.6028/NIST.SP.800-61r3

51.

Nifakos

Chandramouli

Nikolaou

C. K.

Papachristou

Koch

Panaousis

Bonacina

(2021). Influence of human factors on cyber security within healthcare organisations: A systematic review. Sensors, 21(15), 5119. https://doi.org/10.3390/s21155119

52.

Niki

Saira

Arvind

Mike

(2022). Cyber-attacks are a permanent and substantial threat to health systems: Education must reflect that. DIGITAL HEALTH, 8(1), Article 205520762211046. https://doi.org/10.1177/20552076221104665

53.

O’Connor

S. C.

Mallard

Desai

S. S.

Couto

Gottlieb

Ewing

Cobb

W. S.

Carbonell

A. M.

Warren

J. A.

(2020). Robotic versus laparoscopic approach to Hiatal Hernia Repair: Results after 7 years of robotic experience. The American Surgeon, 86(9), 1083–1087. https://doi.org/10.1177/0003134820943547

54.

Office of the Chief Information Officer (OCIO) . (2020). HC3 about us [Text]. https://www.hhs.gov/about/agencies/asa/ocio/hc3/about/index.html

55.

Sawyer

B. D.

Hancock

P. A.

(2018). Hacking the human: The prevalence paradox in cybersecurity. Human Factors, 60(5), 597–609. https://doi.org/10.1177/0018720818780472

56.

Strijker

Van Santvoort

H. C.

Besselink

M. G.

Van Hillegersberg

Borel Rinkes

I. H. M.

Vriens

M. R.

Molenaar

I. Q.

(2013). Robot‐assisted pancreatic surgery: A systematic review of the literature. HPB: The Official Journal of the International Hepato Pancreato Biliary Association, 15(1), 1–10. https://doi.org/10.1111/j.1477-2574.2012.00589.x

57.

Tamilmani

Rana

N. P.

Wamba

S. F.

Dwivedi

(2021). The extended Unified Theory of Acceptance and Use of Technology (UTAUT2): A systematic literature review and theory evaluation. International Journal of Information Management, 57(1), Article 102269. https://doi.org/10.1016/j.ijinfomgt.2020.102269

58.

Tanimu

J. A.

Abada

(2025). Addressing cybersecurity challenges in robotics: A comprehensive overview. Cyber Security and Applications, 3(1), Article 100074. https://doi.org/10.1016/j.csa.2024.100074

59.

Vukotich

(2023). Healthcare and cybersecurity: Taking a zero trust approach. Health Services Insights, 16(1), Article 11786329231187826. https://doi.org/10.1177/11786329231187826

60.

Waddell

(2024). Human factors in cybersecurity: Designing an effective cybersecurity education program for healthcare staff. Healthcare Management Forum, 37(1), 13–16. https://doi.org/10.1177/08404704231196137

61.

Wang

Lau

Gerdes

R. M.

(2018). Examining cybersecurity of cyberphysical systems for critical infrastructures through work domain analysis. Human Factors, 60(5), 699–718. https://doi.org/10.1177/0018720818769250

62.

Wani

T. A.

Mendoza

Gray

(2021). Bring-your-own-device usage trends in Australian Hospitals – A National Survey. In Merolli

Bain

Schaper

L. K.

(Eds.), Studies in health technology and informatics. IOS Press. https://doi.org/10.3233/SHTI210002

63.

Weigl

Catchpole

Wehler

Schneider

(2020). Workflow disruptions and provider situation awareness in acute care: An observational study with emergency department physicians and nurses. Applied Ergonomics, 88(1), Article 103155. https://doi.org/10.1016/j.apergo.2020.103155

64.

Wilson

(2016). CyberFMECA an adaptation of the FMECA process to cyber effects criticality determination. In 19th annual NDIA systems engineering conference. https://ndia.dtic.mil/wp-content/uploads/2016/systems/19020_RoyWilson.pdf

65.

Yeoh

Liu

Shore

Jiang

(2023). Zero trust cybersecurity: Critical success factors and A maturity assessment framework. Computers & Security, 133(1), Article 103412. https://doi.org/10.1016/j.cose.2023.103412

Supplementary Material

Please find the following supplemental material available below.

For Open Access articles published under a Creative Commons License, all supplemental material carries the same license as the article it is associated with.

For non-Open Access articles published, all supplemental material carries a non-exclusive license, and permission requests for re-use of supplemental material or any part of supplemental material shall be sent directly to the copyright owner as specified in the copyright notice associated with the article.

0.00 MB

1.13 MB

Cybersecurity Risks and Vulnerabilities in Robotic-Assisted Surgery

Abstract

Objective

Background

Method

Results

Conclusion

Application

Keywords

Get full access to this article

References

Supplementary Material