Beruflich Dokumente
Kultur Dokumente
Gregory S. Lee∗
Mechanical Engineering, The University of Texas at Dallas, Richardson, TX 75080, USA
Bhavani Thuraisingham
Computer Science, The University of Texas at Dallas, Richardson, TX 75080, USA
Abstract
Next generation surgical robots capable of teleoperated surgery are being developed by the BioRobotics
Laboratory at the University of Washington and SRI International. Using these robots, surgeons may
perform surgery on patients at remote locations. The robots are being developed with the intended purpose
of being deployed to the battlefield to provide immediate medical assistance to injured soldiers by surgeons
in safe and remote locations. These two research groups have begun developing an open standard called
the Interoperable Telesurgery Protocol (ITP) which provides a standardized framework for communications
between the surgical robot and the surgical robot controller. A collaboration between the BioRobotics Lab
and The University of Texas at Dallas has been established to design and implement a security enhancement
for the surgical robot cyber physical system. The Advanced Encryption Standard (AES) algorithm enciphers
data exchanged between the surgical robot and surgical robot controller using the Transport Layer Security
(TLS) protocol for Transmission Control Protocol (TCP) packets and Datagram Transport Layer Security
(DTLS) protocol for User Datagram Protocol (UDP) packets. The controller and robot are authenticated
using X.509 certificates. Certificates also provide authorization levels for both robot and controller upon
which security policies governing the operation of the surgical robots are constructed. The Secure ITP
will facilitate the adoption of surgical robotics in military and civilian applications by providing security to
prevent adversarial intervention and provide Health Insurance Portability and Accountability Act (HIPAA)
compliance. The open source software package OpenSSL was used in the development.
Key words: Cyber Physical Systems, Security, Surgical Robotics
2. Background
Figure 1: The software simulator uses the same code as the
°
R
actual Raven Surgical Robot. The software simulator allows urgical robots, such as the daVinci by Intu-
two Falcon haptic displays manufactured by Novint Incorpo-
rated to send position information over the network to the
S itive Surgical Incorporated, are being used for
a growing number of surgeries. These robots al-
surgical robot which displays the position of the robot on a
different computer. low surgeons to perform MIS by providing robotic
arms which a surgeon controls from a console. Sur-
geons perform MIS using the daVinci surgical robot
The BRL and SRI have established a collabo- on patients in a manner that reduces fatigue be-
ration to standardize communications between a cause the robotic system provides a standardized
surgical robot controller and a surgical robot, also and ergonomic interface from which the surgeons
called the master and slave. The standard, named may control the surgical robot. The arms of the
the Interoperable Telesurgery Protocol (ITP), al- surgical robot may then be placed in whatever con-
lows surgical robots to be operated interchange- figuration necessary to manipulate the tissues and
ably by different controllers[2]. The existence of structures of a patient. These robotic arms can hold
such a protocol also simplifies the development of the surgical tools in configurations impossible for a
new controllers. Many surgical device and surgi- human surgeon to reach, thereby allowing surgeons
cal robot researcher have entered the collaboration to perform procedures which were previously im-
and adopted the standard and an early version of possible. In fact, current surgical robots even allow
the protocol has been tested among a number of surgeons to use more complex and dexterous tools
surgical robot researchers[3]. than are available for non-robotic MIS surgery.
Security must be applied to these robots before The surgical controller station allows surgeons
they can be used to perform telesurgery. Surgical to perform surgery from a standardized and com-
robots fit the definition of a Cyber Physical System fortable control station. This allows a surgeon to
which is a class of device defined by the Department manipulate tissue through input to the controller
of Homeland Security as being under secured. The and based on information viewed on a monitor.
University of Texas at Dallas (UTD) and the BRL This abstracts surgery to the point that it becomes
have begun a collaboration to develop a security en- an exchange of information between the surgeon
hancement to the ITP, the Secure ITP, to address and robot through the surgical robot instrument[5].
these issues at an early stage of development. This This abstraction renders the physical location of the
development has used a software simulation based surgeon virtually irrelevant[5]. As a result, teleop-
on the actual code base from the Raven Surgical erated surgical robots have become the focus of next
Robot[4]. (See Figure 1.) Four areas have been ad- generation development to the point that robotic
dressed in this preliminary Secure ITP standard: surgery and telesurgery have become nearly syn-
authentication, authorization, encryption, and ba- onymous. The focus of many of the development
sic policy development and enforcement.
The Secure ITP uses X.509 Version 3 certificates 1 Diffie-Hellman parameters create shared secret cipher
to authenticate both the master and slave equip- keys between a client unique to each session.
2
efforts is designing a surgical robot capable of being compared to the daVinci surgical robot. Both M7
deployed to a battlefield. This is one of the many and daVinci surgical robots have been controlled
elements of the DARPA TraumaPod Project[6]. over dedicated communications networks and the
Such a medical presence in the battlefield will public Internet by surgeons using a master con-
provide even quicker and more highly trained med- troller located hundreds and thousands of miles
ical assistance to injured soldiers while simultane- away from the surgical robot[10, 6].
ously keeping medical personnel in a safe location.
Both projects have begun collaboratively devel-
Teleoperated surgical robots will one day benefit
oping a communications standard for exchanging
civilian medicine by allowing highly specialized sur-
information between the master and slave of the
geons to intervene where typically they could not;
surgical robot called the Interoperable Telesurgery
or it could allow groups of surgeons to provide care
Protocol (ITP). The specification details how the
in disaster areas without detracting from other aid
master and slave components communicate and
services. The usability of telesurgery, however, de-
provides the ability for masters and slaves to be
pends not only on the design of the robot mecha-
operated interchangeably and developed indepen-
nism and timely communications, but the ability to
dently of the surgical robot platforms themselves.
exchange information with the surgical robot in a
The protocol is relatively new and still under devel-
safe and secure fashion.
opment, however, a number of other surgical robot
Current surgical robots approved by the United
developers have adopted the protocol and a prelim-
States Food and Drug Administration for surgery
inary test of interoperability has taken place[3].
on humans have been adapted for telesurgery, but
only in rare, specialized and dedicated instances[7]. The ITP focuses on device operation and interop-
Without special adaptation these surgical robots erability. No specifications have addressed securing
require surgeons to be located physically near the the communications or the design of security poli-
patient during the surgery. Next generation sur- cies necessary for telesurgery using surgical robots.
gical robots aim to provide the ability to perform The ITP does not validate or verify information be-
telesurgery using robots over a generic communica- ing sent or received beyond a checksum. Also, the
tions link. They are specifically designed to allow protocol only includes the control of the robot; the
the master and slave to be placed in arbitrary ge- streaming of video is currently handled separately.
ographic locations and to communicate on every- Cyber physical systems, like surgical robots, have
thing from dedicated private communications net- been identified by the Department of Homeland Se-
works to the public Internet2 . curity as a class of device which should be developed
The BRL at the University of Washington has to be secure from the early stages of development.
developed a next generation surgical robot proto-
The research conducted at the BRL and at SRI
type named the Raven[8]. The design of this new
has the stated purpose of developing a surgical
surgical robot leverages measurements collected by
robot capable of being deployed to the battlefield.
BRL researchers from surgeons performing surgi-
The nature of such an environment necessitates a
cal techniques using instrumented tools[9]. The
safe, secure and resilient communications channel.
measurements resulted in a surgical robot system
As non-military adoption of teleoperated surgical
that was specifically designed to perform well over
robots increases, many other rules and guidelines
the dexterous workspace of a surgeon and capable
become applicable. Besides the integrity of the
of the necessary force output applied by surgeons
communications channels, the privacy of the in-
while also minimizing many physical properties of
formation traveling between the surgeon and the
the robotic arm.
surgical environment falls under the Health Insur-
SRI International has also developed a next gen-
ance Portability and Accountability Act (HIPAA)
eration surgical robot, known as M73 . The M7 is
which mandates protection of this type of informa-
also a surgical robot of greatly reduced size when
tion. All of these concerns must be addressed as
surgical robotics standards are being developed.
2 Many other factors such as distance, delay, etc. also
LocalWords: MIS telesurgery BioRobotics BRL
govern these abilities, however.
3 SRI International developed the daVinci and formed In- SRI ITP UDP TraumaPod HIPAA LocalWords:
tuitive Surgical Incorporated to commercialize the technol- teleoperate daVinci teleoperated DARPA cyber
ogy. checksum
3
3. Project Description