Surgical robots, FDA, and cybersecurity with Anthony Fernando

Surgical robots, FDA, and cybersecurity with Anthony Fernando

While many in the medical device industry have just started implementing cybersecurity strategies, veteran Anthony Fernando has seen it all.

Beyond reimagining how robotic surgery can revolutionize patient experiences and recovery time, Anthony’s experience as President & CEO of Asensus has put a growing focus on the cybersecurity mindset that goes behind these incredible medical devices. His understanding of the market today and its rapid development has been shaped by his years working with Stryker, Becton Dickenson, Varian (formerly Vankel), and more, where he must balance market demands with patient needs and cybersecurity threats.

His latest interview on Cybellum’s Left to Our Own Devices podcast jumps right into what the company’s expertise is –  product and device cybersecurity. Asking the tough questions surrounding medical device manufacturer (MDM) opportunities, cybersecurity, and evolving regulations, Fernando gives honest insight into the past, present, and future of surgical technology through a product cybersecurity lense.

Providing medical robots with their cybersecurity needs

To begin understanding why we need to connect and secure the devices that so many patients’ lives depend on, we have to consider how we got here. What does it mean for a surgeon to work remotely on a patient using technologies, such as with the surgical robotics system that Asensus prides itself on? How did we go from open surgeries a few short decades ago to remote controlled surgical robots?

“Traditionally, in surgery you cut open the abdomen or whatever that you’re looking at,” said Fernando. “Then, the surgeon can actually look into your abdomen and see what’s happening.

That [manner of conducting surgery] was predominant for a very long time. Then in the early eighties came this technique called laparoscopy, which moved surgery into a minimally invasive technique.”

This incredible leap in technology allowed the industry to reimagine patient care by removing the requirement for line-of-sight operations. Suddenly, electronics were allowing surgeons to take a slightly hands-off approach to the surgery they were performing – even if the separation was only skin deep.

The seismic shift here also required a new way of imagining surgery. “The best analogy that I’ve heard that some people use is – think about painting a room in your house… through the mailbox,” continued Fernando. “I think it explains how it’s done.”

Fast forward to today, surgical robots have opened new opportunities for unprecedented stability while utilizing multiple tools simultaneously. Yet, in order to stay relevant and give surgeons access to the most up to date data and tools, they must be connected to the web.

The benefits and risks of connected medical devices

Connecting medical devices unlocks the true potential of the medical industry.

If a facility has a device, such as the Asensus Senhance Surgical System, remote connectivity can allow any qualified surgeon in the world to conduct the procedure, regardless of location, as long as they are at a connected Asensus operation terminal. While this seems like science fiction, it is already happening in other industries.

“As we know, digital technology is evolving and advancing in all other industries. You have self-driving cars, you have robots doing manufacturing. You have fighter planes that are designed to be unstable and the computer makes it stable. So you see all these technologies in all the industries, but it has not come to surgery.”

What he envisions is increased computer assistance in the medical industry. Imagine if a surgeon can call upon similar experiences from all other surgeons who have used the machine for a similar surgery.

At the same time, this puts the patient’s privacy and even life at risk. What if this real-time patient information was stolen by black-hat hackers to exploit the patient? Even more, what if this patient is being targeted by a terror group who gained unauthorized access to the network and intentionally fed the surgeon wrong information?

Without taking a product cybersecurity-first approach, it is challenging to gain regulator buy-in, potentially denying these technologies from ever reaching the operating room.

Compliance, cybersecurity, and rattled supply chains

To bring these technologies of the future into the medical facilities of today, companies must work together with regulators to ensure that their smart technology is secure enough to be placed in facilities around the globe.

Anthony Fernando’s experience of living in North America, Europe, and Asia showed him how the same technology can mean different things to different populations.

To be ready for any cybersecurity challenge a device may face throughout its lifetime, there are three pillars that all MDMs must ensure:

  • Education- Organizations must be able to differentiate to regulators what is unique about their sector. Surgical, diagnostic, and other medical tools all conduct different tasks. Coming together allows for more specific regulations that can give developers increased freedom to operate within their space while still remaining secure.
  • Security- Cybersecurity must be standardized and repeatable in any environment. From the start, organizations should clarify where data will be stored, who will have access, and ultimately who is the owner of the data.
  • Supply Chain- When possible, MDMs should rely on existing approved vendors instead of needing to gain new approvals.

Standardization and automation will drive industry innovation

To reduce time to market, manufacturers must address regulator hesitations.

Operating within existing compliance guidelines, industries can standardize regulator expectations, automating and easing the development and maintenance of devices through their lifecycle.

In addition, all manufacturers must keep a living automated software bill of materials (SBOM) for each of their products. With automation, threats are recognized, assessed, and mitigated in real-time instead of after months of review or following an attack.

These steps are no longer nice to have but are critical – if not for the sake of regulations, then for the sake of business continuity and of course, in this case, the surgeons and their patients.


This article was originally published on