Hidden Challenges of Deploying Robots in the Real World
Part 3: Gaining Access to IT Infrastructure
At Akara, our robots operate in hospitals — environments where IT security is paramount and network access is tightly controlled. While most of the sensing and computing happens onboard our devices, internet access is still essential for critical tasks like software updates, remote monitoring, and performance logging. However, achieving this connectivity is far more challenging than it might seem.
In this installment, I’ll share the steps we took to gain network access, ensure compliance with data protection regulations, and overcome technical hurdles that arise in tightly controlled IT environments.
External Validation of Cyber Compliance
Hospital IT systems handle sensitive patient data and connect to critical machines that cannot afford to be compromised. Hospital networks are tightly controlled and any new device introduced onto the network undergoes detailed scrutiny, requiring extensive reviews and testing before access is granted.
Based on our experience working with hospitals in the UK, Europe and the US, a technology vendor must satisfy hospital IT requirements in the following areas.
External Penetration Testing: Independent “pen tests” were conducted to identify and resolve potential vulnerabilities.
Detailed IT Reviews: Detailed documentation must be prepared describing the software, hardware, and network architecture. These are reviewed for compliance with hospital IT policies in detail.
Certifications: For hospitals in the UK, the NHS Cyber Essentials certification is a baseline requirement. In Europe, ISO 27001 is the gold standard for information security management systems. For the U.S., hospitals expect at least a demonstrated path toward SOC 2 compliance, which focuses on security and operational controls.
Navigating Firewalls and Network Restrictions
Once access to the hospital network is granted, another hurdle often emerges: the software doesn’t work as expected. This may be because hospital firewalls block certain ports and URLs by default to protect their systems. Modern autonomous robots and AI systems rely on numerous software packages, many of which fetch updates from servers across the internet. Identifying which ports and URLs are blocked is far from straightforward.
To address this, we had to:
Analyze Network Traffic: These tools allowed us to monitor and analyze the network traffic leaving the robot in detail. Given the number of packages running on a modern robot, this was no small task. Once identified, the list of required ports and URLs was shared with the hospital IT team.
Ensuring regional compliance: Countries like the UK have strict policies on where servers processing data should be located. To meet these requirements, we needed to reroute data to servers in specific geographic regions to comply with regional policies. Where access couldn’t be granted, we developed tailored workarounds to ensure uninterrupted operations.
Review potential vulnerabilities: Software packages that required specific ports and URLs to be whitelisted on the hospital firewall were reviewed for potential vulnerabilities. This review involved consulting the MITRE CVE database. Where applicable, steps were taken to verify that software installed on Akara devices contained the necessary software patches and updates to address any potential risks.
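As an added illustration (not Akara's tooling or code from the original post), this Python example collapses captured outbound connections into the per-destination list of ports and hostnames a hospital IT team would review. The log format, process names, hostnames and addresses are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample: outbound connections observed on a robot, one per line as
# "<process> <proto> <dest-ip>:<port>", plus DNS answers seen in the same capture.
# The format and every name/address are assumptions made for this example.
SAMPLE_DNS = {
    "203.0.113.10": "updates.example.com",
    "203.0.113.20": "telemetry.example.com",
}
SAMPLE_CONNECTIONS = """\
apt-get tcp 203.0.113.10:443
apt-get tcp 203.0.113.10:443
monitor-agent tcp 203.0.113.20:8883
ntp-client udp 198.51.100.5:123
log-shipper tcp 203.0.113.20:80
"""

PLAINTEXT_PORTS = {21, 23, 80}  # unencrypted protocols to question before requesting a rule


def build_allowlist_request(connections, dns):
    """Collapse raw connection records into one firewall rule request per destination."""
    rules = defaultdict(set)
    for line in connections.splitlines():
        if not line.strip():
            continue
        process, proto, endpoint = line.split()
        ip, _, port = endpoint.rpartition(":")
        # Prefer the hostname: URL-filtering firewalls match names, and IPs behind CDNs change.
        dest = dns.get(ip, ip)
        rules[(dest, int(port), proto)].add(process)
    request = []
    for (dest, port, proto), procs in sorted(rules.items()):
        notes = []
        if dest not in dns.values():
            notes.append("no hostname seen; confirm destination")
        if port in PLAINTEXT_PORTS:
            notes.append("plaintext protocol; prefer TLS endpoint")
        request.append({"dest": dest, "port": port, "proto": proto,
                        "processes": sorted(procs), "notes": notes})
    return request


if __name__ == "__main__":
    for rule in build_allowlist_request(SAMPLE_CONNECTIONS, SAMPLE_DNS):
        print(rule)
```

Recording the owning process against each rule also gives the vulnerability review a concrete list of packages to check.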
Data Protection
Even though our robots do not explicitly collect data related to patients or staff, their onboard sensors may capture information that could identify individuals. Ensuring compliance with data protection laws in the regions where we operate is a fundamental requirement.
In Europe: The General Data Protection Regulation (GDPR) governs data protection and applies to hospitals in both the EU and the UK. Additionally, the UK requires adherence to the Data Protection Act 2018 (DPA 2018). To demonstrate compliance, we took the following steps:
Data Protection Impact Assessment (DPIA): Conducted an in-depth assessment to analyze and mitigate any privacy risks.
Client-Facing Documentation: Prepared clear documentation outlining what data is collected, its purpose, and how it is stored.
Appointed a Data Protection Officer: Ensured oversight and accountability for all data-handling practices.
Staff Training: Provided training to all team members to ensure GDPR compliance in day-to-day operations.
In the United States: Unlike Europe, the U.S. lacks a federal data protection law equivalent to GDPR. Instead, regulations are handled at both the state and sector level. In healthcare, the most significant regulation is the Health Insurance Portability and Accountability Act (HIPAA), which governs the privacy and security of health information.
While Akara’s robots do not process Protected Health Information (PHI) and are therefore exempt from HIPAA, we took proactive steps to align our practices with HIPAA requirements wherever possible.
Additional Considerations
While hospital Wi-Fi networks are the primary means of connectivity, there are additional factors that can impact the robot’s ability to operate seamlessly.
4G/5G Cellular Networks: Operating outside the hospital network using 4G or 5G cellular connectivity can, in some cases, be faster and safer, reducing the burden on hospital IT infrastructure. However, this solution is not universally applicable. The availability of reliable 5G coverage is still limited in many areas, and older hospitals — often constructed with thick concrete walls or lead-lined rooms — can severely degrade cellular signals, making bandwidth unreliable.
Wi-Fi Blackspots: Even when Wi-Fi access is granted, coverage may be inconsistent. Certain areas of the hospital, especially those adjacent to rooms where radiation treatments are performed (X-Ray, MRI, CT, etc.), may have poor or non-existent coverage. Additionally, unexpected Wi-Fi drops can occur. In these situations, having a 4G/5G cellular option as a backup can provide valuable redundancy to ensure continuous operation.
Network Bandwidth: Hospital IT networks are carefully managed, and bandwidth may be limited or throttled to prioritize critical systems. This can impact the performance of tasks requiring higher data throughput, such as real-time teleoperation or detailed monitoring. In such cases, workarounds — like optimizing data usage or scheduling high-bandwidth operations during off-peak hours — may be necessary to maintain performance without overloading the network.
Conclusion
Getting a robot onto a hospital network is far more complex than simply connecting to Wi-Fi. From achieving cybersecurity compliance and navigating firewall restrictions to addressing connectivity challenges like Wi-Fi blackspots, cellular limitations, and bandwidth constraints, every step requires careful planning, collaboration, and technical ingenuity.
In the next installment of this series, I’ll discuss how we approached DevOps and software development practices, which are critical for maintaining and scaling reliable robotic systems in real-world deployments.