Information Security in Medical Robotics: A Survey on the Level of Training, Awareness and Use of the Physiotherapist

Cybersecurity is becoming an increasingly important aspect to investigate for the adoption and use of care robots, in term of both patients’ safety, and the availability, integrity and privacy of their data. This study focuses on opinions about cybersecurity relevance and related skills for physiotherapists involved in rehabilitation and assistance thanks to the aid of robotics. The goal was to investigate the awareness among insiders about some facets of cybersecurity concerning human–robot interactions. We designed an electronic questionnaire and submitted it to a relevant sample of physiotherapists. The questionnaire allowed us to collect data related to: (i) use of robots and its relationship with cybersecurity in the context of physiotherapy; (ii) training in cybersecurity and robotics for the insiders; (iii) insiders’ self-assessment on cybersecurity and robotics in some usage scenarios, and (iv) their experiences of cyber-attacks in this area and proposals for improvement. Besides contributing some specific statistics, the study highlights the importance of both acculturation processes in this field and monitoring initiatives based on surveys. The study exposes direct suggestions for continuation of these types of investigations in the context of scientific societies operating in the rehabilitation and assistance robotics. The study also shows the need to stimulate similar initiatives in other sectors of medical robotics (robotic surgery, care and socially assistive robots, rehabilitation systems, training for health and care workers) involving insiders.


Introduction
Cybersecurity (Cyb) in healthcare (CybH) includes all the general actions that we can find in the world of industry and consumption (network security, application security, information security, operational security, disaster recovery and operational continuity, end-user training), adjusted specifically for the health domain [1,2].
CybH addresses the cyber risk in a cyber-system in the health domain. The cyber-system can either be a complex medical device and/or a complex interoperable and heterogeneous system (e.g., a hospital information system, a radiology information system; a dedicated medical network). Important issues emerge for medical devices (MDs).
In the case of a standalone medical device (SMD) (not connected to other systems) CybH must concentrate on the device itself. Much of the Cyb depends on the correct implementation of the certification processes, considering also the CybH.
If the device is not standalone, i.e., it is an interconnected Medical Device (IMD), in addition to a certification process, it is also necessary to consider the Cyb vulnerability of the IT environment (e.g., hospital information system, the network of the rehabilitation centre, the home WI-Fi).
Nowadays, it is rare to find SMDs. Most MDs are IMDs. Examples are the artificial pancreas and the pacemaker. They need a communication link to an IT environment, both for the monitoring and/or updating functions [3][4][5][6].

The Medical Robots Used in Rehabilitation and Assistance and Cybersecurity
An important sector for medical robots is that of rehabilitation and assistance. Robotics in rehabilitation [7,[21][22][23][24][25][26][27][28][29][30][31] essentially concerns three sectors: The lower limbs (LOLI) • The upper limbs (UPLI) These sectors use exoskeleton or end-effector technology. The exoskeletal robot completely covers the limb, following and replicating the human anthropometry. The mechanics guide each segment involved in the rehabilitation practice. Therefore, an exoskeleton is a "mechatronic" apparatus. It is worn and performs the same kinematic/dynamic activity practiced by the patient. In a robotic end-effector device, the input for carrying out the rehabilitation exercise comes directly from the distal part of the limb. It allows the natural kinematic activation of the movement, without unnatural constraints.
Assistance robotics uses "social robots" (SRs) [8,32]. Use of these devices has recently increased, to overcome the problem of social distancing in the Covid-19 pandemic.
Today, SRs are designed to: • Interact with people, even by touching them, since the physical contact helps to establish a better emotional relationship.

•
Assist people with many daily activities (as a reminder or as a kind of butler).

•
Assist people in medical activities, such as drug administration and patient monitoring. • Support physicians in physical rehabilitation, such as Pepper, which supports physiotherapists during sessions [33][34][35][36], or support patients in their movements or displacements (e.g., Robear [37,38] transports patients). • Support people with complex communication needs. • Support families or therapists as cultural mediators.
The SRs are a totally new challenge for CybH. There are important aspects related to Cyb that require consideration in these devices, since their programming has important implications for the robot's moral behaviour, resulting in the interdisciplinary field of machine ethics [39][40][41][42][43][44][45]-that is, how to program robots with ethical rules [40]. This sector involves "adding an ethical dimension to the machine" [45], and it has become of utmost importance because of wonderful technological developments in the field of the CRs and, more generally, artificial intelligence [41][42][43][44][45]. Gordon [39] highlighted that making ethics "computable" depends in part on how the designers understand ethics and attempt to implement that understanding in programs, but also on their expertise in the field of human-robot interaction. He found that researchers and programmers have neither a good enough understanding nor sufficient ethical expertise to build moral machines that would be comparable to human beings with respect to ethical reasoning and decisionmaking. Figure 1 shows the modelling of the physical and psychological impact [13], developed by us for the rehabilitation and assistance robotics. Note that psychological harm can also occur as an indirect consequence of physical damage or harm caused by rehabilitation robots. It is therefore clear that there is a strong need for studies to help develop consensus in this area. It is important to stimulate the stakeholders to face these problems. It is also important to sensitize scholars to invest energies in research initiatives.

Motivation and Purpose of the Study
It is vital to plan an acculturalization process on Cyb. This process must concern all the actors involved, from the builders up to the users and the caregivers, in the different environments (from home up to the hospital).
Training in this area must also become an important issue. Stakeholders will have to start specific monitoring initiatives, through targeted surveys, for example, to verify the state of diffusion of the Cyb culture in robotics, and assess the consensus and opinion in this area. This is an important and preliminary step in the launch of agreements and consensus initiatives for these devices, also considering that Cyb certification of CRs is voluntary. At present, there are no active initiatives of this type. A search on Pubmed with the key "cyber security" [Title/Abstract] AND "robotics" [Title/Abstract] AND "questionnaire" [Title/Abstract] (also trying with synonyms) did not show results. In other sectors of the health domain, where technology is rapidly developing, ad hoc questionnaires have been developed with the aim of investigating the consensus between the actors. For example, in digital radiology, various studies have focused on different actors and conducted research through questionnaires on a very important issue relating to information technology in cyber-systems, that of artificial intelligence. Selected papers [46][47][48][49][50][51][52][53][54][55][56] highlight studies focused on some of the actors concerned: radiologists and radiographers [49][50][51][52][53][54], primary care providers [51], students [55], and patients [46][47][48], that is, both on service providers and users, and on the subjects in training. The importance of training and the usefulness of free questionnaires emerged from these studies. Surveys were used both to collect interviews and structured data from focus groups/consensus initiatives. In all cases identified, original questionnaires based on choice questions Likert scales, graded questions (in a psychometric scale) and open-ended questions were used. With very few exceptions [48], scholars preferred to use personal and original rather than validated/standardized questionnaires to investigate the topic.
For this reason, we consider a similar approach as regards robot technology (also rapidly evolving) to be useful on another topic connected to information technology in cybersystems, that of Cyb, where, similarly, training plays a leading role. For this reason, we believe it is equally useful to propose it to the professionals involved in this area.
Many professionals in the health domain have to do with the robots in rehabilitation and assistance (from the bioengineer up to the physiotherapist). The physiotherapists are key professionals in this field. It is therefore important to investigate the relationship between the physiotherapist and CybH.
This is useful to provide medical knowledge and stimulate stakeholders to recommend initiatives.
We have therefore set ourselves the goal to focus on the physiotherapist and: (1) to investigate the consensus, familiarity, and opinion on Cyb in this field, based both on the training and experience in the workplace; (2) to apply an electronic questionnaire designed for the investigation.

Materials and Methods
In line with the aim of the study, we decided to develop an electronic questionnaire to investigate the acceptance and the consensus of the physiotherapists. We used Microsoft Forms (Microsoft Corporation, Albuquerque, Nuovo Mexico (NM), USA), available in the Microsoft 365 App Business Premium suite in the workplace. It is the software product recommended by the company's Data Protection Office (DPO). It is included in the informatic domain and complies to the regulations on data privacy and security. We adhered to the SURGE Checklist [57] for the development and administration of the questionnaire. The questionnaire used different type of questions: open questions, choice questions, multiple choice questions, Likert scales, graded questions. A six-level psychometric scale was used both in the graded questions and in the Likerts. Therefore, it was possible to assign a minimum score of one and a maximum score of six. The theoretical mean value (TMV) was equal to 3.5. We used the TMV for comparison in the analysis: an average value below the TMV shows a more negative than positive response, whereas an average value above TMV indicates a more positive than negative response.
For the check of data normality, we used the Kolmogorov-Smirnov test, which is preferable for sample sizes like ours. The software SPSS V. 25.0 (IBM SPSS software, Armonk, NY, USA) was used in the study. The Cohen's d effect size estimated with 0.499 the effect size. A sample with n > 60 was estimated to be suitable for the study. We submitted the survey from 1 June 2021 until 20 October 2021.
We have submitted the questionnaire to the physiotherapists using social networks, web sources, messengers, and lists/webs from professional associations. Figure 2 reports the diagram of the inclusion process. Table 1 shows the demographic characteristics.  The methodology, based on an electronic survey, focused on the physiotherapist. It investigated, through the tools available in the survey, the different aspects of Cyb.
The electronic survey is arranged into five sections (see Table 2). Table 2. Sections of the questionnaire.

Section 1
Demographic data

Section 2
Robotics and cybersecurity in the workplace

Section 3
Training in cybersecurity and robotics

Section 4
Self-assessment on cybersecurity and robotics

Section 5
Proposals and collection of personal cases of cyber-risk Section 1 is designed for collecting the demographic data (reported in Table 1). Section 2 investigates if there is an interaction with the robots in the workplace and whether this interaction also concerns Cyb. Section 3 investigates the specific training on Cyb and on the connected disciplines. Section 4 proposes self-assessment questions regarding Cyb while interacting with the robots. Section 5 collects both proposals and the cyber-risk experiences in one's work environment useful both for the reader and the stakeholder.

Results
The results are reported in the four sections below. For each section, the type of questions, the questions asked, and the statistics are reported.
3.1. Output from Section 2 "Robotics and Cybersecurity in the Workplace" As a first aspect, we investigated the use of rehabilitation robotics and the involvement (role) of physiotherapists in its use, either as active users or just observers. A multiple-choice question was proposed (relating to three different robots used in rehabilitation).  A second question with two choices (Yes/No) also investigated involvement in Cyb activity. Figure 4 highlights that all the interviewed people reported the role of technology user. Only 29 (9.18%) claimed to have been involved in the CybH, resulting in a significantly low number (p-Value < 0.01, χ2test).
It is well known that the use of SR is still very limited. However, we wanted to investigate any involvement, which could also concern research projects. Three questions were proposed. A question with two choices (Yes/No) investigated the SR presence in the workplace. A question with two choices (only observer/user) investigated the role in the interaction. A question on their role in Cyb was also proposed to those who had responded "user". Figure 5 highlights that only 5 respondents stated that they were dealing with SRs. Three (0.95%) declared that they were observers, two (0.63%) were users, and only one (0.32%) faced CybH issues. These frequencies also had a high statistical significance (p-value < 0.01, χ2test). Table 3 reports the perceived level of training on SRs, robots for BA, robots for LOLI, robots for UPLI. Four graded questions with 6 levels of score (1 = min; 6 = max) were used.   The most popular response was Robots for UPLI. The least popular answer was Social Robots. All the answers received a score above the TMV. Table 4 reports the Perceived training on informatics, mHealth, eHealth, cybersecurity. Four graded questions with 6 levels of score (1 = min; 6 = max) were used. The most popular response was informatics.

Output from Section 3 "Training in Cybersecurity and Robotics"
The least popular answer was Cyb. All the answers obtained a score above the TMV except for Cyb. Table 5 reports the perceived training on Cyb with reference to the different cyberattacks. A Likert scale was used with the modules associated to each cyber-attack. Each module had 6 levels (1 = min; 6 = max). Results show low scores, all below the TMV, except for malware, phishing, and password crackers (just above the threshold). We asked also to indicate (based on the training) the sector mostly affected by the problem of Cyb. A Likert scale was used with the modules associated to each robot. Each module had 6 levels (1 = min; 6 = max). Table 6 reports the responses related to the specific Likert scale. The most popular response was the SR. The least popular answer was the BA. All the answers received a score above the TMV. We completed this section asking specific further questions on the regulatory issues and on the awareness of the role with Cyb. Two graded questions with 6 levels of score (1 = min; 6 = max) were used for investigating the training on regulatory issues. The first question investigated the training on the regulatory issues on Cyb. The second question investigated the training on the regulatory issues on Cyb, specifically referring to robotics. Figure 6 highlights a very low level of training on regulatory issues both as a whole (average value = 2.89; confidence interval (CI) 95%: ±0.35) and related to robotics (average value = 2.88; CI 95%: ±0.35). Two graded questions with 6 levels of score (1 = min; 6 = max) were used for investigating awareness on their role with Cyb. The first question investigated the awareness of the role with Cyb. The second question investigated awareness of the role with Cyb and robotics. Figure 7 highlights a level of awareness well above the TMV (with reference to the role of the physiotherapist in Cyb as a whole (average value = 4.31; CI 95%: ±0.38) and while interacting with robotics (average value = 3.98; CI 95%: ±0.37).

Output from Section 4 "Self-Assessment on Cybersecurity and Robotics"
This section considers the self-assessment scenarios of familiarity with Cyb. A first investigation involved a mapping of cyber-attacks in relation to the four robots (Table 7). Each one of the cyber-attacks was proposed with multiple choices (LOLI, UPLI, BA, SR). The interviewees could indicate the applicability or non-applicability of cyber-attacks with the robots. Table 6 highlights how malware, phishing and password crackers were the most indicated. However, a statistical frequency analysis did not show significance (χ2test, p-Value = 0.221).   A second investigation (Table 8) concerned the model proposed in Figure 1. The functional problems (physical damage, physical harm, physiological harm) were proposed with multiple choices (LOLI, UPLI, BA, SR). The SRs showed the lowest scores for physical harm, with statistical significance (χ2test, p-Value = 0.048) and physical damage with statistical significance (χ2test, p-Value = 0.049). However, the SRs showed the highest score for psychological harm, with a high statistical significance (χ2test, p-Value = 0.008).
As a third investigation we proposed a specific risk self-assessment (Tables 9-12). A Likert scale was proposed for each one of the robots (UPLI, LOLI, BA, SR). The modules in the Likert were identical. Each module had 6 levels of score (1 = min; 6 = max). The scores almost overlapped and were above the TMV for UPLI, LOLI, BA. For these robots the scenario "On the possible effect on the patient/practitioner's health and safety" obtained the highest score. All the values were below the threshold for the SRs, except for the score associated with the scenario "On the possible effect on the patient /practitioner's health and safety".

Output from Section 5 "Proposals and Collection of Personal Experiences of Cyber-Risk"
As a final investigation we have invited respondents to: (a) freely express opinions and suggestions on cyber-risks and actions to consider shortly; (b) cite personal experiences related to Cyb problems. Open-ended questions were used in this section.

Proposals
We grouped and categorized similar questions. Table 13 reports the suggestions for the most probable cyber risks to face. The most worrying concern was the physical damage caused by an incorrect imposition of motion. Table 14 reports the suggestions related to the actions to consider. The most suggested action was related to the periodic monitoring activities managed by the scientific societies.

Collection of Personal Experiences of Cyber-Risk
We also invited the physiotherapists to describe an experience in this field. There was an open space of about a half page of space for this. Both the participants with a direct experience on robotics and the participants with only a training experience contributed with enthusiasm. 302 (95.57%) physiotherapists described an experience of a problem with Cyb in the workplace. 55 participants reported Cyb problems with robotics in the workplace. We should consider that in Section 2 (see Section 3.1) it emerged that 102 physiotherapists work with rehabilitative robotics and 2 deal with SRs as users. This means that 52.3% of them were involved in a Cyb problem.
The problems have been analyzed and categorized. The problems that occurred more than one time are shown in Figure 8. Figure 8 highlights how the two most frequent reported and described attacks were the denial of service (7 times), which involved a network with LOLI, UPLI, BA, and ransomware attacks on the data of a LOLI platform (5 times).
We started with the physiotherapist, who is facing a transformation towards digitalization in the pandemic era, as has been highlighted by A. Lee in [59].
In this study we have proposed a useful electronic questionnaire.
It included: openended questions, choice questions, multiple choice questions, Likert scales, and graded questions. It permitted collection of important data on: (a) the use of robotics and direct involvement in the CybH; (b) training in robotics, cybersecurity, and other disciplines; (c) self-perception of cybersecurity and robotics; (d) opinions, suggestions, and experiences.
When we place our investigation in the international context, we must consider the following. Cyb has vast implications in the health domain and it is evident that it has been the subject of many targeted studies [60]. However, the number of the studies focusing also on robotics is extremely low [61]. The research [60] in Pubmed (the most important database of the health domain) shows that, to date, no one has yet addressed specific issues of Cyb in robotics, submitting questionnaires to medical professionals.
The questionnaire, dedicated to physiotherapists and with reference to CybH in robotics, has the advantage of allowing the monitoring of roles and interactions in the workplace, monitoring of training received, a self-assessment of risks, and a virtual focus group.
The study has some limitations. A first limitation is that the questionnaire is both dedicated to one field of the medical robotics (the rehabilitation and assistance robotics) and calibrated on a professional group. Many professional groups play an important role in rehabilitation and assistance robotics. Specialized questionnaires for these professional groups should be developed in the future.
Another second limitation is the limitlessness of the theme. It is impossible to address all the implications in a single study.
In particular, the ethical implications of robotics are very important. These implications will have a strong impact on Cyb and require a very robust and multidisciplinary approach involving all the actors.
There are two important macro-sectors of ethics with an impact on Cyb. The first macrosector is the ethics in a responsible research and innovation [62]. Stahl and Coeckelbergh highlighted, for the first macro-sector, the important implications of Cyb [63][64][65][66][67][68][69][70] in the replacement of the human in work, as regards the responsibility for and in the management of information. The second macro-sector is the ethics problem encountered while building moral robots [39]. This focuses on the interdisciplinary field of machine ethics.
The third limitation is that the questionnaire (which allows important feedback for the stakeholders) represents only a first scientific step. The subsequent steps that this study aims to stimulate are the integration of this questionnaire together with other solutions during the application of agreement initiatives. The Consensus Conferences [71][72][73], for example, could be an important agreement initiative and could certainly benefit (in the context of the activities of the working groups [74][75][76]) from the use of electronic questionnaires that provide for structured feedback and virtual focus groups.
Our questionnaire has the above-listed limits. However, it has the merit of having initiated this approach, in a delicate issue (medical robotics), and of being a stimulus for the scientific societies involved. It is in line with other similar initiatives in the health domain. International scientific meetings, promoted by scientific societies [77], now include sections dedicated to the problems of Cyb in the HCI. In a study [78], just presented in [77], the importance of using dedicated surveys is stressed, to improve understanding of behaviors at risk, as regards Cyb, when using HCI in the health domain. Our study is in this direction. Likewise, it addresses the Cyb problems in a new field of the HCI, the human robot interaction (a complex HCI with mechatronics) [79], through a wide-ranging investigation, using a questionnaire and involving concerned actors..

Conclusions
Rehabilitation and assistance robots represent an opportunity for the health domain [7,8]. The use of these robots has important implications. They can be used with fragile patients or people with disabilities, in rehabilitation and assistance processes. They can be used in psychological and cognitive rehabilitation processes for children and other subjects with communication disabilities, as in the case of SRs. Therefore, their use can have important physical and psychological implications. Furthermore, the software in these devices interact with sensible data. Cybersecurity has therefore become an important issue to face, starting from the insiders. We have proposed an investigation based on a questionnaire submitted to physiotherapists. The investigation showed the following highlights: − The questionnaire, dedicated to physiotherapists and with reference to CybH in robotics, has the advantage of allowing a monitoring of roles and interactions in the workplace, a monitoring of training received, a self-assessment of risks, and a virtual focus group. − The questions enabled us to collect important data on: (a) the use of robotics and the direct involvement in CybH; (b) training in robotics, cybersecurity, and other disciplines; (c) the self-perception of Cyb and robotics; (d) opinions, suggestions, and experiences. − The data concerned both subjects with only training experiences and subjects with direct work experience. − At the time of the survey, 102 (32.27%) respondents used rehabilitation robotics in the workplace. All have highlighted their role as user, but only 29 (9.18%) had a direct involvement with Cyb. Only 5 respondents stated that they were dealing with SRs. Of these, 3 (0.95%) were observers and 2 (0.63%) were users, while only one (0.32%) had a direct involvement in Cyb. − An acceptable training regarding robotics and other related training modules. An unacceptable training when dealing, in detail, with Cyb issues. A training that highlighted gaps for the regulation issues on Cyb (also referred to robotics). An awareness, during the training, on the involvement of the physiotherapist in Cyb (also related to robotics). − The possibility for physiotherapists to self-assess themselves in some Cyb scenarios proposed in respect of robots. − Opinions on emerging risks and wishes in this field (as, for example, to continue the use of the questionnaire and to create specific working groups). Both the participants with a direct experience of robotics and participants with only a training experience narrated experiences in this field with enthusiasm: 302 (95.57%) described their experiences with robotics, categorized after data mining, showing that 55 reported Cyb problems with robotics in the workplace. This, very importantly, highlighted that 52.3% of the physiotherapists engaged with robotics in the workplace reported a Cyb problem. The most frequent incidents were denial of service (7), which involved a network with LOLI, UPLI, BA, and ransomware attacks on the data of a LOLI platform (5).

Future Work
The needs for future work that emerge from this study concern both continuation in the field of rehabilitation and assistance robotics and the activation of similar initiatives in other sectors of robotics.

Future Initiatives in the Field of Rehabilitation and Assistance Robotics
Future developments of this study are foreseen to include:

•
An improvement of the electronic questionnaire, with a standardization of the same, interacting with the scientific societies; • Using it for specific periodic monitoring and investigations; • Stimulating the stakeholders for the creation of multidisciplinary workgroups to address Cyb (ranging from engineering to machine ethics, legal and policy issues); • Expansion to other professional groups.

Suggestions for Future Developments in Other Sectors of Medical Robotics
The Policy Department for Economic, Scientific and Quality of Life Policies, of the European Parliament, identified the most interesting applications for the medical robots [79]: Robotic surgery, care and socially assistive robots, rehabilitation systems, training for health and care workers. The sector is wide, complex and with numerous implications for CybH. What emerged in this study may be a stimulus for those engaged in other areas of medical robotics to initiate similar studies focused on Cyb.