But what if the scan had shown faked cancerous nodules, placed there by malware exploiting vulnerabilities in widely used CT and MRI scanning equipment? Researchers in Israel say they have developed such malware to draw attention to serious security weaknesses in critical medical imaging equipment used for diagnosing conditions and the networks that transmit those images — vulnerabilities that could have potentially life-altering consequences if unaddressed.
The malware they created would let attackers automatically add realistic, malignant-seeming growths to CT or MRI scans before radiologists and doctors examine them. Or it could remove real cancerous nodules and lesions without detection, leading to misdiagnosis and possibly a failure to treat patients who need critical and timely care.
Yisroel Mirsky, Yuval Elovici and two others at the Ben-Gurion University Cyber Security Research Center in Israel who created the malware say that attackers could target a presidential candidate or other politicians to trick them into believing they have a serious illness and cause them to withdraw from a race to seek treatment.
The research isn’t theoretical. In a blind study the researchers conducted involving real CT lung scans, 70 of which were altered by their malware, they were able to trick three skilled radiologists into misdiagnosing conditions nearly every time. In the case of scans with fabricated cancerous nodules, the radiologists diagnosed cancer 99 percent of the time. In cases where the malware removed real cancerous nodules from scans, the radiologists said those patients were healthy 94 percent of the time.
Even after the radiologists were told that the scans had been altered by malware and were given a second set of 20 scans, half of which were modified, they still were tricked into believing the scans with fake nodules were real 60 percent of the time, leading them to misdiagnoses involving those patients. In the case of scans where the malware removed cancerous nodules, doctors did not detect this 87 percent of the time, concluding that very sick patients were healthy.
The researchers ran their test against a lung-cancer screening software tool that radiologists often use to confirm their diagnoses and were able to trick it into misdiagnosing the scans with false tumors every time.
“I was quite shocked,” said Nancy Boniel, a radiologist in Canada who participated in the study. “I felt like the carpet was pulled out from under me, and I was left without the tools necessary to move forward.”
The study focused on lung cancer scans only. But the attack would work for brain tumors, heart disease, blood clots, spinal injuries, bone fractures, ligament injuries and arthritis, Mirsky said.
Attackers could choose to modify random scans to create chaos and mistrust in hospital equipment, or they could target specific patients, searching for scans tagged with a specific patient’s name or ID number. In doing this, they could prevent patients who have a disease from receiving critical care or cause others who aren’t ill to receive unwarranted biopsies, tests and treatment. The attackers could even alter follow-up scans after treatment begins to falsely show tumors spreading or shrinking. Or they could alter scans for patients in drug and medical research trials to sabotage the results.
The vulnerabilities that would allow someone to alter scans reside in the equipment and networks hospitals use to transmit and store CT and MRI images. These images are sent to radiology workstations and back-end databases through what’s known as a picture archiving and communication system (PACS). Mirsky said the attack works because hospitals don’t digitally sign the scans to prevent them from being altered without detection and don’t use encryption on their PACS networks, allowing an intruder on the network to see the scans and alter them.
“They’re very, very careful about privacy … if data is being shared with other hospitals or other doctors,” Mirsky said, “because there are very strict rules about privacy and medical records. But what happens within the [hospital] system itself, which no regular person should have access to in general, they tend to be pretty lenient [about]. It’s not ... that they don’t care. It’s just that their priorities are set elsewhere.”
Although one hospital network they examined in Israel did try to use encryption on its PACS network, the hospital configured the encryption incorrectly and as a result the images were still not encrypted.
Fotios Chantzis, a principal information-security engineer with the Mayo Clinic in Minnesota who did not participate in the study but confirmed that the attack is possible, said that PACS networks are generally not encrypted. That’s in part because many hospitals still operate under the assumption that what’s on their internal network is inaccessible from outside — even though “the era where the local hospital network was a safe, walled garden is long gone,” he said.
Although encryption is available for some PACS software now, it’s still generally not used for compatibility reasons. It has to communicate with older systems that don’t have the ability to decrypt or re-encrypt images.
To develop their malware, the Israeli researchers used machine learning to train their code to rapidly assess scans passing through a PACS network and to adjust and scale fabricated tumors to conform to a patient’s unique anatomy and dimensions to make them more realistic. The entire attack can be fully automated so that once the malware is installed on a hospital’s PACS network, it will operate independently of the researchers to find and alter scans, even searching for a specific patient’s name.
To get the malware onto a PACS network, attackers would need either physical access to the network — to connect a malicious device directly to the network cables — or they could plant malware remotely from the Internet. The researchers found that many PACS networks are either directly connected to the Internet or accessible through hospital machines that are connected to the Internet.
To see how easy it would be to physically install malware on a PACS network, Mirsky conducted a test at a hospital in Israel that the researchers videotaped. He was able to enter the radiology department after hours and connect his malicious device to the network in just 30 seconds, without anyone questioning his presence. Although the hospital had given permission for the test, staff members didn’t know how or when Mirsky planned to carry it out.
To prevent someone from altering CT and MRI scans, Mirsky says, ideally hospitals would enable end-to-end encryption across their PACS network and digitally sign all images while also making sure that radiology and doctor workstations are set up to verify those signatures and flag any images that aren’t properly signed.
Suzanne Schwartz, a medical doctor and the Food and Drug Administration’s associate director for Science and Strategic Partnerships, who has been leading some of the FDA’s effort to secure medical devices and equipment, expressed concern about the findings of the Israeli researchers. But she said many hospitals don’t have the money to invest in more secure equipment, or they have 20-year-old infrastructure that doesn’t support newer technologies.
“It’s going to require changes that go well beyond devices, but changes with regards to the network infrastructure,” Schwartz said. “This is where engaging and involving with other authorities and trying to bring the entire community together becomes really important.”
Christian Dameff, an emergency room physician with the University of California at San Diego School of Medicine and a security researcher who has exposed vulnerabilities with the 911 emergency calling system, notes that in the case of a cancer diagnosis, some backstops would prevent a patient from receiving unwarranted treatment based only on a maliciously modified CT scan. But that doesn’t mean the attack would be harmless.
“There are a couple of steps before we just take someone to surgery" or prescribe radiation and chemotherapy, Dameff said. “But there is still harm to the patient regardless. There is the emotional distress [from learning you may have cancer], and there are all sorts of insurance implications.”
The radiologists in the BGU study recommended follow-up treatment and referrals to a specialist for all of the patients with scans that showed cancerous lung nodules. They recommended immediate tissue biopsies or other surgery for at least a third of them.
Correction: This story has been updated to reflect that the hospital in Israel didn’t encrypt any data passed over its network. An earlier version of the story said it had encrypted the metadata for the scans, which contains a patient’s name and medical ID.