A group of researchers has created a malware program designed to exploit vulnerabilities in computed tomography and magnetic resonance imaging equipment to add realistic, malignant-seeming growths to scans, in a bid to draw attention to vulnerabilities in medical equipment networks, according to a Washington Post report.
Researchers Yisroel Mirsky, Yuval Elovici and two others at the University Cyber Security Research Center in Israel created the malware program for use in a blinded study involving real CT scans, according to the report.
A total of 70 images were altered by the malware and were able to fool three skilled radiologists into misdiagnosing conditions “nearly every time,” according to the Washington Post.
Radiologists examining the images with added cancerous nodules incorrectly diagnosed cancer 99% of the time, according to the report. For images with real cancerous nodules that were removed, radiologists judged the patients to be healthy 94% of the time.
After being informed that the images were altered, the radiologists were given a second set of 20 scans, half of which were altered, according to the Washington Post. The radiologists still diagnosed fake nodules as cancerous 60% of the time, and did not detect the removed nodules 87% of the time.
Researchers in the study also ran the test against a lung-cancer screening software tool and were able to trick the system into misdiagnosing the false tumors every time, according to the report.
While the study focused on lung cancer scans only, researchers said that the attack could work for brain tumors, heart disease, blood clots, spinal injuries, bone fractures, ligament injuries and arthritis, according to the Washington Post.
The malware could be used to modify random scans to create chaos within a hospital system, researchers said, or to target specific patients through the use of names or ID numbers, according to the report.
The vulnerabilities that allow the exploit to occur exist in the equipment and networks hospitals use to transmit and store imaging data, according to the Washington Post. Since the images aren’t digitally signed or encrypted, they can be altered without detection, researchers said.
“They’re very, very careful about privacy … if data is being shared with other hospitals or other doctors, because there are very strict rules about privacy and medical records. But what happens within the [hospital] system itself, which no regular person should have access to in general, they tend to be pretty lenient [about]. It’s not … that they don’t care. It’s just that their priorities are set elsewhere,” Mirsky said, according to the report.
The malware program would have to be either physically installed or downloaded off the internet to operate, according to the Washington Post. To test the viability of a direct installation, Mirsky conducted a test at a hospital in Israel, and was able to enter a radiology department and connect a malicious device to the network in only 30 seconds without anyone questioning his authorization to be in the area.
To prevent such attacks, Mirsky suggested that hospitals adopt end-to-end encryption across their picture archiving and communication systems, digitally sign all images, and make sure workstations verify the signatures and flag images that aren't properly signed, according to the report.
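The workstation-side check suggested above, as an added illustration rather than code from the researchers or from any PACS vendor: the scanner signs a digest of the pixel data with an Ed25519 key, and the viewing workstation returns one of three verdicts, flagging both unsigned images and images whose signature no longer matches (the image format, key handling and pixel buffer are simplified assumptions, not DICOM).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Verdict is what a viewing workstation attaches to an image after checking it.
type Verdict string

const (
	Verified Verdict = "verified" // signature present and valid for this pixel data
	Unsigned Verdict = "unsigned" // no signature attached: flag for review
	Tampered Verdict = "tampered" // signature present but does not match: flag for review
)

// SignedImage is a simplified stand-in for a stored scan (constructed, not DICOM):
// raw pixel bytes plus a detached Ed25519 signature over their SHA-256 digest.
type SignedImage struct {
	Pixels    []byte
	Signature []byte // nil when the modality did not sign the image
}

// SignImage is what the modality (scanner) would do before handing the image to the PACS.
func SignImage(priv ed25519.PrivateKey, pixels []byte) SignedImage {
	digest := sha256.Sum256(pixels)
	return SignedImage{Pixels: pixels, Signature: ed25519.Sign(priv, digest[:])}
}

// CheckImage is the workstation-side verification described in the article:
// unsigned and mismatching images are flagged instead of being shown as trusted.
func CheckImage(pub ed25519.PublicKey, img SignedImage) Verdict {
	if len(img.Signature) == 0 {
		return Unsigned
	}
	digest := sha256.Sum256(img.Pixels)
	if !ed25519.Verify(pub, digest[:], img.Signature) {
		return Tampered
	}
	return Verified
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	scan := make([]byte, 512*512) // constructed blank 512x512 8-bit slice
	img := SignImage(priv, scan)
	fmt.Println(CheckImage(pub, img)) // verified
	img.Pixels[256*512+256] = 0xff    // a single altered pixel is enough to break the signature
	fmt.Println(CheckImage(pub, img)) // tampered
	fmt.Println(CheckImage(pub, SignedImage{Pixels: scan})) // unsigned
}
```

In a real deployment the public key would be pinned per modality and the signature stored alongside the image in the archive, so that a modification made anywhere between scanner and workstation is caught at display time.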