Malware Tricks Radiologists with Fake Nodules

Researchers based in Israel developed malware to draw attention to the security gaps and weaknesses in medical imaging networks and equipment.

The malware can add realistic-looking but fake growths to MRI and CT scans, or hide real cancerous tumors or nodules that medical imaging equipment would otherwise capture. The software was designed by experts at the acclaimed Ben Gurion University Cyber Security Research Center to highlight the weaknesses of diagnostic tools and of the hospital networks that handle sensitive patient information.

To test the effectiveness of this type of attack, the researchers conducted a study involving radiologists, who were asked to diagnose conditions from CT scans of the lungs. Some of the scans had been altered using the malware.

When scans featuring fake cancerous nodules were presented, radiologists diagnosed cancer 99 percent of the time. Similarly, when the malware was used to hide real cancerous nodules, radiologists issued a non-malignant report 94 percent of the time.

The Ben Gurion University Cyber Security Research Center team spoke to the Washington Post about the malware: how it could target patients, alter their follow-up scans after treatment, and even alter scans from drug trials, thus producing false results.

They also published solid evidence at the beginning of this year showing that the malware had altered 70 real lung CT scans. In the images with fake nodules depicting cancer, radiologists diagnosed 99 percent of cases as cancerous, even though the findings were fake.

In images where the malware erased real cancerous findings, radiologists diagnosed patients as healthy 94 percent of the time.

Even when made aware, radiologists still struggled to make a correct diagnosis. When given a second set of images and warned that some of the data had been altered, they were still tricked into believing the computer-generated nodules were real at least 60 percent of the time. Again, when the malware was used to remove nodules, 87 percent of readings incorrectly reported patients as healthy.

Unveiling the How

But how does this really happen? And why?

Yisroel Mirsky of Ben Gurion University in Israel says the problem with hospitals is that they do not digitally sign scans and do not encrypt data on their PACS (picture archiving and communication) systems. Moreover, there is a significant difference between how data shared internally, within the hospital, and data shared externally are treated.

In Mirsky’s words, “what happens within the system itself, which no regular person should have access to in general, they tend to be pretty lenient about. It’s not that they don’t care. It’s just that their priorities are set elsewhere.”

One hospital network examined in Israel had even tried to use encryption on its PACS network, but because the encryption was configured incorrectly, the images were not actually encrypted.
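As an added illustration (not code from the study or from this article) of the digital signing control Mirsky says is missing: the modality signs each image's pixel data together with its study identifiers using Ed25519, and the viewer refuses any image whose signature no longer verifies, so an altered pixel region or an image moved into another patient's study is caught before a radiologist sees it. The `Scan` struct, its field names and the 512x512 pixel buffer are constructed stand-ins for a DICOM object.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Scan is a minimal stand-in for a DICOM object (constructed for this example).
type Scan struct {
	StudyUID, SeriesUID, Modality string
	PixelData                     []byte
}

// digest binds the pixel data to the study identifiers, so an image can be
// neither modified in place nor moved into another patient's study unnoticed.
func digest(s Scan) []byte {
	h := sha256.New()
	for _, f := range [][]byte{[]byte(s.StudyUID), []byte(s.SeriesUID), []byte(s.Modality), s.PixelData} {
		binary.Write(h, binary.BigEndian, uint64(len(f))) // length prefix keeps field boundaries unambiguous
		h.Write(f)
	}
	return h.Sum(nil)
}

// SignScan runs at acquisition; only the modality holds the private key.
func SignScan(priv ed25519.PrivateKey, s Scan) []byte {
	return ed25519.Sign(priv, digest(s))
}

// VerifyScan runs in the viewer before an image is shown to the radiologist.
func VerifyScan(pub ed25519.PublicKey, s Scan, sig []byte) bool {
	return ed25519.Verify(pub, digest(s), sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	scan := Scan{"1.2.3.4", "1.2.3.4.5", "CT", make([]byte, 512*512)} // constructed 512x512 8-bit slice
	sig := SignScan(priv, scan)
	fmt.Println("original verifies:", VerifyScan(pub, scan, sig))
	scan.PixelData[1000] ^= 0xff // one altered pixel stands in for an injected or erased nodule
	fmt.Println("tampered verifies:", VerifyScan(pub, scan, sig))
}
```

The same check would also reject an image whose StudyUID was rewritten to attach it to a different patient, since the identifiers are part of the signed digest.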

Fotios Chantzis, Principal Information Security Engineer at the Mayo Clinic in Minnesota, who was not part of the study, confirmed that such attacks are a reality. He also affirmed that PACS networks are usually not encrypted. That may be because most hospitals still operate on the belief that their internal network and data are inaccessible. He said, “The era where the local hospital network was a safe, walled garden is long gone.”

Even though encryption is available for PACS software, it is generally not used for compatibility reasons: the PACS may need to communicate with an older system that is unable to decrypt or re-encrypt images.

To develop this malware, the Israeli researchers used machine learning to train the code to assess scans rapidly and pass them through a PACS network. The code also had to adjust and scale the fabricated tumors to conform to each patient's unique anatomy so that their dimensions looked realistic.

The attack can be fully automated: once installed on the hospital's PACS network, the malware finds and alters scans, and even looks up a particular patient, without any involvement from the researchers.

However, getting the malware onto the PACS network requires certain conditions: attackers must either have physical access to the hospital's network, to connect a malicious device directly to the network cables, or plant the malware remotely over the internet. The researchers found that several PACS networks were either directly connected to the internet or reachable through hospital machines that were.

To check how malware could be installed physically on a PACS network, Mirsky and his team conducted a videotaped test at the Israeli hospital. He entered the radiology department after a few hours and connected the malicious device to the network in 30 seconds, without being questioned. While he had permission to conduct the test, staff members were not told how or when it would be carried out.

Final Word

Suzanne Schwartz, a medical doctor and the FDA's Associate Director for Science and Strategic Partnerships, heads some of the FDA's efforts to secure medical equipment and devices. She expressed deep concern about these findings but also noted that hospitals may not have the funds to invest in securing their equipment.

sepStream® conducts in-depth research using advanced diagnostic tools. They also provide a secure environment in which to conduct the necessary diagnosis.