As more medical devices go online, there are more dangers of the data being hacked or compromised by bad actors. Researchers at Ben Gurion University demonstrated this by developing malware that could infect CT and MRI scanning machines used to diagnose cancer.
Their intent, of course, was not to infect these machines, but to inform hospitals and equipment vendors about cybersecurity threats, and what can be done to protect patients. And it is important to note that this malware has not been spotted in the wild, only in this controlled experiment.
The malware created by these researchers would allow attackers to automatically add the appearance of malignant growths to CT or MRI scans (or remove them) before doctors examine the scans. This could lead to costly and unnecessary treatments for patients who do not have a disease, or no treatment for critically ill patients. Emergency room physician Christian Darneff says that basic diagnostic steps would prevent a patient from receiving treatment based only on the CT scan, but there would be harm. “There are a couple of steps before we just take someone off to surgery,” or begin chemotherapy or radiation. “But there is still harm to the patient regardless. There is the emotional distress [from learning you may have cancer], and there are all sorts of insurance implications.” And, of course, there are the risks inherent in the additional screening procedures that would be performed.
The malware could modify scans for patients participating in medical research trials to show better or worse outcomes from the therapy being tested. They could be made randomly, or they could target specific patients, such as high-profile politicians or celebrities. The Washington Post gives the example that when Hillary Clinton’s health was questioned during the 2016 presidential campaign, her doctors showed a CT scan of her lungs, showing she just had pneumonia. But what if the scan had been modified by malware to show false cancerous nodules? It would not have affected the outcome of the election, as she lost anyway. However, the false diagnosis may have cause even more rancor over the election results than occurred.
The malware could be inserted into the picture archiving and communication system (PACS) used by hospitals, by physically connecting a malicious device to the network or installing malware via the Internet. Most PACS networks are not encrypted, making them easy targets. The researchers found it simple to enter a hospital radiology department after hours and install a malicious device in under a minute, without any questions from staff. (The hospital was aware that this would be done, but the staff did not know when it would happen.)
Yisroel Mirsky, one of the researchers from the Ben-Gurion University Cyber Research Center who created the malware, says that to prevent the alteration of CT and MRI scans, hospitals should ideally enable end-to-end encryption across their PACS networks and digitally sign all images. They also should set up a system to verify those digital images and flag improperly signed images.
