A group of Israeli researchers has developed easily transmittable malware that can hack hospital equipment and networks and alter radiological images to make sick patients appear healthy and healthy patients appear sick.
Four researchers from Israel’s Ben-Gurion University Cyber Security and Research Center created the malware as part of a study to demonstrate how easily and effectively CT and MRI scans could be falsified to show lung cancer nodules in perfectly healthy patients and remove lung cancer from images of patients who have the disease.
To show how effectively this malware could infiltrate and alter medical images, the researchers conducted a blind study that found they were able to trick skilled radiologists into misdiagnosing patients nearly 100 percent of the time.
Scans altered by the malware to show fake cancerous nodules tricked the radiologists into diagnosing cancer 99 percent of the time, while scans modified to remove real cancerous nodules fooled them into misdiagnosing patients as healthy 94 percent of the time.
Although the study focused on lung cancer scans only, the researchers said the malware could be used to attack hospital equipment and manipulate medical images for brain tumors, heart disease, blood clots, spinal injuries, bone fractures, ligament injuries, and arthritis.
The malware spotlights vulnerabilities in the picture archiving and communication systems (PACS) hospitals use to transmit and store CT and MRI images. The attacks are successful, the researchers said, because hospitals don’t digitally sign scans to prevent them from being altered without detection. Hospitals also don’t encrypt the images transmitted and stored on these systems, thereby leaving them vulnerable to intruders.
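The integrity gap described above can be illustrated with a short added example, which is not code from the researchers or from any PACS product. It tags each slice of a scan when it is acquired and checks the tags again before viewing. The function names, key and sample data are constructed for illustration, and HMAC-SHA256 from the Python standard library stands in for the public-key digital signature a real deployment would use.

```python
import hashlib
import hmac

def _tag(key, study_uid, count, index, pixels):
    """HMAC-SHA256 binding pixel bytes to their study, series length and position."""
    fields = (study_uid.encode(), str(count).encode(), str(index).encode(), pixels)
    msg = b"".join(len(f).to_bytes(4, "big") + f for f in fields)  # length-prefixed
    return hmac.new(key, msg, hashlib.sha256).digest()

def sign_series(key, study_uid, slices):
    """Run where the scan is acquired, before it enters the PACS network."""
    n = len(slices)
    return {"study_uid": study_uid, "count": n,
            "tags": [_tag(key, study_uid, n, i, px) for i, px in enumerate(slices)]}

def verify_series(key, manifest, slices):
    """Run at the viewing workstation; returns a list of findings, empty if intact."""
    findings = []
    uid, n, tags = manifest["study_uid"], manifest["count"], manifest["tags"]
    if len(slices) != n or len(tags) != n:
        findings.append("slice count mismatch")
    for i, px in enumerate(slices):
        expected = tags[i] if i < len(tags) else b""
        if not hmac.compare_digest(expected, _tag(key, uid, n, i, px)):
            findings.append(f"slice {i} failed verification")
    return findings

# Constructed sample data: three 64-byte "slices" standing in for CT pixel arrays.
KEY = b"constructed-demo-key-not-for-production"
ORIGINAL = [bytes([i]) * 64 for i in range(3)]
MANIFEST = sign_series(KEY, "1.2.3.constructed.study", ORIGINAL)

def demo():
    altered = list(ORIGINAL)
    altered[1] = altered[1][:30] + b"\xff\xff\xff\xff" + altered[1][34:]  # 4 bytes changed
    reordered = [ORIGINAL[2], ORIGINAL[1], ORIGINAL[0]]
    return (verify_series(KEY, MANIFEST, ORIGINAL),
            verify_series(KEY, MANIFEST, altered),
            verify_series(KEY, MANIFEST, reordered),
            verify_series(KEY, MANIFEST, ORIGINAL[:2]))

if __name__ == "__main__":
    for result in demo():
        print(result or "intact")
```

Because a shared HMAC key lets any holder of the key produce valid tags, the verification side of a real system should hold only a public key.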
The Ben-Gurion researchers also demonstrated how the malware could be planted on hospital systems remotely via the internet or in person by someone who accesses the hospital’s computer system. Showing how easily the latter method could be used, one of the researchers was able to slip into a hospital and install the malware on the computer system in 30 seconds without any of the staff noticing. The hospital agreed to play the target but none of the staff were aware of the experiment.
The researchers developed the malware code to be dynamic and trainable until it could rapidly assess scans passing through a PACS network and in a fully automated fashion adjust and scale tumors on images to conform to a patient’s unique anatomy. Once on the hospital network, the malware could work independently of outside controllers, even finding and altering scans for specific patients.
The Washington Post pointed out that medical scans potentially could be altered to interfere in political elections. For instance, when Hillary Clinton stumbled and coughed during her presidential campaign, it generated widespread rumors that she wasn’t healthy enough to serve, even after doctors confirmed that she was simply recovering from a bout of pneumonia. Had hackers been able to alter her medical images to show fake lung cancer nodules, rumors that she was seriously ill may have carried more weight than conspiracy theorists were able to give them.
Likewise, a patient who is seriously ill could be deprived of medical treatment if their medical images were manipulated to erase signs of disease.
According to The Washington Post, the malware can also run through the image database and manipulate scans randomly to create chaos and mistrust in a hospital’s system.