As part of an experiment to prove how damaging a malware attack could be, researchers launched a virus in a hospital’s radiology department that was able to alter CT lung scans in such a way that radiologists repeatedly misdiagnosed lung cancer and other lung diseases.
The malware attack, as designed by researchers at the Ben-Gurion University Cyber Security Research Center in Israel, took advantage of vulnerabilities in a hospital’s PACS (picture archiving and communication system), which uses encryption software to protect data. The researchers found a weakness in the encryption process that allowed them to modify 70 scans, the Washington Post reported. They used machine learning to train the malware to “rapidly assess scans passing through a PACS network and to adjust and scale fabricated tumors to conform to a patient’s unique anatomy and dimensions to make them more realistic,” the Post wrote.
Additionally, to demonstrate how an attack could happen, the researchers videotaped themselves entering a radiology department and connecting their malicious device to the radiology department’s network in just 30 seconds. All of this was done with the hospital’s permission.
For this blind study, which used 70 scans altered by malware, trained and experienced radiologists diagnosed cancer 99 percent of the time on scans with fabricated cancerous nodules. And in cases where the malware removed real cancerous nodules from scans, the radiologists said those patients were healthy 94 percent of the time.
The implications of this experiment are broad, both from a patient harm perspective—healthy patients could be sent for chemotherapy and radiation while patients with cancer could go without needed treatment based on the falsified reports—and from a security standpoint. Even well-intentioned hackers had a relatively easy time inflicting chaos.
The researchers stressed that even though their experiment targeted lung scans, the same process could work for brain tumors, heart disease, blood clots, spinal injuries, bone fractures, ligament injuries, and arthritis. What’s more, other bad actors could target diagnostic results for specific individuals (such as politicians or celebrities) if they’re known to be seeking care at a given facility.
Preventing these types of attacks is “going to require changes that go well beyond devices, but changes with regards to the network infrastructure,” Suzanne Schwartz, MD, the Food and Drug Administration’s associate director for Science and Strategic Partnerships, told the Washington Post. “This is where engaging and involving with other authorities and trying to bring the entire community together becomes really important.”