Malware researchers at Ben-Gurion University of the Negev (BGU) are warning medical imaging device (MID) manufacturers and healthcare providers to become more diligent in protecting medical imaging equipment from cyber threats.

In their new paper, “Know Your Enemy: Characteristics of Cyber-Attacks on Medical Imaging Devices,” the researchers demonstrate the relative ease of exploiting unpatched medical devices, such as computed tomography (CT) and magnetic resonance imaging (MRI) machines, many of which they say do not receive ongoing security updates. Consequently, an attacker can compromise the computer that controls the CT device, causing the CT to emit high rates of radiation that can harm the patient and cause severe damage. Attackers can also block access to MIDs or disable them altogether as part of a ransom attack, which has already occurred worldwide.

The study is part of a larger-scale research project known as Cyber-Med, which was initiated by Dr. Nir Nissim, head of BGU’s Malware Lab unit. Cyber-Med aims to develop security mechanisms for medical device ecosystems, including implanted pacemakers, robotic surgeon systems, medical information systems and protocols, ICU medical devices and MIDs. In recent years, MIDs are becoming more connected to hospital networks, which make them vulnerable to sophisticated cyberattacks that can target a device’s infrastructure and components as well as fatally jeopardize a patient’s health and the hospital system’s operations.

Dr. Nir Nissim says that CTs and MRI systems are not well designed to thwart attacks.

He has been simulating MID cyberattacks together with his MSc student Tom Mahler. Mahler is part of the Malware Lab’s team, which conducted the research under the supervision of Dr. Nir Nissim,  Prof. Yuval Elovici, director of Cyber at BGU, and Prof. Yuval Shahar, director of BGU’s Medical Informatics Research Center.

Dr. Nir Nissim adds that the MID development process, from concept to market, takes three to seven years. He says cyber threats can change significantly over that period, which leaves medical imaging devices highly vulnerable.

The study, conducted in collaboration with Clalit Health Services, Israel’s largest health maintenance organization, included a comprehensive risk analysis survey based on the Confidentiality, Integrity and Availability risk model, which addresses information security within an organization. Researchers targeted a range of vulnerabilities and potential attacks aimed at MIDs, medical and imaging information systems, and medical protocols and standards. While they discovered vulnerabilities in many of the systems, they found that CT devices face the greatest risk of cyberattack due to their pivotal role in acute care imaging.

The simulated cyberattacks revealed four dangerous outcomes:

1. Disruption of scan configuration files − By manipulating these files, an attacker can install malware that controls the entire CT operation and puts a patient at great risk. 
2. Mechanical MID motor disruption – Medical imaging devices have several components with mechanical motors, including the bed, scanner and rotation motors, which receive instructions from a control unit, such as the host computer. If malware infects the host computer, an attack on the motors can damage the device and injure a patient.
3. Image results disruption − Because a CT sends scanned results connected to a patient’s medical record via a host computer, an attack on that computer could disrupt the results, requiring a second exam. A more sophisticated attack may alter results or mix up a transmission and connect images to the wrong patient.
4. Ransomware − This malware encrypts a victim’s files and demands a ransom to decrypt them. The WannaCry attack, which affected more than 200,000 devices in more than 150 nations in May 2017, directly infected tens of thousands of US and UK hospital devices, including MRIs.

Mahler says that in cases where even a small delay can be fatal, or where a dangerous tumor is removed or erroneously added to an image, a cyberattack could be fatal but strict regulations make it difficult to conduct basic updates on medical computers, and merely installing anti-virus protection is insufficient for preventing cyber-attacks.

BGU Malware Lab researchers are working on new techniques to secure CT devices based on machine learning methods. The machine-learning algorithm analyzes the profile of the patient being scanned as well as many additional operational parameters of the CT itself, and produces an anomaly detection model based on a clean CT machine. Once the machine is infected, the detection model can identify the change in its behavior and its operational parameters and alert the administrator accordingly. 

In future research, Nissim and his team will conduct nearly two dozen attacks to further uncover vulnerabilities and propose solutions to address them. They are interested in collaborating with imaging manufacturers or hospital systems for in situ evaluation.