Researchers Show How Hackers Can Dupe Radiologists and A.I. Software

April 3, 2019

Hackers can access a patient’s 3-D medical scans to add or remove malignant lung cancer, and overwhelmingly deceive both radiologists and artificial intelligence algorithms used to aid diagnosis, according to a new study published by Ben-Gurion University of the Negev cybersecurity researchers.

A 3-D CT (computerized tomography) scan combines a series of X-Ray images taken from different angles around the body and uses computer processing to create cross-sectional images (slices) of the bones, blood vessels and soft tissues. CT scan images provide more detailed information than standard X-Rays, and are used to diagnose cancer, heart disease, infectious diseases, and more. An MRI (magnetic resonance imaging) scan is similar, but uses powerful magnetic fields to diagnose bone, joint, ligament, and cartilage conditions.

Malicious attackers can tamper with the scans to deliberately cause a misdiagnosis for insurance fraud, ransomware, cyberterrorism, or even murder. Attackers can even automate the entire process in a malware which can infect the hospital’s network.

“Our research shows how an attacker can realistically add or remove medical conditions from CT and MRI scans,” says Dr. Yisroel Mirsky, lead researcher in the BGU Department of Software and Information Systems Engineering (SISE), project manager and cybersecurity researcher at BGU’s National Cyber Security Research Center. “In particular, we show how easily an attacker can access a hospital’s network, and then inject or remove lung cancers from a patient’s CT scan.”

The attacker has full control over the number, size and locations of the cancers while preserving the same anatomy from the original, full resolution 3-D image. This is a significant threat since 3-D medical scans are considered to provide more definitive evidence than preliminary 2-D X-Rays.

To demonstrate the feasibility of the attack, with permission, the researchers broke into the network of an actual hospital and intercepted every scan taken by a CT scanner.
“The scans were not encrypted because the internal network is usually not connected to the internet. However, determined intruders can still gain access via the hospital’s Wi-Fi or physical access to the infrastructure,” Dr. Mirsky says. “However, these networks are now being connected to the internet as well, which enables attackers to perform remote attacks.”

To inject and remove medical conditions, the researchers used a deep learning neural network called a generative adversarial network (GAN). GANs have been used in the past to generate realistic imagery, such as portraits of non-existent people. The researchers showed how a 3-D conditional GAN can be used to efficiently manipulate high resolution 3-D medical imagery. The architecture (CT-GAN) uses two of these GANs: one trained to inject cancer and the other trained to remove cancer.

The BGU researchers verified the attack effectiveness by training CT-GAN to inject/remove lung cancer using free medical imagery off the internet. They hired three radiologists to diagnose a mix of 70 tampered and 30 authentic CT scans.

When the scans of healthy patients were injected with cancer, the radiologists misdiagnosed 99 percent of them as being malign. When the algorithm removed cancers from actual cancer patients, the radiologists misdiagnosed 94 percent of the patients as being healthy. After informing the radiologists of the attack, they still could not differentiate between the tampered and authentic images, misdiagnosing 60 percent of those with injections, and 87 percent of those with removals.

“In addition to the radiologists, we also showed how CT-GAN is an effective adversarial machine learning attack,” Dr. Mirsky says. “Consequently, the state-of-the-art artificial intelligence lung cancer screening tools, used by some radiologists, are also vulnerable to this attack.”

The researchers proposed some immediate countermeasures which can mitigate most of the threat. One solution is to enable encryption between the hosts in the hospital’s radiology network. In addition, some hospitals can enable digital signatures so that their scanners sign each scan with a secure mark of authenticity. If this approach is followed, then administrators should ensure that proper signatures are being used and that the end devices are correctly verifying these signatures.

“Another method for testing the integrity of the images is to perform digital watermarking (DW), the process of adding a hidden signal into the image such that tampering corrupts the signal and thus indicates a loss of integrity,” Dr. Mirsky says. “Unfortunately, the vast majority of medical devices and products currently do not implement DW techniques.”

Other researchers that participated in the study include: Prof. Yuval Elovici, Ph.D., director of the Telekom Innovation Labs@BGU, director of Cyber@BGU; Tom Mahler, Ph.D. candidate and researcher in Cyber@BGU, and a member of the BGU SISE; and Prof. Ilan Shelef, M.D., Ph.D., director of the imaging department in Soroka University Medical Center and a member of the BGU Faculty of Health Sciences.

You must login or register in order to post a comment.

ON DEMAND: DevSecOps creates an environment of shared responsibility for security, where AppSec and development teams become more collaborative. With the right training and tools, developers can become more hands-on with security and, with that upskilling, stand out among their peers... however, they need the security specialists on-side, factoring them into securing code from the start and championing this mindset across the company.

ON DEMAND: The insider threat—consisting of scores of different types of crimes and incidents—is a scourge even during the best of times. But the chaos, instability and desperation that characterize crises also catalyze both intentional and unwitting insider attacks. Learn how your workers, contractors, volunteers and partners are exploiting the dislocation caused by today's climate of Coronavirus, unemployment, disinformation and social unrest.

Security Magazine

2020 September

This month in Security magazine, we bring you our 2020 Most Influential People in Security annual report, where we highlight 22 industry leaders, their path to security, careers, goals and guidance for future security professionals. Industry experts discuss the evolution of ransomware, houses of worship security, cybersecurity standards, security careers in investigations and the unifying power of security. Diane Ritchey, past Editor-in-Chief, says goodbye and thank you to our readers.

View More Create Account

Researchers Show How Hackers Can Dupe Radiologists and A.I. Software

Related Articles

Related Products

Related Events

Report Abusive Comment