Hackers Can Add, Remove Cancer From CT Scans: Researchers
In the latest example of security issues that can result from the proliferation of Internet-facing medical devices, a team of security researchers from two Israeli universities has discovered that it is possible for threat actors to manipulate the 3D images generated during a Computer Tomography (CT) scan using custom malicious software (malware).
The researchers developed malware that uses machine learning to either add signs of cancer to scan results of healthy patients, or to remove such signs from scans of actual cancer patients. When radiologists were presented with both authentic and manipulated scans, they failed to correctly diagnose 99% of scans injected with signs of cancer, and 94% of scans from which cancer had been removed. When researchers told them about the malware, radiologists still misdiagnosed 60% and 87% of scans, respectively.
The malware could be delivered to the CT scanners in three ways. First, hackers could directly target Internet-facing servers used to store scan results. Secondly, they could target scanners after first compromising the Internal network of a medical institution. Thirdly, attackers with physical access to a scanner could attach a small device to it, which would launch the attack.
The researchers propose various potential motivations for the uncovered attack, such as stealing someone’s job, manipulating elections, falsifying research, earning money by holding data hostage, insurance fraud, murder and terrorism.