Scary Hacking Threat: Editing X-Ray Images to Add or Remove Cancer | News & Opinion
Hackers trying to steal your data is one thing, but what if they tried to trick your doctors into thinking you had cancer? Or fooled them into ignoring it?
It's a ruse that's not as far-fetched as you might think. Security researchers in Israel recently duped real doctors into misdiagnosing patients by hacking a hospital X-ray scanning machine and altering the images it produced.
"In particular, we show how easily an attacker can access a hospital's network, and then inject or remove lung cancers from a patient's CT scan," Yisroel Mirsky, a researcher at Ben-Gurion University's National Cybersecurity Research Center, said in a statement.
Mirsky and his colleagues demonstrated the attack by getting the permission of a local hospital to secretly break in and hack a Computerized Tomography (CT) scanning machine. To pull off the attack, the researchers created a USB-to-Ethernet device, which can be connected to a hospital workstation to secretly take over a CT machine.
Three radiologists were then hired to examine the edited images. "When the scans of healthy patients were injected with cancer, the radiologists misdiagnosed 99 percent of them as being malign. When the algorithm removed cancers from actual cancer patients, the radiologists misdiagnosed 94 percent of the patients as being healthy," the researchers said.
Editing the X-rayed images involved more than just Photoshop. The researchers used AI-powered computer algorithms to automatically add or remove medically accurate cancerous growths to images taken over the CT machine.
The edited images were so accurate the radiologists and their own AI-assisted tools still had trouble diagnosing the patients when told the images had been doctored. "They still could not differentiate between the tampered and authentic images, misdiagnosing 60 percent of those with injections, and 87 percent of those with removals," the researchers said.
The theoretical attack has the potential to unleash mayhem in a number of ways. "Consider the following scenario: an individual or state adversary wants to affect the outcome of an election. To do so, the attacker adds cancer to a CT scan performed on a political candidate," the researchers wrote in a paper about their findings. "After learning of the cancer, the candidate steps down from his or her position. The same scenario can be applied to existing leadership."
In a worst-case scenario, the same attack could lead to someone's death by fooling doctors into thinking they're healthy, when they actually need immediate treatment. The attack could also be used to generate money by perpetrating fraudulent health insurance claims.
"Another scenario to consider is that of ransomware: An attacker seeks out monetary gain by holding the integrity of the medical imagery hostage. The attacker achieves this by altering a few scans and then by demanding payment for revealing which scans have been affected," their paper says.
The researchers published their findings to call attention to vulnerabilities in CT and MRI machines at a time when hospitals and clinics remain major targets for hackers, since medical records can be hugely valuable to cybercriminals wishing to commit identity theft or extortion.
It doesn't help that some archiving systems for CT and MRI machines can be exposed to the internet, whether intentionally or accidentally, opening the door for hackers to get in, the researchers wrote. Another way to break in is by hacking a hospital's Wi-Fi hotspots to gain entry into the internal network.
Using encryption to protect the data between X-ray-scanning machines and hospital workstations could help address some of the threat. But researchers also recommend hospitals use digital signatures and watermarking on the X-rayed images as a way to verify their authenticity.
Gloss