Two new studies being presented this week at the annual meeting of the Radiological Society of North America (RSNA) address the potential risk of cyberattacks in medical imaging.
The Internet has been highly beneficial to healthcare: improving access in remote areas, allowing for faster and better diagnoses, and vastly improving the management and transfer of medical records and images. However, increased connectivity can lead to increased vulnerability to outside interference.
Researchers and cybersecurity experts have begun to examine ways to mitigate the risk of cyberattacks in medical imaging before they become a real danger.
Medical imaging devices, such as X-ray, mammography, MRI and CT machines, play a crucial role in diagnosis and treatment. As these devices are typically connected to hospital networks, they can be potentially susceptible to sophisticated cyberattacks, including ransomware attacks that can disable the machines. Due to their critical role in the emergency room, CT devices may face the greatest risk of cyberattack.
In a study presented at the RSNA meeting on November 27, researchers from Ben-Gurion University of the Negev in Beer-Sheva, Israel, identified areas of vulnerability and ways to increase security in CT equipment. They demonstrated how a hacker might bypass security mechanisms of a CT machine in order to manipulate its behavior. Because CT uses ionizing radiation, changes to dose could negatively affect image quality, or—in extreme cases—pose harm to the patient.
For anomaly detection, the researchers developed a system using various advanced machine learning and deep learning methods, with training data consisting of actual commands recorded from real devices. The model learns to recognize normal commands and to predict if a new, unseen command is legitimate or not. If an attacker sends a malicious command to the device, the system will detect it and alert the operator before the command is executed.
Previous efforts in this area have focused on securing the hospital network. The Ben-Gurion researchers' solution is device-oriented and is designed to be the last line of defense for medical imaging devices.
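A small sketch of the device-side check described above, added here as an illustration and not the researchers' system: a learned-range baseline stands in for their machine learning models, and the command names and fields (`SET_SCAN`, `MOVE_TABLE`, `kvp`, `ma`, `mm`) are hypothetical. Commands are checked before execution, and anything outside the learned baseline is blocked and reported to the operator.

```python
# Constructed sample of normal commands; op names and fields are hypothetical
# stand-ins for commands recorded from a real device.
NORMAL = [
    {"op": "SET_SCAN", "kvp": 120, "ma": 200}, {"op": "SET_SCAN", "kvp": 100, "ma": 180},
    {"op": "SET_SCAN", "kvp": 140, "ma": 250}, {"op": "SET_SCAN", "kvp": 120, "ma": 220},
    {"op": "MOVE_TABLE", "mm": 5}, {"op": "MOVE_TABLE", "mm": 10},
]

def train(commands):
    """Learn, per op and field, the (min, max) range seen in normal traffic."""
    model = {}
    for cmd in commands:
        fields = model.setdefault(cmd["op"], {})
        for name, val in cmd.items():
            if name == "op":
                continue
            lo, hi = fields.get(name, (val, val))
            fields[name] = (min(lo, val), max(hi, val))
    return model

def check(model, cmd, margin=0.25):
    """Return the reasons a command deviates from the baseline ([] = normal)."""
    op = cmd.get("op")
    if op not in model:
        return [f"unknown op {op!r}"]
    params = {k: v for k, v in cmd.items() if k != "op"}
    reasons = [f"missing field {n}" for n in sorted(model[op].keys() - params.keys())]
    for name, val in sorted(params.items()):
        if name not in model[op]:
            reasons.append(f"unexpected field {name}")
            continue
        lo, hi = model[op][name]
        pad = (hi - lo) * margin  # tolerance around the learned range
        if not isinstance(val, (int, float)) or not lo - pad <= val <= hi + pad:
            reasons.append(f"{name}={val!r} outside learned range {lo}..{hi}")
    return reasons

def gate(model, cmd, execute, alert):
    """Run the command only if it looks normal; otherwise alert and block it."""
    reasons = check(model, cmd)
    if reasons:
        alert(cmd, reasons)  # operator is told before anything is executed
        return False
    execute(cmd)
    return True
```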
A second study, from University Hospital Zurich, to be presented November 28, looked at the potential to tamper with mammogram results. The researchers trained a cycle-consistent generative adversarial network (CycleGAN), a type of artificial intelligence application, on 680 mammographic images from 334 patients, to convert images showing cancer to healthy ones and to do the same, in reverse, for the normal control images. They wanted to determine if a CycleGAN could insert cancer-specific features into mammograms, or remove them, in a realistic fashion.
The images were presented to three radiologists, who reviewed the images and indicated whether they thought the images were genuine or modified. None of the radiologists could reliably distinguish between the two.
Neural networks such as CycleGAN are not only able to learn what breast cancer looks like; they can also insert these learned characteristics into mammograms of healthy patients, or remove cancerous lesions from the image and replace them with normal-looking tissue.
Dr. Anton Becker, radiology resident at University Hospital Zurich, anticipates that this type of attack won’t be feasible for at least five years and said patients shouldn’t be concerned right now. Still, he hopes to draw the attention of the medical community, and hardware and software vendors, so that they may make the necessary adjustments to address this issue while it is still theoretical.
The risk of cyberattacks against hospitals, and the disruption that cybercriminals can cause to medical systems and devices, was demonstrated by last year’s WannaCry ransomware attack, which took some hospital IT systems down for weeks.
And the October 2018 report from the US Department of Health and Human Services’ Office of the Inspector General said the US Food and Drug Administration (FDA) is not doing enough to prevent medical devices from being hacked. The report came after the inspector general’s office identified cybersecurity in medical devices as one of the top management problems for Health and Human Services.
The report found that “the FDA had plans and processes for addressing certain medical device problems in the postmarket phase, but its plans and processes were deficient for addressing medical device cybersecurity compromises”.
In April 2018, the FDA published its Medical Device Action Plan that outlines plans to protect the safety of medical devices. It details both pre- and postmarket phases to address the risk of cybersecurity threats.