The group, led by Yisroel Mirsky, PhD, from Ben-Gurion University, created the malware to highlight the need to improve cybersecurity standards for CT and MRI equipment, such as by encrypting hospital PACS networks and digitally signing all images.
"There are very strict rules about privacy and medical records," Mirsky said in a statement to the Post. "But what happens within the [hospital] system itself, which no regular person should have access to in general, they tend to be pretty lenient [about]. It's not ... that they don't care. It's just that their priorities are set elsewhere."
The malware relies on a generative adversarial network (GAN), an AI machine-learning technique, to perform "in-painting" on 3D CT scans. This process essentially allows the malware to add fake lung nodules to a 3D CT scan or eliminate existing tumors from the scans automatically.
In a recent paper posted to arXiv.org and presented at RSNA 2018, Mirsky and colleagues described how they trained the malware on a dataset of 888 CT scans and then applied it to 70 3D CT scans. Three radiologists examined these 3D CT scans and misdiagnosed conditions for nearly every case -- incorrectly diagnosing lung cancer 99% of the time and incorrectly claiming that scans did not display tumors 94% of the time. The radiologists were then informed of the presence of malware and subsequently examined 20 additional CT scans, but they were only able to identify 40% of the altered scans.
The researchers conducted an additional test in which they attempted to install a fake version of the malware at a hospital in Israel (with the hospital's permission, but without letting the staff members know when and where the cyberattack would take place). The group was able to enter the radiology department and connect a device containing the sham malware within 30 seconds.
The study's findings have incited concern among industry experts, according to the Washington Post article. Many hospitals do not have the financial resources to invest in more secure equipment, or still have 20-year-old infrastructure that does not support the latest technologies required for better cybersecurity solutions, Dr. Suzanne Schwartz, associate director for the U.S. Food and Drug Administration (FDA) Science and Strategic Partnerships department, noted in response to the study.
"It's going to require changes that go well beyond devices, but changes with regards to the network infrastructure," she said. "This is where engaging and involving with other authorities and trying to bring the entire community together becomes really important."
Copyright © 2019 AuntMinnie.com