Cybersecurity researchers at Ben-Gurion University of the Negev say that medical imaging devices, such as CT scans, are vulnerable to cyber-threats, and manufacturers and healthcare providers must therefore be more diligent in protecting them.
During the years it takes to get MID machines from development to market, cyber-threats can change significantly, leaving the devices exposed, the researchers said.
In their paper, “Know Your Enemy: Characteristics of Cyber-Attacks on Medical Imaging Devices,” the researchers show how easy it is to exploit unprotected medical devices, such as computed tomography (CT) and magnetic resonance imaging (MRI) machines, many of which don’t get ongoing security updates.
As MIDs become more connected to hospital networks, they also become more vulnerable to sophisticated cyber-attacks. Attackers can easily penetrate the computers that control CT devices, causing the CT to emit high rates of radiation, which can harm the patient. Hackers can also block access to MIDs or disable them altogether as part of a ransom attack, something that has already happened worldwide, the researchers said.
The research was released ahead of the Cybertech Conference, which runs Monday through Wednesday in Tel Aviv. BGU is the academic partner of the event. The conference, said to be one of the biggest and most important cyber events in the world, draws thousands of guests including delegations from 80 countries.
The BGU cybersecurity experts predicted that attacks on MIDs will increase, as attackers develop more sophisticated skills directed at these devices, the mechanics and software of which are often installed on outdated PCs.
“CTs and MRI systems are not well-designed to thwart attacks,” said lead author Dr Nir Nissim, the head of the Malware Lab at BGU’s Cyber Security Research Center. “The MID development process, from concept to market, takes three to seven years. Cyber-threats can change significantly over that period, which leaves medical imaging devices highly vulnerable.”
Researchers focused on a range of vulnerabilities and potential attacks aimed at MIDs, medical and imaging information systems and medical protocols and standards. While they discovered vulnerabilities in many of the systems, they found that CT devices face the greatest risk of cyber-attacks due to their key role in acute care imaging.
The simulated cyber-attacks conducted by the teams showed four dangerous outcomes: attackers were able to install malware that controls the entire CT operation and puts a patient at risk by manipulating the scan configuration files. They were also able to insert malware to infect the host computer, enabling them to attack the mechanical motors of the MIDs, including the bed, scanner and rotation motors, that get instructions from a control unit.
In addition, hackers could potentially disrupt the imaging results; because a CT sends scanned results connected to a patient’s medical record via a host computer, an attack on that computer could disrupt the results, requiring a second exam. And a more sophisticated attack may also be able to alter results or mix up a transmission and connect images to the wrong patient.
Hackers could also use malware to encrypt a victim’s files and demand a ransom to decrypt them. The WannaCry attack, which affected more than 200,000 devices in more than 150 nations in May 2017, directly infected tens of thousands of UK and US hospital devices, including MRIs.
“In cases where even a small delay can be fatal, or where a dangerous tumor is removed or erroneously added to an image, a cyber-attack can be fatal,” said Tom Mahler, who worked with Nissim on the project. “However, strict regulations make it difficult to conduct basic updates on medical PCs, and merely installing anti-virus protection is insufficient for preventing cyber-attacks.”
BGU cyber researchers said they were working on new solutions to secure CT devices based on machine learning. Their approach assumes a host PC is already infected with malware. So the machine learning algorithm developed by the team first looks at the profile of the patient who is being scanned, and then studies the outgoing commands before they reach the CT itself.
“The algorithms are able to ask the question: do these instructions match the requirements of the patient based on his profile; have I ever before seen such instructions given to this kind of patient?” Mahler said in a phone interview. If the instructions do not match previous such patient profiles that means they have been compromised, he explained.
“We haven’t yet published a paper on this approach,” Mahler said. “It is still a work in progress.”
In future research, Nissim and his team are planning to hold nearly two dozen attacks to further uncover vulnerabilities and propose solutions to address them. They said they are keen to work with imaging manufacturers or hospital systems to evaluate issues on site.
The study was held in collaboration with Clalit Health Services, Israel’s largest health service organization.