Cybersecurity Researchers Find Medical Imaging Devices at Risk

February 23, 2018

Cyberattacks on medical imaging devices such as CT and MRI devices are poised to become a major challenge for device manufacturers, according to researchers at Ben Gurion University of the Negev, Israel.

The number of CT and MRI machines is increasing rapidly worldwide and by 2020, they estimate in a new study, there will be nearly 2000 CT/MRI devices for every one million inhabitants in the 34 member countries of the Organization for Economic Cooperation and Development (OECD) of which the United States is a member.

The machines are all connected to digital hospital networks, making them vulnerable to network-related cyber threats.

The study’s lead author, Tom Mahler, a researcher at BGU’s Cyber Security Research Center, says that while the machines have improved the ability to diagnose and treat diseases, their vulnerability to hackers means they could also be used to harm or even kill patients.

Remote Changes

In order to scan a patient, a CT device emits radiation, and an attacker could “remotely change the radiation levels, causing radiation burns to the patient, or even death,” Mahler says. Hackers could also interfere with exam results. Manipulated results “could show a regular image of the brain without a tumor when the actual patient has a tumor,” and the patient will not get the correct diagnosis or treatment, he says.

There is also a risk of a ransomware attack like the WannaCry attack of May 2017. Although this attack did not directly target medical imaging devices, it did find its way into hospitals (IDDM, May 22, 2017).

The process of development and regulation of medical devices makes them particularly susceptible to attack. The study’s authors estimate that the time from concept to market for medical devices is three to seven years. In the rapidly-changing world of technology, the cyber threats directed toward the equipment when it finally goes to market will not be the same threats that the developers envisioned.

In addition, because of regulations regarding updates or changes to medical equipment, it is difficult to update device software, says Mahler. Hospitals cannot simply apply security patches to their computer systems when such patches are released. Instead, they must work with device manufacturers to test the patches and confirm that they will not affect the way the device works. This process takes time, during which the equipment remains vulnerable to hackers.

Dilemma for Regulators

“It’s a really big dilemma for regulators,” says Mahler, “because they need to make the regulation process quick enough to allow for regular software updates and security patches to be installed without compromising patient health and safety.”

There is still no product that can effectively protect patients from such attacks, says Mahler, but “there are best practice methods.” He cites the example of Israel’s Clalit Health Services, which has created secure hospital networks that are separated from the internet.

The host control PC is the most vulnerable component in the CT’s ecosystem, the researchers found, but common techniques for securing a computer, such as installing anti-virus protection, are insufficient for the prevention of cyber-attacks.

Mahler and colleagues are working on securing CT devices by using machine learning. The software would first learn the actual commands being sent to the CT’s gantry and would then detect any anomalies, blocking malicious commands before they arrive to the device. — Donna Scaramastra Gorman