Researchers reveal how hackers can manipulate AI-powered lung cancer scans

April 4, 2019

In a study published earlier this year, cybersecurity researchers at Ben-Gurion University of the Negev show how hackers can break into a patient’s 3-D medical scan and create a fake lung cancer diagnosis or remove a valid one, tricking both radiologists and the artificial intelligence algorithms used to diagnose cancer. Insurance fraud, ransomware, cyberterrorism, or even murder are some of the reasons why malicious attackers would create a phony diagnosis, the researchers said, adding that the attack can also be automated in malware that could end up infecting an entire health system network.

According to the study, the researchers were given permission to break into a hospital’s network and gain access to all scans performed with a CT scanner.

“The scans were not encrypted because the internal network is usually not connected to the internet. However, determined intruders can still gain access via the hospital’s Wi-Fi or physical access to the infrastructure,” said lead researcher Dr. Yisroel Mirsky in a press release from Ben-Gurion University. “However, these networks are now being connected to the internet as well, which enables attackers to perform remote attacks.”

Next, a generative adversarial network (GAN), a deep learning neural network that generates realistic imagery, was used to place or remove the cancers, with free medical imagery taken from the internet. A 3-D conditional GAN can efficiently manipulate high-resolution 3-D medical imagery. The architecture (CT-GAN) uses two of these GANs: one trained to inject cancer and the other trained to remove cancer.

Three radiologists were then asked to diagnose a large mix of real and phony CT scans. The results were disturbing: “When the scans of healthy patients were injected with cancer, the radiologists misdiagnosed 99 percent of them as being malign. When the algorithm removed cancers from actual cancer patients, the radiologists misdiagnosed 94 percent of the patients as being healthy. After informing the radiologists of the attack, they still could not differentiate between the tampered and authentic images, misdiagnosing 60 percent of those with injections, and 87 percent of those with removals.”

The researchers suggest hospitals use encryption between the hospital’s radiology network hosts as a possible solution, along with enabling digital signatures so that their scanners sign each scan with a secure mark of authenticity.

“Another method for testing the integrity of the images is to perform digital watermarking (DW), the process of adding a hidden signal into the image such that tampering corrupts the signal and thus indicates a loss of integrity,” Dr. Mirsky said in the release. “Unfortunately, the vast majority of medical devices and products currently do not implement DW techniques.”
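A minimal sketch of the fragile-watermark idea described above, added here as an illustration and not taken from the study or the press release. It assumes a secret HMAC key shared by the scanner and the verifier, unsigned 16-bit pixel values, and a per-slice scheme; the function names, key, and sample volume are hypothetical and constructed for the example.

```python
import hashlib
import hmac

MAC_BITS = 128  # watermark bits hidden in each slice (assumed size)

def _slice_mac_bits(key, index, pixels):
    """HMAC over the slice index and pixels; carrier pixels have their LSB cleared."""
    msg = index.to_bytes(4, "big") + b"".join(
        (p & ~1 if i < MAC_BITS else p).to_bytes(2, "big")
        for i, p in enumerate(pixels))
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    bits = int.from_bytes(digest, "big") >> (256 - MAC_BITS)
    return [(bits >> (MAC_BITS - 1 - i)) & 1 for i in range(MAC_BITS)]

def embed(key, volume):
    """Return a watermarked copy: MAC bits replace the LSBs of the first pixels."""
    marked = []
    for idx, pixels in enumerate(volume):
        out = list(pixels)
        for i, bit in enumerate(_slice_mac_bits(key, idx, pixels)):
            out[i] = (out[i] & ~1) | bit
        marked.append(out)
    return marked

def tampered_slices(key, volume):
    """Indices of slices whose hidden bits no longer match the recomputed MAC."""
    bad = []
    for idx, pixels in enumerate(volume):
        expected = bytes(_slice_mac_bits(key, idx, pixels))
        found = bytes(p & 1 for p in pixels[:MAC_BITS])
        if not hmac.compare_digest(expected, found):
            bad.append(idx)
    return bad

# Constructed sample: 4 slices of 16x16 values (not real CT data).
SAMPLE = [[(1000 + 7 * z + 3 * i) % 4096 for i in range(256)] for z in range(4)]
KEY = b"demo-key-for-illustration-only"  # placeholder key

if __name__ == "__main__":
    marked = embed(KEY, SAMPLE)
    print("clean scan:", tampered_slices(KEY, marked))
    marked[2][200] += 40  # simulate a local pixel edit in slice 2
    print("after edit:", tampered_slices(KEY, marked))
```

Binding the slice index into the MAC means reordered or substituted slices fail verification as well as edited ones. The embedding changes each carrier pixel by at most one intensity level.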