Hospitals, Hacks and Medical Safety
December 4, 2018
Inside Science – Last year, a malicious piece of blackmail software called WannaCry swept the world, using a stolen National Security Agency hacking tool to infect computers, encrypt their files and demand bitcoin ransoms of hundreds of dollars or more per computer.
Now, researchers from Ben-Gurion University of the Negev are reporting that hospitals may be vulnerable to cyberattacks that could go further than financial fallout and place patients’ health at risk by targeting medical imaging machines.
At the Radiological Society of North America conference that took place in Chicago last week, the researchers warned that as hospital machines become increasingly connected to the internet, they become more susceptible to cyberattacks, which often ask for high payouts to unlock the hospital’s systems.
The BGU team was able to hack a computed tomography (CT) machine and control the machine’s behavior without the knowledge of the doctor or technician, making it possible to surreptitiously increase a patient’s exposure to X-rays, an ionizing beam of radiation that can damage DNA and induce cancer growth.
While there is no evidence any medical scanner has ever been hacked in such a way, the attack demonstrates the potential susceptibility of medical imaging devices to cyberattacks, said Tom Mahler, first author of the paper and a Ph.D. candidate in cyber security at Ben-Gurion University.
“CT devices are really the workhorse of the hospital in terms of imaging,” Mahler said, so if the machine were compromised, it could delay hospital operations or deliver higher doses of radiation to patients without the doctor or technician knowing.
He also noted that like the WannaCry attack, it’s possible that a hacker could attack many devices at one time, effectively shutting down a hospital’s operations and risking patient lives in the process.
“It’s not only theoretically possible,” Mahler said. “It has happened.”
Mahler and his team suggest a protection for CT machines that would involve an algorithm to monitor the requests from the doctor or technician to the machine and would flag any requests that looked suspicious.
Sam Levin at Independent Security Evaluators, a security consulting firm headquartered in Baltimore, Maryland, said this method of protection is like having a third person in the room monitoring activity that the technician at the computer wouldn’t be able to see.
“That is something that we are seeing in a lot of different industries,” he said, “so it being applied to the medical industry is just the next step, and I think a good one.”
Mahler said there is still a lot of research to be done before an algorithm like the one he is working to create could be implemented — software additions and changes to medical devices have to be adopted by medical device companies and, in the U.S., approved by the Food and Drug Administration.
But Levin speculated that in the future, it would be possible to have software on a medical imaging machine that would constantly update as it learns about new susceptibilities. This could continue to protect the device even as hackers develop new lines of attack.