Cyberattacks in Medicine: Is Radiology the Weakest Link?

Ingrid G. Hein


January 30, 2019

Cybersecurity in radiology is a concern, informatics experts warn. With health networks and patient information increasingly digitized and networked, the potential for damage by hackers is tremendous, and imaging is especially vulnerable, they say.

According to research presented at the 2018 Radiological Society of North America (RSNA) meeting and experts interviewed by Medscape, hackers could potentially wreak havoc by taking control of machines that use ionizing radiation. Advancing artificial intelligence could scan through a network's database of images, altering mammograms or prostate scans and potentially causing chaos. Malware can lie dormant and cause a misdiagnosis of a prominent figure at the most opportune moment for cybercriminals.

After the widespread WannaCry ransomware attack in 2017, estimated to have affected more than 200,000 computers across 150 countries running the Microsoft Windows operating system and caused damages in the billions of dollars, it became evident that organizations running computers with networked devices need vigorous upgrading and security.

"The weakest link is still the healthcare employee duped by a 'phishing attack,' " Nabile M. Safdar, MD, MPH, associate chief medical information officer and vice chair of informatics at Emory University in Atlanta, Georgia, told Medscape.

Since WannaCry, there has been a lot more emphasis on getting system patches up to date, "but we still see Windows XP and 2008 servers running out there," he noted. These systems are networked with telemetry machines, IV pumps, and CT scanners, and the old systems are generally not updated. "We've still got a long ways to go, and a lot of vulnerable systems," Safdar said, adding that it's been clear that white hat hackers (those who hack to test security vulnerabilities) can get in pretty easily. "Patient records could be made available to the highest bidder."

Safdar recommends frequent security audits—checking all the networks, hardware and software, but also talking to all members of the organization so everyone understands they have a role to play. People who are sloppy, sharing passwords, and disgruntled employees contribute to the risk, he added.

Health for Ransom

The concern for cyber security in health has evolved quickly. "Our patients are increasingly at risk from cyber crime," James Whitfill, MD, chief medical officer, Innovation Care Partners, Scottsdale, Arizona, told Medscape. Increasingly called upon to discuss cyber security in imaging, Whitfill talks frankly about the inevitability of threats to the system. "For now, it's the data that is being held for ransom, but in future, people may be held for ransom...and that means even more [cyber crime] money to be made," he warned.

Numerous devices attached to or implanted in patients are potentially hackable. An infusion pump or a cardiac defibrillator can be hacked. In the WannaCry attack, power injectors that inject contrast indications were impacted. Most current security systems are vulnerable because they depend on humans not making errors.

Whitfill cautions that the cheap, easy route of using more software to manage longer passwords that are harder to crack can backfire because it creates difficulty for the people using the technology. "More upper and lower case letters and numbers are harder to remember, so more people write [passwords] down."

A better approach is to modify the security level, depending on where someone is logging in from. "If they're coming from a protected area, like the ICU in the hospital, maybe we don't need the same level of security as someone logging in from an unfamiliar computer or from Romania," he said. "We see a lot of one size fits all systems."

He is in favor of biometrics, face recognition, fingerprints, and new systems that can recognize the rhythm of a person's typing patterns, but cautions that these are emerging technologies. "The problem is, we have so few resources. Security is underfunded in general."

Whitfill notes that most organizations that have a breach don't talk about it because they don't want the bad publicity. "But because we don't share the problems, everyone tackles them on their own."

He acknowledges that vendor accountability is part of the equation, but charges institutions to ask what they are doing for cybersecurity beyond creating policies. "Are we working to test our systems? Looking for vulnerabilities? We need multiple levels of protection to keep our patients safe."

Security Leaks Inevitable

Security is mired in policy and procedures, prone to being neglected. "Why aren't they updated? It's not because nobody cares; I'd like to believe most of them are aware," Tom Mahler, a PhD candidate, Ben-Gurion University of the Negev, Israel, told Medscape after his presentation on cybersecurity at the 2018 RSNA meeting.

Installing updates is a hassle in most big institutions, bogged down with policy. Often, it means passing a series of strict regulations. "These are very good, they keep us safe, but if you make a change, you have to pass the tests again, so it's expensive and time consuming." He said that, with updates and security patches being issued every month, it's difficult to keep up.

What's more, buying new security-laden devices is expensive. "It's not as if we buy a new CT machine every year," Mahler added. These expensive machines can be in service for 15 to 20 years or more. "But after a number of years, the manufacturer doesn't always continue updating their software, because there's a newer device."

Can Radiologists Spot AI-doctored Images?

A team from Switzerland presented research at the 2018 RSNA meeting that questioned whether radiologists would be able to tell if a database of images had been hacked and altered by an artificial intelligence (AI).[1]


They took 680 mammograms from a public dataset and pitted two neural networks against each other by creating an "adversarial network" that progressively taught itself how to remove or add cancerous features to mammograms until they looked convincing. The result was 362 healthy mammographic images that now had cancer features and 318 mammograms with cancer features that now looked healthy.

When presenting the altered images to three radiologists (5 years and 3 years of experience and a resident), none could reliably detect the real images from those modified by the AI (CycleGAN AUC 0.50-0.66).

This type of hack is becoming increasingly probable, radiology resident Anton S. Becker, MD (University Hospital Zurich, Switzerland), who led the study, told Medscape. If a health network was hacked, this type of system could sit dormant and strike at the most opportune time, such as during an election or just before an initial public offering.

"Imagine if you infected another nation's devices; change maybe every hundredth or twentieth image, which would cause mass misdiagnosis, economically damaging the nation and undermining trust in the health care system." Becker admits that this type of attack is still unlikely for several years to come, "but we need to be ready; to see it coming," he warned.

Leveraging AI as a Second Line of Defense

In another presentation at the 2018 RSNA meeting,[2] Mahler proposed leveraging AI for good to detect hackers and stop further damage.

His team built an "anomaly detection" system using AI. It assumes that a computer is always getting hacked, so it's constantly on the lookout for strange activity on the CT scanner and immediately issues an alert. In a proof-of-concept study, they used a database of 3370 CT scans to train the AI to identify patterns and structures associated with about 60 CT protocols.

"You may do your best blocking hackers, but if you still fail, you want another line of defense," Mahler said. "With further development, eventually, this could detect an unknown command passing through the system so we can stop it."

Could Blockchain Technology Help?

Another way of protecting images from being vulnerable to AI is blockchain—known mostly for its application with bitcoin. Blockchain is simply a technology that ensures that a database records information but does not change it. Using blockchain on health records would mean that "patients can be sure that data is what was intended, and never changed," Morgan McBee, MD, pediatric radiology and imaging informaticist at the Medical University of South Carolina in Charleston, explained to Medscape.

McBee said that blockchain could provide better security and is becoming a viable option. "There has been some buzz about blockchain on the vendor side," including machine learning on a blockchain and blockchain as a distribution method. "But I don't know of any large scale implementations."

He said there is a definite threat emerging in radiology. "If somebody would take over a CT scanner now, with all these devices we have on the internet... there is a risk of cranking the radiation: that's a scary proposition."

But CT scanners aren't the only potential risk. "A lot of hospitals have been outsourcing their IT, and radiology departments are trying to get out of IT," he noted. Trust is being put in external organizations. For other enterprise imaging, including dermatology, pictures of lesions, cardiology with echo cardiograms, ophthalmology images, and ultrasound, "everyone is storing images in a central repository which is great. This can foster better patient care, and collaboration—but," he warns, "there's also a security risk." Instead of having seven different systems to hack into you have a single one to attack.

"That's a concern."

Should Radiology Take the Lead?

With all the risk, McBee said blockchain could definitely be a useful technology to help, "but it certainly won't solve all our problems."

Hackers will look for the lowest hanging fruit in the healthcare space, Safdar warns. He believes that radiology needs to lead when it comes to security because it is one of the more savvy and technical specialist departments in hospitals—"the ones with a lot of software and a lot of devices—a very good reason to lead. There's a unique opportunity here to show how important this is."

Dr Whitfill serves as chief medical officer for Scottsdale Health Partners and president of Lumetis, LLC. Drs McBee, Becker, and Safdar and Mr Mahler reported no relevant financial disclosures.

