CyberWire Daily - Deep Learning threatens 3D medical imaging integrity. [Research Saturday]
Episode Date: April 27, 2019

Researchers at Ben Gurion University in Israel have developed techniques to infiltrate medical imaging system networks and alter 3D medical scans within, fooling both human and automated examiners with a high rate of success. Yisroel Mirsky is a cybersecurity researcher and project manager at Ben Gurion University, and he joins us to share what his team discovered. The original research can be found here: https://arxiv.org/pdf/1901.03597.pdf A video demonstrating the exploit is here: https://youtu.be/_mkRAArj-x0
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities and solving some of the hard problems of
protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
Well, we're doing some research in our labs in the domain of medical security. So that is,
you know, security of networks here and devices, and that you would find in hospitals and other healthcare institutions.
That's Yisroel Mirsky. He's a cybersecurity researcher and project manager at Ben-Gurion
University. The research we're discussing today is titled CTGAN,
Malicious Tampering of 3D Medical Imagery Using Deep Learning.
At the outset of this research, we took a look at the possible attack vectors and enumerated all the different kinds of attacks and motivations that an attacker would have on
attacking healthcare.
And one of the subjects that we identified was altering medical scans.
So that's the first one, or not one of the first ones, but it was one of the ones that
we looked into.
So you decide that this is an area that you're going to look into.
Where do you begin?
Well, the very first step was to understand what a doctor would look at. And we had several
different use cases of what kind of medical scans we'd like to target and identify if it were
possible to alter, just as an initial use case to see if it's possible to do this attack on other
kinds of medical scans. So the first one that I took a look at was lung cancer.
And the typical way of analyzing and diagnosing lung cancer is through CT scans.
And so did you begin by looking at existing CT scans?
I understand you did some machine learning training with existing images.
Is that correct?
Yes, that's correct.
So basically, I mean, I think what I'll do is I give a little bit of
background and then I'll jump right into the threat. So basically, MRIs and CT scanners are
used throughout the healthcare industry for diagnosing many different kinds of medical
conditions. So for example, MRIs are used to diagnose issues with bone, joints, ligaments,
cartilage, and herniated discs, and these kinds of problems, whereas CT scans are used to diagnose cancer, heart disease, and so on and so forth.
These systems are connected to networks called PACS, which are basically regular Ethernet networks.
PACS stands for Picture Archive Communication Systems.
And just like any other Ethernet network or any other computerized network, they're all vulnerable to attacks.
And as part of our research, actually, we took a look at different hospitals in our country.
And we also spoke to different experts from the United States as well who are dealing with these systems.
And we found that they all have similar vulnerabilities.
In most cases, they're separated from the Internet.
So an attacker can't necessarily directly connect to it from the internet. But much to our surprise, with a quick Shodan.io search, you can find about 2,000 medical imaging servers and like 900 PACS servers all exposed to the internet.
So not every single institution is very good at blocking your medical device from being
exposed.
But even if they weren't exposed, you could still get in through multiple steps
through the network.
Yeah, there's several different cases of that also as well.
And just in 2018, you find tens of, maybe,
I think like over 70 cases
of where medical records were stolen from hospitals
and ransomware was installed in hospitals.
And once the attacker can get inside the hospital,
it's only a few more steps away
to getting into the PACS network itself.
So that's the background.
So what's the threat?
So the threat is if the attacker can actually get access to medical scans or intercept medical scans, then he can manipulate them.
So we're all familiar with something referred to as deep fakes.
And what deep fakes are is the use of deep learning to alter the content of images to trick a human to believing some false evidence.
The most popular, I should say, deep fake around on the Internet now is putting somebody else's face onto another person's body.
For example, there's a very famous video of Obama giving a speech when it's not actually Obama.
And what we were also trying to show in this research is that
deep fakes don't just apply to people's faces. Actually, this threat also applies to the medical
community, where an attacker can actually implant false evidence, for example, a tumor growing in
a person's body, or remove evidence, remove the tumor, in order to get some sort of gain.
I'll give you some examples of why an attacker would want to do
this. There's several different reasons. So for example, consider an individual or a state
adversary that wants to affect some outcome of an election. So what he could do is he could
add cancer to a CT scan performed on the political candidate or remove it even to harm it, which is
a lot more severe of a scenario if you think about it. There's ways of getting the candidate
or target individual to come to the CT scanner,
but I won't get into that right now.
Another example is maybe of ransomware.
So an attacker seeks out monetary gain by holding the integrity of a medical imagery hostage.
And in this case, the attacker achieves this by just altering a few scans
and then demanding payment to reveal which scans have been affected.
So the hospital won't really know which scans are being manipulated or not.
So he doesn't even need access to all the scans.
He's just interested in one scan, manipulate that, prove that he's manipulated it, and
now he can leverage payment.
A more or less malicious case is the case of insurance fraud.
So somebody can get into a car accident, a very light car accident, and then intentionally alter his own medical records to receive money from insurance.
So one case could be, for example, he could add a small fracture or a very
small hemorrhage in his brain to the scan, something that's very hard to refute.
And you can say, this is why, you know, this is why I can't sleep at night,
or this is why, you know, why I'm numb down below, and then
he can get insurance money from that.
But there's many other reasons, and the list goes on and on.
You can think of far more scarier reasons, such as assassination or even murder, and
especially the threat of cyberterrorism.
You actually put some of these fakes in front of some doctors,
and you were able to fool them pretty reliably.
That's right. So the process that we did,
actually, so we looked at the same process that is used to generate deep fakes, which is the use
of GANs, generative adversarial networks. And we also took a look at the state of our techniques
for detecting lung cancer.
So we looked at some of the recent papers that are published on how these deep learning algorithms go through CT scans and detect cancer.
And we combined both techniques to show how an attacker can actually perform the malicious side of that.
So once we've got that all working, we kind of developed this framework called CTGAN,
which can inject or remove cancer or other medical conditions from 3D medical imagery. We needed to verify that
what it's generating is realistic enough, right? So if I just tamper some image and put in some blob,
you know, that it could raise suspicion if it doesn't look realistic, and then, you know, the
radiologist will speak to the technician, and they'll find out very quickly that there's something afoot here.
So what we did was we hired three radiologists.
And the radiologists were given in a blind test.
We didn't tell them that this was part of any cybersecurity research or anything like that.
They thought it was just a medical test.
And we gave them 70 scans to look at. The 70 scans were a mix of actual scans, having cancer or not having cancer,
and tampered scans with our CTGAN framework, which had either fake injected cancer or real cancer removed from the lungs.
In this blind test, we found that when it comes to injecting cancer, 99% of the time, the radiologists thought it was true cancer.
And for removing cancer, 94% of the time,
the radiologists did not detect the cancer and gave the patient a clean bill of health.
And then that proceeded to the next stage where we said, okay, what happens if we educate the
radiologists and we tell them about this attack? Do they stand a chance at finding anything
malicious here? At least for one case, one of the radiologists improved his scores much better,
but he still was not able to accurately differentiate between a tampered scan and
an original scan. So even in that case, for all the radiologists together, we found that when it
comes to trying to figure out if cancer, whether it be real cancer or fake cancer, radiologists
had about 61% accuracy, and from an actual clean body and a healthy body versus a tampered image that looks like a healthy body,
even worse, just 39% accuracy.
And we took this one step further.
So we said, if we can trick the radiologists, the humans,
what about the whole aspect of adversarial machine learning,
which is the concept of being able to attack machine learning algorithms?
And so what we did is we downloaded a state-of-the-art AI, deep learning AI for performing lung cancer screening that won the 2018, I think it was 2018 or 2017 Kaggle competition, $1 million competition.
And we used the exact same model that they trained, and we showed that pretty much 100 percent of the time we can fool this model and make it think that there is
cancer, that there isn't cancer.
Wow. So it's not just the human element that you're capable of
fooling here.
Yes, that's correct. And that's a concern because a lot of radiologists actually
use a lot of, I don't know exactly, but I do know there are hospitals and clinics
which use advanced AI tools which help them analyze the scans, to help them annotate the
scan and detect where potential cancer may be.
So if a radiologist relies on these tools and can fool these tools, that means that
the attacker has a greater chance of succeeding.
Now, what's going on behind the scenes here within these networks that it makes them open
to these sorts of attacks?
So in our research, we identified many different attack vectors.
There's so many ways an attacker can get into a network.
And we also showed, by the way, how this network could be completely autonomous.
So the attacker doesn't even need to be present or connected to the bot to be able to
cause the manipulation. It just can search for the patient's ID or patient's name and then
completely autonomously manipulate the scan. So it could be that the attacker is able to infect
the DICOM viewer. DICOM is the format for 3D medical scans. So he affected the radiologist's
viewing application and then in real time can
alter the image. It could be that the attacker came in physically onto the premises and was able to
install a man-in-the-middle device or connect to one of the computers and install his malware there.
Or he can connect to the hospital's Wi-Fi and try and propagate through the internal network or
infiltrate the network from the internet.
And in all these different cases, the attacker is essentially trying to plant his malware somewhere between the entire diagnosis process.
So where the CT scanner makes a scan and then it's uploaded to a storage server.
And then from there, where it's sent to the radiologist to perform the diagnosis.
So anywhere along that pipeline, the attacker wants to plant his malware to perform his attack. Now, the reason why it's so successful, this is a very loaded question.
General healthcare is kind of behind when it comes to cybersecurity, at least behind with
respect to other industries. And there are several reasons for that. I don't remember the exact year when it became policy in legislation for HIPAA, which is H-I-P-A-A, which requires hospitals to protect information in terms of security.
And this is becoming more and more into play as hospitals are trying to secure their systems.
But for the most part, medical staff is more likely that they're focused on saving lives and being
HIPAA compliant,
meaning they're going to make sure the data doesn't go outside the hospital.
It's only going to be shared with people that should be shared with,
but when it comes to the internal network itself, you know,
that attackers shouldn't have access to,
or anybody shouldn't have access to in the first place, right.
It's supposed to be somewhat air gapped. You know,
you can tell that they can be kind of lenient in that regard.
And their, their focus is elsewhere.
It's on the threats coming from the internet, for example.
So that's one reason why there are so many vulnerabilities.
But there's another reason.
It's because a lot of medical systems are kind of outdated.
Obsolete systems are there for either a backup or compatibility reasons.
And for that reason, now you have lots of different components, old scanners, databases,
and services that are all connected inside the hospital, which have plenty of vulnerabilities
or may not even be kept anymore. And there's a general lack of use of encryption throughout?
Yeah. So actually to show that this entire attack vector is a serious threat, not just the fact that we can change the imagery,
but an attacker can manipulate the imagery and get his hands on the imagery,
we actually performed a covert penetration test on a hospital.
Part of this pen test, we got permission from the hospital.
And what I did actually is I went in during the night
and I waited for the cleaning staff to open the doors.
And I went in and the cleaning staff didn't mind I was there.
They didn't ask any questions.
I even saw plenty of doctors going by and they just didn't ask any questions.
And I just walked around like I belonged there and I found the CT scanner
and I was able to install a small Raspberry Pi between the CT scanner
and the rest of the PACS network so that I can intercept all the traffic.
And I also can have a backdoor if I wanted to into the network.
And with this little device, I was really trying to figure out
how the traffic is being sent over the network.
If it's being encrypted or not, if it's being encrypted properly,
can I maybe capture some doctor's credentials?
And actually, after something like three minutes,
I got the credentials for 27 different doctors and medical staff members on site.
But aside from that, actually, I found that the scans were being sent over the network unencrypted.
And apparently, this is something that,000 installations worldwide to hospitals worldwide.
And one of the main reasons for this is, again, the issue of compatibility.
So you have one system in there, for example, the storage system or the information system that tracks all the appointments.
And it can only handle one particular version and
there's a problem with compatibility. So they decide to not put encryption anyways, because
again, supposedly the attackers don't have access to the internal network. So
they're not concerned with that. And yet, obviously your work there,
being able to come in and attach something to the network so easily points to the fact that
that's inadequate.
That's correct.
And I think that hospitals should put a little more emphasis into their security hygiene internally as well
because it's not good enough just to focus on the external security,
the outer boundary of, let's say, how the hospital is connected to the Internet
because you're always going to have some hole somewhere,
especially in the most classic case, for example, clicking on a link and downloading something from
an email, right? So the moment somebody, an attacker gets in, it's just a free-for-all.
So you have to make sure that the security inside the network is also just as secure as the security
outside the network. Yeah. And it strikes me too, that, you know, a hospital is an environment where
you have lots of people coming and going, new people
coming and going all the time. And so it's hard to separate a lot of that equipment physically
from that parade of people coming by. Yeah. Well, actually, you do a pretty good job about that. I
mean, it's not like you have network cables hanging from the ceiling or anybody can plug
into the wall or anything like that. There are areas where only personnel should be, areas where patients can be and, you know,
family members can be, and they do a pretty good job of, you know, separating the physical
infrastructure. But when it comes to somebody who just walks in there, especially if he's dressed,
you know, to play the role, the moment he's in, then at that point, it doesn't matter anymore.
Or again, there are hospitals that just simply, even their external security, their Wi-Fi networks for internal use are just not secured
well enough.
And even somebody from proximity can connect into the internal network.
What's the reaction been so far to this research?
Has it been a bit of a wake up call for some people?
It has.
Actually, I've been in contact with somebody from the FDA who's in charge of trying to ensure the hospitals are securing their medical devices and systems better.
And I'm cooperating with them to help them out in this regard.
A lot of hospitals are also, I think, getting a little bit more realization about the threat. I mean, I think just recently in the RSA 2019 conference, there was some
researchers who showed that the moment an attacker is inside the hospital network,
he has, you know, full reign over everything. He can, you know, connect to the ultrasound scanners
and change parameters. And it's a very serious issue. So I think that hospitals are definitely
and the medical healthcare personnel are definitely paying attention to
this. And I do hope that, especially from the countermeasures that we put in our paper,
that they implement some of these and try and secure the systems better.
What are some of the countermeasures that you listed in your work?
Well, the most basic countermeasure is simply to enable proper encryption. So the moment you have,
you know, end-to-end encryption across your network, then you've already mitigated the vast majority
of man-in-the-middle
attacks that can occur. But that doesn't mean just any link within the network. So that's the
entire pipeline. So for when the scanner sends the traffic to the storage server, or when the
storage server sends the data to the radiologist, every single link has to be encrypted. And of
course, encrypted properly with proper certificates. And another thing that hospitals can do is most software, PACS software, actually gives the ability to give a
digital signature on the medical scan. So when the CT scanner itself generates a scan and is about to
send it over the network, you can actually sign it and that could be verified at the endpoint in
the radiologist's viewer to make sure that nothing's been tampered here, that you're actually looking at an authentic original image.
So even if, let's say, for example,
a malware or the hacker gets into the storage server,
the PACS server, and starts manipulating images,
he won't be able to fake that signature.
So the radiologist will know that something has been tampered in that image.
Our thanks to Yisroel Mirsky from Ben-Gurion University for joining us.
The research is titled CTGAN,
Malicious Tampering of 3D Medical Imagery Using Deep Learning.
We'll have a link in the show notes.
We'll also have a link to a video that demonstrates what they were up to.
Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Bond,
Tim Nodar, Joe Kerrigan, Carol Terrio,
Ben Yellen, Nick Valecki, Gina Johnson,
Bennett Moe, Chris Russell, John Petrick,
Jennifer Iben, Rick Howard, Peter Kilpie,
and I'm Dave Bittner.
Thanks for listening.