Imagine the next scenario, a western European leader develops cancer cells that needs immediate attention. He complains about lung pains and was rushed to the hospital. In the MRI checkups, the physicians don’t see any abnormal indication in his body and send him home with painkillers. A few months later due to the spread of the cancer cells the leader dies. The physicians misdiagnosed cancer because it didn’t appear in the scan results. At the time of the scan, a hacker removed in real-time any sign of atypical lumps.

Using the Same setup from a different angle, a perfectly healthy American, running for a state governor role is diagnosed during a routine CT scan with metastasis that requires an Immediate surgical intervention. The candidate will perform an unnecessary invasive operation followed by a long recovery period, remarkably close to the election date.

Sounds like Science fiction? It has already been proven possible.

A Slice of Life

In a nutshell, Cybersecurity experts from the Ben-Gurion University – National Cyber Security Research Center, Israel, demonstrated how threat actors can exploit vulnerabilities found in X-Ray, CT, and MRI scanners to breach, and manipulate scan results which could lead to lethal misdiagnosis.

The researchers got permission from an operational hospital to engage their hacking method and intercept the taken scans.

In many facilities, the scans are not encrypted because the internal network is disconnected from the internet. However, hackers can still gain access via the hospital’s Wi-Fi or physical access to the infrastructure.

Using off-the-shelf Raspberry Pi 3 series with a Wi-Fi access point acting as a MITM (Man-in-the-Middle) device, the researchers who placed it adjacent to an exposed scanner managed to access the equipment. After intercepting the data, the researchers used a deep learning neural network application named GAN (generative adversarial network) to erase and inject realistic high-resolution 3-D medical imagery (downloaded from the internet) into the original body scan. By doing so, they managed to manipulate the results in real-time, and alter the number, size, and locations of the cancer cells while preserving the same anatomy from the original.

Risks and Potential Outcomes

Perhaps the most spine-chilling aspect of the researcher’s findings was that when they hand over the falsified results, even the most experienced radiologists misdiagnose the patient’s condition as they genuinely believed in the processed scan copies. The hustle worked in both scenarios when real tumors were removed, and non-existing cancer cells were injected into the scan. After the medical experts were notified of the malicious modification and received a new set of scans, they still misdiagnosed about 60% of the fabricated ones.

The research was conducted at the Ben-Gurion University, Israel in 2019 by Researchers Prof. Yuval Elovici, Prof. Ilan Shelef, Dr. Yisroel Mirsky, and Tom Mahler. To read the complete publication as appear on google scholar, click here.

The Enemy Within

As medical devices are increasingly connected to the Internet, they pose a potential risk of being vulnerable to cyber breaches. In the United States alone, millions of people have electronic medical devices implanted in their bodies. Those devices use software and have a wireless function enabled.

While for the moment the risk for cyber-attacks on these personal medical devices is relatively low, according to many experts it is only a matter of time before state-sponsored threat actors would develop a way of hacking into pacemakers and insulin pumps.

A testimony that those threats are being taken care of very seriously can be found in breadcrumbs the American government leaving behind concerning imminent cyber threats:

In an interview given in 2013 to the newsmagazine “60 Minutes”, former American vice president Dick Cheney, confessed that he instructed his physicians to disable his pacemaker’ wireless function. According to Cheney, both he and “national security” officials were concerned about threat-actors to breach the device and sending orders to shock his heart into a cardiac arrest

In 2017, the US Food and Drug Administration informed the public about a voluntary recall for half a million pacemakers. The FDA was troubled that by exploiting cyber vulnerabilities on RF-supported implantable cardiac pacemakers and commercially available equipment, hackers could gain unauthorized user access to patients’ devices, and alter the code commands to cause a rapid battery depletion or administration of inappropriate pacing. According to FDA’s official statement, the reason for the recall was “to reduce the risk of patient harm due to potential exploitation of cybersecurity vulnerabilities”.

Cyber Taming

On March 15th, 2022, U.S. Congressman Michael C. Burgess introduced new bill legislation requiring device manufacturers applying for FDA approval for their medical devices to demonstrate “a reasonable assurance of safety” concerning cybersecurity. The act was cited as the “Protecting and Transforming Cyber Health Care Act of 2022” or in short, the “PATCH Act of 2022”. While if approved in its current form, The Patch Act would become a most welcome initiative, however, it addresses only newer devices seeking FDA clearance. The older legacy medical devices, which still be used by the majority, would be vulnerable to malicious cyber intents.

On November 15, 2022, the FDA updated the Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook, a resource to help healthcare organizations prepare for cybersecurity incidents.

The bottom line, until governmental legislation comes into force, FDA recommends people with implants be responsible for themself, track the manufacturer’s routine statement, follow remote device monitoring protocols, and stick to schedule in-office visits for software updates including patches designed to enhance device security.

Read Part I |
Read Part III |
Read Part IV