Slashdot Mirror


Fake Cancerous Nodes in CT Scans, Created By Malware, Trick Radiologists (washingtonpost.com)

Researchers in Israel created malware to draw attention to serious security weaknesses in medical imaging equipment and networks. An anonymous reader shares a report: Researchers in Israel say they have developed malware to draw attention to serious security weaknesses in critical medical imaging equipment used for diagnosing conditions and the networks that transmit those images -- vulnerabilities that could have potentially life-altering consequences if unaddressed. The malware they created would let attackers automatically add realistic, malignant-seeming growths to CT or MRI scans before radiologists and doctors examine them. Or it could remove real cancerous nodules and lesions without detection, leading to misdiagnosis and possibly a failure to treat patients who need critical and timely care.

Yisroel Mirsky, Yuval Elovici and two others at the Ben-Gurion University Cyber Security Research Center in Israel who created the malware say that attackers could target a presidential candidate or other politicians to trick them into believing they have a serious illness and cause them to withdraw from a race to seek treatment. The research isn't theoretical. In a blind study the researchers conducted involving real CT lung scans, 70 of which were altered by their malware, they were able to trick three skilled radiologists into misdiagnosing conditions nearly every time. In the case of scans with fabricated cancerous nodules, the radiologists diagnosed cancer 99 percent of the time. In cases where the malware removed real cancerous nodules from scans, the radiologists said those patients were healthy 94 percent of the time.

9 of 45 comments

  1. Buried the lead by pr0t0 · · Score: 4, Insightful

    The real story here is that the researchers developed an AI capable of detecting cancer nodules in CT and MRI scans with 94% accuracy. I mean, if it can find them to remove them...it can find them. That seems like pretty high accuracy for computer aided diagnostics.

    --
    I'm sorry, but your opinion seems to be wrong.
  2. Re:SO let me get this straight. by dlleigh · · Score: 2

    This team has also been fooling proctologists with rubber poop.

  3. Re:No internet by Real Data Collection · · Score: 2

    Hospitals with document management systems to store electronic patient records. If the IT department is any good, dedicated VLANs should restrict the flow of data over the network. Too often everything is on the General VLAN.

  4. Sad commentary on humanity by presidenteloco · · Score: 3, Informative

    That we have to protect all technology against psychopathic super-assholes.

    --
    Where are we going and why are we in a handbasket?
  5. Is there an anti-fakery AI as well? by az-saguaro · · Score: 3, Informative

    Look at the demo video at: https://www.youtube.com/watch?... .

    As someone who looks at such things for a living, I find this interesting but not so compelling. For the example of just a single injected nodule, I thought it looked unnatural. But, how it is perceived depends on how it is presented. Suppose they presented the images to real radiologists this way, "You will be looking at films that might be real or might be faked, guess which is which", then I think that most radiologists would know that the single nodule was not natural. But, if presented this way, "Look at these films and see if there is anything abnormal", then many would have fallen for it. But likewise many would have been thinking, "It is probably cancer, because it is a solid nodule, but it looks rather odd."

    In comparison, the 472 nodule example was obviously fake. The nodules were all far too similar, too round, too uniform, too dense. I doubt many radiologists would have fallen for that.

    If the authors' intent was to show that fake imagery can be made that could be used for nefarious deception, then I think we already knew of that concern. I would say that I have seen far more credible and persuasive false CGI than what was seen here. If Pixar for example decided to make fake x-rays, I suspect they could do a much better job of it.

    This brings up a question that seems far more interesting to me. If an AI agent can make a fake image that can fool some experts under certain conditions, but the fakery can also be recognized, then can there be a second AI agent that can spot the fakery created by the first AI?

    What do you think?

  6. Re:No internet by rockmuelle · · Score: 2

    Not MRIs, but for some reason the major genome sequencing instrument vendors generally require remote access to their instruments (Illumina and PacBio both do this - PacBio was just bought by Illumina, but they've been doing it since the beginning). Heck, there used to be a map that someone made that found Illumina instruments on the internet and plotted their physical locations based on the IP address (it doesn't seem to exist anymore). They also tend to run unpatched versions of Windows.

    Sequencing data is even easier than MRI data is to mess with. The raw data is large (10-100s of GBs per run) and always processed by computational pipelines that are a mix of scripts and random tools downloaded from the internet. Unlike with artifacts that would be detectable in an altered image, changing sequencing data is simply a matter of flipping a few characters.

    We once wrote a script that scanned for a specific sequence related to a certain cancer. By flipping a few characters, it was possible to give the patient the variants that lead to a higher probability of developing cancer. We could have also done the opposite and made patients appear to have no pre-disposition when they in fact did. (our script looked at all the short reads right off the instrument and tweaked them, it didn't catch all cases, but more than enough that the variant caller gave our intended call)

    A hypothetical extension of this would let one scan for specific individuals based on previously sequenced samples. From there, one could write a script that only "gave" cancer to that person.
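
Added example, not part of the original comment or of any vendor's software: one way to detect the kind of read tampering described in the comment above is a keyed per-read manifest, written where the reads leave the instrument and checked before variant calling. The key, read names and FASTQ text below are constructed for illustration, and the function names are hypothetical.

```python
import hashlib
import hmac

def parse_fastq(text):
    """Yield (read_id, sequence, quality) from 4-line FASTQ records."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(lines) % 4:
        raise ValueError("truncated FASTQ: line count is not a multiple of 4")
    for i in range(0, len(lines), 4):
        header, seq, plus, qual = lines[i:i + 4]
        if not header.startswith("@") or not plus.startswith("+"):
            raise ValueError(f"malformed record number {i // 4 + 1}")
        yield header[1:].split()[0], seq, qual

def read_tag(key, read_id, seq, qual):
    """HMAC-SHA256 over the fields a variant caller consumes."""
    msg = "\n".join((read_id, seq, qual)).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def build_manifest(fastq_text, key):
    """Instrument side: one keyed tag per read, stored apart from the data."""
    return {rid: read_tag(key, rid, seq, qual)
            for rid, seq, qual in parse_fastq(fastq_text)}

def verify_reads(fastq_text, manifest, key):
    """Pipeline side: return (altered, missing, unexpected) read IDs."""
    altered, unexpected, seen = [], [], set()
    for rid, seq, qual in parse_fastq(fastq_text):
        seen.add(rid)
        if rid not in manifest:
            unexpected.append(rid)
        elif not hmac.compare_digest(read_tag(key, rid, seq, qual), manifest[rid]):
            altered.append(rid)
    return altered, sorted(set(manifest) - seen), unexpected

# Constructed sample data: three short reads and a demo key (assumptions).
KEY = b"constructed-demo-key"
ORIGINAL = ("@read1\nACGTACGTAC\n+\nIIIIIIIIII\n"
            "@read2\nTTGACCATGA\n+\nIIIIIIIIII\n"
            "@read3\nGGCATTCAGT\n+\nIIIIIIIIII\n")
TAMPERED = ORIGINAL.replace("TTGACCATGA", "TTGACTATGA")  # one base changed

if __name__ == "__main__":
    manifest = build_manifest(ORIGINAL, KEY)
    print(verify_reads(TAMPERED, manifest, KEY))
```

The check only holds if the key and manifest are kept off the host that runs the analysis scripts; anything able to rewrite both the reads and the manifest passes verification.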

  7. Re:What is the attack vector? by AHuxley · · Score: 2

    Re "any description of the attack vector"
    Hours in the ER due to an "accident" then result in other medical issues? Hours waiting for further tests and digital results.
    The result is the way the person responds to the unexpected event.
    Dissidents who are trusted and well connected in a protest movement at an important time in history can have an induced medical issue stop all their protesting.
    Finding an expert. Making an appointment. Waiting. Calling friends and family.
    Do they go with private health care? Use their nation's free gov health care?
    The time, stress, contacts made, questions, introspection can be just what a security service wants to slow a charismatic protest leader.
    The security services of a nation can sit back and see what such a digital event induces.
    Wealthy family and friends offer support? Some other unexpected NGO, think tank, foundation, cult, faith group, union, charity, another gov offers totally unexpected and open ended support?
    Why is this person getting so much expensive health care from unexpected and not seen before supporters?
    The person falls back on 100% gov health care in their nation like any very average person?
    Both results are of interest to police and security services watching protesters, dissidents, investigative journalists.

    An induced medical emergency can uncover a lot about a person's supporters and once well hidden funding.
    Who is really so interested in seeing them recover and is willing to invest in that health care?

    --
    Domestic spying is now "Benign Information Gathering"
  8. Re:SO let me get this straight. by EndlessNameless · · Score: 3, Informative

    I'm pretty sure the studies are trying to demonstrate that their modifications are plausible and undetectable. The idea that you get bad conclusions from bad data... that's not really up for debate.

    Basically, you can fool anyone with good fakes, but not everyone can make good fakes. These guys proved they can. And they have an automated tool that can do it.

    --
    According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
  9. Re:No internet by The Grim Reefer · · Score: 2

    But who in their right mind would connect an MRI machine to the internet?

    No one. But I've seen it done. In fact 12+ years ago I was at a hospital that had to reimage the console on a magnet because the techs were using it to surf the internet and got all kinds of malware and/or viruses on it. I think the scanner was down for close to a week because of it.