Hospitals, Hacks, Malware and Medical Safety
Alpa Prod via Shutterstock
(Inside Science) -- Last year, a malicious piece of blackmail software called WannaCry swept the world, using a stolen National Security Agency hacking tool to infect computers, encrypt their files and demand bitcoin ransoms of hundreds of dollars or more per computer.
Among the victims of the ransomware were more than 140 hospitals in the United Kingdom alone. The WannaCry attack cost the U.K.’s National Health Service 92 million pounds, about $122 million.
Now researchers in Israel are reporting that hospitals may be vulnerable to cyberattacks that could go further than financial fallout and place patients' health at risk by targeting medical imaging machines.
At the Radiological Society of North America conference in Chicago this week, the researchers warned that as hospital machines become increasingly connected to the internet, they become more susceptible to cyberattacks, which often ask for high payouts to unlock the hospital’s systems.
The team was able to hack a computed tomography machine and control the machine’s behavior without the knowledge of the doctor or technician, making it possible to surreptitiously increase a patient's exposure to X-rays, an ionizing beam of radiation that can damage DNA and induce cancer growth.
While there is no evidence any medical scanner has ever been hacked in such a way, the attack demonstrates the potential susceptibility of medical imaging devices to cyberattacks, said Tom Mahler, first author of the paper and a researcher at Ben-Gurion University of the Negev, in Beersheba, Israel.
“CT devices are really the workhorse of the hospital in terms of imaging,” Mahler said, so if the machine were compromised, it could delay hospital operations or deliver higher doses of radiation to patients without the doctor or technician knowing.
He also noted that like the WannaCry attack, it’s possible that a hacker could attack many devices at one time, effectively shutting down a hospital’s operations and risking patient lives in the process.
“It’s not only theoretically possible,” Mahler said. “It has happened.”
Mahler and his team suggest a protection for CT machines that would involve an algorithm to monitor the requests from the doctor or technician to the machine and would flag any requests that looked suspicious.
Sam Levin, a community specialist at Independent Security Evaluators, a security consulting firm headquartered in Baltimore, Maryland, said this method of protection is like having a third person in the room monitoring activity that the technician at the computer wouldn’t be able to see.
“That is something that we are seeing in a lot of different industries,” he said, “so it being applied to the medical industry is just the next step, and I think a good one.”
Mahler said there is still a lot of research to be done before an algorithm like the one he is working to create could be implemented -- software additions and changes to medical devices have to be adopted by medical device companies and, in the U.S., approved by the Food and Drug Administration.
But Levin speculated that in the future, it would be possible to have software on a medical imaging machine that would constantly update as it learns about new susceptibilities. This could to continue to protect the device even as hackers develop new lines of attack.