JC Torres - Apr 4, 2019, 12:01am CDT
Malware can add or remove cancerous nodes in CT scans

Malware, such as viruses, adware, or spyware, is often seen as an annoyance at best and a privacy and security threat at worst. Few would probably even consider it to be life-threatening. That, however, is the frightening reality that two researchers are presenting with malware that not only modifies CT scan results but does so with such realism that it manages to fool professionals into misdiagnosing the presence or absence of cancer.

Interpreting CT scans and MRI images is no easy task, even if you disregard fictional drama presented in shows like House. It can be accomplished to some extent by software but both humans and programs rely on the same thing. They need an accurate image to begin with. Researchers from Israel’s Ben-Gurion University Cyber Security Research Center, however, showed how easy it is to fool both.

A blind study that involved 70 altered CT lung scans showed that both radiologists and a lung-cancer screening software were consistently duped into thinking there were cancerous nodes in a scan when the original actually had none. Conversely, scans from which existing nodes had been removed were similarly diagnosed as healthy. Even when informed that the images were altered, doctors still had a high rate of making a false diagnosis.

This is thanks to malware the researchers have written that is able to alter those digital images with frightening accuracy. More than just the existence of the malware itself, however, there is also the worrying problem that hospitals and medical institutions are ill-equipped to protect themselves and their data from malware attacks such as these. While they are very careful about what data is shared outside of institutions, they are less prepared to protect data internally. That’s partly due to old software that didn’t include security measures like encryption but also due to even older hardware and systems that are incompatible with newer, more secure software.

While there may be some checks and backups to make sure a diagnosis is correct, malware such as this could still do irreparable harm. In addition to emotional distress to patients and insurance problems, a misdiagnosis could erode trust not only in hospitals but even in the very systems that run them.

