Cybersecurity researchers at Ben-Gurion University in Israel are warning that hacks against medical imaging devices (MID) are on the rise, with hacks against CT scanning devices and MRI machines presenting the greatest real-world risk.
In a paper entitled Know Your Enemy: Characteristics of Cyber-Attacks on Medical Imaging Devices, researchers lay out several exploits for unpatched MIDs, as well as weaknesses in medical and imaging information systems, and medical protocols and standards. CT scanners and MRI machines are especially ripe for ransomware attacks.
“In cases where even a small delay can be fatal, or where a dangerous tumor is removed or erroneously added to an image, a cyberattack can be fatal,” warned researcher Tom Mahler, speaking to the Jerusalem Post. “However, strict regulations make it difficult to conduct basic updates on medical PCs, and merely installing anti-virus protection is insufficient for preventing cyberattacks.”
The concern is not ill-founded. In a survey Synopsys ran with Ponemon Institute last year, it was found that in 38% of cases where a medical device had been breached, inappropriate healthcare had been delivered to the patient – a state of affairs that could be lethal.
The Ben-Gurion researchers also laid out a technique to secure MIDs based on machine learning. An algorithm determines whether the incoming and outgoing commands to the MID are appropriate given the patient’s profile and blocks those that seem untrustworthy. Mahler said that a next step is to collaborate with imaging manufacturers or hospitals to put the ideas into action.
“Medical device vendors really must start to address security in their code,” said Adam Brown, manager of security solutions at Synopsys, via email. “A recent Building Security in Maturity Model (BSIMM) report shows that it is still evident that healthcare falls behind other industries when it comes to software security practices.”
He added, “Speaking to buyers of this equipment, I have found that they are frustrated; in similarity to speaking to large software vendors, the response they get is woefully similar: A reluctance to change or a justification that other large organizations don’t ask for security. I would urge medical device manufacturers to take a long hard look at their software security practices and maturity, as there is a lot of work to do.”