Research Saturday 4.27.19
Ep 83 | 4.27.19

Deep Learning threatens 3D medical imaging integrity.


Dave Bittner: [00:00:03] Hello everyone, and welcome to the CyberWire's Research Saturday, presented by Juniper Networks. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Dave Bittner: [00:00:26] And now, a word about our sponsor, Juniper Networks. Organizations are constantly evolving and increasingly turning to multicloud to transform IT. Juniper's connected security gives organizations the ability to safeguard users, applications, and infrastructure by extending security to all points of connection across the network. Helping defend you against advanced threats, Juniper's connected security is also open, so you can build on the security solutions and infrastructure you already have. Secure your entire business, from your endpoints to your edge, and every cloud in between, with Juniper's connected security. Connect with Juniper on Twitter or Facebook. And we thank Juniper for making it possible to bring you Research Saturday.

Dave Bittner: [00:01:13] And thanks also to our sponsor, Enveil, whose revolutionary ZeroReveal solution closes the last gap in data security: protecting data in use. It's the industry's first and only scalable commercial solution enabling data to remain encrypted throughout the entire processing lifecycle. Imagine being able to analyze, search, and perform calculations on sensitive data - all without ever decrypting anything. All without the risks of theft or inadvertent exposure. What was once only theoretical is now possible with Enveil. Learn more at

Yisroel Mirsky: [00:01:53] We were doing some research in our labs in the domain of medical security. So that is, you know, security of networks and devices that you would find in hospitals and other healthcare institutions.

Dave Bittner: [00:02:03] That's Yisroel Mirsky. He's a cybersecurity researcher and project manager at Ben Gurion University. The research we're discussing today is titled CT-GAN: Malicious Tampering of 3D Medical Imagery using Deep Learning."

Yisroel Mirsky: [00:02:16] At the outset of this research, we took a look at the possible attack vectors, and enumerated all the different kinds of attacks and motivations an attacker would have on attacking healthcare. And one of the subjects that we identified was altering medical scans. So that's the first one - or not one of the first ones, but that was one of the ones that we looked into.

Dave Bittner: [00:02:37] So, you decide that this is an area that you're going to look into - where do you begin?

Yisroel Mirsky: [00:02:42] Well, the very first step was to understand what, you know, a doctor would look at. And we had several different use cases of what kind of medical scans that we'd like to target and identify if they were possible to alter, just as an initial use case to see if it's possible to, you know, do this attack on other kinds of medical scans. So, the first one that I took a look at was lung cancer, and the typical way of analyzing and diagnosing lung cancer is through CT scans.

Dave Bittner: [00:03:10] And so, did you begin by looking at existing CT scans? I understand you did some machine-learning training with existing images - is that correct?

Yisroel Mirsky: [00:03:20] Yes, that's correct. So, basically, I mean, I think what I'll do is I'll give a little bit of background, and then I'll jump right into the threat. So, basically, MRIs and CT scanners are used throughout the healthcare industry for diagnosing many different kinds of medical conditions. So, for example, MRIs are used to diagnose issues with bone, joint, ligament, cartilage, and herniated discs, and these kinds of problems, where CT scans are used to diagnose cancer, heart disease, and so on so forth.

Yisroel Mirsky: [00:03:48] These systems are connected to networks called "PACS," which are basically regular Ethernet networks. PACS stands for "picture archiving and communication systems." And just like any other Ethernet network, or any other computerized network, they're all vulnerable to attacks. And as part of our research, actually, we took a look at different hospitals in our country, and we also spoke to different experts from the United States as well, who were dealing with these systems, and we found that they all have similar vulnerabilities.

Yisroel Mirsky: [00:04:14] Most cases, they're separated from the Internet, so an attacker can't necessarily directly connect to it from the Internet, but, you know, much to our surprise, a quick search, you can find about two thousand medical imaging servers, and like nine hundred PACS servers all exposed to the Internet. So, not every single institution is very good at blocking, you know, medical devices from being exposed. But even if they weren't exposed, you could still get in through multiple steps through the network.

Yisroel Mirsky: [00:04:43] And there's several of different cases of that, also, as well. Just in 2018, you find tens - and I think over seventy cases of where medical records were stolen from hospitals, and ransomware was installed in hospitals, and once the attacker can get inside the hospital, it's only, you know, a few more steps away to getting into the PACS network itself.

Yisroel Mirsky: [00:05:03] So, that's the background. So, what's the threat? So, the threat is, if the attacker can actually get access to medical scans, or intercept medical scans, then he can manipulate them. So, we're all familiar with something referred to as "deepfakes." And what deepfakes are is the use of deep learning to alter the content of images to trick a human into believing some false evidence. The most popular, I should say, deepfake around it on the Internet now is, you know, putting somebody else's face onto another person's body. So, for example, there's a very famous video of Obama giving a speech, when it's not actually Obama.

Yisroel Mirsky: [00:05:39] And what we were also trying to show in this research is that deepfakes don't just apply to people's faces - that actually this threat also applies to the medical community, where an attacker can actually, you know, implant false evidence - for example, a tumor growing in the person's body, or remove evidence, like remove the tumor - in order to get some sort of gain.

Yisroel Mirsky: [00:05:59] I'll give you some examples of why an attacker would want to do this. There's several different reasons. So, for example, consider an individual or a state adversary that wants to affect some outcome of an election. So, what he could do is he could add cancer to a CT scan performed on the political candidate, or remove it even to harm - which is a lot more severe of a scenario, if you think about it. There's ways of getting the, you know, the candidate or targeted individual to come to the CT scanner, but I won't get into that right now.

Yisroel Mirsky: [00:06:25] Another example is maybe of ransomware. So, an attacker seeks out monetary gain by holding the integrity of medical imagery hostage. And in this case, the attacker achieves this by just altering a few scans, and then demanding payment to reveal which scans have been affected. So, the hospital won't really know, you know, which scans are manipulated or not, so he doesn't even need access to all the scans - he just intercepts one scan, manipulate that, prove that he's manipulated it, and now he can leverage payment.

Yisroel Mirsky: [00:06:51] A more or less malicious case is the case of insurance fraud. So, somebody can get into a car accident - you know, a very light car accident - and then intentionally alter his own medical records to receive money from an insurance company. So, one case could be, for example, he could add a small fracture, or a very small hemorrhage in his brain, to the scan. Something that's very hard to refute. And he can say, you know, this is why I can't sleep at night, or this is why, you know, I'm numb down below. And that's - and then he can get insurance money from that.

Yisroel Mirsky: [00:07:28] But there's many other reasons and, you know, the list goes on and on. There's - you can think of far more scarier reasons, such as assassination or even murder, and especially the threat of cyberterrorism.

Dave Bittner: [00:07:39] You actually put some of these fakes in front of some doctors and you were able to fool them pretty reliably.

Yisroel Mirsky: [00:07:46] That's right. So, the process that we did actually - so, we looked at the same process that is used to generate deepfakes, which is the use of GANs - generative adversarial networks. And we also took a look at the standard techniques for detecting lung cancer. So, we looked at some of the recent papers that were published on how these deep learning algorithms go through CT scans and detect cancer. And we combined both techniques to show how an attacker can actually perform the malicious side of that.

Yisroel Mirsky: [00:08:16] So, once we've got that all working, we kind of developed this framework which we called "CT-GAN," which can inject or remove cancer or other medical conditions from 3D medical imagery. We needed to verify that what it's generating is realistic enough, right? So, if I just tamper some image and put in some blob, you know, it could raise suspicion if it doesn't look realistic. And then, you know, the radiologist will speak to the technician, and will find out very quickly that there's something afoot here.

Yisroel Mirsky: [00:08:42] So, what we did was we hired three radiologists, and the radiologists were given, in a blind test - we didn't tell them that this was part of any cybersecurity research, or anything like that. They thought it was just some medical test. And we gave them seventy scans to look at, where these seventy scans were a mix of actual scans - having cancer or not having cancer - and tampered scans with our CT-GAN framework, which had either fake injected cancer or real cancer removed from the lungs.

Yisroel Mirsky: [00:09:10] In these blind tests, we found that, when it comes to injecting cancer, ninety-nine percent of the time the radiologists thought it was true cancer. And for removing cancer, ninety-four percent of the time radiologists did not detect the cancer, and gave the patient a clean bill of health.

Yisroel Mirsky: [00:09:27] And then that proceeded to the next stage, where we said, okay, what happens if we educate the radiologists, and we tell them about this attack, do they stand a chance at finding anything malicious here? At least for one case, at least one of the radiologists - he improved his scores much better, but he still was not able to accurately differentiate between a tampered scan and an original scan. So, even in that case, for all the radiologists together, we found that when it comes to trying to figure out if cancer - whether it be real cancer or fake cancer - the radiologists had about sixty-one percent accuracy. And from an actually clean body, like a healthy body, versus a tampered image that also looks like it's a healthy body, even worse - just thirty-nine percent accuracy.

Yisroel Mirsky: [00:10:12] And we took this one step further. So we said, if we can trick the radiologists, the humans, what about the whole aspect of adversarial machine learning, which is the concept of being able to attack machine learning algorithms? And so, what we did is we downloaded a state-of-the-art AI - deep learning AI - for performing a lung cancer screening, that won the 2018 - I think it was 2018 or 2017 - Kaggle competition, a one million dollar competition. And we used the exact same model that they trained, and we showed that pretty much a hundred percent of the time we can fool this model and make it think that there is cancer or that there isn't cancer.

Dave Bittner: [00:10:47] Wow. So it's not just the human element that you're capable of fooling here?

Yisroel Mirsky: [00:10:51] Yes. That's correct. And that's a concern, because a lot of radiologists actually use - well, I don't know about the exact numbers - but I do know there are hospitals and clinics which use advanced AI tools, which help them analyze the scans, to help them annotate the scan and detect where potential cancer may be. So, if a radiologist relies on these tools, and we can fool these tools, that means that the attacker has a greater chance of succeeding.

Dave Bittner: [00:11:20] Now, what's going on behind the scenes here within these networks, that it makes them open to these sorts of attacks?

Yisroel Mirsky: [00:11:27] So, in our research we identified many different attack vectors. There's so many ways an attacker can get into a network. And we also showed, by the way, how this method could be completely autonomous, so the attacker doesn't even need to be present or connected to the bot to be able to cause the manipulation. It just, you know, can search for the patient's ID, or the patient's name, and then it can completely autonomously manipulate the scan.

Yisroel Mirsky: [00:11:51] So, it could be that the attacker is able to infect the DICOM viewer - DICOM is the format of the 3D medical scan. So, he infected the radiologist's viewing application, and then in real time can alter the image. It could be that the attacker came in physically onto premises and was able to install a man-in-the-middle device, you know, next to one of the computers, and installed his malware there. Or he could, you know, he can connect to the hospital's Wi-Fi and try and propagate through the internal network, or infiltrate the network from the Internet.

Yisroel Mirsky: [00:12:22] And in all these different cases, the attacker's essentially trying to plant his malware somewhere between the entire diagnosis process. So, where the CT scanner makes the scan, and then it's uploaded to a storage server, and then from there where it's sent to the radiologist to perform the diagnosis. So, anywhere along that pipeline, the attacker wants to plant his malware to perform his attack.

Yisroel Mirsky: [00:12:43] Now, the reason why it's so successful - this is a very loaded question. General healthcare is kind of behind when it comes to cybersecurity - at least behind with respect to other industries - and there are several reasons for that. I don't remember the exact year when it became policy and legislation for HIPAA, which is "H-I-P-A-A," which requires hospitals to protect information, in terms of security. And this is, you know, coming more and more into play as hospitals trying to secure those systems. But for the most part, you know, medical stuff - it's more likely that they're focused on saving lives and being HIPAA compliant, meaning they're going to make sure the data doesn't go outside the hospital, it's only going to be shared with people that it should be shared with.

Yisroel Mirsky: [00:13:28] But when it comes to the internal network itself, you know, that attacker shouldn't have access to, or anybody shouldn't have had access to in the first place, right? It's supposed to be somewhat airgapped. You know, you can tell that they can be kind of lenient in that regard...

Dave Bittner: [00:13:40] Hmm.

Yisroel Mirsky: [00:13:39] ...And their focus is elsewhere, it's on the threats coming from the Internet, for example.

Dave Bittner: [00:13:44] Right.

Yisroel Mirsky: [00:13:44] So, that's one reason why they're kind of - there's so many vulnerabilities. But there's another reason - it's because a lot of medical systems are kind of outdated, obsolete systems that are there for either backup or compatibility reasons, and for that reason, now you have lots of different components - old scanners, databases, and services that are all connected inside the hospital - which have plenty of vulnerabilities, or maybe not even be upkept anymore.

Dave Bittner: [00:14:10] And there's a general lack of use of encryption throughout?

Yisroel Mirsky: [00:14:15] Yeah, so, actually, to show that this entire attack vector is a serious threat, and not just the fact that we can change the imagery, but an attacker can manipulate the imagery and get his hands on the imagery, we actually performed a covert penetration test on a hospital. Part of this pentest, we got permission from the hospital, and what I did actually, is I went in during the night, and I waited for the cleaning staff to open the doors. And I went in, and the cleaning staff didn't mind I was there, they didn't ask any questions. I even saw plenty of doctors going by, and they just didn't ask any questions. And I just walked around like I belonged there, and I found a CT scanner, and I was able to install a small Raspberry Pi between the CT scanner and the rest of the PACS network, so that I can intercept all the traffic, and also kind of a backdoor, if I wanted to, into the network.

Yisroel Mirsky: [00:15:05] And with this little device, I was really trying to figure out how the traffic is being sent over the network - if it was being encrypted or not, if it's being encrypted properly, can I maybe capture some doctor's credentials? And actually, after something like three minutes, I got the credentials for twenty-seven different doctors and medical staff members on-site.

Dave Bittner: [00:15:24] Wow.

Yisroel Mirsky: [00:15:25] But aside from that, actually, I found that the scans were being sent over the network unencrypted. And apparently this is something that happens in most hospitals around the world. I spoke to engineers from Mayo Clinic, and I spoke to the same software providers for this hospital, which serves about two thousand - over two thousand installations worldwide, to hospitals worldwide. And one of the main reasons for this is, again, the issue of compatibility. So you have one system in there - for example, the storage system or the information system that tracks all the appointments - and it can only handle one particular version, and there a problem of compatibility, so they decide to not put encryption anyways, because, again, supposedly attackers don't have access to the internal network, so they're not concerned with that.

Dave Bittner: [00:16:14] And yet, obviously, your work there, being able to come in and attach something to the network so easily, points to the fact that that's inadequate.

Yisroel Mirsky: [00:16:22] That's correct, and I think that hospitals should put a little more emphasis into their security hygiene internally, as well. Because it's not good enough just to focus on the external security - the outer boundary, let's say - where, how the hospital's connected to the Internet, because you're always going to have some hole somewhere even if - you know, especially the most classic case, for example, of clicking on a link and downloading something from an email. So the moment somebody - an attacker - gets in, it's just a free-for-all. So you have to make sure that the security inside the network is also just as secure as the security outside the network.

Dave Bittner: [00:16:56] Yeah, it strikes me too that, you know, a hospital is an environment where you have lots of people coming and going, new people coming and going all the time, and so it's hard to separate a lot of that equipment physically from that parade of people coming by.

Yisroel Mirsky: [00:17:12] Yeah, well, actually, they do a pretty good job about that. I mean, it's not like you have, like, network cables hanging from the ceiling, or, you know, anybody can plug into the wall, or anything like that. There's the areas where personnel should only be, and areas where patients can be, and, you know, family members can be. And they do a pretty good job of, you know, separating the physical infrastructure.

Yisroel Mirsky: [00:17:28] But when it comes to somebody who just walks in there, especially if he's dressed to play the role, the moment he's in, then at that point it doesn't matter anymore. Or, again, there are hospitals that, just simply their - even their external security there their Wi-Fi networks for internally use are just not secured well enough. And even somebody from , you know, from proximity can connect into the internal network.

Dave Bittner: [00:17:52] What's the reaction been so far to this research? Has it been a bit of a wake-up call for some people?

Yisroel Mirsky: [00:17:56] It has. Actually, I've been in contact with somebody from the FDA who's in charge of IT, ensure the hospitals are securing their medical devices and systems better. And I'm cooperating with them to help them out in this regard. A lot of hospitals are also, I think, getting a little bit more realization about the threat. I mean, I think just recently, in the RSA 2019 Conference, there were some researchers who showed that the moment that an attacker's inside a hospital network, he has, you know, full reign over everything. He can, you know, connect to ultrasound scanners and change parameters, and it's a very serious issue. So I think that hospitals are definitely - and the medical healthcare personnel - are definitely paying attention to this. And I do hope that, especially from the countermeasures that we put in our paper, that they implement some of these and try and secure their systems better.

Dave Bittner: [00:18:48] What are some of the countermeasures that you listed in your work?

Yisroel Mirsky: [00:18:51] Well, the most basic countermeasure is simply to enable proper encryption. So, the moment you have, you know, end-to-end encryption across your network, then you've already mitigated the vast majority of man-in-the-middle attacks that can occur.

Yisroel Mirsky: [00:19:03] So - but that's not - it doesn't mean just, you know, any link within the network, so that's the entire pipeline. So, when the scanner sends the traffic to the storage server, or when the storage server sends the, you know, the data to the radiologists - every single link has to be encrypted, and of course, encrypted properly with proper certificates.

Yisroel Mirsky: [00:19:20] And another thing that hospitals can do is, most software, PACS software, actually give the ability to give a digital signature on the medical scans. So when the CT scanner itself generates a scan and is about to send it over the network, it can actually sign it, and that could be verified at the endpoint, and the radiologist viewer makes sure that nothing's been tampered here - that you're actually looking at an authentic original image. So, even if - let's say, for example, malware or the hacker gets into the storage server, the PACS server, and starts manipulating images, he won't be able to fake that signature, so the radiologist will know that something has been tampered in that picture.

Dave Bittner: [00:20:03] Our thanks to Yisroel Mirsky from Ben-Gurion University for joining us. The research is titled, "CT-GAN: Malicious Tampering of 3D Medical Imagery Using Deep Learning." We'll have a link in the show notes. We'll also have a link to a video that demonstrates what they were up to.

Dave Bittner: [00:20:19] Thanks to Juniper Networks for sponsoring our show. You can learn more at, or connect with them on Twitter or Facebook.

Dave Bittner: [00:20:29] And thanks to Enveil for their sponsorship. You can find out how they're closing the last gap in data security at

Dave Bittner: [00:20:37] The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. The coordinating producer is Jennifer Eiben, our CyberWire editor is John Petrik, technical editor Chris Russell, our staff writer is Tim Nodar, executive editor Peter Kilpe, and I'm Dave Bittner. Thanks for listening.