ABSTRACT
In 2018, clinics and hospitals were hit with numerous attacks leading to significant data breaches and interruptions in medical services. An attacker with access to medical records can do much more than hold the data for ransom or sell it on the black market.
In this paper, we show how an attacker can use deep learning to add or remove evidence of medical conditions from volumetric (3D) medical scans. An attacker may perform this act in order to stop a political candidate, sabotage research, commit insurance fraud, perform an act of terrorism, or even commit murder. We implement the attack using a 3D conditional GAN and show how the framework (CT-GAN) can be automated. Although the body is complex and 3D medical scans are very large, CT-GAN achieves realistic results which can be executed in milliseconds.
To evaluate the attack, we focused on injecting and removing lung cancer from CT scans. We show how three expert radiologists and a state-of-the-art deep learning AI are highly susceptible to the attack. We also explore the attack surface of a modern radiology network and demonstrate one attack vector: we intercepted and manipulated CT scans in an active hospital network with a covert penetration test.
Index Terms
(auto-classified) CT-GAN: malicious tampering of 3D medical imagery using deep learning



