ACM Digital Library home
ACM home
Advanced Search
10.5555/3361338.3361371guideproceedingsArticle/Chapter ViewAbstractPublication PagesConference Proceedings
Article

CT-GAN: malicious tampering of 3D medical imagery using deep learning

Authors Info & Claims
SEC'19: Proceedings of the 28th USENIX Conference on Security SymposiumAugust 2019 Pages 461–478
Published:14 August 2019
  • 1citation
  • 0
    • Downloads
Metrics
Total Citations1
Total Downloads0
Last 12 Months0
Last 6 weeks0
SEC'19: Proceedings of the 28th USENIX Conference on Security Symposium
CT-GAN: malicious tampering of 3D medical imagery using deep learning
Pages 461–478
PreviousChapterNextChapter

ABSTRACT

In 2018, clinics and hospitals were hit with numerous attacks leading to significant data breaches and interruptions in medical services. An attacker with access to medical records can do much more than hold the data for ransom or sell it on the black market.

In this paper, we show how an attacker can use deep-learning to add or remove evidence of medical conditions from volumetric (3D) medical scans. An attacker may perform this act in order to stop a political candidate, sabotage research, commit insurance fraud, perform an act of terrorism, or even commit murder. We implement the attack using a 3D conditional GAN and show how the framework (CT-GAN) can be automated. Although the body is complex and 3D medical scans are very large, CT-GAN achieves realistic results which can be executed in milliseconds.

To evaluate the attack, we focused on injecting and removing lung cancer from CT scans. We show how three expert radiologists and a state-of-the-art deep learning AI are highly susceptible to the attack. We also explore the attack surface of a modern radiology network and demonstrate one attack vector: we intercepted and manipulated CT scans in an active hospital network with a covert penetration test.

References

  1. P. I, W. LR, et al. Health care spending in the united states and other high-income countries. JAMA, 319(10):1024-1039, 2018.Google ScholarGoogle ScholarCross RefCross Ref
  2. J. R. Haaga. CT and MRI of the Whole Body. No. v. 1 in CT and MRI of the Whole Body. Mosby/Elsevier, 2008. ISBN 9780323053754.Google ScholarGoogle Scholar
  3. H. I. News. The biggest healthcare data breaches of 2018 (so far). https://www.healthcareitnews.com/projects/biggest-healthcare-data-breaches-2018-so-far, 2019.Google ScholarGoogle Scholar
  4. T. George. Feeling the pulse of cyber security in healthcare, securityweek.com. https://www.securityweek.com/feeling-pulse-cyber-security-healthcare, 2018.Google ScholarGoogle Scholar
  5. I. Institute. Cybersecurity in the healthcare industry. https://resources.infosecinstitute.com/cybersecurity-in-the-healthcare-industry, 2016.Google ScholarGoogle Scholar
  6. L. Coventry and D. Branley. Cybersecurity in healthcare: A narrative review of trends, threats and ways forward. Maturitas, 113:48 - 52, 2018. ISSN 0378-5122.Google ScholarGoogle Scholar
  7. M. S. Jalali and J. P. Kaiser. Cybersecurity in hospitals: A systematic, organizational perspective. Journal of medical Internet research, 20(5), 2018.Google ScholarGoogle Scholar
  8. C. Beek. Mcafee researchers find poor security exposes medical data to cybercriminals, mcafee blogs. https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/mcafee-researchers-find-poor-security-exposes-medical-data-to-cybercriminals/, 2018.Google ScholarGoogle Scholar
  9. H. Huang. PACS-Based Multimedia Imaging Informatics: Basic Principles and Applications. Wiley, 2019. ISBN 9781118795736.Google ScholarGoogle Scholar
  10. Verizon. Protected health information data breach report. white paper, 2018.Google ScholarGoogle Scholar
  11. F. Bray, J. Ferlay, et al. Global cancer statistics 2018: Globocan estimates of incidence and mortality worldwide for 36 cancers in 185 countries. CA: a cancer journal for clinicians, 68(6):394-424, 2018.Google ScholarGoogle Scholar
  12. X. Wu, K. Xu, et al. A survey of image synthesis and editing with generative adversarial networks. Tsinghua Science and Technology, 22(6):660-674, 2017.Google ScholarGoogle ScholarDigital LibraryDigital Library
  13. I. Goodfellow, J. Pouget-Abadie, et al. Generative adversarial nets. In Advances in neural information processing systems, pp. 2672-2680. 2014. Google ScholarGoogle ScholarDigital LibraryDigital Library
  14. W. Hu and Y. Tan. Generating adversarial malware examples for black-box attacks based on gan. arXiv preprint arXiv:1702.05983, 2017.Google ScholarGoogle Scholar
  15. M. Rigaki and S. Garcia. Bringing a gan to a knife-fight: Adapting malware communication to avoid detection. In 2018 IEEE Security and Privacy Workshops (SPW), pp. 70-75. IEEE, 2018.Google ScholarGoogle ScholarCross RefCross Ref
  16. R. Chesney and D. K. Citron. Deep fakes: A looming challenge for privacy, democracy, and national security. U of Texas Law, Public Law Research Paper No. 692; U of Maryland Legal Studies Research Paper No. 2018-21, 2018.Google ScholarGoogle Scholar
  17. P. Isola, J.-Y. Zhu, et al. Image-to-image translation with conditional adversarial networks. arXiv preprint, 2017.Google ScholarGoogle Scholar
  18. T. Seals. Rsa conference 2019: Ultrasound hacked in two clicks, threatpost. https://threatpost.com/ultrasound-hacked/142601/, 2019.Google ScholarGoogle Scholar
  19. J.-Y. Zhu, T. Park, et al. Unpaired image-to-image translation using cycle-consistent adversarial networks. arXiv preprint, 2017.Google ScholarGoogle Scholar
  20. A. K. Singh, B. Kumar, et al. Medical Image Watermarking Techniques: A Technical Survey and Potential Challenges, pp. 13-41. Springer International Publishing, Cham, 2017. ISBN 978-3-319-57699-2.Google ScholarGoogle ScholarCross RefCross Ref
  21. S. Sadeghi, S. Dadkhah, et al. State of the art in passive digital image forgery detection: copy-move image forgery. Pattern Analysis and Applications, 21(2):291-306, May 2018. ISSN 1433-755X. Google ScholarGoogle ScholarDigital LibraryDigital Library
  22. A. Kharboutly,W. Puech, et al. Ct-scanner identification based on sensor noise analysis. In 2014 5th European Workshop on Visual Information Processing (EUVIP), pp. 1-5. Dec 2014.Google ScholarGoogle ScholarCross RefCross Ref
  23. Y. Duan, D. Bouslimi, et al. Computed tomography image origin identification based on original sensor pattern noise and 3d image reconstruction algorithm footprints. IEEE journal of biomedical and health informatics, 21(4):1039-1048, 2017.Google ScholarGoogle Scholar
  24. X. Yi, E. Walia, et al. Generative adversarial network in medical imaging: A review. arXiv preprint arXiv:1809.07294, 2018.Google ScholarGoogle Scholar
  25. L. Bi, J. Kim, et al. Synthesis of Positron Emission Tomography (PET) Images via Multi-channel Generative Adversarial Networks (GANs). pp. 43-51. Springer, Cham, 2017.Google ScholarGoogle Scholar
  26. A. Ben-Cohen, E. Klang, et al. Virtual PET Images from CT Data Using Deep Convolutional Networks: Initial Results. pp. 49-57. Springer, Cham, 2017.Google ScholarGoogle ScholarCross RefCross Ref
  27. A. Ben-Cohen, E. Klang. Cross-Modality Synthesis from CT to PET using FCN and GAN Networks for Improved Automated Lesion Detection. 2 2018.Google ScholarGoogle Scholar
  28. Q. Dou, C. Ouyang, et al. Unsupervised Cross-Modality Domain Adaptation of ConvNets for Biomedical Image Segmentations with Adversarial Loss. In Proceedings of the Twenty-Seventh International Joint Conference on Artificial Intelligence, pp. 691-697. International Joint Conferences on Artificial Intelligence Organization, California, 7 2018. ISBN 9780999241127. Google ScholarGoogle ScholarDigital LibraryDigital Library
  29. C.-B. Jin, H. Kim, et al. Deep CT to MR Synthesis using Paired and Unpaired Data. 5 2018.Google ScholarGoogle Scholar
  30. C. Bermudez, A. J. Plassard, et al. Learning implicit brain mri manifolds with deep learning. In Medical Imaging 2018: Image Processing, vol. 10574, p. 105741L. International Society for Optics and Photonics, 2018.Google ScholarGoogle Scholar
  31. M. Frid-Adar, I. Diamant, et al. GAN-based Synthetic Medical Image Augmentation for increased CNN Performance in Liver Lesion Classification. 3 2018.Google ScholarGoogle Scholar
  32. J. M.Wolterink, T. Leiner, et al. Blood Vessel Geometry Synthesis using Generative Adversarial Networks. In 1st Conference on Medical Imaging with Deep Learning (MIDL 2018). Amsterdam, The Netherlands, The Netherlands, 2018.Google ScholarGoogle Scholar
  33. C. Baur, S. Albarqouni, et al. Melanogans: High resolution skin lesion synthesis with gans. arXiv preprint arXiv:1804.04338, 2018.Google ScholarGoogle Scholar
  34. A. Madani, M. Moradi, et al. Chest x-ray generation and data augmentation for cardiovascular abnormality classification. In Medical Imaging 2018: Image Processing, vol. 10574, p. 105741M. International Society for Optics and Photonics, 2018.Google ScholarGoogle Scholar
  35. M. J. Chuquicusma, S. Hussein, et al. How to fool radiologists with generative adversarial networks? a visual turing test for lung cancer diagnosis. In Biomedical Imaging (ISBI 2018), 2018 IEEE 15th International Symposium on, pp. 240-244. IEEE, IEEE, 4 2018. ISBN 978-1-5386-3636-7.Google ScholarGoogle ScholarCross RefCross Ref
  36. W. Hruby. Digital (R)Evolution in Radiology. Springer Vienna, 2013. ISBN 9783709137079. Google ScholarGoogle ScholarDigital LibraryDigital Library
  37. A. Peck. Clark's Essential PACS, RIS and Imaging Informatics. Clark's Companion Essential Guides. CRC Press, 2017. ISBN 9781498763462.Google ScholarGoogle Scholar
  38. C. Carter and B. Veale. Digital Radiography and PACS. Elsevier Health Sciences, 2018. ISBN 9780323547598.Google ScholarGoogle Scholar
  39. B. Siwicki. Cloud-based pacs system cuts imaging costs by half for rural hospital | healthcare it news. https://www.healthcareitnews.com/news/cloud-based-pacs-system-cuts-imaging-costs-half-rural-hospital.Google ScholarGoogle Scholar
  40. J. Bresnick. Picture archive communication system use widespread in hospitals. https://healthitanalytics.com/news/picture-archive-communication-system-use-widespread-inhospitals, 2016.Google ScholarGoogle Scholar
  41. S. Jodogne, C. Bernard, et al. Orthanc-a lightweight, restful dicom server for healthcare and medical research. In Biomedical Imaging (ISBI), 2013 IEEE 10th International Symposium on, pp. 190-193. IEEE, 2013.Google ScholarGoogle ScholarCross RefCross Ref
  42. C. Costa, C. Ferreira, et al. Dicoogle-an open source peer-to-peer pacs. Journal of digital imaging, 24(5):848-856, 2011.Google ScholarGoogle Scholar
  43. L. Adefala. Healthcare experiences twice the number of cyber attacks as other industries. https://www.fortinet.com/blog/business-and-technology/healthcare-experiences-twice-the-number-of-cyber-attacks-as-othe.html, 2018.Google ScholarGoogle Scholar
  44. J. B. RebeccaWeintraub. 11 things the health care sector must do to improve cybersecurity. https://hbr.org/2017/06/11-things-the-health-care-sector-must-do-to-improve-cybersecurity, 2017.Google ScholarGoogle Scholar
  45. C. Osborne. Us hospital pays $55,000 to hackers after ransomware attack | zdnet. https://www.zdnet.com/article/us-hospital-pays-55000-to-ransomware-operators/, 2018.Google ScholarGoogle Scholar
  46. J. Muniz and A. Lakhani. Penetration testing with raspberry pi. Packt Publishing Ltd, 2015. Google ScholarGoogle ScholarDigital LibraryDigital Library
  47. M. Vanhoef and F. Piessens. Key reinstallation attacks: Forcing nonce reuse in wpa2. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, pp. 1313-1328. ACM, 2017. Google ScholarGoogle ScholarDigital LibraryDigital Library
  48. A. NG. Security researchers find flaws in chips used in hospitals, factories and stores - cnet. https://www.cnet.com/news/security-researchers-find-flaws-in-chips-used-in-hospitals-factories-and-stores/, 2018.Google ScholarGoogle Scholar
  49. R. M. Robin Henry and J. Corke. Hospitals to struggle for days | news | the sunday times. https://www.thetimes.co.uk/article/nhs-cyberattack-bitcoin-wannacry-hospitals-to-struggle-for-days-k0nhk7p2b, 2017.Google ScholarGoogle Scholar
  50. DHS. Philips isite/intellispace pacs vulnerabilities (update a), ics-cert. https://ics-cert.uscert.gov/advisories/ICSMA-18-088-01, 2018.Google ScholarGoogle Scholar
  51. J. E. Dunn. Imagine you're having a ct scan and malware alters the radiation levels - it's doable ċ the register. https://www.theregister.co.uk/2018/04/11/hacking_medical_devices/, 2018.Google ScholarGoogle Scholar
  52. K. Zetter. Hospital viruses: Fake cancerous nodes in ct scans, created by malware, trick radiologists. https://www.washingtonpost.com/technology/2019/04/03/hospital-viruses-fake-cancerous-nodes-ct-scans-created-by-malware-trick-radiologists/, April 2019.Google ScholarGoogle Scholar
  53. H. MacMahon, D. P. Naidich, et al. Guidelines for management of incidental pulmonary nodules detected on ct images: from the fleischner society 2017. Radiology, 284(1):228-243, 2017.Google ScholarGoogle ScholarCross RefCross Ref
  54. S. G. Armato III, G. McLennan, et al. The lung image database consortium (lidc) and image database resource initiative (idri): a completed reference database of lung nodules on ct scans. Medical physics, 38(2):915-931, 2011.Google ScholarGoogle ScholarCross RefCross Ref
  55. K. Murphy, B. van Ginneken, et al. A large-scale evaluation of automatic pulmonary nodule detection in chest ct using local image features and k-nearest-neighbour classification. Medical image analysis, 13(5):757-770, 2009.Google ScholarGoogle Scholar
  56. A. Esteva, B. Kuprel, et al. Dermatologist-level classification of skin cancer with deep neural networks. Nature, 542(7639):115, 2017.Google ScholarGoogle Scholar
  57. A. J. Conger. Integration and generalization of kappas for multiple raters. Psychological Bulletin, 88(2):322, 1980.Google ScholarGoogle ScholarCross RefCross Ref
  58. T. Drew, M. L.-H. Võ, et al. The invisible gorilla strikes again: Sustained inattentional blindness in expert observers. Psychological science, 24(9):1848-1853, 2013.Google ScholarGoogle ScholarCross RefCross Ref
  59. F. Cao, H. Huang, et al. Medical image security in a hipaa mandated pacs environment. Computerized medical imaging and graphics, 27(2-3):185-196, 2003.Google ScholarGoogle Scholar
  60. NEMA. Digital imaging and communications in medicine (dicom) digital signatures. ftp://medical.nema.org/medical/dicom/final/sup41_ft.pdf, 2001.Google ScholarGoogle Scholar
  61. A. Ghoneim, G. Muhammad, et al. Medical image forgery detection for smart healthcare. IEEE Communications Magazine, 56(4):33-37, 2018.Google ScholarGoogle ScholarCross RefCross Ref
  62. A. Rössler, D. Cozzolino, et al. Faceforensics++: Learning to detect manipulated facial images. arXiv preprint arXiv:1901.08971, 2019.Google ScholarGoogle Scholar
  63. F. Matern, C. Riess, et al. Exploiting visual artifacts to expose deepfakes and face manipulations. In 2019 IEEE Winter Applications of Computer Vision Workshops (WACVW), pp. 83-92. IEEE, 2019.Google ScholarGoogle ScholarCross RefCross Ref
  64. S. Tariq, S. Lee, et al. Detecting both machine and human created fake face images in the wild. In Proceedings of the 2nd International Workshop on Multimedia Privacy and Security, pp. 81-87. ACM, 2018. Google ScholarGoogle ScholarDigital LibraryDigital Library
  65. D. Cozzolino, J. Thies, et al. Forensictransfer: Weakly-supervised domain adaptation for forgery detection. arXiv preprint arXiv:1812.02510, 2018.Google ScholarGoogle Scholar
  66. L. Zheng, Y. Zhang, et al. A survey on image tampering and its detection in real-world photos. Journal of Visual Communication and Image Representation, 58:380-399, 2019.Google ScholarGoogle ScholarCross RefCross Ref
  67. M. Huh, A. Liu, et al. Fighting fake news: Image splice detection via learned self-consistency. In Proceedings of the European Conference on Computer Vision (ECCV), pp. 101-117. 2018.Google ScholarGoogle ScholarCross RefCross Ref
  68. D. Cozzolino and L. Verdoliva. Noiseprint: a cnn-based camera model fingerprint. arXiv preprint arXiv:1808.08396, 2018.Google ScholarGoogle Scholar
  69. P. Korus and J. Huang. Multi-scale analysis strategies in prnu-based tampering localization. IEEE Trans. on Information Forensics & Security, 2017. Google ScholarGoogle ScholarDigital LibraryDigital Library

Index Terms

(auto-classified)
  1. CT-GAN: malicious tampering of 3D medical imagery using deep learning

          Comments

          Login options

          Check if you have access through your login credentials or your institution to get full access on this article.

          Sign in

          Full Access

          Get this Publication

          • Published in

            Guide Proceedings cover image
            SEC'19: Proceedings of the 28th USENIX Conference on Security Symposium
            August 2019
            2002 pages
            ISBN:9781939133069

            Publisher

            USENIX Association

            United States

            Publication History

            • Published: 14 August 2019

            Qualifiers

            • Article
          View Table of Contents
          About Cookies On This Site

          We use cookies to ensure that we give you the best experience on our website.

          Learn more

          Got it!