Research Study Highlights How Hospitals May Be Vulnerable to Cybersecurity Threats That Impact Diagnostic Tools
Health care providers are heavily reliant on technology in providing clinical services. The findings from a recent research study highlight the significant threat of cyber risks in health care that is in addition to the usual concerns relating to protected health information and patients’ personally identifiable information (PII).
As part of this study, researchers used deep-learning artificial intelligence to alter CT scans in real time and observe the findings of the reading radiologists. While many hospitals have well-developed safeguards and policies to comply with the data privacy and security requirements of the Health Insurance Portability and Accountability Act (HIPAA), many of those policies and procedures are focused on securing protected health information (PHI) in its traditional paper forms and in Electronic Medical Records (EMR) systems. Health care providers may not be prepared to protect against cyber intrusions that risk changing patient data in real time and undermining the integrity of patient information in ways that could lead to misdiagnosis and compromised patient care and outcomes.
Recently, scientists from the Ben Gurion University Cyber Security Research Center in Israel developed and deployed malware that successfully tricked radiologists into misdiagnosing lung cancer at least 94 percent of the time. To carry out this cyber intrusion, the security researchers took advantage of certain vulnerabilities unique to radiology workstations. Using a free dataset of 888 CT lung scans, the researchers trained the malware to inject (or remove) a cancer nodule. The malware was also trained to “touch-up” the image to more effectively hide any traces of alterations.
The blind research study tested the malware’s ability to both create and remove cancer nodules in digital images. When presented scans that featured fake cancer nodules, the radiologists diagnosed the scans as containing cancer 99 percent of the time. When the malware was deployed to “hide” images of real cancer nodules, the radiologists concluded that the altered scans were cancer-free 94 percent of the time.
Even when the radiologists in the research study were made aware that some images would be falsified, they still struggled to correctly diagnose. These informed radiologists found computer-generated cancer to be “real” 60 percent of the time, and 87 percent of the patients were misdiagnosed as healthy when the nodules were digitally removed.
Unlike data shared with other hospitals or doctors outside of their information networks, radiological data such as CT scans and MRI images are typically unencrypted when sent from the scanning equipment to the hospital’s databases. These back-end databases receive image data through what is known as a picture archiving and communications system (“PACS”).
In PACS networks, the data transfer usually occurs within a hospital’s own information system and most hospitals operate under the assumption that the data is “safe.” As part of the research study, the authors noted that many PACS networks are directly connected to the Internet or can be accessed through Internet-connected hospital machines. As a result, a well-executed email phishing attack could immediately make such information vulnerable with potentially very harmful patient outcomes.
The Ben Gurion researchers demonstrated the effectiveness and ease of a physical security breach by loading the malware onto a $40 piece of technology. In a video demonstration, the researchers infiltrate a hospital and gain access to the diagnostic machine. Once inside the imaging room, the malicious hardware is installed in 30 seconds. With the installation complete, the malware is able to modify images in milliseconds as a CT scan is taking place.
The cybersecurity risks from phishing attacks and unencrypted data transfers have the potential to expose health care providers to significant legal risk. In addition to potential liability under HIPAA for unauthorized access to PHI, a cyber-attack of the kind simulated by the researchers could potentially expose health care providers to medical malpractice or other claims if altered radiology images resulted in misdiagnosis and poor patient outcomes.
As part of its health care and HIPAA compliance efforts, health care providers should address the findings from the Ben Gurion study to ensure its PHI cannot be compromised in a non-traditional manner.
Saul Ewing Arnstein & Lehr’s cybersecurity and privacy law practitioners regularly assist in determining if companies are taking appropriate actions to protect – and respond to –cybersecurity threats. Saul Ewing Arnstein & Lehr’s health law practitioners regularly assist covered entities with HIPAA-related activities. For more information, contact the authors or the attorney at the Firm with whom you are regularly in contact.