Entering the radiology lab of an unnamed hospital after-hours, a researcher at the Ben Gurion University Cyber Security Research Center in Israel managed to compromise and access the radiology department’s Picture Archiving and Communication System (PACS) network in under 30 seconds.

Once inside, all it took was a combination of a neural network and an NVIDIA GEFORCE Titan X graphic card for the researcher to create fake CT scans—showing healthy patients as having tumours and cancer-struck patients as having none. When doctors were shown the images, they were unable to differentiate between the two. Even a deep-learning AI created specifically for the task was unable to tell the difference between the tampered and untampered images.

The results were published in the scientific paper , “CT-GAN: Malicious Tampering of 3D Medical Imagery using Deep Learning”. For cybersecurity researchers, these kinds of studies are necessary to identify vulnerabilities in systems, and can allow hospitals to improve their defences against an increasingly malicious cyber world. The authors explained their intent in performing the study:

“In this paper, we show how an attacker can use deep learning to add or remove evidence of medical conditions from volumetric (3D) medical scans. An attacker may perform this act in order to stop a political candidate, sabotage research, commit insurance fraud, perform an act of terrorism, or even commit murder.”

First reported by the Washington Post, the research highlights a growing danger in the field of healthcare information security. The PACS systems used by many hospitals are a combination of vulnerabilities—gaining access to even a single node in the network would be enough for a skilled hacker to tamper with confidential medical files.

The issue raised by this research was the absence of effective digital signing techniques by the hospital in concern. One of the most effective solutions, the “watermarking” of an image, has existed since the early 2000s. However, even though guidelines and standards for information security within healthcare exist (such as the DICOM standard and ISO 27799), there is a perceived reluctance within the healthcare community to employ these methods.