CT-GAN: Malicious Tampering of 3D Medical Imagery using Deep Learning (1901.03597v3)

Abstract: In 2018, clinics and hospitals were hit with numerous attacks leading to significant data breaches and interruptions in medical services. An attacker with access to medical records can do much more than hold the data for ransom or sell it on the black market. In this paper, we show how an attacker can use deep-learning to add or remove evidence of medical conditions from volumetric (3D) medical scans. An attacker may perform this act in order to stop a political candidate, sabotage research, commit insurance fraud, perform an act of terrorism, or even commit murder. We implement the attack using a 3D conditional GAN and show how the framework (CT-GAN) can be automated. Although the body is complex and 3D medical scans are very large, CT-GAN achieves realistic results which can be executed in milliseconds. To evaluate the attack, we focused on injecting and removing lung cancer from CT scans. We show how three expert radiologists and a state-of-the-art deep learning AI are highly susceptible to the attack. We also explore the attack surface of a modern radiology network and demonstrate one attack vector: we intercepted and manipulated CT scans in an active hospital network with a covert penetration test. Demo video: https://youtu.be/_mkRAArj-x0 Source code: https://github.com/ymirsky/CT-GAN

• The paper presents CT-GAN, a novel framework using two conditional GANs to inject or remove medical evidence in 3D CT scans.
• Results show near-perfect misdiagnosis rates with 99-100% failure by experts and AI, revealing severe vulnerabilities in medical imaging.
• The study underscores the urgent need for robust cybersecurity measures and improved detection methods to safeguard medical data integrity.

An Assessment of CT-GAN: Deep Learning for Malicious Manipulation of 3D Medical Imagery

The paper "CT-GAN: Malicious Tampering of 3D Medical Imagery using Deep Learning" presents an exploration into the potential for malicious use of deep learning technologies, specifically Generative Adversarial Networks (GANs), in altering 3D medical imaging data. This exploration focuses on the tangible threat posed by such manipulations to healthcare institutions and underscores the inherent vulnerabilities in existing medical imaging systems. The proposed framework, CT-GAN, demonstrates the feasibility of an attack where evidence of medical conditions can be either added or removed from volumetric medical scans.

Framework and Implementation

CT-GAN employs two conditional GANs (cGANs) to perform in-painting tasks on 3D images efficiently and realistically. The two cGANs are employed separately to handle injection and removal of medical conditions within CT scans. The architecture is designed to ensure that the manipulation is executed within the anatomical constraints that typically characterize real medical data. This manipulation, as highlighted in the evaluation phase, successfully deceives both human experts, such as radiologists, and advanced AI-based cancer screening systems. The attack operates efficiently with the ability to execute these manipulations within milliseconds, capitalizing on the anatomical realism generated by the GANs to avoid detection.

The evaluation of CT-GAN revealed that three skilled radiologists and a cutting-edge deep learning AI model were unable to recognize manipulated scans accurately. The paper involved 70 altered and 30 authentic CT images, focusing on lung cancer injection and removal. The manipulated images notably resulted in 99% mistaken diagnoses of malignancy by radiologists for injected samples and a 100% misclassification rate by the AI. These results compel a reevaluation of the reliance placed on automated and human assessments of radiographic imagery, highlighting the potential impacts of sophisticated adversarial actions.

Attack Vectors and Implications

The paper meticulously delineates possible attack vectors available to adversaries, emphasizing the exploitative potential in healthcare settings where network and data security lag behind modern standards. Access to PACS (Picture Archiving and Communication System) networks can be achieved through vectors including direct malicious intrusions, social engineering, insider threats, or via compromised endpoints facilitated by vulnerabilities in connected systems or medical devices. The implications of such malicious capabilities are substantial, spanning the falsification of disease progression, manipulation of research data, influencing political candidacies, and facilitating insurance fraud.

Future Directions and Countermeasures

This paper advocates for a heightened attention to cyber threats in medical domains, urging the implementation of robust countermeasures. These include enforcing encryption of data both at rest and in transit, incorporating digital signatures, and rigorous verification through medical image forensics. Additionally, medical institutions must maintain up-to-date network security protocols and strengthen the security postures of their interconnected systems.

From a research perspective, there lies an opportunity to expand upon the understanding of GAN-based manipulations within medical environments. Future inquiries might explore the development of more sophisticated adversarial detection systems capable of recognizing GAN-induced anomalies, along with improved cryptographic techniques to safeguard the integrity and confidentiality of medical data.

In conclusion, this paper exemplifies the dual-edged sword presented by advancements in AI technology within sensitive domains such as healthcare. It pushes for immediate attention to bolster defenses against emerging threats, ensuring the sanctity of patient data and trust in medical diagnostics remains uncompromised.