Published Date: 2019-04-03
Postmortem Analysis | |
---|---|
Timeline | 1. The software failure incident happened in April 2019. - Articles used: [83317, 83773] |
System | 1. Picture Archiving and Communication System (PACS) networks failed to digitally sign the scans to prevent them from being altered without detection and didn't use encryption on their networks, allowing attackers to alter medical images [83317, 83773]. |
Responsible Organization | 1. Researchers at the Ben-Gurion University Cyber Security Research Center in Israel [83317, 83773] |
Impacted Organization | 1. Presidential candidates and politicians were potentially impacted by the software failure incident as attackers could target them to trick them into believing they have a serious illness, leading to withdrawal from races or seeking unnecessary treatment [83317]. 2. Patients undergoing medical imaging scans, such as CT and MRI scans, were impacted by the software failure incident as the malware could alter their scans, leading to misdiagnosis and potentially incorrect treatment decisions [83317, 83773]. 3. Radiologists and doctors were impacted by the software failure incident as the malware successfully fooled them into misdiagnosing conditions in the altered scans [83317, 83773]. 4. Hospital networks and healthcare organizations were impacted by the software failure incident due to vulnerabilities in the equipment and networks used to transmit and store medical imaging scans, potentially allowing attackers to manipulate the scans [83317, 83773]. |
Software Causes | 1. The failure incident was caused by the creation of malware by researchers in Israel that exploited vulnerabilities in widely used CT and MRI scanning equipment to alter medical imaging scans, leading to misdiagnosis and potentially life-altering consequences [Article 83317]. 2. The malware developed by the researchers was able to automatically add fake malignant growths to CT or MRI scans, remove real cancerous nodules without detection, and trick radiologists into misdiagnosing conditions nearly every time [Article 83317]. 3. The attack was made possible due to vulnerabilities in the equipment and networks hospitals use to transmit and store CT and MRI images, particularly the lack of digital signatures on scans to prevent alterations without detection and the absence of encryption on PACS networks, allowing intruders to see and alter the scans [Article 83317]. 4. The malware used machine learning to rapidly assess scans passing through a PACS network, adjust and scale fabricated tumors to conform to a patient's unique anatomy, and operate independently to find and alter scans, potentially leading to unwarranted biopsies, tests, and treatment for patients [Article 83317]. 5. The malware could be physically installed on a PACS network by attackers with either direct access to the network cables or remotely from the Internet, as many PACS networks are directly connected to the Internet or accessible through hospital machines connected to the Internet [Article 83317]. 6. The security flaws in the way hospitals and healthcare centers protect their networks, such as the lack of encryption and digital signatures on medical imaging scans, made it easy for attackers to exploit the vulnerabilities and alter the scans without detection [Article 83773]. |
Non-software Causes | 1. Lack of digital signing and encryption of medical scan images, making it easy for the malware to alter the images without detection [83317, 83773] 2. Vulnerabilities in the equipment and networks used to transmit and store CT and MRI images, allowing attackers to access and manipulate the scans [83317, 83773] 3. Insufficient network security measures within hospitals, such as lack of encryption on PACS networks, making it easier for attackers to plant malware or alter scans [83317, 83773] 4. Inadequate internal data security practices within hospitals, leading to leniency in handling sensitive data [83773] |
Impacts | 1. The software failure incident involving the creation of malware that could alter medical scan images had significant impacts on the accuracy of diagnoses. The malware was able to trick radiologists into misdiagnosing conditions nearly every time, with radiologists diagnosing cancer 99 percent of the time in cases with fabricated cancerous nodules [83317]. 2. The altered images also managed to trick automated screening systems, indicating a potential widespread impact on the reliability of automated diagnostic tools [83773]. 3. The software failure incident highlighted serious security weaknesses in critical medical imaging equipment used for diagnosing conditions and the networks that transmit those images. This vulnerability could have potentially life-altering consequences if unaddressed, leading to misdiagnosis and possibly a failure to treat patients who need critical and timely care [83317]. 4. The incident raised concerns about the potential for attackers to target specific patients, searching for scans tagged with a specific patient’s name or ID number, which could prevent patients who have a disease from receiving critical care or cause others who aren’t ill to receive unwarranted biopsies, tests, and treatment [83317]. 5. The researchers suggested that the security flaws in medical imaging equipment and networks could be exploited to sow doubt about the health of government figures, sabotage research, commit insurance fraud, or be used as part of a terrorist attack, indicating broader societal impacts beyond individual patient misdiagnoses [83773]. |
Preventions | 1. Enabling end-to-end encryption across PACS networks and digitally signing all images to prevent unauthorized alterations [Article 83317]. 2. Implementing better security measures such as using encryption and digital signatures to protect medical imaging equipment from malware attacks [Article 83773]. |
Fixes | 1. Implementing end-to-end encryption across PACS networks and digitally signing all images to prevent unauthorized alterations [83317, 83773] 2. Ensuring radiology and doctor workstations are set up to verify digital signatures and flag any images that aren't properly signed [83317] 3. Utilizing better encryption and digital signatures to protect medical imaging equipment from cyber-attacks [83773] |
References | 1. Researchers at the Ben-Gurion University Cyber Security Research Center in Israel [Article 83317] 2. Radiologists who participated in the study conducted by the researchers [Article 83317] 3. Nancy Boniel, a radiologist in Canada who participated in the study [Article 83317] 4. Yisroel Mirsky, Yuval Elovici, and other researchers from Ben Gurion University's cyber-security center in Israel [Article 83773] 5. The Washington Post, which first reported on the research [Article 83773] |
Category | Option | Rationale |
---|---|---|
Recurring | unknown | (a) The software failure incident related to the creation of malware that can alter medical scan images has not been reported to have happened again at the same organization or with its products and services. The incident described in the articles is a unique case of researchers creating malware to manipulate medical scan images for research purposes. (b) The articles do not mention any specific instances where a similar software failure incident, involving the alteration of medical scan images by malware, has occurred at other organizations or with their products and services. The incident described in the articles seems to be a research-based demonstration of potential vulnerabilities in medical imaging equipment and networks. |
Phase (Design/Operation) | design, operation | (a) The software failure incident in the articles is related to the design phase. The incident involved the development of malware by researchers in Israel to exploit vulnerabilities in widely used CT and MRI scanning equipment. The malware they created allowed attackers to automatically add fake cancerous nodules to medical scans, leading to misdiagnosis and potentially harmful consequences [83317, 83773]. (b) The software failure incident is also related to the operation phase. The malware developed by the researchers was able to alter medical scan images and deceive both radiologists and automated screening systems, leading to incorrect diagnoses. This failure was a result of the operation or use of the vulnerable systems in hospitals, where the files were not digitally signed or encrypted, making it difficult to detect changes in the images [83317, 83773]. |
Boundary (Internal/External) | within_system, outside_system | The software failure incident described in the articles involves contributing factors both within the system and outside the system. Within_system: - The malware created by researchers in Israel exploited vulnerabilities in critical medical imaging equipment used for diagnosing conditions and the networks that transmit those images [Article 83317]. - The malware was designed to automatically add fake tumors to CT or MRI scans, leading to misdiagnosis by radiologists and doctors [Article 83317]. - The attack worked because hospitals didn't digitally sign the scans to prevent alterations without detection and didn't use encryption on their PACS networks, allowing intruders to see and alter the scans [Article 83317]. - The malware used machine learning to rapidly assess scans passing through a PACS network and adjust fabricated tumors to make them more realistic [Article 83317]. - The malware could be installed on a hospital's PACS network either through physical access or remotely from the Internet [Article 83317]. Outside_system: - The software failure incident involved weaknesses in the way hospitals and healthcare centers protect their networks, making it easier for attackers to access the systems [Article 83773]. - Hospitals were found to be less careful when handling data internally, which contributed to the vulnerability of the systems [Article 83773]. - The researchers suggested that better use of encryption and digital signatures could help hospitals avoid problems if cyber-attackers tried to subvert images [Article 83773]. - Hospitals and healthcare organizations have been popular targets for cyber-attackers, indicating external threats to the systems [Article 83773]. |
Nature (Human/Non-human) | non-human_actions, human_actions | (a) The software failure incident in the articles was primarily due to non-human actions. Researchers in Israel developed malware that could alter medical imaging scans by adding fake cancerous nodules or removing real cancerous nodules without detection. This malware exploited vulnerabilities in widely used CT and MRI scanning equipment and the networks that transmit the images. The attack was successful in fooling radiologists and automated screening systems, highlighting serious security weaknesses in critical medical imaging equipment [83317, 83773]. (b) Human actions also played a role in the software failure incident. The Israeli researchers created the malware intentionally to draw attention to the security vulnerabilities in medical imaging equipment. Additionally, the lack of proper encryption and digital signatures in hospitals' networks contributed to the ease with which attackers could manipulate the scans. The researchers also demonstrated how easy it was to physically install malware on a hospital's PACS network, emphasizing the importance of securing these systems against human-initiated attacks [83317, 83773]. |
Dimension (Hardware/Software) | hardware, software | (a) The articles discuss a software failure incident that could occur due to contributing factors originating in hardware. The malware created by researchers in Israel targeted vulnerabilities in widely used CT and MRI scanning equipment, exploiting weaknesses in critical medical imaging equipment used for diagnosing conditions [83317]. The malware was able to alter medical scan images, including adding fake tumors, by exploiting vulnerabilities in the equipment and networks hospitals use to transmit and store CT and MRI images [83773]. (b) The articles also highlight a software failure incident that could occur due to contributing factors originating in software. The experimental malware created by cyber-security researchers was able to alter medical scan images and fool radiologists into misdiagnosing conditions, showcasing the potential impact of software vulnerabilities on diagnostic equipment [83773]. The malware was developed to demonstrate how easy it is to bypass security protections for diagnostic equipment, emphasizing the importance of addressing software vulnerabilities in medical imaging systems [83773]. |
Objective (Malicious/Non-malicious) | malicious | (a) The objective of the software failure incident was malicious. The malware created by researchers in Israel was designed to exploit vulnerabilities in medical imaging equipment and networks to add fake cancerous nodules to CT and MRI scans, as well as remove real cancerous nodules without detection. The objective was to draw attention to serious security weaknesses in critical medical imaging equipment and potentially cause misdiagnosis and harm to patients, including political figures, by tricking radiologists and doctors into believing false medical conditions ([83317], [83773]). (b) The software failure incident was not non-malicious. |
Intent (Poor/Accidental Decisions) | poor_decisions | (a) The intent of the software failure incident was related to poor_decisions. The malware created by researchers in Israel was developed to exploit vulnerabilities in widely used CT and MRI scanning equipment to draw attention to serious security weaknesses in critical medical imaging equipment and networks [83317]. The malware was designed to automatically add fake tumors to CT or MRI scans, potentially leading to misdiagnosis and causing patients to receive unnecessary treatment or preventing those who need critical care from receiving it. The intent was to demonstrate the potential life-altering consequences of unaddressed security vulnerabilities in medical imaging equipment [83317]. |
Capability (Incompetence/Accidental) | development_incompetence | (a) The software failure incident in the articles can be attributed to development incompetence. The incident involved the creation of malware by researchers in Israel to exploit vulnerabilities in widely used CT and MRI scanning equipment. The malware was designed to automatically add fake cancerous nodules to medical scans, leading to misdiagnosis and potentially harmful consequences for patients. The researchers were able to trick radiologists into misdiagnosing conditions almost every time, even after being informed that the scans had been altered by malware. The attack highlighted serious security weaknesses in critical medical imaging equipment and networks, emphasizing the need for better security measures in hospitals to prevent such incidents [83317, 83773]. (b) The software failure incident was not accidental but rather a deliberate creation of malware by the researchers to demonstrate the vulnerabilities in medical imaging equipment. The malware was specifically designed to manipulate medical scans by adding fake tumors, showcasing the potential risks associated with exploiting security flaws in healthcare systems. The incident was a result of intentional actions taken by the researchers to draw attention to the lack of proper security measures in place, rather than being an accidental occurrence [83317, 83773]. |
Duration | temporary | The software failure incident described in the articles is temporary. The incident involved the creation of malware by researchers in Israel that could alter medical scan images, such as adding fake tumors or removing real cancerous nodules, to deceive radiologists and automated screening systems [83317, 83773]. This temporary failure was due to specific circumstances introduced by the malware exploiting vulnerabilities in widely used CT and MRI scanning equipment and the networks that transmit those images. The incident was not a permanent failure but rather a targeted attack that could have potentially life-altering consequences if unaddressed. |
Behaviour | omission, value, other | (a) crash: The software failure incident described in the articles does not involve a crash where the system loses state and does not perform any of its intended functions. (b) omission: The software failure incident involves the omission of performing intended functions. The malware created by researchers in Israel was able to add fake cancerous nodules to CT or MRI scans, as well as remove real cancerous nodules without detection, leading to misdiagnosis and potentially causing patients to not receive critical and timely care [83317]. (c) timing: The software failure incident does not involve a timing issue where the system performs its intended functions correctly but too late or too early. (d) value: The software failure incident involves the system performing its intended functions incorrectly. The malware was able to trick radiologists into misdiagnosing conditions nearly every time, with radiologists diagnosing cancer 99% of the time in cases with fabricated cancerous nodules and concluding very sick patients were healthy in cases where real cancerous nodules were removed from scans [83317]. (e) byzantine: The software failure incident does not involve a byzantine failure where the system behaves erroneously with inconsistent responses and interactions. (f) other: The software failure incident involves a unique behavior where the malware was able to alter medical imaging scans by adding or removing cancerous nodules, leading to potential misdiagnosis and serious consequences for patients [83317, 83773]. |
Layer | Option | Rationale |
---|---|---|
Perception | sensor, network_communication | (a) sensor: The software failure incident described in the articles is related to the perception layer of the cyber physical system that failed due to contributing factors introduced by sensor error. The malware created by researchers in Israel was able to alter medical imaging scans, specifically CT and MRI scans, by adding fake cancerous nodules or removing real cancerous nodules without detection. This manipulation of the scans could lead to misdiagnosis and potentially harmful consequences for patients [83317, 83773]. (b) actuator: The articles do not mention any failure related to the actuator in the cyber physical system. (c) processing_unit: The failure in this incident is not directly related to a processing error but rather to the manipulation of medical imaging scans through malware exploiting vulnerabilities in the equipment and networks used for diagnosing conditions [83317, 83773]. (d) network_communication: The software failure incident involves vulnerabilities in the networks hospitals use to transmit and store CT and MRI images. The attack was made possible because hospitals do not digitally sign the scans to prevent alterations without detection and do not use encryption on their PACS networks, allowing intruders to see and alter the scans [83317, 83773]. (e) embedded_software: The incident does not specifically mention a failure related to embedded software in the cyber physical system. |
Communication | connectivity_level | The software failure incident described in the articles is related to the communication layer of the cyber physical system that failed at the connectivity level. The incident involved vulnerabilities in the way hospitals transmit and store CT and MRI images through their picture archiving and communication systems (PACS) networks. The vulnerabilities were exploited by malware created by researchers to alter medical scan images, leading to potential misdiagnoses and manipulation of patient data [83317, 83773]. The attack was made possible due to the lack of encryption and digital signing of the images, allowing intruders to access and modify the scans without detection [83317, 83773]. Additionally, the researchers highlighted that hospitals often prioritize external data security over internal network security, making it easier for attackers to exploit weaknesses in the internal systems [83317, 83773]. |
Application | TRUE | The software failure incident described in the articles was related to the application layer of the cyber physical system. The incident involved the creation of malware by researchers in Israel that could alter medical scan images, specifically CT and MRI scans, by adding or removing cancerous nodules. This malware exploited vulnerabilities in widely used CT and MRI scanning equipment and networks that transmit the images, allowing attackers to manipulate the scans without detection. The altered images could lead to misdiagnosis and potentially harmful consequences for patients [Article 83317, Article 83773]. This failure falls under the category of application layer failure as it was caused by the introduction of malicious software (malware) that manipulated the images due to vulnerabilities in the equipment and networks used in the medical imaging process. |
Category | Option | Rationale |
---|---|---|
Consequence | harm, non-human, theoretical_consequence, other | (a) death: People lost their lives due to the software failure - The articles do not mention any instances of people losing their lives due to the software failure incident. [83317, 83773] (b) harm: People were physically harmed due to the software failure - The software failure incident could potentially harm patients by leading to misdiagnosis and failure to treat critical conditions. [83317, 83773] (c) basic: People's access to food or shelter was impacted because of the software failure - The articles do not mention any impact on people's access to food or shelter due to the software failure incident. [83317, 83773] (d) property: People's material goods, money, or data was impacted due to the software failure - The software failure incident did not directly impact people's material goods, money, or data. [83317, 83773] (e) delay: People had to postpone an activity due to the software failure - The articles do not mention any instances of people having to postpone activities due to the software failure incident. [83317, 83773] (f) non-human: Non-human entities were impacted due to the software failure - The software failure incident impacted the integrity of medical imaging equipment and the accuracy of diagnostic scans. [83317, 83773] (g) no_consequence: There were no real observed consequences of the software failure - The software failure incident had significant consequences related to potential misdiagnosis and manipulation of medical scans. [83317, 83773] (h) theoretical_consequence: There were potential consequences discussed of the software failure that did not occur - The articles discuss potential consequences such as misdiagnosis, manipulation of medical scans, sabotage of research, and insurance fraud as theoretical outcomes of the software failure incident. [83317, 83773] (i) other: Was there consequence(s) of the software failure not described in the (a to h) options? What is the other consequence(s)? - The software failure incident could lead to emotional distress, insurance implications, unwarranted treatment, and referrals to specialists based on manipulated medical scans. [83317] |
Domain | health | The software failure incident described in the articles is related to the **health** industry. The incident involved the creation of malware that could manipulate medical imaging scans, specifically CT and MRI scans used for diagnosing conditions like lung cancer. The malware was designed to add fake cancerous nodules to scans, leading to potential misdiagnosis and incorrect treatment decisions [Article 83317]. The malware could also remove real cancerous nodules from scans, further complicating the diagnostic process [Article 83773]. The vulnerabilities exploited in this incident were related to the equipment and networks hospitals use to transmit and store medical imaging data, particularly the lack of digital signatures and encryption on the Picture Archiving and Communication System (PACS) networks [Article 83317]. The attack highlighted the security weaknesses in critical medical imaging equipment and the potential consequences of such vulnerabilities if left unaddressed in the healthcare industry. |
Article ID: 83317
Article ID: 83773