Know Your Enemy: Characteristics of Cyber-Attacks on Medical Imaging Devices
Purpose: Used extensively in the diagnosis, treatment, and prevention of disease, Medical Imaging Devices (MIDs), such as Magnetic Resonance Imaging (MRI) or Computed Tomography (CT) machines, play an important role in medicine today. MIDs are increasingly connected to hospital networks, making them vulnerable to sophisticated cyber-attacks targeting the devices’ infrastructure and components, which can disrupt digital patient records, and potentially jeopardize patients’ health. Attacks on MIDs are likely to increase, as attackers’ skills improve and the number of unpatched devices with known vulnerabilities that can be easily exploited grows. Attackers may also block access to MIDs or disable them, as part of ransomware attacks, which have been shown to be successful against hospitals.
Method and Materials: We conducted a comprehensive risk analysis survey at the Malware-Lab, based on the Confidentiality, Integrity, and Availability (CIA) model, in collaboration with our country’s largest health maintenance organization, to define the characteristics of cyber-attacks on MIDs. The survey includes a range of vulnerabilities and potential attacks aimed at MIDs, medical and imaging information systems, and medical protocols and standards such as DICOM and HL7.
Results: Based on our survey, we found that CT devices face the greatest risk of cyber-attack, due to their pivotal role in acute care imaging. Thus, we identified several possible attack vectors that target the infrastructure and functionality of CT devices, which can cause:
1. Disruption of the parameters’ values used in the scanning protocols within the CT devices (e.g., tampering with the radiation exposure levels);
2. Mechanical disruption of the CT device (e.g., changing the pitch);
3. Disruption of the tomography scan signals constructing the digital images; and
4. Denial-of-Service attacks against the CT device.
💡 Research Summary
The paper “Know Your Enemy: Characteristics of Cyber‑Attacks on Medical Imaging Devices” presents a comprehensive risk assessment of cyber‑threats targeting medical imaging devices (MIDs), with a particular focus on computed tomography (CT) scanners. The authors begin by documenting the rapid growth of CT and magnetic resonance imaging (MRI) equipment worldwide, using OECD statistics and a second‑order polynomial regression to forecast a 40 % increase in device numbers by 2020. This expansion, coupled with the increasing connectivity of these devices to hospital networks, creates a large attack surface that is often protected by outdated operating systems and unpatched firmware.
A risk‑analysis survey was conducted in collaboration with Israel’s largest health maintenance organization, employing the Confidentiality‑Integrity‑Availability (CIA) model to evaluate vulnerabilities across hardware, software, medical information systems, and standards such as DICOM and HL7. The survey identified CT scanners as the most vulnerable class of MIDs, primarily because they are critical to acute care, are expensive, and a single device failure can cripple an entire hospital’s diagnostic capability.
Four principal attack vectors are described in detail:
- Configuration‑File Disruption – The scan protocol is stored in a configuration file on the host control PC. By tampering with this file, an attacker can alter radiation dose, voltage, pitch, and other parameters, potentially delivering harmful radiation levels or degrading diagnostic quality.
- Mechanical Disruption of Motors – CT systems contain multiple motor‑driven components (patient table, gantry rotation, scanner head). Manipulating the control commands sent from the host PC can cause unintended movements, leading to equipment damage or direct patient injury.
- Image‑Result Tampering – The image reconstruction subsystem and DICOM transmission pipeline can be compromised to modify raw data, swap patient identifiers, or inject/erase pathological findings. Such manipulations are difficult to detect clinically and could result in misdiagnosis, delayed treatment, or unnecessary procedures.
- Ransomware and Denial‑of‑Service (DoS) – The authors use the WannaCry ransomware as a case study. The worm exploited the SMB vulnerability (CVE‑2017‑0144) and infected thousands of NHS computers, including MRI and CT workstations, rendering them inoperable. Encryption of the host PC’s storage or a DoS attack can halt imaging services entirely, endangering patients who require timely scans.
The paper emphasizes that the host control PC is the single point of failure; its central role in command and data flow makes it the most attractive target. Regulatory constraints (FDA, CE marking) and lengthy certification processes impede rapid patch deployment, leaving many devices exposed for years. Traditional defenses such as antivirus software are deemed insufficient.
To address these challenges, the authors propose an out‑of‑band, machine‑learning‑based monitoring system. By continuously learning the normal command patterns sent to the CT gantry, together with patient profiles and scan labels, the system can detect anomalies before they reach the hardware. This approach assumes that the host PC may already be compromised and provides a network‑level safeguard that can block malicious instructions in real time.
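A minimal sketch of the out‑of‑band check described above, added here as an illustration and not the authors' system: it replaces their machine‑learning model with a per‑scan‑label median/MAD baseline. The field names, sample values and thresholds are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

PARAMS = ("kvp", "mas", "pitch")  # hypothetical field names for voltage, tube current-time, pitch

# Constructed history of commands seen on the link to the gantry (not real device data).
HISTORY = [
    {"label": "head", "kvp": 120, "mas": 250, "pitch": 0.55},
    {"label": "head", "kvp": 120, "mas": 260, "pitch": 0.55},
    {"label": "head", "kvp": 120, "mas": 240, "pitch": 0.60},
    {"label": "head", "kvp": 120, "mas": 255, "pitch": 0.55},
    {"label": "abdomen", "kvp": 120, "mas": 200, "pitch": 1.0},
    {"label": "abdomen", "kvp": 120, "mas": 210, "pitch": 0.9},
    {"label": "abdomen", "kvp": 100, "mas": 190, "pitch": 1.0},
    {"label": "abdomen", "kvp": 120, "mas": 205, "pitch": 1.0},
]

def learn_baseline(history):
    """Per scan label, keep (median, median absolute deviation) for each parameter."""
    grouped = defaultdict(lambda: defaultdict(list))
    for cmd in history:
        for p in PARAMS:
            grouped[cmd["label"]][p].append(cmd[p])
    baseline = {}
    for label, cols in grouped.items():
        baseline[label] = {}
        for p, vals in cols.items():
            med = median(vals)
            baseline[label][p] = (med, median(abs(v - med) for v in vals))
    return baseline

def check_command(cmd, baseline, k=6.0, floor=0.02):
    """Return (param, observed, expected) findings; an empty list means forward the command."""
    profile = baseline.get(cmd.get("label"))
    if profile is None:
        # A scan label never seen during learning is rejected outright.
        return [("label", cmd.get("label"), None)]
    findings = []
    for p in PARAMS:
        med, mad = profile[p]
        # MAD is 0 when history never varied, so fall back to a relative floor.
        tolerance = k * max(mad, floor * abs(med))
        value = cmd.get(p)
        if not isinstance(value, (int, float)) or abs(value - med) > tolerance:
            findings.append((p, value, med))
    return findings
```

Because the check runs on what reaches the gantry link rather than on the host control PC, it still applies when the host's configuration file has already been altered.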
In conclusion, the study warns that cyber‑attacks on MIDs will become a major threat to both manufacturers and healthcare providers. Effective mitigation requires a coordinated effort among device vendors, hospital IT departments, and regulatory bodies to share threat intelligence, enforce timely updates, and adopt behavior‑based intrusion detection mechanisms. The authors indicate that future work will focus on implementing and evaluating the proposed machine‑learning detection framework in real clinical environments.