Cybersecurity researchers have recently created a computer virus that was able to trick three radiologists into thinking their patients had cancer. The researchers were also able to fool automated screening systems by altering images and scans to place fake “tumors” on them, or by removing real tumors from actual scans which showed advanced disease. These images and scans were vulnerable because they were not digitally signed or encrypted. The researchers also found that while hospitals have done a good job in preventing the spread of confidential patient information outside their facilities, they have not done as well in handling data internally with care. This has left hospitals and other medical facilities vulnerable to intrusions by malware and other viruses that could wreak havoc on patients’ sensitive medical data.
Although it’s too early to tell what impact these vulnerabilities will have on patient care, it should be alarming to all of us on several levels. First, interpreting radiological scans requires a high level of skill and judgment in what is already a complex and nuanced process. If a patient or radiologist cannot trust the integrity of the data underlying a particular scan or image, then certainly any conclusions reached on it will be viewed with some level of skepticism. Second, as more people learn that malware and viruses can make it look like a patient has a tumor or cancer when he or she is perfectly healthy, we should expect a sharp increase in the number of patients seeking a second opinion or additional scans or tests because they do not trust the initial scan or interpretation, perhaps out of an understandable sense of grief or denial. This will cause increasing burdens and costs on an already over-burdened and expensive health care system.
Finally, we should expect to see more and more hospitals threatened by ransomware and cybercriminals who demand payment in exchange for not corrupting the hospital’s radiological system. Given the stakes in play – life, death, and potentially unnecessary treatment – hospitals and other medical providers would be well-advised to plan to prevent and address these new cyberthreats in the medical landscape. For further information, please contact Attorney Brian J. Lamoureux at or 401-824-5155.

Disclaimer: This blog post is for informational purposes only. This blog is not legal advice and you should not use or rely on it as such. By reading this blog or our website, no attorney-client relationship is created. We do not provide legal advice to anyone except clients of the firm who have formally engaged us in writing to do so. This blog post may be considered attorney advertising in certain jurisdictions. The jurisdictions in which we practice license lawyers in the general practice of law, but do not license or certify any lawyer as an expert or specialist in any field of practice.