In case you didn't have anything else to worry about...

[Kevin Johnson]

https://insights.globalspec.com/article ... ter&cid=nl

[Kevin Johnson]

One of the things that I repeatedly commented on to numerous medical facilities that Samantha and I have visited is that they leave patients alone in the room with computers unguarded -- particularly with open USB ports. If a hacker has access to your equipment, you're pretty much toast.

[Dave Koehler]

Not that it can't happen but mine log off each time they leave the room.

[Kevin Johnson]

I tried to point out to them that a very, very small USB device could be inserted unnoticed in an open port. It would not matter if the machine was logged onto. The device could mask its presence from the user.

If your hardware is accessible to a hacker you're pretty much toast.

Aside: I was receiving infusions to combat anemia and the clinic that I went to was treating probably 98% cancer patients. Samantha found it difficult to even sit with me in the waiting area to see the doctor because she is empathetic and picked up on the worry/fear in the waiting patients. MULTIPLE times I brought up this issue of security (or lack thereof). I stopped after a while as I did not want them to think I was off somehow. They make such a big issue of Hipaa laws/violations but let a truck drive through their everyday practices.

If you ever see a business with a security padlock left open you should say something too. I will leave it to the curious reader to investigate why.

[Olds455]

I tried to point out to them that a very, very small USB device could be inserted unnoticed in an open port. It would not matter if the machine was logged onto. The device could mask its presence from the user.

If your hardware is accessible to a hacker you're pretty much toast.

Aside: I was receiving infusions to combat anemia and the clinic that I went to was treating probably 98% cancer patients. Samantha found it difficult to even sit with me in the waiting area to see the doctor because she is empathetic and picked up on the worry/fear in the waiting patients. MULTIPLE times I brought up this issue of security (or lack thereof). I stopped after a while as I did not want them to think I was off somehow. They make such a big issue of Hipaa laws/violations but let a truck drive through their everyday practices.

If you ever see a business with a security padlock left open you should say something too. I will leave it to the curious reader to investigate why.

I've tried every combination of words I could think of to investigate why I should say something if I ever see a business with a security padlock left open. Can you please elaborate? Thanks.

[Kevin Johnson]

The fundamental problem is that it allows a thief to take the padlock and make a key for it. The lock can then be returned before it has been noticed missing. Our local metal distributor did this on a side gate that was out of the view of the personnel and I said something to them.

Many padlocks will now not allow you to withdraw the key until the lock is closed for this reason.

[n2xlr8n]

Simply put, it would not be difficult to infiltrate your average healthcare facility WAN.

On the other hand, any radiologist making a cancer diagnosis without an oncology board review...stay away from. Honestly- best advice I can offer anyone fearful of a physiological mass should stay away from general surgeons and radiologists, period. Don't let them cut, poke or otherwise disturb the mass. Get an appt with an Oncologist.

From an RADONC engineer's POV- I'd have to see the manufacturer's raw / processed image data to believe a hacker could fool a PhD Physicist and a panel of PhD/MDs. Not buying it.

Can the image be manipulated? Sure.

Can the raw localization / 3D mapping be manipulated? No. We'd catch it- at least the manufacturers I'm familiar with.

[Kevin Johnson]

https://arxiv.org/pdf/1901.03597.pdf is the full text of the paper. It includes some examples and points out the various areas vulnerable to attack.

[makin chips]

Penetration Testing, anyone?


Been learning a lot about that lately, ironically. Look up Deviant Ollam(owner of The CORE Group, a physical pen testing firm) on YouTube. He has a bunch of Def Con and Black Hat talks about this very subject. Extremely interesting stuff.

Another thing they'll do is take the lock and swap the cylinder so it's a cylinder to a key they own, etc or even, in a huge building with a master key system, they could sit in a closet and map out a master key in about 15 minutes. I've literally watched him doing a "Red Team Penetration test" and he sat in a closet and filed out an actual master key using about 15 or 20 blanks. Craziness.

Watch this one, Kevin. I bet you'd like it.

https://youtu.be/Rctzi66kCX4

"I'll let myself in" is the title. About penetration testing businesses and their networks and things he does to get in and how to protect yourself against those attacks, etc...

[makin chips]

Elevator hacking is also a good one

https://youtu.be/ZUvGfuLlZus

[n2xlr8n]

https://arxiv.org/pdf/1901.03597.pdf is the full text of the paper. It includes some examples and points out the various areas vulnerable to attack.

Respectfully speaking, I guessed correctly- they are manipulating the PACS (image transport/archiving protocol) image, not the raw data.

Any Radiation Physicist or Rad Onc MD worth their board cert will check the raw data- not make a decision based solely on the processed PACs image.

Can this malware lead to missed diagnosis? Sure, but not from my POV, or any of the professionals I've worked with over 25 years.

[Kevin Johnson]

Well, this was/is a white paper, as well as this study from nine years ago: https://www.ncbi.nlm.nih.gov/pmc/articles/PMC3056978/

I think state actors would have little difficulty (and surely already have, considering the report) identifying and rectifying the weaknesses you point out. To the extent that they do not admit same, the attack is more effective, no?

[Kevin Johnson]

Follow-up.

I think I should mention that my concern for the Cancer Clinic (infusions) was financial security rather than falsifying medical imaging (which I had not even imagined at that point). Right in the clinic there was a dedicated office for people to figure out how to pay for their very expensive and long term treatments. Most of the patients are elderly and (likely) have substantial savings or financial wherewithal. This database would be a prime target for hackers seeking to extract that money from them by one means or another.

[Kevin Johnson]

...

Watch this one, Kevin. I bet you'd like it.

https://youtu.be/Rctzi66kCX4

"I'll let myself in" is the title. About penetration testing businesses and their networks and things he does to get in and how to protect yourself against those attacks, etc...

Yes, I watched that one before and many others. About 45 years ago my Father bought me a nice chronograph wristwatch. I left it in my school locker (with a combination padlock) and it was stolen (and the locker re-locked). I do not remember anything prior or subsequent to that being stolen from the locker. I guess someone saw me put it in there.

At the time I was watching them I was most concerned about having my motorcycle stolen from the university campus. Years prior I lost a scooter in Santa Cruz. It was locked but it was light enough to be lifted into a van, locked or otherwise.