Medical AI Systems Vulnerable to Memory Attacks

Medical artificial intelligence systems that help diagnose diseases from medical scans can be secretly manipulated through computer memory attacks, potentially leading to dangerous misdiagnoses. A new study reveals how attackers can implant hidden triggers in AI models used for medical imaging, causing them to suppress tumor detections or misclassify lesions while appearing normal to clinicians.

Researchers discovered that Vision Transformers (ViTs), powerful AI architectures increasingly used for medical image analysis, are vulnerable to a novel attack called Med-Hammer. This technique combines Rowhammer-induced memory bit flips with Trojan triggers, allowing attackers to compromise diagnostic AI systems without accessing the original training data or model parameters. The attack works by exploiting physical vulnerabilities in computer memory hardware to subtly alter how the AI processes medical images.

The method involves four key stages. First, researchers start with a clean, properly trained medical AI model capable of detecting tumors or classifying lesions with high accuracy. They then identify the most vulnerable parameters within the Vision Transformer architecture, particularly focusing on attention mechanisms and classification layers that have disproportionate influence on the model's decisions. Using the Rowhammer technique, attackers repeatedly activate specific memory rows to cause electrical interference that flips bits in adjacent memory cells, effectively implanting a hidden Trojan into the deployed AI model. Finally, when a specific trigger pattern appears in medical scans, the compromised model produces attacker-controlled outputs while maintaining normal performance for other inputs.

Experimental results across multiple medical imaging datasets demonstrate the attack's effectiveness and stealth. On the ISIC skin cancer dataset, the Med-Hammer attack achieved success rates of 82.51% for MobileViT and 92.56% for Swin Transformer models, meaning the compromised systems reliably produced incorrect diagnoses when triggered. The attack remained particularly stealthy because the corrupted models maintained high accuracy on normal medical scans—MobileViT retained 86.83% accuracy after bit-flip corruption, making the manipulation difficult to detect during routine use. The study found that even a small number of strategically placed bit flips could cause significant diagnostic errors, with just 5 bit flips reducing model accuracy by 27.48% in some cases.

The vulnerability has serious implications for healthcare systems relying on AI-assisted diagnostics. Since the attack occurs at the hardware level and doesn't require access to training data or model parameters, it represents a practical threat to deployed medical AI systems. The research highlights that current security measures focusing on software-level attacks may overlook this hardware-based vulnerability, potentially putting patient safety at risk in clinical settings where AI systems help detect cancers and other serious conditions.

The study identified several limitations and areas requiring further investigation. Different Vision Transformer architectures showed varying levels of vulnerability, with Swin Transformer demonstrating better inherent robustness compared to other models. The research also noted that current defense mechanisms, including error-correcting codes and memory refresh techniques, may be insufficient against sophisticated Rowhammer attacks. Additionally, the study focused primarily on 2D medical imaging datasets, leaving questions about whether similar vulnerabilities exist in 3D medical imaging systems and other AI architectures.

This research underscores the critical need for hardware-aware security measures in medical AI systems. As healthcare increasingly relies on artificial intelligence for diagnostic support, understanding and mitigating these hardware-level vulnerabilities becomes essential for ensuring patient safety and maintaining trust in AI-assisted healthcare technologies.