No Evidence of Disease: Clinically-Risky Adversarial Chest CT Report Generation

Automated chest CT radiology report generation has equipped clinicians with the ability to automatically describe clinical findings and abnormalities from CT scans. Given that patient prognosis relies heavily on these reports, generating an accurate CT report is critical. Advances in Multimodal Large Language Models (MLLMs) have enabled substantial improvements in CT-to-text report generation models, yet recent studies show that MLLMs are highly susceptible to adversarial perturbations. Beyond this known susceptibility, it remains unclear what triggers clinically dangerous attack scenarios during medical report generation. Understanding such threats is essential for developing robust medical AI systems without a clear characterization of the threat, it is challenging to mitigate real-world risks. In this paper, we investigate how chest CT report generation models can be adversarially manipulated and what constitutes an adversarial CT report. We introduce Clinically Risky Adversarial Report Generation (CRA-RG), a threat model that defines clinically realistic adversarial alterations to chest CT reports. To instantiate this threat model, we develop a targeted multimodal attack that perturbs both CT volumes and conditioning text prompts to induce clinically risky changes in reports. We show that our attack can successfully omit and fabricate clinically grounded high-risk CT chest findings (e.g., nodules or lesions). To the best of our knowledge, our study is the first empirical demonstration that state-of-the-art CT report generation models can be deceived into producing harmful clinical decisions, potentially leading to missed diagnoses or unnecessary biopsies. We evaluate our attack on two state-of-the-art CT report generation models using the publicly available chest 3D CT RadGenome dataset.