Threat-Led Penetration Testing (TLPT) for DORA
February 19, 2025Millions of Patient Records at Risk
DICOM, or Digital Imaging and Communications in Medicine, has served as the standard protocol for medical imaging for over 30 years. It facilitates the sharing and viewing of medical images like X-rays, CT scans, and MRIs, which help visualize internal body structures.
While DICOM has long been a crucial tool in healthcare, it has also become a globally recognized source of sensitive data leaks in the industry. Aplite researchers conducted a comprehensive internet-wide study to analyze the extent of this data leakage. Additionally, they discovered new attacks enabling hackers to tamper with existing images.
Key findings
- 3,806 DICOM servers from 111 countries are accessible on the internet. 1,159 of these servers leak more than 59 million patients’ personal and medical records.
- Over 73% of these servers are hosted on the Cloud or exposed via DSL.
- Only less than 1% of the DICOM servers on the internet use effective authorization.
- More than 39.3 million of the health records at the risk of tampering
What is the cause?
Modernization and legacy. The healthcare industry is shifting cloudification while relying on legacy protocols like DICOM. Big players have started this trend, which has forced small businesses to adopt the changes with their limited resources too to stay in business.
Presently, over 73% of these internet-accessible servers are hosted on the cloud, often owned by big medical institutions, or exposed via DSL by small businesses.
Does DICOM have security measures?
DICOM, initially designed for isolated networks, is a legacy protocol. Although the DICOM standard organization has introduced security measures to align the protocol with new use cases and requirements, vendors often opt not to implement them due to their non-mandatory nature.
Aplite research reveals that authorization, a critical security measure, is either unsupported or not enabled on majority of the internet-accessible servers.
Approximately 23% of the servers have authorization enabled, but concerning is that over 85% of them possess weak authorization susceptible to bypass through a dictionary attack. These servers authorize a new request solely based on the default or easily guessable Application Title Entity (AET). Aplite researchers demonstrated the ability to bypass authorization on these servers by creating a dictionary from extracted default AETs found in DICOM conformance statements and collecting common ones.
Without authorization
Weak authorization
Strong authorization
What is the threat?
Millions of personally identifiable information (PII) and protected health information (PHI) records are openly accessible on the internet. This presents a serious threat as hackers can exploit this information for various malicious purposes, including identity theft, social engineering, and blackmail.
Aplite researchers uncovered that hackers can systematically disrupt a series of images or introduce false signs of illnesses using the DICOM store service. The vulnerability arises from DICOM's limitation in closing a series after storing via a modality. Additionally, the images are arranged with unlimited sequential numbers. This combination allows hackers to store and inject a new image into a series with any number, including decimal ones, giving them the ability to place the new image anywhere in the series.
More than 39.3 million health records are at risk of tampering.
PHI
PII
How to mitigate?
Establishing effective governance is crucial to address these issues at their core. The DICOM standard organization should take a regulatory stance within this ecosystem, making security measures mandatory for implementation.
Medical institutions, vendors, and country CERTs can collaborate to mitigate this issue in the interim:
Medical institutions
- Priority 1 – exposure.
- Prevent public internet access.
- Secure the connection between internal network and remotely hosted DICOM server using a secure channel (e.g., IPSec)
- Regularly scan TCP port 104, 11112, and 4242 for exposed assets to detect potential DICOM exposures
- Priority 2 – Segmentation.
- Create a dedicated DICOM segment, isolated from other segments
- Restrict access to this segment via DICOM protocol to only modalities
- Restrict user access to this segment exclusively through DICOMweb*
- Deploy a WAF for TLS and protect DICOMweb from attacks like database injection
- Priority 3 – Access control.
- Authorize only modalities’ IP addresses
- If applicable, implement AET authorization with random AETs
- Integrate DICOMweb with IAM
- Remote user access.
- Do not enable remote user access if DICOMweb is not integrated with IAM
- Permit remote access through a firewall:
- Implement rate limiting
- Apply regional source IP whitelisting
Vendor
- Implement AET authorization and extended negotiation of user identity
- Disallow new images for an existing series after a set time, e.g., 1 hour from the last submission.
- Perform regular security tests, and mitigate the uncovered vulnerabilities:
- Perform fuzzing test. It effectively detects insecure input handlers in a complex DICOM system
- Conduct penetration test and code review for more in-depth security.
Country CERT
- Scan the country’s IP ranges regularly to identify DICOM servers
- Identify the IP’s owner, and help them harden their DICOM setup
The full presentation at BlackHat Europe 2023 is available here.
