German cybersecurity researchers have discovered that insecurely deployed instances of the three-decade-old DICOM protocol expose nearly 60 million personal and medical records.
Digital Imaging and Communications in Medicine (DICOM) is the standard file format and network protocol for storing and exchanging medical images, designed so that imaging hardware and software from different vendors interoperate. Its precursor was first published in 1985 and revised in 1988; the DICOM 3.0 protocol dates from 1993, and although the standard has received updates since then (including non-security updates in 2021), its core network design is still that of the 1993 version.
Presenting their findings at the December 2023 Black Hat Europe conference in London, United Kingdom, Aplite researchers warned that the vulnerability could expose millions of patient records to unauthorized access and manipulation.
DICOM vulnerability exposed millions of patients’ health records
Aplite researchers scanned the Internet over six months and found 3,800 servers across 111 countries speaking the DICOM protocol, about 30% of which (1,159) leaked sensitive data.
Additionally, nearly three-quarters (73%) of the DICOM servers were either hosted on major cloud platforms such as Amazon AWS and Microsoft Azure or reachable directly over DSL connections.
According to Aplite's senior IT security consultants, fewer than 1% of the cloud-hosted DICOM servers had any security measures in place to prevent unauthorized access.
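The exposure Aplite measured comes down to one question: does a DICOM server accept a network association from an arbitrary, unauthenticated peer? The following is an added example written for this article, not Aplite's scanner and not code from the DICOM standards body. It speaks the DICOM Upper Layer protocol directly over a plain TCP socket, sends an A-ASSOCIATE-RQ proposing the Verification SOP Class (the C-ECHO "ping" service) with a made-up calling AE title, and reports whether the server accepts, rejects, or aborts the association. The hostname, the AE titles and the implementation class UID in the code are placeholders (assumptions), and the script is meant for auditing systems you are authorized to test.

```python
"""Probe a DICOM server for an unauthenticated association (constructed example)."""
import socket
import struct
import sys

APP_CONTEXT_UID = "1.2.840.10008.3.1.1.1"      # DICOM Application Context Name
VERIFICATION_SOP = "1.2.840.10008.1.1"         # Verification SOP Class (C-ECHO)
IMPLICIT_VR_LE = "1.2.840.10008.1.2"           # Implicit VR Little Endian transfer syntax
IMPL_CLASS_UID = "1.2.826.0.1.3680043.9.9999"  # placeholder implementation UID (assumption)

PDU_ASSOCIATE_RQ, PDU_ASSOCIATE_AC, PDU_ASSOCIATE_RJ = 0x01, 0x02, 0x03
PDU_RELEASE_RQ, PDU_ABORT = 0x05, 0x07

# Rejection reasons when the source is the UL service-user (the remote application).
RJ_USER_REASONS = {1: "no reason given", 2: "application context not supported",
                   3: "calling AE title not recognized", 7: "called AE title not recognized"}


def encode_item(item_type: int, payload: bytes) -> bytes:
    """Encode a variable item or sub-item: type, reserved byte, 2-byte BE length, payload."""
    return struct.pack(">BBH", item_type, 0, len(payload)) + payload


def encode_ae(title: str) -> bytes:
    """AE titles are exactly 16 bytes, ASCII, space padded."""
    return title.encode("ascii")[:16].ljust(16, b" ")


def build_associate_rq(called_ae: str, calling_ae: str, max_pdu: int = 16384) -> bytes:
    """Build an A-ASSOCIATE-RQ proposing a single presentation context for C-ECHO."""
    pres_ctx = struct.pack(">BBBB", 1, 0, 0, 0)                    # context ID 1 (must be odd)
    pres_ctx += encode_item(0x30, VERIFICATION_SOP.encode())        # abstract syntax
    pres_ctx += encode_item(0x40, IMPLICIT_VR_LE.encode())          # transfer syntax
    user_info = encode_item(0x51, struct.pack(">I", max_pdu))       # maximum PDU length
    user_info += encode_item(0x52, IMPL_CLASS_UID.encode())         # implementation class UID
    body = struct.pack(">HH", 1, 0) + encode_ae(called_ae) + encode_ae(calling_ae) + bytes(32)
    body += encode_item(0x10, APP_CONTEXT_UID.encode())
    body += encode_item(0x20, pres_ctx)
    body += encode_item(0x50, user_info)
    return struct.pack(">BBI", PDU_ASSOCIATE_RQ, 0, len(body)) + body


def parse_associate_response(pdu: bytes) -> dict:
    """Decode the server's reply (A-ASSOCIATE-AC, A-ASSOCIATE-RJ or A-ABORT) into a summary."""
    if len(pdu) < 6:
        raise ValueError("short PDU")
    pdu_type, _, length = struct.unpack(">BBI", pdu[:6])
    body = pdu[6:6 + length]
    if pdu_type == PDU_ASSOCIATE_RJ:
        _, result, source, reason = struct.unpack(">BBBB", body[:4])
        text = RJ_USER_REASONS.get(reason, "unknown") if source == 1 else "provider reject"
        return {"accepted": False, "pdu": "A-ASSOCIATE-RJ", "result": result,
                "source": source, "reason": reason, "reason_text": text}
    if pdu_type == PDU_ABORT:
        return {"accepted": False, "pdu": "A-ABORT"}
    if pdu_type != PDU_ASSOCIATE_AC:
        return {"accepted": False, "pdu": "unexpected type 0x%02x" % pdu_type}
    info = {"accepted": False, "pdu": "A-ASSOCIATE-AC", "contexts": {}, "max_pdu": None}
    pos = 68                       # skip version, reserved, both AE titles and 32 reserved bytes
    while pos + 4 <= len(body):
        item_type, _, item_len = struct.unpack(">BBH", body[pos:pos + 4])
        payload = body[pos + 4:pos + 4 + item_len]
        pos += 4 + item_len
        if item_type == 0x21:                                  # presentation context (AC)
            ctx_id, _, result, _ = struct.unpack(">BBBB", payload[:4])
            info["contexts"][ctx_id] = result                  # 0 means accepted
            if result == 0:
                info["accepted"] = True
        elif item_type == 0x50:                                # user information sub-items
            sub = 0
            while sub + 4 <= len(payload):
                st, _, sl = struct.unpack(">BBH", payload[sub:sub + 4])
                if st == 0x51 and sl == 4:
                    info["max_pdu"] = struct.unpack(">I", payload[sub + 4:sub + 8])[0]
                sub += 4 + sl
    return info


def recv_pdu(sock: socket.socket) -> bytes:
    """Read exactly one PDU: a 6-byte header followed by `length` bytes of body."""
    header = b""
    while len(header) < 6:
        chunk = sock.recv(6 - len(header))
        if not chunk:
            raise ConnectionError("peer closed before sending a PDU header")
        header += chunk
    length = struct.unpack(">I", header[2:6])[0]
    body = b""
    while len(body) < length:
        chunk = sock.recv(length - len(body))
        if not chunk:
            raise ConnectionError("peer closed mid-PDU")
        body += chunk
    return header + body


def probe_dicom(host: str, port: int = 104, called_ae: str = "ANY-SCP",
                calling_ae: str = "AUDIT-SCU", timeout: float = 5.0) -> dict:
    """Attempt a plaintext association; release it politely if the server accepts."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_associate_rq(called_ae, calling_ae))
        result = parse_associate_response(recv_pdu(sock))
        if result["accepted"]:
            sock.sendall(struct.pack(">BBI", PDU_RELEASE_RQ, 0, 4) + bytes(4))  # A-RELEASE-RQ
    return result


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "pacs.example.invalid"  # placeholder host
    print(probe_dicom(target))
```

An A-ASSOCIATE-AC with an accepted presentation context means the server will talk to anyone who can reach the port, which is the condition behind the "fewer than 1%" figure; an A-ASSOCIATE-RJ citing "called AE title not recognized" or "calling AE title not recognized" indicates the server at least enforces an AE-title allowlist, a weak control since AE titles travel in cleartext. A server that enforces DICOM's TLS-based secure transport profile will not complete this plaintext handshake at all, so a TCP failure or an abort on port 2762 is the answer you want to see.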
The top three countries with the most exposed health records were India (9.6 million), the United States (8 million), and South Africa (7.3 million). Some exposed US servers hosted health records for organizations located abroad.
The researchers estimated that the exposed servers, accumulated over the protocol's 30-year lifetime, held 59 million records: 16.1 million containing personally identifiable information (PII) and over 43 million health records.
The DICOM vulnerability exposed personal information such as patient names, genders, addresses, phone numbers, and, in some cases, Social Security numbers.
In some cases, the exposed servers also revealed medical examination results, such as MRI, X-ray, or CT scans, along with the referring physician's details.
Combined with PII, this information is a goldmine for threat actors interested in crafting compelling phishing messages. Additionally, stolen health records attract a premium price on the dark web.
The researchers also found that attackers could exploit the DICOM vulnerability to manipulate exposed health records, for example by injecting false findings or images, rendering them unreliable. Approximately 39 million patient records were at risk of unauthorized manipulation.
DICOM is not inherently vulnerable
The Medical Imaging & Technology Alliance, which oversees DICOM, asserted that the protocol itself does not pose a security risk as long as proper cybersecurity measures are in place.
They recommended implementing localized solutions to address critical security issues, such as reviewing internal security policies, device and infrastructure security, auditing, training, and oversight.
They rejected the characterization of the issue as a legacy problem, pointing out that the protocol has a "Secure Connection capability" that is regularly updated to comply with National Institute of Standards and Technology (NIST) requirements.
They tasked customers and vendors with ensuring their products operated securely to avoid inadvertently exposing patients’ health records to unauthorized access or manipulation.
“The implementation, deployment, purchase, maintenance and configuration of systems that implement the DICOM Standard are the responsibility of the product vendors and their customers,” said the Alliance.
While the Alliance's claims are valid, bolting localized security controls onto individual deployments can break DICOM's interoperability, undermining the standard's purpose. Without a universal baseline, some organizations will also ignore the risk altogether, leaving millions of health records unsecured online.
“The DICOM vulnerability is very concerning because it affects a large number of independent organizations, each with their own cybersecurity policies,” said Paul Bischoff, Consumer Privacy Advocate at Comparitech. “A few organizations will inevitably overlook or ignore the vulnerability, putting users at risk.”
According to Chris Hauk, Consumer Privacy Champion at Pixel Privacy, many organizations regularly overlook known security risks: “Unfortunately, I know from personal experience that many hospitals and medical practices resist updating their systems and applications. I once worked for a medical billing software company and I often ran into outdated and flawed systems that hadn’t been replaced, simply because ‘it still works.’”