Medical Image Security: Understanding Digital Risks in Clinical Practice
As a medical practitioner, you probably trust your PACS viewer to show an accurate representation of a patient’s anatomy.
You may already know that the digital files underpinning modern diagnostics are DICOM images.
Like any other component of a computer system, they have their own exploitation vectors, and those vectors can compromise this trust.
With the growing number of vulnerabilities discovered in PACS viewers and DICOM processors, understanding these risks is becoming an important part of patient safety.
Your Medical Images Are More Than Just Pictures
A DICOM file is a structured data container. It has two main parts:
- The Pixel Data: The actual image matrix you diagnose.
- The Metadata Header: A detailed set of tagged fields embedded in the same file, containing Protected Health Information (PHI) such as patient name, ID, study date, and physician notes.
This dual nature is the source of both its amazing utility and its vulnerability.
Notable real-life exploitation examples
So what are the actual real-life implications of a DICOM file being exploited by a malicious third party?
Here are a few examples drawn from documented DICOM attack techniques:
1. The “Trojan Horse” Image (Polyglot File Vulnerability)
In 2019, Markel Picado Ortiz published a research paper demonstrating that the first 128 bytes of a DICOM file (its preamble, which precedes the metadata header) could hold executable code, effectively turning the file into a Windows executable.
In April 2025, Praetorian extended this technique to turn a DICOM file into a Linux executable, proving the versatility of this exploitation method.
- The Technical Issue: The DICOM standard reserves a 128-byte preamble for compatibility with other formats and leaves its contents unconstrained. An attacker can fill this space with anything, including code that runs natively on a Windows, Linux or macOS computer. The file remains a perfectly viewable image in your workstation, but it can also act as an executable program that infects the system when it is opened as one.
- The Clinical Risk: You open a routine shoulder MRI from a referring physician. Unknowingly, this triggers malware that encrypts your local drive or spreads through the hospital network.
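The two-part structure described above (preamble and marker, then tagged metadata and pixel data) and the preamble check a screening step would apply are shown below in an added example that is not part of the original article or of the cited research. The sample file is constructed in memory, encodes everything in explicit VR little endian, and carries only a two-byte executable marker in its preamble, not a real program; the function names are this example's own.

```python
import struct

PREAMBLE_LEN = 128          # fixed-size preamble defined by DICOM Part 10
MAGIC = b"DICM"             # marker that follows the preamble
# In explicit VR encoding these VRs carry 2 reserved bytes plus a 4-byte length
LONG_VRS = {b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN"}
# Executable headers that a polyglot preamble would start with: MZ (Windows PE/DOS), ELF (Linux)
EXEC_MAGICS = (b"MZ", b"\x7fELF")


def _element(group, elem, vr, value):
    """Encode one data element in explicit VR little endian (values padded to even length)."""
    if len(value) % 2:
        value += b"\x00" if vr in (b"UI", b"OB") else b" "
    head = struct.pack("<HH", group, elem) + vr
    if vr in LONG_VRS:
        head += b"\x00\x00" + struct.pack("<I", len(value))
    else:
        head += struct.pack("<H", len(value))
    return head + value


def build_sample_dicom(preamble=b"\x00" * PREAMBLE_LEN):
    """Constructed minimal DICOM Part-10 file; the whole file uses explicit VR little endian."""
    if len(preamble) != PREAMBLE_LEN:
        raise ValueError("preamble must be exactly 128 bytes")
    body = (
        _element(0x0002, 0x0010, b"UI", b"1.2.840.10008.1.2.1")   # transfer syntax UID
        + _element(0x0010, 0x0010, b"PN", b"DOE^JANE")             # patient name (PHI)
        + _element(0x0010, 0x0020, b"LO", b"TEST0001")             # patient ID (PHI)
        + _element(0x7FE0, 0x0010, b"OB", b"\x00\x40\x80\xff")     # pixel data (2x2, 8-bit)
    )
    return preamble + MAGIC + body


def parse_elements(data):
    """Walk the data elements after the DICM marker; returns {(group, elem): (vr, value)}."""
    if data[PREAMBLE_LEN:PREAMBLE_LEN + 4] != MAGIC:
        raise ValueError("no DICM marker at offset 128: not a DICOM Part-10 file")
    elements, pos = {}, PREAMBLE_LEN + 4
    while pos + 8 <= len(data):
        group, elem = struct.unpack_from("<HH", data, pos)
        vr = data[pos + 4:pos + 6]
        if vr in LONG_VRS:
            length = struct.unpack_from("<I", data, pos + 8)[0]
            pos += 12
        else:
            length = struct.unpack_from("<H", data, pos + 6)[0]
            pos += 8
        if length == 0xFFFFFFFF:
            raise ValueError("undefined-length elements are out of scope for this example")
        value = data[pos:pos + length]
        if len(value) != length:
            raise ValueError("truncated element")   # a malformed file is a finding, not a crash
        elements[(group, elem)] = (vr.decode("ascii"), value)
        pos += length
    return elements


def inspect_preamble(data):
    """Classify the 128-byte preamble: 'executable', 'nonzero' or 'clean'."""
    preamble = data[:PREAMBLE_LEN]
    if preamble.startswith(EXEC_MAGICS):
        return "executable"
    # A non-zero preamble is legitimate for some application profiles, but worth a review
    return "nonzero" if any(preamble) else "clean"


def summarize(data):
    """What a screening step would record for one incoming file."""
    els = parse_elements(data)
    return {
        "preamble": inspect_preamble(data),
        "patient_name": els[(0x0010, 0x0010)][1].decode("ascii").strip(),
        "patient_id": els[(0x0010, 0x0020)][1].decode("ascii").strip(),
        "pixel_bytes": len(els[(0x7FE0, 0x0010)][1]),
    }


if __name__ == "__main__":
    for label, f in (("clean", build_sample_dicom()),
                     ("polyglot", build_sample_dicom(b"MZ" + b"\x00" * 126))):
        print(label, summarize(f))
```

The point the example makes is that the viewer and the screening step look at different parts of the same bytes: `parse_elements` never reads the preamble, so the image and its PHI render identically whether the preamble is empty or carries an executable header, which is exactly why the preamble deserves its own check.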
2. Network Exposure
One of the most critical and frequent issues we find in our clients’ infrastructures is involuntary data exposure to unsecured networks.
- The Technical Issue: PACS servers communicate over specific DICOM ports (e.g., port 104). When these are improperly configured, they can be exposed to guest networks, to IoT networks reachable from compromised devices, or even to the internet, where search engines such as Shodan or Censys can find them. Access can be restricted, but it is often controlled only by weak identifiers called Application Entity Titles (AETs), which a patient attacker can guess or brute-force.
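Because AETs are weak identifiers, the defensive counterpart to the exposure described above is to watch the PACS association log for one source trying many different calling AETs in a short time. The example below is added here and is not from the article; the log format, the sample lines and the function names are all constructed for this illustration, since every PACS product logs associations in its own format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed association-log format for this example; adapt LINE_RE to your PACS product's log.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) ASSOC (?P<result>ACCEPT|REJECT) "
    r"src=(?P<src>\S+) calling_aet=(?P<aet>\S+)"
)

# Constructed sample: one modality with a mistyped AET, and one host cycling through guesses.
SAMPLE_LOG = """\
2025-03-02T10:14:05Z ASSOC ACCEPT src=10.20.30.5 calling_aet=CT_ROOM2 called_aet=ARCHIVE
2025-03-02T10:14:20Z ASSOC REJECT src=10.20.30.9 calling_aet=MR_ROOM1 called_aet=ARCHIVE reason=unknown-calling-aet
2025-03-02T10:15:01Z ASSOC REJECT src=203.0.113.7 calling_aet=TESTAE1 called_aet=ARCHIVE reason=unknown-calling-aet
2025-03-02T10:15:02Z ASSOC REJECT src=203.0.113.7 calling_aet=TESTAE2 called_aet=ARCHIVE reason=unknown-calling-aet
2025-03-02T10:15:03Z ASSOC REJECT src=203.0.113.7 calling_aet=TESTAE3 called_aet=ARCHIVE reason=unknown-calling-aet
2025-03-02T10:15:04Z ASSOC REJECT src=203.0.113.7 calling_aet=TESTAE4 called_aet=ARCHIVE reason=unknown-calling-aet
2025-03-02T10:15:06Z ASSOC REJECT src=203.0.113.7 calling_aet=TESTAE5 called_aet=ARCHIVE reason=unknown-calling-aet
2025-03-02T10:15:09Z ASSOC ACCEPT src=203.0.113.7 calling_aet=MAIN called_aet=ARCHIVE
2025-03-02T10:21:00Z ASSOC REJECT src=10.20.30.9 calling_aet=MR_ROOM1 called_aet=ARCHIVE reason=unknown-calling-aet
"""


def parse_events(log_text):
    """Return (timestamp, result, source IP, calling AET) tuples; unrelated lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["result"], m["src"], m["aet"]))
    return events


def detect_aet_guessing(log_text, window=timedelta(seconds=60), threshold=4):
    """Flag sources whose rejected associations used >= threshold distinct calling AETs
    inside any sliding window, and note whether the same source was accepted afterwards
    (a later ACCEPT after a burst of guesses means a guess may have succeeded)."""
    events = parse_events(log_text)
    rejects = defaultdict(list)
    for ts, result, src, aet in events:
        if result == "REJECT":
            rejects[src].append((ts, aet))
    findings = {}
    for src, evs in rejects.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1                      # slide the window forward in time
            distinct = {aet for _, aet in evs[start:end + 1]}
            if len(distinct) >= threshold:
                first_guess = evs[start][0]
                accepted_later = any(
                    r == "ACCEPT" and s == src and ts >= first_guess for ts, r, s, _ in events
                )
                findings[src] = {"distinct_aets": max(len(distinct), findings.get(src, {}).get("distinct_aets", 0)),
                                 "later_accepted": accepted_later}
    return findings


if __name__ == "__main__":
    for src, info in detect_aet_guessing(SAMPLE_LOG).items():
        print(f"{src}: {info['distinct_aets']} distinct AETs rejected; accepted afterwards: {info['later_accepted']}")
```

The mistyped modality (10.20.30.9) repeats the same wrong AET and is not flagged, while the host that cycles through five different AETs in a few seconds is, together with the fact that it was accepted shortly after; that second signal is the one worth paging someone for.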
3. Medical Software Exploits
Less common, but still potentially catastrophic: exploitation of the software you use to manage and view DICOM files.
How much do you trust the software you use to view medical images? It can itself be a source of attacks and intrusions into your local network.
To list a few vulnerabilities discovered in 2025:
A vulnerability in the way Sante DICOM Viewer Pro handles DICOM files has been discovered. It could allow an attacker to execute code on the machine running the viewer via a malicious .dcm file.
The same year, the same kind of vulnerability was discovered in MicroDicom.
Regarding PACS software, vulnerabilities allowing malicious code execution and remote editing of local files have been discovered in MedDream PACS, Sante PACS and Osirix PACS. Source: https://www.txone.com/blog/uncovering-new-vulnerabilities-in-pacs-servers-and-dicom-viewers/.
How These Weaknesses Are Exploited: The Attacker’s Playbook
Attackers chain these vulnerabilities together with clear goals:
| Attacker Goal | Method (Clinical Translation) | Direct Impact on Care |
|---|---|---|
| Data Theft & Extortion | Exfiltrate studies via an exposed PACS port. | Patient privacy breach, institutional blackmail (ransom for not publishing data). |
| Service Disruption (Ransomware) | Deliver a malware payload or viewer exploit to encrypt the PACS database. | Immediate halt to diagnostic imaging workflows. Elective scans stop, urgent cases are delayed. |
| Diagnostic Sabotage | Gain write access to modify image data or critical metadata. | Misdiagnosis. A manipulated mammogram or obscured lung nodule could lead to missed or incorrect treatment. |
| Network Invasion | Use a compromised workstation as a foothold to move laterally to more sensitive systems (e.g., EMR, pharmacy). | Broad-scale breach of the entire hospital’s digital infrastructure. |
Practical Defenses: What You Need to Know and Do
While IT departments lead the technical fight, your awareness and habits are critical.
1. For Your Daily Practice:
- Question Anomalies: If an image series looks strangely distorted, fails to load properly, or originates from an unexpected source, do not repeatedly attempt to open it. Report it to your Clinical Engineering or IT Security team as a potential security incident, just as you would report a malfunctioning piece of equipment.
- Verify Sources: Be cautious with CD/DVD or email attachments from unverified external sources. These are common vectors for targeted attacks.
- Log Out: Always log out of your PACS/Viewer workstation when leaving, preventing unauthorized physical access.
2. What You Should Expect from Your Institution:
- Network Segmentation: The PACS should live on a secure, internal network segment, never directly on the public internet.
- Encryption in Transit: Data between the archive and your viewer should be encrypted (using DICOM TLS).
- Regular Patching: Hospital IT must have a strict policy to patch all medical imaging software and viewers as updates become available.
- Advanced File Screening: Incoming studies from outside should pass through Content Disarm and Reconstruction (CDR) gateways that sanitize files, stripping potential hidden threats while preserving diagnostic data.
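The preamble-level part of the file screening described in the last item is shown below as an added example; it is not the article's code and does not describe any particular CDR product. The gateway policy, the sample files and the function name are constructed for this illustration; the sample dataset after the marker is a single hand-encoded element and is left untouched by design.

```python
PREAMBLE_LEN = 128   # DICOM Part-10 preamble size
MAGIC = b"DICM"      # marker expected at offset 128

# Constructed dataset fragment: one explicit-VR-LE element (transfer syntax UID), followed by nothing else.
SAMPLE_DATASET = MAGIC + b"\x02\x00\x10\x00UI\x14\x00" + b"1.2.840.10008.1.2.1\x00"
CLEAN_FILE = b"\x00" * PREAMBLE_LEN + SAMPLE_DATASET
# Only the two-byte executable marker is present; no actual program code.
TAMPERED_FILE = b"MZ" + b"\x00" * (PREAMBLE_LEN - 2) + SAMPLE_DATASET
NOT_DICOM = b"\x00" * 200


def gateway_decision(data):
    """Constructed CDR-style policy for an inbound study.

    The preamble carries no diagnostic information, so the gateway never needs to
    classify what is in it: anything non-zero is discarded and replaced with zeros.
    Files without the DICM marker are not DICOM Part-10 files and are rejected outright.
    Everything from the marker onwards (metadata and pixel data) is kept byte-for-byte.
    """
    if len(data) < PREAMBLE_LEN + 4 or data[PREAMBLE_LEN:PREAMBLE_LEN + 4] != MAGIC:
        return {"action": "reject", "reason": "no DICM marker at offset 128", "output": None}
    preamble, dataset = data[:PREAMBLE_LEN], data[PREAMBLE_LEN:]
    if not any(preamble):
        return {"action": "pass", "reason": "preamble already empty", "output": data}
    rebuilt = b"\x00" * PREAMBLE_LEN + dataset
    assert rebuilt[PREAMBLE_LEN:] == dataset           # diagnostic content preserved exactly
    discarded = sum(1 for b in preamble if b)
    return {"action": "rewrite", "reason": f"{discarded} non-zero preamble byte(s) discarded", "output": rebuilt}


if __name__ == "__main__":
    for label, f in (("clean", CLEAN_FILE), ("tampered", TAMPERED_FILE), ("not dicom", NOT_DICOM)):
        d = gateway_decision(f)
        print(f"{label}: {d['action']} ({d['reason']})")
```

A real CDR gateway does more than this (it re-encodes the dataset and handles private tags and embedded documents), but the preamble step illustrates the principle: remove what diagnosis does not need rather than try to recognise every malicious variant of it. The rewritten file still opens normally, because no viewer reads the preamble to render the image.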
Conclusion: An Integral Component of Patient Safety
The integrity of the diagnostic image chain is now a foundational element of clinical care. Cybersecurity for DICOM is not an IT abstraction; it directly defends patient privacy, ensures service availability, and protects the diagnostic truth you rely on.
Framing these digital risks in the context of misdiagnosis, treatment delay, and breach of confidentiality makes them tangible. Your role is to be a vigilant part of this defense, applying the same skepticism and procedural care to digital artifacts as you do to clinical findings.
Resources
- https://www.praetorian.com/blog/elfdicom-poc-malware-polyglot-exploiting-linux-based-medical-devices/
- https://github.com/d00rt/pedicom/blob/master/doc/Attacking_Digital_Imaging_and_Communication_in_Medicine_(DICOM)_file_format_standard_-_Markel_Picado_Ortiz_(d00rt).pdf
- https://www.txone.com/blog/uncovering-new-vulnerabilities-in-pacs-servers-and-dicom-viewers/