Leaky DICOM Medical Standard Exposes Millions of Patient Records

A 30-year-old, rarely updated protocol for medical devices has exposed reams of highly personal data, thanks to a lack of proper security throughout owner environments.

A doctor using a tablet device
Source: Panther Media GmbH via Alamy Stock Photo

Around 60 million personal and medical records may have been exposed over the past few decades due to the use of a legacy protocol in medical equipment, researchers say.

Researchers from Aplite examined the Digital Imaging and Communications in Medicine (DICOM) protocol, which is an
internationally-recognized standard for medical imaging transfers that's implemented in almost every radiology, cardiology imaging, and radiotherapy setting globally. They found that the protocol lacks security controls, according to a
presentation on the research that will be given at Black Hat Europe in London in December.

Aplite senior IT security consultants Sina Yazdanmehr and Ibrahim Akkulak in fact detected more than 3,800 servers using the
DICOM protocol that were accessible on the Internet, and 30% of those were leaking sensitive data.


Perhaps the security holes are to be expected, given that the most recent version of the protocol was introduced 30 years ago in 1993, with the original published in 1985 and a revised edition published in 1988. Yazdanmehr says there were some updates in 2021, "but not in regards to the security improvements that we wanted to see.”

Imaging Machine Exposure Affects Millions of Patients

The researchers say that over 30 years, they estimate that 59 million records could have been visible, "including personal information like names, addresses, dates of birth, gender — and in some cases we could even see the Social Security numbers of those people."

They also say there were medical records that showed examination results in some cases, such as an MRI, X-ray or CT scan result, as well as the examination date and time.

Yazdanmehr says the vendors of the machines they had spoken with were aware of the issues, but says they were unaware of how big the risk is, and what the volume of data leakage is.

"Hopefully we can increase the awareness make it better, and the number goes down and more vendors and hospitals start hardening their infrastructure. But I think it's going to be a kind of long journey," Yazdanmehr says.

He points out that the devices should be able to talk to each other and exchange data, but that moving electronic records securely involves every link in the chain being secure and up-to-date, and that until the majority of equipment and medical devices can support advanced and complex security measures, there will be a problem.



DICOM: No Security Issues on Our End

A spokesperson for the DICOM said in a statement that DICOM is a standard protocol that manufacturers choose to comply with, and that it allows for security mechanisms to be put in place. Vendors and healthcare delivery organizations are the ones to ultimately decide which security mechanisms are appropriate for their environments, the person said.

Thus, the DICOM standard does not inherently pose a security risk, according to the statement, which pointed out that there’s a “Secure Connection capability” that’s been specified in DICOM for almost two decades, and that it’s updated regularly to reflect recommendations from the
National Institute of Standards and Technology (NIST) and other international standard setting organizations. 

"The implementation, deployment, purchase, maintenance and configuration of systems that implement the DICOM Standard are the responsibility of the product vendors and their customers,” according to the statement. “Further, it is the responsibility of the vendors to provide and maintain software implementations. In short, proper security is a shared responsibility between device manufacturers and health delivery organizations. To claim it’s the sole responsibility of a standard is false."


Read more about:

Black Hat News

About the Author(s)

Dan Raywood, Senior Editor, Dark Reading

With more than 20 years experience of B2B journalism, including 12 years covering cybersecurity, Dan Raywood brings a wealth of experience and information security knowledge to the table. He has covered everything from the rise of APTs, nation-state hackers, and hacktivists, to data breaches and the increase in government regulation to better protect citizens and hold businesses to account. Dan is based in the U.K., and when not working, he spends his time stopping his cats from walking over his keyboard and worrying about the (Tottenham) Spurs’ next match.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights