Leaky DICOM Medical Standard Exposes Millions of Patient Records

Around 60 million personal and medical records may have been exposed over the past few decades due to the use of a legacy protocol in medical equipment, researchers say.

Researchers from Aplite examined the Digital Imaging and Communications in Medicine (DICOM) protocol, which is an
internationally-recognized standard for medical imaging transfers that's implemented in almost every radiology, cardiology imaging, and radiotherapy setting globally. They found that the protocol lacks security controls, according to a
presentation on the research that will be given at Black Hat Europe in London in December.

Aplite senior IT security consultants Sina Yazdanmehr and Ibrahim Akkulak in fact detected more than 3,800 servers using the
DICOM protocol that were accessible on the Internet, and 30% of those were leaking sensitive data.

[DO YOU HAVE MORE DETAILS ON WHAT THE SECURITY GAPS/ISSUES ARE?]

Perhaps the security holes are to be expected, given that the most recent version of the protocol was introduced 30 years ago in 1993, with the original published in 1985 and a revised edition published in 1988. Yazdanmehr says there were some updates in 2021, "but not in regards to the security improvements that we wanted to see.”

Imaging Machine Exposure Affects Millions of Patients

The researchers say that over 30 years, they estimate that 59 million records could have been visible, "including personal information like names, addresses, dates of birth, gender — and in some cases we could even see the Social Security numbers of those people."

They also say there were medical records that showed examination results in some cases, such as an MRI, X-ray or CT scan result, as well as the examination date and time.

Yazdanmehr says the vendors of the machines they had spoken with were aware of the issues, but says they were unaware of how big the risk is, and what the volume of data leakage is.

"Hopefully we can increase the awareness make it better, and the number goes down and more vendors and hospitals start hardening their infrastructure. But I think it's going to be a kind of long journey," Yazdanmehr says.

He points out that the devices should be able to talk to each other and exchange data, but that moving electronic records securely involves every link in the chain being secure and up-to-date, and that until the majority of equipment and medical devices can support advanced and complex security measures, there will be a problem.

[HOW DOES THIS RELATE TO THE DICOM PROBLEM?]

[ARE THERE ANY REMEDIES AVAILABLE?]

DICOM: No Security Issues on Our End

A spokesperson for the DICOM said in a statement that DICOM is a standard protocol that manufacturers choose to comply with, and that it allows for security mechanisms to be put in place. Vendors and healthcare delivery organizations are the ones to ultimately decide which security mechanisms are appropriate for their environments, the person said.

Thus, the DICOM standard does not inherently pose a security risk, according to the statement, which pointed out that there’s a “Secure Connection capability” that’s been specified in DICOM for almost two decades, and that it’s updated regularly to reflect recommendations from the
National Institute of Standards and Technology (NIST) and other international standard setting organizations. 

"The implementation, deployment, purchase, maintenance and configuration of systems that implement the DICOM Standard are the responsibility of the product vendors and their customers,” according to the statement. “Further, it is the responsibility of the vendors to provide and maintain software implementations. In short, proper security is a shared responsibility between device manufacturers and health delivery organizations. To claim it’s the sole responsibility of a standard is false."

[DO THE RESEARCHERS HAVE ANY RESPONSE TO THIS?]