Medical Format Flaw Can Let Attackers Hide Malware in Medical Images

medical file format used to hide malware in medical imagesResearch into DICOM has revealed that the medical file format in medical images has a flaw that can give threat actors a new way to spread malicious code through these images. Using this flaw, threat actors can embed executable code in an otherwise regular DICOM file.

DICOM (Digital Imaging and Communications in Medicine) is an international standard for transmitting, processing and storing medical images. Researcher Markel Picardo Ortiz from Cylera Labs identified the flaw at the preamble, in a 128-byte section at the beginning of the file. This preamble was designed to be modified to permit compatibility with non-DICOM image viewers.

Embedding executable code in a DICOM file makes it a mixture of different file formats, allowing it to execute in Windows while remaining adherent to the DICOM standard. It reverses the intention of the modifiable preamble. Instead of DICOM files appearing as other formats for compatibility purposes, the malicious executable files will instead appear as regular DICOM files.

The highly sensitive nature of the information handled by medical devices and their critical functions makes them tempting targets for threat actors. DICOM is a widely accepted global standard in medical imagery, and has great implications should they be used for cyberattacks.

In this case, the sensitivity of DICOM files makes it a good tool for avoiding detection. As pointed out in the research, HIPAA adds further complication in defending and detecting such an attack. Medical images are highly private patient files, which cannot be easily subjected to cybersecurity defenses like automated malware protection.

On the other side of the spectrum, exposed sensitive information found in DICOM images can be a tempting target for threat actors. The unknown exposure of DICOM servers, discovered in some institutions, puts patients' critical data and information at risk. Such exposure can also allow threat actors to corrupt data, send incorrect commands, or infect the system with malware. 

Security recommendations

It is crucial for the healthcare industry to remain wary of possible attacks before they are realized. Given the importance of the industry and its growing development and connectivity, maintaining the balance between cybersecurity solutions and functionality of medical devices is all the more crucial.

[Read: Exposed Devices and Supply Chain Attacks: Overlooked Risks in Healthcare Networks]

In this case the terms in which formats, devices, and software can be modified by third-parties should be carefully defined and guarded. Similarly, connections and networks must be meticulously mapped out to avoid exposure.

Another point to consider: Legacy or older systems still used in the healthcare industry can have their own risk factors. Institutions that retain such systems likely encounter downtime during system upgrades, and should therefore closely examine their internal security strategies.

Here are some security strategies hospitals or other healthcare institutions can consider:

  • Use a rating model for prioritizing threats. Risk rating models like DREAD provide a structured method for handling threats.
  • Develop and improve supply chain management. The supply chain can be an overlooked area in healthcare operations with cascading effects. Establishing and improving a strategy for handling third party providers can help minimize the effects of supply chain threats.
  • Assume compromise. Critical infrastructure, such as hospitals, must have security protocols in place that can quickly identify, contain and mitigate cyberthreats.

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.