DICOM file security: How malware can hide behind HIPAA-protected images

Opt-in to Cyber Safety. Multiple layers of protection for your devices, online privacy and more.

What are DICOM files?

A DICOM file is an image from a medical scan saved in the Digital Imaging and Communications in Medicine (DICOM) format. DICOM is the international 30-year-old standard protocol for managing and transmitting medical images, such as ultrasounds, MRIs, X-rays, and CT scans. In addition, these files often include the patient’s identification data, including name, age, date of birth, height, weight, and medical condition. DICOM files facilitate the digital transfer of these images and related data between healthcare entities, eliminating the need for physical films and avoiding compatibility issues.

In 2016, the Box DICOM Viewer – a cloud-based solution designed to enable storing, sharing and viewing any DICOM file on a browser or mobile device – was approved as a class II medical device by the Food and Drug Administration (FDA). As a class II device, medical professionals can use the Box DICOM Viewer for diagnostic purposes. FDA approval was granted after a three-year process during which Box had to demonstrate that through the entire process of uploading, storing, sharing, accessing, viewing, and downloading a DICOM file, there would be no loss of fidelity in the images. Unfortunately, securing these files was not part of the consideration.

How is a DICOM file constructed?

Every DICOM file contains a Preamble, a 128-byte section at the beginning of the file that enables compatibility with image viewers that cannot read DICOM but support other web image formats, such as JPG, PNG, or TIFF. There are no limitations for the data that can be inserted into a DICOM file’s Preamble; as long as the sequence is less than 128 or bytes, it can be inserted in full conformance with the DICOM standard.

How can DICOM files be weaponized?

DICOM files are large due to the amount of data they contain. They are similar to an archival file, functioning as a file that includes other files, providing plenty of space for attackers to hide a malicious element within – a process made even easier by DICOM ports mistakenly exposed on the internet. These can be found using Shodan, a search engine for internet-connected devices that is often used by hackers to locate…