A newly discovered design flaw in DICOM, a three-decade-old medical imaging standard, could be used to deliver malware inside what appears to be an innocuous image file, a researcher from Cylera has discovered. Because the malware would not alter the protected health information (PHI) contained in the image file, it would bypass automated malware detection systems.

What is DICOM?

Originally developed by the National Electrical Manufacturers Association (NEMA) and the American College of Radiology (ACR), DICOM is an international standard protocol for the management and transmission of medical images and related data, such as MRIs and CT scans. It was created to enable healthcare providers to store and easily share medical images and related patient data digitally, eliminating both hardware incompatibility issues and the need for physical films.

Today, DICOM has become the de facto standard for CT and MRI images throughout the healthcare industry. Most medical imaging equipment supports DICOM standards, along with specialized workstations that analyze scan results, and phones and tablets that can be used to view diagnostic information.

The DICOM bug

The DICOM bug is found in the Preamble, a 128-byte section at the beginning of a file that facilitates access to the images and metadata within a DICOM image. The Preamble is used to enable compatibility with image viewers that do not support DICOM but do support common web image formats, such as JPG or TIFF.

It’s important to note that this is not a design flaw per se but an inherent feature of the DICOM file format, meant to facilitate compatibility. By modifying the Preamble, third parties can “trick” these image viewers into thinking a DICOM file is actually one of their supported formats, so that a healthcare provider could view an MRI file using their phone or tablet’s image viewer. The problem is that there are no structural requirements for the data that can be inserted into a DICOM file’s Preamble; any byte sequence, so long as it is 128 or fewer bytes, can be used while still maintaining compliance with the DICOM standard.

This allows hackers to do two things:

1. Insert headers that make the DICOM image appear to be an executable, or some other file format.
2. Write an executable file that is 128 bytes or less and hide it within a DICOM preamble; therefore, instead of having a DICOM file “pretend” to be another image format, an executable “pretends” to be a DICOM file.

In either case, the original PHI contained in the image’s metadata is preserved, and a hidden executable will not give itself away with an “.exe” extension. If an unsuspecting provider were to be sent an executable file disguised as a DICOM, they would see the correct file extension, and upon opening it, the correct metadata. They would have no reason at all to suspect that anything was wrong.
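A defender can at least flag both cases described above by inspecting the Preamble directly, since the rest of the file (and its PHI) need not be touched. The following is an added example, not code from Cylera or from the DICOM standard; it assumes the standard Part 10 layout of a 128-byte preamble followed by the 4-byte marker "DICM", and the sample files it scans are constructed in memory.

```python
"""Classify the 128-byte DICOM preamble as clean, expected image header, or suspicious.

Added example (not Cylera's or the DICOM standard's own code). Assumes the
Part 10 layout: 128-byte preamble, then the magic b"DICM". Samples are constructed.
"""

PREAMBLE_LEN = 128
DICOM_MAGIC = b"DICM"

# Executable headers that should never appear in an image preamble.
EXEC_SIGNATURES = {
    b"MZ": "PE/DOS executable header",
    b"\x7fELF": "ELF executable header",
}
# Headers a viewer may legitimately expect (the compatibility use of the preamble).
IMAGE_SIGNATURES = {
    b"II*\x00": "TIFF (little-endian)",
    b"MM\x00*": "TIFF (big-endian)",
    b"\xff\xd8\xff": "JPEG",
}


def classify_preamble(data: bytes) -> dict:
    """Return a verdict for the first 132 bytes of a candidate DICOM file."""
    if len(data) < PREAMBLE_LEN + 4 or data[PREAMBLE_LEN:PREAMBLE_LEN + 4] != DICOM_MAGIC:
        return {"dicom": False, "verdict": "not a DICOM Part 10 file"}
    preamble = data[:PREAMBLE_LEN]
    for sig, name in EXEC_SIGNATURES.items():
        if preamble.startswith(sig):
            return {"dicom": True, "verdict": "suspicious", "reason": name}
    if not any(preamble):  # all-zero preamble is the common, benign case
        return {"dicom": True, "verdict": "clean", "reason": "all-zero preamble"}
    for sig, name in IMAGE_SIGNATURES.items():
        if preamble.startswith(sig):
            return {"dicom": True, "verdict": "expected", "reason": name + " header"}
    return {"dicom": True, "verdict": "review", "reason": "unknown non-zero preamble"}


def build_sample(preamble: bytes) -> bytes:
    """Constructed sample file: preamble padded to 128 bytes, DICM, then a stub body."""
    assert len(preamble) <= PREAMBLE_LEN
    return preamble.ljust(PREAMBLE_LEN, b"\x00") + DICOM_MAGIC + b"<stub file meta>"


if __name__ == "__main__":
    # Constructed inputs: zeroed preamble, TIFF-compatible preamble, and a preamble
    # carrying only an "MZ" marker (no real executable) to exercise the check.
    for label, pre in [("clean", b""), ("tiff", b"II*\x00"), ("hidden-pe", b"MZ\x90\x00")]:
        print(label, classify_preamble(build_sample(pre)))
```

Scanning only the first 132 bytes keeps the check cheap enough to run at ingest (PACS gateway, mail filter) without parsing or modifying the PHI-bearing metadata, and the "review" verdict covers preambles with content that is neither zero nor a known image header.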

DICOM bug takes advantage of HIPAA regulations

The scenario gets even worse when considering that in healthcare settings, most anti-virus/anti-malware solutions are configured to ignore files that contain PHI — because of HIPAA regulations. Even if the malware were discovered, security response teams would face a quandary, again because of HIPAA. The malware and the file’s PHI would be welded together. The file couldn’t be knowingly deleted because it contains PHI. If it is accidentally deleted, the PHI could be destroyed.

This makes the DICOM bug, which the researcher who discovered it has dubbed PE/DICOM, “the first vulnerability whose technical potency is derived from a regulatory environment in addition to a software design flaw.”

DICOM bug discovered amidst increasingly sophisticated attacks on healthcare IT systems

Unfortunately, it’s not possible for any single vendor to issue a patch for this, nor are there any remedial actions that can be applied to all systems that support DICOM. The only way to fix the DICOM bug will be for the standard to be rewritten to impose standards on the content of the Preamble. Doing so while maintaining the standard’s purpose — to facilitate compatibility — is going to be a challenge, to say the least.

The DICOM bug has emerged amidst increasingly sophisticated and destructive attacks on healthcare IT systems. While it is the first vulnerability that takes advantage not just of a technical design flaw, but the regulatory environment governing an industry, it probably won’t be the last. This is why it’s crucial for healthcare organizations to practice proactive cybersecurity and actively defend themselves against not just today’s attacks but also tomorrow’s.

Author's Bio: 

Michael Peters is the CEO of Lazarus Alliance, Inc., the Proactive Cyber Security™ firm, and Continuum GRC. He has served as an independent information security consultant, executive, researcher, and author. He is an internationally recognized and awarded security expert with years of IT and business leadership experience and many previous executive leadership positions.

He has contributed significantly to curriculum development for graduate degree programs in information security, advanced technology, cyberspace law, and privacy, and to industry standard professional certifications. He has been featured in many publications and broadcast media outlets as the “Go-to Guy” for executive leadership, information security, cyberspace law, and governance.