Exploitation of DICOM Image Format Could Allow Fusion of Malware with PHI

The DICOM image format has been available for about 30 years. It has a design ‘flaw’ that hackers could exploit to add malware in image files. If that happens, the protected health information (PHI) will be permanently fused with malware.

The DICOM file format is used to easily store and share medical images. Its use replaces the use of physical films and fixed hardware compatibility problems. DICOM is currently the standard image format for MRI and CT images and is compatible with nearly all medical imaging systems. The file format is readable in various devices used for viewing patient image files and diagnostic data.

There is a Preamble section in DICOM images at the beginning of the files. This section facilitates access to the images’ metadata and ensures the images are compatible with viewers that do not support DICOM images. By changing the Preamble section, image viewers can support DICOM images as a file type, for example a jpeg, so the file can be viewed.

This feature is partly the reason for the usefulness of the DICOM file format. But, this is also a flaw that security researcher Markel Picado Ortiz of Cylera discovered. The preamble does not restrict what can be added to the file.

Ortiz states that an arbitrary string of executable code can be put in the image. As long as the code inserted is under 128 bytes, it won’t affect conformity to the DICOM standard, modifying the image in any way, or altering any PHI the file contains. Ortiz named the attack method as PE/DICOM.

By changing the Preamble, a hacker can put in executable code disguised as a DICOM file. The DICOM image then become an executable file though it doesn’t have an extension related to executable files. Headers may also be included making the file look like another file format, for instance an executable.

Any hacker using this method of integrating malicious code would likewise be benefited by HIPAA regulations. Files with PHI are generally dismissed by anti-malware solutions for reasons of compliance. Even if not, the detection of any code in the preamble section is unlikely.

Uncovering the malware would be challenging. Malicious code can stay undetected, but even worse is the storage of the infected files within the healthcare company’s protected system. The healthcare companies with whom the file is shared will not notice the files contain malware.

Because the malware has executable code, other malware may be downloaded onto the network. The attacker could also use it as a launch pad to perform other attacks. Files may have worm-like attributes allowing the malware to propagate all through the network.

There are numerous possible uses of this flaw that could compromise healthcare organizations. Even if the malware is identified, healthcare organizations will have difficulty removing the malware. To remove the malware, the hybrid file must be permanently deleted, which would mean the image and patients’ PHI will be permanently lost. Healthcare providers might need to hold on to the infected file because of HIPAA regulations.

The combination of executable malware with HIPAA-PHI brings regulatory complexities and clinical consequences to computerized malware protection and common incident response procedures that’s not previously considered.

Sadly, because the flaw is found in the DICOM standard itself, a patch cannot be issued to fix the flaw. The solution is to change the DICOM standard to put restrictions on what may be added to the Preamble. However, is going to be a challenge and would require modifying a feature that is very useful in DICOM files.

The presence of malicious code within DICOM images may be checked using newly developed anti-malware solutions, however there is still the concern of what to do with the files found to have malware.

Although the flaw is really serious, an attacker can only exploit it if he first gets access permission to the system containing the DICOM images and command execution permissions. This also needs Valid Active Directory credentials. There have been numerous cases of compromised credentials that gave hackers access to healthcare systems. The flaw may also be exploited through a malicious insider that has network access.

To protect against the flaw, healthcare organizations can only follow standard cybersecurity best practices to stop hackers from accessing the network, such as modifying default credentials, protecting the perimeter, and checking for and fixing vulnerabilities. Network segregation can help prevent the propagation of any malware while intrusion detection systems can spot an attack before the alteration of DICOM images.

About Christine Garcia 1304 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA