Feature of DICOM Image Format Could Be Abused to Fuse Malware with PHI

Share this article on:

The DICOM image format, which has been in use for around for 30 years, contains a design ‘flaw’ that could be exploited by hackers to embed malware in image files. Were that to happen, the malware would become permanently fused with protected health information.

The DICOM file format was developed to allow medical images to be easily stored and shared. It eliminated the need for physical films and solved hardware compatibility issues. DICOM is now the standard format used for MRI and CT images and is supported by most medical imaging systems. The file format can be read by a range of devices that are used to view patient image files and diagnostic information.

DICOM images contain a section at the start of the files called a Preamble. This section is used to facilitate access to the metadata within the images and ensure compatibility with image viewers which do not support the DICOM image format. By altering the Preamble section of the file, image viewers treat DICOM images as a file type that they support, such as a jpeg, allowing the file to be opened.

This design feature is part of the reason why the DICOM file format is so useful. However, this feature can also be seen as a flaw. Markel Picado Ortiz, a security researcher at Cylera, discovered the preamble section of the file does not have restrictions on what can be added.

Ortiz has a proof-of-concept exploit for the flaw which allows an arbitrary sequence of executable code to be inserted into the image. Provided that code is less than 128 bytes, it can be inserted without affecting compliance with the DICOM standard, altering the image in any other way, or changing any PHI contained in the file. Ortiz has called the attack method PE/DICOM.

By altering the Preamble of a file, a hacker could insert executable code that masquerades as a DICOM file. The DICOM image would become an executable file, yet it would not have a file extension associated with executable files. Headers could also be added that make the file appear to be another file format, such as an executable.

Any hacker that were to use this method of incorporating malicious code would also benefit from HIPAA regulations. Files containing PHI are usually ignored by anti-malware solutions for compliance reasons. Even if they did, it would be unlikely they would detect the presence of any code in the preamble section of the files.

Detecting the malware would therefore prove difficult. Malicious code could remain undetected, but worse, the infected files would be stored within the healthcare provider’s protected environment. The file may also be shared with other healthcare providers would be unaware the files had been infected with malware.

Since the malware contains executable code, it could download other malware onto the network or give an attacker a launch pad to conduct further attacks. Files could be given worm-like properties that allow malware to be propagated throughout the network.

The potential uses of this flaw are numerous. “This [flaw] enables new and existing malware to evolve into more potent variants, optimized for successful compromise of healthcare organizations, by using the infected patient data to hide, protect and spread itself – three of the primary functions that determine the effectiveness of a malware campaign,” said Ortiz.

Were the malware to be identified, healthcare organizations would have a problem with removing the malware. The hybrid file that is created could not have the malware removed without permanently deleting the file, which would result in the permanent loss of the image and patients’ PHI. Healthcare providers may have to keep the infected file due to HIPAA regulations.

“The fusion of fully-functioning executable malware with HIPAA-protected patient information adds regulatory complexities and clinical implications to automated malware protection and typical incident response processes in ways that did not previously need to be considered,” explained Ortiz.

Unfortunately, since the flaw is present in the DICOM standard itself, it is not possible to issue a patch to correct the flaw. The solution would be for the DICOM standard to be changed to place restrictions on what can be incorporated into the Preamble, but that may prove to be a challenge and would also involve altering a feature of DICOM files that makes them so useful.

Anti-malware solutions could be developed to check for the presence of malicious code inside DICOM images, but that does not solve the issue of what is done with the files if they are determined to contain malware.

While the flaw is serous, in order for it to be exploited, an attacker would first need to have permissions to access the system on which DICOM images are stored and would also need to have permissions to execute commands. Valid Active Directory credentials would therefore be required. That said, there have been many cases of credentials being compromised that have given hackers access to healthcare networks. The flaw could also be exploited by a malicious insider with access to the network.

All healthcare organizations can do to protect against the flaw in the short term is to adopt standard cybersecurity best practices to prevent access to the network being gained, such as changing default credentials, securing the perimeter, and scanning for and addressing vulnerabilities. Network segregation will help to prevent the spread of any malware and intrusion detection systems could detect an attack before DICOM images could be changed.

What is clear is that correcting the flaw and preventing abuse is going to be a major challenge and one that will not easily be solved.

Author: HIPAA Journal

Share This Post On