Healthcare Organizations Exposing Patient Data Via Poorly Secured DICOM Servers
Healthcare organizations are exposing a vast amount of patient data by failing to implement even basic security measures for DICOM servers, according to a recent Trend Micro TrendAI analysis. TrendAI identified thousands of internet-facing DICOM servers belonging to hundreds of entities. The lack of security protections puts patient privacy at risk and gives hackers the opening they need for lateral movement and ransomware attacks.
Medical images generated from X-rays, MRI, CT, and ultrasound scans are captured, stored, processed, transmitted, and viewed using the Digital Imaging and Communications in Medicine (DICOM) standard. Work on a standard for communicating medical imaging information started in the early 80s and culminated in the DICOM standard. DICOM defines a file format for medical images and a network protocol for communicating those images between different devices and systems, including equipment such as scanners, workstations, and printers, software, network hardware, and Picture Archiving and Communication Systems (PACS). DICOM enables interoperability across devices and systems, regardless of manufacturer.
DICOM files contain medical imaging data; however, the metadata includes a substantial volume of protected health information, such as full names, dates of birth, and medical record numbers, and sometimes other sensitive data such as Social Security numbers and other patient identifiers. The metadata may also include information such as the referring physician’s name, the reading radiologist, why the test was ordered, diagnosis codes, and procedure information, while the images themselves can reveal sensitive health conditions.
The purpose of the DICOM standard is to allow easy viewing, storage, exchange, and transmission of medical images; however, there are also security features to protect against unauthorized access. The problem is that those security features are not being fully utilized, and in many cases, are not being used at all. Using Shodan.io scanning data, the TrendAI team identified 3,627 DICOM medical imaging servers in more than 100 countries that were directly accessible via the public internet, the largest percentage of which (33%) were in the United States (1,189 servers). While the exposed servers were often PACS or workstations, the TrendAI team points out that they often serve as gateways to medical imaging modalities such as MRI systems, X-Ray equipment, CT and PET-CT scanners, and mammography units. While the analysis did not identify any of those medical devices, it is reasonable to assume that the exposed servers communicate with those devices.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
The analysis was conducted using Shodan scanning data from November to December 2025, which revealed that many DICOM servers have minimal or no security controls. TrendAI found that only 0.14% of exposed DICOM servers use TLS encryption, which prevents eavesdropping and man-in-the-middle attacks. DICOM servers should only accept connections from known, trusted sources; however, 99.56% of exposed servers accepted connections without AE Title validation, suggesting AE Title validation was not being enforced. Across the exposed servers, 334 organizations could be identified. They included 231 healthcare organizations such as hospitals, clinics, laboratories, and imaging and radiology centers.
The best practice is to ensure that DICOM servers are on isolated networks with firewalls restricting access; however, the fact that 3,627 servers were exposed to the internet shows that even this basic security control is not being implemented. Further, an analysis of software versions found that many had significant patch deficiencies, including unpatched critical vulnerabilities such as CVE-2019-1010228, CVE-2022-2119, CVE-2022-2120, and CVE-2025-0896. The TrendAI team also found that 44% of servers cluster into groups running identical software, which means that one vulnerability can be exploited on hundreds of targets. The scant protections put patient privacy at risk, potentially allowing extensive data theft, image manipulation, lateral movement, and ransomware attacks.
“Security must be treated as a fundamental requirement rather than an optional enhancement. The tools exist; they simply need to be used,” suggests TrendAI. “Healthcare organizations, cloud providers, and DICOM software vendors all share responsibility for addressing this exposure. Until they do, patient data remains at risk, clinical systems remain vulnerable, and the healthcare sector remains an attractive target for malicious actors.”
