FacebookTwitterLinkedIn

Malware Hidden in Medical Imagery

Karolis Liucveikis Written by on (updated)

The healthcare sector has come under increasing fire over recent years. This fire was caused by numerous cybersecurity incidents, from breaches to malware infections affecting critical service delivery. Now the US Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC) has issued an alert warning that files using the Digital Imaging and Communications in Medicine (DICOM) standard can be abused to hide malware. The DICOM standard is used in virtually all hospitals around the world, including by imaging equipment (CT, MR, ultrasound), imaging information systems (HIS, RIS, PACS), and peripheral equipment (workstations and 3D printers). The vulnerability in DICOM type files was discovered by Cylera’s Markel Picado Ortiz, who has described the flaw as a “fundamental design flaw.”

According to the NCCIC successful exploitation of this design flaw, which has been publically announced and has been given a CVE designation of CVE-2019-11687, could allow an attacker to embed executable code into image files used by medical imaging devices. Further, malicious code embedded within such image files which results in a Windows executable will not interfere with the readability and functionality of the DICOM imagery. This could potentially make the detection of malware harder and promote malware persistence on infected devices.

The flaw is not remotely exploitable but given how the healthcare sector has been under siege recently that does not make the flaw any less serious. Given that the sector has been criticized for weak cybersecurity policy and implementation, and the prices medical records can fetch the severity of the flaw should not be underestimated. Cylera in a blog post further stated that,

“By exploiting this design flaw attackers can take advantage of the abundance and centralization of DICOM imagery within healthcare organizations to increase stealth and more easily distribute their malware, setting the stage for potential evasion techniques and multi-stage attacks. Perhaps more interestingly, the fusion of fully-functioning executable malware with HIPAA-protected patient information adds regulatory complexities and clinical implications to automated malware protection and typical incident response processes in ways that did not previously need to be considered. Common incident response procedures could now delete or incidentally leak the ePHI the malware is hiding in.”

As to the actual flaw, Ortiz discovered that a 128-byte section at the beginning of DICOM files often referred to as the preamble, can be used to hide malicious code.

malware hidden in medical imagery

The preamble is included in the DICOM standard as it enables the file to be read and interpreted by DICOM related software as well as non-DICOM software. The preamble stores both the legitimate medical information and the malware if exploited. As mentioned above the medical information included in the preamble is not compromised or degraded, meaning the end user can still access this information thinking nothing is wrong with the file which is potentially harvesting the malware. The blog post published by Cylera, Ortiz describes in detail how the flaw can be exploited and further the researcher includes proof of concept code.

Mitigation and Prevention

The organization responsible for the DICOM standard, the DICOM Security Group, released a press release and a FAQ regarding the flaw last month to inform users of the flaw and what can be done to mitigate the threat. The group stated that,

“The risks of such an exploit can be mitigated. Just as recipients of strange email attachments should be cautious about opening them, programs that process DICOM media files should take precautions. Virus scanning software should scan DICOM media files and not assume DICOM media files are safe. Data import systems should have file execution disabled when reading CD/DVDs.”

Further mitigation strategies suggested by the security group include,

“Just as recipients of strange email attachments should be cautious about opening them, programs that process DICOM media files should take precautions. Virus scanning software should scan DICOM media files and not assume DICOM media files are safe. DICOM files are never intended to hold executable code, so DICOM media files should never be given executable file extensions, and finding an executable code inside a DICOM media file should trigger warning flags…Data import systems should have file execution disabled when reading CD/DVDs. The CDs and DVDs themselves are read-only, and not easy to counterfeit. Media files on a USB stick, email attachments, or shared over the web are only as safe as the associated security systems.  For example, the Dental profile for email exchange requires the use of encryption for DICOM files.”

Patient information, including DICOM image files, form part of strict regulatory conditions. These conditions have been defined in legislation such as HIPAA, standing for Health Insurance Portability and Accountability Act, which was designed to protect sensitive patient data by detailing measures to ensure compliance. The above-described flaw, if exploited, could have serious implications for healthcare organizations. If a regulatory body finds that the organization did not do its utmost to protect sensitive patient data they could be fined on top the other fallout that results from a cybersecurity incident. For example, in the US the civil penalty can be fined a maximum of 1.5 million USD per violation. As was suggested earlier by Cylera the accidental release of sensitive patient data while attempting to prevent a malware infection could potentially result in a HIPAA non-compliance issue. Security teams might be prevented from using security tools and services like VirusTotal without jeopardizing patient data adding more complexity to defending against infection. In this regard, prevention is most definitely better than cure.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

New Removal Guides
Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal

Top Removal Guides
Latest News
Blog