The healthcare sector has come under increasing fire over recent years. This fire was caused by numerous cybersecurity incidents, from breaches to malware infections affecting critical service delivery. Now the US Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC) has issued an alert warning that files using the Digital Imaging and Communications in Medicine (DICOM) standard can be abused to hide malware. The DICOM standard is used in virtually all hospitals around the world, including by imaging equipment (CT, MR, ultrasound), imaging information systems (HIS, RIS, PACS), and peripheral equipment (workstations and 3D printers). The vulnerability in DICOM type files was discovered by Cylera’s Markel Picado Ortiz, who has described the flaw as a “fundamental design flaw.”
According to the NCCIC successful exploitation of this design flaw, which has been publically announced and has been given a CVE designation of CVE-2019-11687, could allow an attacker to embed executable code into image files used by medical imaging devices. Further, malicious code embedded within such image files which results in a Windows executable will not interfere with the readability and functionality of the DICOM imagery. This could potentially make the detection of malware harder and promote malware persistence on infected devices.
The flaw is not remotely exploitable but given how the healthcare sector has been under siege recently that does not make the flaw any less serious. Given that the sector has been criticized for weak cybersecurity policy and implementation, and the prices medical records can fetch the severity of the flaw should not be underestimated. Cylera in a blog post further stated that,
“By exploiting this design flaw attackers can take advantage of the abundance and centralization of DICOM imagery within healthcare organizations to increase stealth and more easily distribute their malware, setting the stage for potential evasion techniques and multi-stage attacks. Perhaps more interestingly, the fusion of fully-functioning executable malware with HIPAA-protected patient information adds regulatory complexities and clinical implications to automated malware protection and typical incident response processes in ways that did not previously need to be considered. Common incident response procedures could now delete or incidentally leak the ePHI the malware is hiding in.”
As to the actual flaw, Ortiz discovered that a 128-byte section at the beginning of DICOM files often referred to as the preamble, can be used to hide malicious code.
The preamble is included in the DICOM standard as it enables the file to be read and interpreted by DICOM related software as well as non-DICOM software. The preamble stores both the legitimate medical information and the malware if exploited. As mentioned above the medical information included in the preamble is not compromised or degraded, meaning the end user can still access this information thinking nothing is wrong with the file which is potentially harvesting the malware. The blog post published by Cylera, Ortiz describes in detail how the flaw can be exploited and further the researcher includes proof of concept code.
Mitigation and Prevention
The organization responsible for the DICOM standard, the DICOM Security Group, released a press release and a FAQ regarding the flaw last month to inform users of the flaw and what can be done to mitigate the threat. The group stated that,
“The risks of such an exploit can be mitigated. Just as recipients of strange email attachments should be cautious about opening them, programs that process DICOM media files should take precautions. Virus scanning software should scan DICOM media files and not assume DICOM media files are safe. Data import systems should have file execution disabled when reading CD/DVDs.”
Further mitigation strategies suggested by the security group include,
“Just as recipients of strange email attachments should be cautious about opening them, programs that process DICOM media files should take precautions. Virus scanning software should scan DICOM media files and not assume DICOM media files are safe. DICOM files are never intended to hold executable code, so DICOM media files should never be given executable file extensions, and finding an executable code inside a DICOM media file should trigger warning flags…Data import systems should have file execution disabled when reading CD/DVDs. The CDs and DVDs themselves are read-only, and not easy to counterfeit. Media files on a USB stick, email attachments, or shared over the web are only as safe as the associated security systems. For example, the Dental profile for email exchange requires the use of encryption for DICOM files.”
Patient information, including DICOM image files, form part of strict regulatory conditions. These conditions have been defined in legislation such as HIPAA, standing for Health Insurance Portability and Accountability Act, which was designed to protect sensitive patient data by detailing measures to ensure compliance. The above-described flaw, if exploited, could have serious implications for healthcare organizations. If a regulatory body finds that the organization did not do its utmost to protect sensitive patient data they could be fined on top the other fallout that results from a cybersecurity incident. For example, in the US the civil penalty can be fined a maximum of 1.5 million USD per violation. As was suggested earlier by Cylera the accidental release of sensitive patient data while attempting to prevent a malware infection could potentially result in a HIPAA non-compliance issue. Security teams might be prevented from using security tools and services like VirusTotal without jeopardizing patient data adding more complexity to defending against infection. In this regard, prevention is most definitely better than cure.