Article

Hackers Can Use DICOM Bug to Hide Malware in Medical Images

Topic: Business NetworkingBy Michael PetersPublished Recently added
No ratings yet1,344 viewsSign in to rate
A newly discovered design flaw in DICOM, a three-decade-old medical imaging standard, could be used to deliver malware inside what appears to be an innocuous image file, a researcher from Cylera has discovered. Because the malware would not alter the protected health information (PHI) contained in the image file, it would bypass automated malware detection systems. What is DICOM? Originally developed by the National Electrical Manufacturers Association (NEMA) and the American College of Radiology (ACR), DICOM is an international standard protocol for the management and transmission of medical images and related data, such as MRIs and CT scans. It was created to enable healthcare providers to store and easily share medical images and related patient data digitally, eliminating both hardware incompatibility issues and the need for physical films. Today, DICOM has become the de facto standard for CT and MRI images throughout the healthcare industry. Most medical imaging equipment supports DICOM standards, along with specialized workstations that analyze scan results, and phones and tablets that can be used to view diagnostic information. The DICOM bug The DICOM bug is found in the Preamble, a 128-byte section at the beginning of a file that facilitates access to the images and metadata within a DICOM image. The Preamble is used to enable compatibility with image viewers that do not support DICOM but do support common web image formats, such as JPG or TIFF. It’s important to note that this is not a design flaw per se but an inherent feature of the DICOM file format, meant to facilitate compatibility. By modifying the Preamble, third parties can “trick” these image viewers into thinking a DICOM file is actually one of their supported formats, so that a healthcare provider could view an MRI file using their phone or tablet’s image viewer. Problem is, there are no structural requirements for the data that can be inserted into a DICOM file’s Preamble; any sequence, so long as it is 128 or fewer bytes, can be used while still maintaining compliance with the DICOM standard. This allows hackers to do two things: 1. Insert headers that make the DICOM image appear to be an executable, or some other file format. 2. Write an executable file that is 128 bytes or less and hide it within a DICOM preamble; therefore, instead of having a DICOM file “pretend” to be another image format, an executable “pretends” to be a DICOM file. In either case, the original PHI contained in the image’s metadata is preserved, and a hidden executable will not give itself away with an “.exe” extension. If an unsuspecting provider were to be sent an executable file disguised as a DICOM, they would see the correct file extension, and upon opening it, the correct metadata. They would have no reason at all to suspect that anything was wrong. DICOM bug takes advantage of HIPAA regulations The scenario gets even worse when considering that in healthcare settings, most anti-virus/anti-malware solutions are configured to ignore files that contai PHI—because of HIPAA regulations. Even if the malware were discovered, security response teams would face a quandary, again because of HIPAA. The malware and the file’s PHI would be welded together. The file couldn’t be knowingly deleted because it contains PHI. If it is accidentally deleted, the PHI could be destroyed. This makes the DICOM bug, which the researcher who discovered it has dubbed PE/DICOM, “the first vulnerability whose technical potency is derived from a regulatory environment in addition to a software design flaw.” DICOM bug discovered amidst increasingly sophisticated attacks on healthcare IT systems Unfortunately, it’s not possible for any single vendor to issue a patch for this, nor are there any remedial actions that can be applied to all systems that support DICOM. The only way to fix the DICOM bug will be for the standard to be rewritten to impose standards on the content of the Preamble. Doing so while maintaining the standard’s purpose—to facilitate compatibility—is going to be a challenge, to say the least. The DICOM bug has emerged amidst increasingly sophisticated and destructive attacks on healthcare IT systems. While it is the first vulnerability that takes advantage not just of a technical design flaw, but the regulatory environment governing an industry, it probably won’t be the last. This is why it’s crucial for healthcare organizations to practice proactive cybersecurity and actively defend themselves against not just today’s attacks but also tomorrow’s.

Article author

About the Author

Michael Peters is the CEO of Lazarus Alliance, Inc., the Proactive Cyber Security™ firm, and Continuum GRC. He has served as an independent information security consultant, executive, researcher, and author. He is an internationally recognized and awarded security expert with years of IT and business leadership experience and many previous executive leadership positions. He has contributed significantly to curriculum development for graduate degree programs in information security, advanced technology, cyberspace law, and privacy, and to industry standard professional certifications. He has been featured in many publications and broadcast media outlets as the “Go-to Guy” for executive leadership, information security, cyberspace law, and governance.

Further reading

Further Reading

4 total

Article

Introduction There was a time when the call center was seen as a place where phones rang endlessly and agents simply answered questions. That picture has changed dramatically. Today the modern call center sits at the center of customer experience, quietly coordinating returns, managing fulfillment concerns, and shaping how customers feel about every interaction with a brand. Instead of reacting to problems, teams now guide customers through complex journeys. Their role has gr

February 6, 2026

Article

In today’s financial landscape, credit scores play a major role in determining access to loans, housing, and even employment opportunities. For individuals facing late payments, collections, or inaccurate credit reports, rebuilding credit can feel overwhelming. This is why many people turn to professional services for guidance. Among the growing number of Credit Repair Companies in Houston and providers offering Credit Repair San Antonio solutions, White Jacobs continues to

February 6, 2026

Article

Choosing the right POS terminal is more important now than ever. With customer expectations rising and payment methods changing quickly, businesses need a device that works fast, stays secure, and handles different payment types. The PAX A30 is a popular Android POS terminal that has gained attention for its modern design and strong features. In this review, we look at how well it performs in real life, what makes it stand out, and whether it can truly be called the best Andr

January 17, 2026

Article

Installing a rack mount server cabinet is an important task for anyone setting up a server room or a data center. These cabinets are designed to hold servers, networking devices, and other hardware safely and in an organized way. A well-planned installation helps improve airflow, manage cables neatly, and secure equipment, which makes the server room safer and more efficient. Whether you’re setting up a small office server or a larger business data center, knowing how to in

January 16, 2026