[Updated January 2023]

Recently detected activity of the CLOP ransomware gang involving the compromise and infection of medical imaging CD’s and the DICOM files within, has raised alarm due to the extremely wide exposure represented by this ubiquitous medium.
Sasa Software is currently the only cybersecurity vendor offering a dedicated solution for the protection of healthcare networks from attack through DICOM – and it is already in production and implemented by two major hospitals in Israel.

The vulnerability of the medical imaging data transmission chain, including the exposure of PACS servers to attack from the network is well documented and publicized. Less known – and less addressed – is the vulnerability of the DICOM file itself.

In 2019 a security researcher at Cylera Labs demonstrated how a DICOM file can be infected with malware without effecting the functionality of the file in clinical use [1]. In January ’22 researchers described steganographic techniques that can be used to hide malicious content within DICOM files and then infect PACS systems [2]. Recent evidence is emerging showing evidence of the first known real-life use of imaging files as a vector of infection by cyber criminals [3,4]. The CLOP ransomware group has, at least in two instances, been found to be using imaging data to infiltrate and infect target healthcare networks. 

The clear and immanent threat was already identified back in 2019 by the Israeli cybersecurity firm Sasa Software, and prompted the development of GateScanner Imaging Gateway, a web-based DICOM sanitization solution now implemented in major hospitals in Israel.

Threat aspects of DICOM: 

• Imaging CD/DVDs may contain media-based attacks (either unknowingly or with malicious intent).
• The CD/DVDs often contain viewer software (an executable) that can be compromised.
• The DICOM file protocol has known vulnerabilities that enable injecting malicious code that could compromise the PACS system.
• Due to their complexity, it is challenging to scan DICOM files for threats, therefore they evade detection by traditional AV scanners and other security solutions.

 GateScanner Imaging Gateway features: 

• Enables safe upload of imaging files to PACS from local and remote locations, enabling e-health initiatives. 
• Limits the usage of CD/DVDs – enabling easy and managed transfer of data from the physical media to network resources.
• Scans the viewing software.  
• Uses a proprietary technology to scan the DICOM file for vulnerabilities and malicious code.
• Verifies DICOM identity meta-data against healthcare RIS for error minimization and automated import sequence.

Read more about the solution, here 
Watch a short video on our Youtube channel: https://youtu.be/SSSmazFJiH

Related reading: “How to Stop Attackers That Target Healthcare Imaging Data” (Dark Reading, February 22, 2023)

Keywords: DICOM, vulnerability, Imaging, HIPPA, Malware, PACS, CLOP 

1. https://resources.cylera.com/dicom-research-brief-hipaa-protected-malware
2. https://www.mdpi.com/1099-4300/24/2/176
3. https://krebsonsecurity.com/2022/12/new-ransom-payment-schemes-target-executives-telemedicine/
4. https://www.scmagazine.com/analysis/ransomware/clop-ransomware-group-targeting-provider-patient-trust-by-infecting-medical-imagesddresseds