DICOM: The 'Invisible' Vulnerability of Healthcare Networks
Attacks on healthcare systems are a growing concern. Healthcare data is a special category of sensitive data, containing extremely sensitive personal information that make it attractive both for institutional blackmailing – in the form of ransomware, and for individual ransom demands as in the case of high-profile individuals. As such, health IT networks need to implement high-end security tools that meet the particular challenges of securing electronic healthcare data. This article focuses on one specific, but universally prevalent vulnerability represented in the widely used DICOM medical imaging file.
DICOM: A Ticking Time Bomb
In healthcare systems, one of the most common file types being shared around is the DICOM file. DICOM is a very specialized file format created about 24 years ago specifically for the healthcare industry. It holds all the sensitive information about a patient – his/her name, age, ID, date of birth, weight, medical condition etc. – as well as the relevant medical images such as X-Ray, CT Scan, MRI etc. Due to the amount of data included, the structure of a DICOM file is similar to that of an archive file – essentially a container holding multiple files inside.
DICOM is the mainstream conduit for storage of digital medical images in most hospitals and healthcare establishments today. Due to the highly specialized purpose of this file format, its potential vulnerability is not in the consideration of major cyber protection tools.
The current state of affair poses a serious security concern because malicious software like ransomware can effortlessly be transported via DICOM file, by disguising as a legitimate digital object. Healthcare institutions typically use portable media devices such as USB flash drives or DVDs to transfer and share the DICOM files. The problem is, in most cases, these innocent-looking portable media devices, which were brought over by the patients themselves, can be the main source of a ransomware outbreak.
Scenario: Attack via PACS
Imagine this scenario: A patient did an MRI scan overseas and this overseas hospital gave him the MRI scan files in a DICOM format using a DVD disc. What he did not know was that this overseas hospital’s network had been infected and there is a ransomware spreading around, even in the DICOM file inside the DVD they gave him.
Now he is back to his own country and decided to do a follow up with a local doctor so he passed the DVD to him. The unsuspecting local doctor inserts the DVD, opens up the file, and a malicious attack could then find its way in. The ransomware inside the DICOM file infects the doctor’s computer first, from which it continues to infect the hospital’s Picture Archiving and Communication System (PACS). Once the ransomware is inside the PACS system, it is just a matter of time before it proliferates to the whole hospital network and encrypting everything, essentially bringing down the entire system, shutting down all the operations and compromising the sensitive patient information.
The proliferated impact of DICOM infection would potentially be much more devastating than what ransomware has done to the healthcare sector thus far. This is because such vulnerability is relatively unknown, and the impact would not just affect the IT systems, but also the OT (Operational Technology) platforms such as the PACS and other related medical devices. The degree of damages could hence be the health and life of patients in the hospital.
Why existing measures won’t suffice
DICOM files are typically encrypted and hashed, but that does not prevent the attacker from attaching a hidden malware to a legitimate DICOM image file or a DICOM viewer application. Certainly, comparing the hash of the original DICOM file against the hash of the DICOM file the doctor received will expose any tampering done to the file, however, there are three main deawbacks with this approach:
(1) It is tedious and counter-productive to compare the hashes of every single image files with the original hashes before opening the file.
(2) Even if this hash-comparing process is done automatically with the help of an application or script, there is still a good chance that the original hash might be tampered even before going through this process if the computers connected to the MRI or X-ray scan machines already have some backdoors.
(3) Most importantly, after comparing the hashes, what happens next if it is different from the original? The doctor may ask the patient to get a legitimate copy again and come back since it can be potentially life-threatening if the patient’s X-ray images or MRI images in the DICOM file are tampered and the diagnosis went wrong. However, what if it is a critical patient who needs the medical attention right away based on these X-ray images in the DICOM file?
Hence, the main objective here should NOT be based on finding out what is wrong with the file, but rather, on making sure that all DICOM files the doctors receive are clean and legitimate so that they can stop worrying about whether they will bring down the whole hospital system and instead, focus on the more important thing: saving lives.
How to sanitize DICOM files
The challenge now is how to make sure that these DICOM files are indeed clean and devoid of malware?
The common belief is that we can simply scan them using standard detection tools such as anti-virus or sandboxes. While it is true that using detection-based tools can give protection to a certain extent, the main underlying issue is that “detecting nothing malicious” does not equal “safe file”. Detection tools, whether with signature or signature-less, all work on the same principle: employing the most advanced technology available in order to detect malware and remove it.
Unfortunately, while this approach may have worked a couple of years ago, it is no longer effective. This is because advanced threats are not straightforwardly detectable in the first place. With literally hundreds and thousands of new advanced malwares being developed daily by highly-funded cyber criminals around the world, it is simply impractical and impossible to detect them. This means that detection-based applications are bound to miss out on certain new threats every now and then. If that is the case, how can we make sure that all the files are 100% clean?
The Solution – CDR/CDNR Non-Detection Centric Strategy
In view of the challenges mentioned, we need to move on to a non-detection centric technology named “CDNR”. It is an acronym for Content Deconstruction Neutralization and Reconstruction, also commonly known as CDR (Content Disarm and Reconstruction) in the security industry. CDNR is a non-detection based file-cleansing technique where every file is deconstructed and stripped down to the bare minimum components, neutralized or sanitized using a different number of algorithms and techniques, and then usually reconstructed back to the original file format, without affecting much on the original legitimate contents. A good CDNR solution can rebuild the file so perfectly that it is barely noticeable to the users.
Sanitizing a DICOM file with CDNR technique would mean that even if there is any malicious content or ransomware hidden inside the DICOM file, all these components will be wiped out and only the sanitized content will reach the user. However, the sanitization and rebuilding process in CDNR needs to be done very precisely, in a smart and delicate way, because these DICOM image files are naturally much more sensitive to changes than a normal image file is. As a slight change in the image content can result in a drastically wrong diagnosis.
Conclusion: Government-grade CDR/CDNR for DICOM Protection
In summary, as much as being an extremely useful file type for healthcare industry, the world has come to a realization that DICOM is a file type that needs to be handled with extreme care. The file can literally be a trojan horse for malwares and viruses to compromise the healthcare sector. Since healthcare is one of the most sensitive industries where the patients’ lives are at risk, hospitals and clinics would need to step up their cybersecurity game and go extra miles to make sure that they are always protected and safe.
One last word of caution – while CDR/CDNR is a fast-emerging technology that has come to notice only recently, it is important to source for vendors with has a strong track record in protection of state-level critical info infrastructures. This is in view that there are many tools that claim to have CDR/CDNR technologies but are only of recent development with very thin layer of actual CDR/CDNR operations. The healthcare sector needs a government-grade CDR/CDNR technology tool, such as Sasa Software’s GateScanner Imaging Gateway, to protect its files, especially the DICOM file, which could affect patient’s health and lives directly.
Keywords: PACS, Healthcare IT, Healthcare Cyber Security, DICOM malware, DICOM protection, PACS protection, Sasa Software, GateScanner Imaging Gateway
Sasa Software is ISO 27799 certified.
