Millions of Patient Records at Risk: The Perils of Legacy Protocols
This talk demonstrates how the legacy DICOM protocol, used in medical imaging, is frequently exposed on the internet due to misconfigurations and lack of authentication. The researcher shows how attackers can use standard DICOM services like C-FIND, C-GET, and C-STORE to query, exfiltrate, and tamper with sensitive patient medical records. The presentation highlights that over 30% of exposed DICOM servers are vulnerable to data tampering, which can lead to the injection of false medical findings. The researcher provides practical mitigation strategies, including network segmentation, IP whitelisting, and the use of DICOMweb with modern security controls.
How Exposed DICOM Servers Enable Remote Patient Record Tampering
TLDR: Medical imaging systems often expose the legacy DICOM protocol to the public internet, allowing anyone to query and exfiltrate sensitive patient data. Beyond simple data leakage, many of these servers lack proper authentication, enabling attackers to use C-STORE to inject malicious images into existing patient studies. This vulnerability allows for the silent modification of medical records, potentially leading to misdiagnosis or the injection of false findings into a patient's history.
Medical imaging is the backbone of modern diagnostics, but the infrastructure supporting it is stuck in the past. The DICOM standard was designed over three decades ago for isolated hospital networks, not for the interconnected, cloud-native environments we see today. When healthcare providers shift their Picture Archiving and Communication Systems (PACS) to the cloud, they often carry these legacy protocols with them, exposing millions of patient records to the public internet. This is not a theoretical risk. A simple scan of the internet reveals thousands of DICOM servers that require zero authentication to access, query, and modify.
The Mechanics of DICOM Exposure
The DICOM protocol operates on a client-server architecture using TCP/IP. During a standard engagement, a researcher or pentester can identify these targets using nmap by scanning for common DICOM ports like 104, 4242, or 11112. Once a target is identified, the barrier to entry is non-existent.
Most of these servers fail to implement even basic identification and authentication controls. An attacker can use a simple Python script to perform a C-FIND request, which acts as a search function for the server's database. Because these servers often support wildcards, an attacker can query for all patients or for specific identifiers without needing any credentials.
# Example of a C-FIND request using pynetdicom
from pydicom.dataset import Dataset
from pynetdicom import AE

ae = AE()
ae.add_requested_context('1.2.840.10008.5.1.4.1.2.1.1')  # Patient Root Query/Retrieve - FIND
assoc = ae.associate('TARGET_IP', 11112, ae_title='ANY_AET')
if assoc.is_established:
    # Query for all patients at the PATIENT level; the identifier must be a pydicom Dataset
    ds = Dataset()
    ds.QueryRetrieveLevel = 'PATIENT'
    ds.PatientName = '*'
    # send_c_find returns a generator; nothing is sent until it is iterated
    responses = assoc.send_c_find(ds, '1.2.840.10008.5.1.4.1.2.1.1')
    for status, identifier in responses:
        if identifier:
            print(identifier.PatientName)
    assoc.release()
Once the attacker has the patient IDs and study UIDs, they can use C-GET or C-MOVE to download the entire imaging study. The impact here is immediate: full exfiltration of Protected Health Information (PHI) including names, dates of birth, and detailed medical imaging results.
Beyond Exfiltration: The Danger of Data Tampering
The most alarming aspect of this research is the ability to perform data tampering via the C-STORE service. Because the DICOM standard does not enforce strict validation on the sequence of images within a study, an attacker can inject new, malicious images into an existing series.
The attack flow is straightforward:
- Reconnaissance: Use C-FIND to identify a target patient and their associated study.
- Exfiltration: Use C-GET to pull the existing images to understand the study structure.
- Crafting: Generate a malicious DICOM image that mimics the metadata of the original study.
- Injection: Use C-STORE to push the malicious image to the server.
Because the server accepts these requests without authorization, the malicious image is indexed into the patient's record. When a radiologist or physician later opens the study in their viewer, the malicious image appears as part of the legitimate series. The lack of a "delete" function in the DICOM protocol means that once this data is injected, it is incredibly difficult to remove, often requiring manual intervention by database administrators.
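An added example, not part of the talk: a study-integrity audit of the kind a PACS administrator could run to surface an out-of-place instance after an unauthorized C-STORE. It works on plain header dictionaries so it runs without pydicom; the sample study, its UIDs and station names are constructed, and the heuristics (duplicate InstanceNumber, StationName or UID root differing from the rest of the series, instance created after the StudyDate) are assumptions about what a mimicked image is likely to get wrong, not a detection method the speaker describes.

```python
"""Audit a DICOM study's instance headers for signs of an injected image (added example)."""
from collections import Counter, defaultdict

# Header attributes each instance must carry for the checks below
REQUIRED = ("SOPInstanceUID", "SeriesInstanceUID", "InstanceNumber",
            "StationName", "InstanceCreationDate", "StudyDate")

# Constructed sample: one CT series with three genuine slices and one injected instance.
# UIDs and station names are placeholders, not values from any real PACS.
SAMPLE_STUDY = [
    {"SOPInstanceUID": "1.2.3.4.1001", "SeriesInstanceUID": "1.2.3.4.5", "InstanceNumber": 1,
     "StationName": "CT01", "InstanceCreationDate": "20240301", "StudyDate": "20240301"},
    {"SOPInstanceUID": "1.2.3.4.1002", "SeriesInstanceUID": "1.2.3.4.5", "InstanceNumber": 2,
     "StationName": "CT01", "InstanceCreationDate": "20240301", "StudyDate": "20240301"},
    {"SOPInstanceUID": "1.2.3.4.1003", "SeriesInstanceUID": "1.2.3.4.5", "InstanceNumber": 3,
     "StationName": "CT01", "InstanceCreationDate": "20240301", "StudyDate": "20240301"},
    # Injected: copies the SeriesInstanceUID and StudyDate but reuses InstanceNumber 2,
    # comes from a different UID root and station, and was created six weeks later.
    {"SOPInstanceUID": "2.25.999", "SeriesInstanceUID": "1.2.3.4.5", "InstanceNumber": 2,
     "StationName": "UNKNOWN", "InstanceCreationDate": "20240415", "StudyDate": "20240301"},
]


def uid_root(uid, components=4):
    """Organizational root of a UID: the leading components an issuing device controls."""
    return ".".join(uid.split(".")[:components])


def majority(values):
    """Most common value in an iterable."""
    return Counter(values).most_common(1)[0][0]


def audit_study(instances):
    """Return [(SOPInstanceUID, reason), ...] for instances that look out of place."""
    findings = []
    by_series = defaultdict(list)
    for inst in instances:
        missing = [k for k in REQUIRED if k not in inst]
        if missing:
            findings.append((inst.get("SOPInstanceUID", "?"), f"missing attributes {missing}"))
            continue
        by_series[inst["SeriesInstanceUID"]].append(inst)

    for series_uid, insts in by_series.items():
        station = majority(i["StationName"] for i in insts)
        root = majority(uid_root(i["SOPInstanceUID"]) for i in insts)
        numbers = Counter(i["InstanceNumber"] for i in insts)
        for i in insts:
            uid = i["SOPInstanceUID"]
            if numbers[i["InstanceNumber"]] > 1:
                findings.append((uid, f"duplicate InstanceNumber {i['InstanceNumber']} in series {series_uid}"))
            if i["StationName"] != station:
                findings.append((uid, f"StationName {i['StationName']!r} differs from series majority {station!r}"))
            if uid_root(uid) != root:
                findings.append((uid, f"UID root {uid_root(uid)} differs from series majority {root}"))
            # DICOM DA values are YYYYMMDD strings, so lexical comparison orders them correctly
            if i["InstanceCreationDate"] > i["StudyDate"]:
                findings.append((uid, f"created {i['InstanceCreationDate']} after StudyDate {i['StudyDate']}"))
    return findings


if __name__ == "__main__":
    for uid, reason in audit_study(SAMPLE_STUDY):
        print(f"{uid}: {reason}")
```

The genuine slice that shares InstanceNumber 2 is flagged as well as the injected one; that is intentional, since the audit cannot tell which of a duplicate pair is original and a reviewer has to look at both.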
Real-World Engagement Strategy
During a penetration test, your focus should be on identifying these misconfigured PACS nodes. If you find an open DICOM port, do not just report the exposure. Demonstrate the risk by querying the server to see if it returns patient data. If the server supports C-STORE, attempt to upload a benign, non-medical image to prove that the server is accepting unauthorized writes.
The risk is amplified by the fact that many of these systems are used for cross-facility collaboration. An attacker who compromises a single, poorly secured server at a small clinic might be able to pivot or influence the records of a much larger hospital system that trusts the data coming from that source.
Defensive Hardening
Defenders must prioritize network segmentation. DICOM traffic should never traverse the public internet. If remote access is required, it must be tunneled through a secure connection like IPsec or a VPN. Furthermore, organizations should implement strict IP whitelisting at the network firewall level to ensure that only known modality IP addresses can communicate with the PACS.
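An added example, not from the talk, covering two points above: the association handshake behind the DICOM ports and AE titles mentioned in the mechanics section, and the IP whitelisting recommended here. It parses the A-ASSOCIATE-RQ PDU that opens every DICOM association and applies an allowlist policy that a TCP proxy or IDS tap in front of the PACS could enforce: only known peers may associate, their calling AE title must match, and only modalities may negotiate a Storage (C-STORE) abstract syntax. The PDU layout and UIDs are from the DICOM standard (PS3.8 and PS3.4); the peer table, IP addresses, AE titles and the PDU builder are constructed for the example.

```python
"""Parse DICOM A-ASSOCIATE-RQ PDUs and apply a peer allowlist (added example)."""
import struct

# Well-known UIDs from the DICOM standard
APPLICATION_CONTEXT = "1.2.840.10008.3.1.1.1"
IMPLICIT_VR_LE = "1.2.840.10008.1.2"
PATIENT_ROOT_FIND = "1.2.840.10008.5.1.4.1.2.1.1"  # Patient Root Q/R - FIND (C-FIND)
CT_IMAGE_STORAGE = "1.2.840.10008.5.1.4.1.1.2"     # CT Image Storage (a C-STORE abstract syntax)
STORAGE_PREFIX = "1.2.840.10008.5.1.4.1.1."         # shared by the Storage SOP classes


def _item(item_type, payload):
    """Encode one variable item: type, reserved byte, 2-byte big-endian length, payload."""
    return struct.pack(">BBH", item_type, 0, len(payload)) + payload


def build_associate_rq(called_ae, calling_ae, abstract_syntaxes):
    """Build a minimal A-ASSOCIATE-RQ (constructed test input, not a captured packet)."""
    body = struct.pack(">HH", 1, 0)  # protocol version 1, reserved
    body += called_ae.ljust(16)[:16].encode("ascii") + calling_ae.ljust(16)[:16].encode("ascii")
    body += b"\x00" * 32  # reserved
    body += _item(0x10, APPLICATION_CONTEXT.encode("ascii"))
    for i, uid in enumerate(abstract_syntaxes):
        pc = struct.pack(">BBBB", 2 * i + 1, 0, 0, 0)  # odd presentation context ID + 3 reserved
        pc += _item(0x30, uid.encode("ascii")) + _item(0x40, IMPLICIT_VR_LE.encode("ascii"))
        body += _item(0x20, pc)
    body += _item(0x50, _item(0x51, struct.pack(">I", 16384)))  # User Info: Maximum Length
    return struct.pack(">BBI", 0x01, 0, len(body)) + body


def parse_associate_rq(pdu):
    """Return called/calling AE titles and requested abstract syntaxes, or raise ValueError."""
    if len(pdu) < 74 or pdu[0] != 0x01:
        raise ValueError("not an A-ASSOCIATE-RQ PDU")
    if struct.unpack(">I", pdu[2:6])[0] != len(pdu) - 6:
        raise ValueError("PDU length field does not match data length")
    called = pdu[10:26].decode("ascii", "replace").strip()
    calling = pdu[26:42].decode("ascii", "replace").strip()
    abstract = []
    pos = 74  # variable items start after the fixed header fields
    while pos + 4 <= len(pdu):
        item_type, _, item_len = struct.unpack(">BBH", pdu[pos:pos + 4])
        payload = pdu[pos + 4:pos + 4 + item_len]
        if len(payload) != item_len:
            raise ValueError("truncated item")
        if item_type == 0x20:  # presentation context: ID + 3 reserved bytes, then sub-items
            sub = 4
            while sub + 4 <= len(payload):
                sub_type, _, sub_len = struct.unpack(">BBH", payload[sub:sub + 4])
                if sub_type == 0x30:  # abstract syntax sub-item
                    abstract.append(payload[sub + 4:sub + 4 + sub_len].decode("ascii"))
                sub += 4 + sub_len
        pos += 4 + item_len
    return {"called_ae": called, "calling_ae": calling, "abstract_syntaxes": abstract}


# Constructed policy: which peers may associate with the PACS and which may write to it
ALLOWED_PEERS = {
    "10.20.0.11": {"ae_title": "CT_SCANNER_1", "may_store": True},  # a modality
    "10.20.0.50": {"ae_title": "RAD_WS_01", "may_store": False},    # a reading workstation
}


def evaluate(src_ip, pdu, allowed=ALLOWED_PEERS):
    """Decide whether an association request should be allowed; return (allowed, reasons)."""
    try:
        rq = parse_associate_rq(pdu)
    except ValueError as exc:
        return False, [f"malformed A-ASSOCIATE-RQ: {exc}"]
    reasons = []
    peer = allowed.get(src_ip)
    if peer is None:
        reasons.append(f"source {src_ip} not in peer allowlist")
    elif rq["calling_ae"] != peer["ae_title"]:
        reasons.append(f"calling AE {rq['calling_ae']!r} does not match {peer['ae_title']!r} for {src_ip}")
    wants_store = [u for u in rq["abstract_syntaxes"] if u.startswith(STORAGE_PREFIX)]
    if wants_store and not (peer and peer["may_store"]):
        reasons.append(f"Storage abstract syntax requested by a non-modality peer: {wants_store}")
    return (not reasons), reasons


if __name__ == "__main__":
    unknown = build_associate_rq("PACS", "ANY_AET", [PATIENT_ROOT_FIND, CT_IMAGE_STORAGE])
    print(evaluate("203.0.113.7", unknown))
    scanner = build_associate_rq("PACS", "CT_SCANNER_1", [CT_IMAGE_STORAGE])
    print(evaluate("10.20.0.11", scanner))
```

Because the abstract syntaxes are negotiated in this first PDU, a gateway can reject an unwanted C-STORE before any image bytes arrive; a firewall rule on the port alone cannot make that distinction.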
For those who must expose imaging data for web-based viewing, move away from the raw DICOM protocol. Use DICOMweb, which provides a RESTful API. This allows security teams to apply modern controls like OAuth2, TLS, and Web Application Firewalls (WAF) to filter out malicious payloads like SQL injection attempts.
The industry is moving toward cloud-based storage, but it is doing so while clinging to protocols that were never meant to be exposed. Until the standard bodies and vendors mandate secure-by-default configurations, the responsibility falls on researchers and security teams to identify these exposures before they are weaponized. Stop treating legacy protocols as "internal only" and start treating them as the high-risk assets they are.