In early April, security researchers published a paper showing how an attacker could tamper with medical images produced by CT scanners and MRI machines, adding cancerous nodules to a scan or removing real ones from it.
The "deepfake" attack was highly effective. According to the Washington Post, when the attackers altered images to add or remove cancerous nodules, the radiologists were fooled over 95 percent of the time.
The attack surface for this type of attack is extremely large. According to the researchers themselves and to several people contacted by the Washington Post, encryption of DICOM images in healthcare delivery environments is not standard practice. There are three reasons for this:
Without encryption, DICOM images can be tampered with while in transit or while at rest. This opens up a large number of attack vectors:
In addition, many PACS systems contain built-in web access solutions, such as Centricity PACS (GE Healthcare), IntelliSpace (Philips), Synapse Mobility (FujiFilm), and PowerServer (RamSoft). Many other PACS systems are directly exposed to the Internet. The researchers noted that “a quick search on Shodan.io reveals 1,849 medical image (DICOM) servers and 842 PACS servers exposed to the Internet.”
Armis has observed the same thing: within our customer environments, we have seen many CT scanners that transmit DICOM images without any encryption.
Armis can help detect and prevent an attack against medical images in hospital environments. The Armis platform passively monitors all traffic in the hospital. Deep packet inspection identifies which protocol each flow carries (for example, DICOM over TCP) and whether the session is encrypted. Once the Armis platform detects that a device is sending medical images in the clear, it raises an alert for hospital security staff, such as the one shown below.
Our alerts are clear and easy to understand. Each alert states what we saw, explains the risk and includes recommendations on how you can mitigate the risk. Encrypting all medical images in motion (DICOM over TLS) stops an on-path attacker from reading or modifying images as they travel between the scanner and the PACS, which is the tampering path the researchers demonstrated. Encryption alone does not prove that a stored image is unmodified, so it should be paired with integrity controls such as the digital signature profiles defined in DICOM Part 15 and access controls on the PACS itself. With those in place, healthcare delivery organizations can prevent a data tampering attack such as the one demonstrated by the researchers.
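As an added example, and not code from Armis or from the researchers' paper, the following is a small passive classifier of the kind an alert pipeline like this needs. It takes the first client-to-server bytes of a TCP session, decides whether they are a TLS ClientHello or a cleartext DICOM A-ASSOCIATE-RQ, and for the latter extracts the calling and called AE titles and the SOP classes proposed, flagging image-storage classes. The PDU layout follows DICOM PS3.8; the sample association request and TLS header are constructed in the code, and the AE titles and IP addresses are invented.

```python
"""Passive classifier for DICOM association requests (added example, not Armis code)."""
import struct
from dataclasses import dataclass, field
from typing import List, Optional

# Well-known SOP Class UIDs for image storage (DICOM PS3.4); extend as needed.
IMAGE_STORAGE_SOP_CLASSES = {
    "1.2.840.10008.5.1.4.1.1.2": "CT Image Storage",
    "1.2.840.10008.5.1.4.1.1.4": "MR Image Storage",
}
DICOM_APPLICATION_CONTEXT = "1.2.840.10008.3.1.1.1"   # DICOM PS3.7 Annex A


@dataclass
class Finding:
    verdict: str                       # "cleartext-dicom", "tls" or "other"
    calling_ae: str = ""
    called_ae: str = ""
    abstract_syntaxes: List[str] = field(default_factory=list)


def parse_associate_rq(payload: bytes) -> Optional[Finding]:
    """Decode an A-ASSOCIATE-RQ PDU (DICOM PS3.8 section 9.3.2) or return None."""
    # PDU header: type (1), reserved (1), length (4, big-endian)
    if len(payload) < 74 or payload[0] != 0x01:
        return None
    end = 6 + struct.unpack(">I", payload[2:6])[0]
    if end > len(payload):
        return None                    # truncated capture
    if not struct.unpack(">H", payload[6:8])[0] & 0x0001:
        return None                    # protocol version 1 bit must be set
    called = payload[10:26].decode("ascii", "replace").strip()
    calling = payload[26:42].decode("ascii", "replace").strip()
    app_ctx, abstract = None, []
    pos = 74                           # 32 reserved bytes precede the variable items
    while pos + 4 <= end:
        item_type = payload[pos]
        item_len = struct.unpack(">H", payload[pos + 2:pos + 4])[0]
        body = payload[pos + 4:pos + 4 + item_len]
        if item_type == 0x10:          # Application Context item
            app_ctx = body.decode("ascii", "replace").rstrip("\x00")
        elif item_type == 0x20:        # Presentation Context item
            sub = 4                    # skip context id (1) + reserved (3)
            while sub + 4 <= len(body):
                sl = struct.unpack(">H", body[sub + 2:sub + 4])[0]
                if body[sub] == 0x30:  # Abstract Syntax sub-item
                    abstract.append(body[sub + 4:sub + 4 + sl].decode("ascii", "replace").rstrip("\x00"))
                sub += 4 + sl
        pos += 4 + item_len
    if app_ctx != DICOM_APPLICATION_CONTEXT:
        return None
    return Finding("cleartext-dicom", calling, called, abstract)


def classify(payload: bytes) -> Finding:
    """Classify the first client-to-server bytes of a TCP session."""
    # TLS handshake record: content type 0x16, major version 3, ClientHello (0x01)
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return Finding("tls")
    return parse_associate_rq(payload) or Finding("other")


def images_in_clear(finding: Finding) -> List[str]:
    """Names of image-storage SOP classes negotiated without encryption."""
    if finding.verdict != "cleartext-dicom":
        return []
    return [IMAGE_STORAGE_SOP_CLASSES[u] for u in finding.abstract_syntaxes
            if u in IMAGE_STORAGE_SOP_CLASSES]


def alert_text(finding: Finding, src_ip: str, dst_ip: str) -> str:
    """Render an alert in the 'what we saw / why it matters / what to do' shape."""
    return (f"{src_ip} ({finding.calling_ae}) is sending {', '.join(images_in_clear(finding))} "
            f"to {dst_ip} ({finding.called_ae}) without encryption. Risk: an on-path attacker "
            f"can read or alter the images. Recommendation: enable TLS on this association "
            f"and restrict the DICOM port to known peers.")


def build_associate_rq(calling: str, called: str, sop_classes: List[str]) -> bytes:
    """Constructed test input: a minimal A-ASSOCIATE-RQ with one presentation context per SOP class."""
    def item(t: int, body: bytes) -> bytes:
        return bytes([t, 0]) + struct.pack(">H", len(body)) + body
    items = item(0x10, DICOM_APPLICATION_CONTEXT.encode())
    for i, uid in enumerate(sop_classes):
        pc = bytes([1 + 2 * i, 0, 0, 0]) + item(0x30, uid.encode()) + item(0x40, b"1.2.840.10008.1.2")
        items += item(0x20, pc)
    items += item(0x50, item(0x51, struct.pack(">I", 16384)))   # User Info: max PDU length
    body = (struct.pack(">HH", 1, 0) + called.ljust(16).encode()
            + calling.ljust(16).encode() + bytes(32) + items)
    return bytes([0x01, 0]) + struct.pack(">I", len(body)) + body


# Constructed samples: a CT scanner opening a cleartext association (CT Image Storage
# plus Verification/C-ECHO) to the PACS, and the start of a TLS ClientHello from a peer
# that is configured correctly. AE titles are invented.
CT_SCANNER_RQ = build_associate_rq("CT_SCAN_01", "PACS_MAIN",
                                   ["1.2.840.10008.5.1.4.1.1.2", "1.2.840.10008.1.1"])
TLS_CLIENT_HELLO = bytes.fromhex("160301") + struct.pack(">H", 40) + b"\x01" + bytes(39)
```

Feed `classify()` the first payload of each new TCP session seen on a SPAN port or tap (DICOM commonly uses ports 104 and 11112, but the parser does not depend on the port, so a modality pushing to a nonstandard port is still caught). A `cleartext-dicom` verdict with a non-empty `images_in_clear()` is the condition that should raise the alert; `alert_text()` shows the shape. The TLS check only looks at the record header, which is enough to tell an encrypted association from a cleartext one but says nothing about certificate validation on either end.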
If the attack against the DICOM image is performed while the data is at rest, by malware resident on the system storing the DICOM image, the Armis platform can often detect the presence of the malware even though we don't install any agents on any host systems. We do this by monitoring the communication behavior of every host. Malware typically alters the communication patterns of the host it resides on, even if only to poll a remote command-and-control server for instructions at regular intervals.
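As an added example, not Armis code, here is one such behavioural check implemented over connection records from a passive sensor: a periodicity test that flags a host which opens connections to an external address at nearly constant intervals, the signature of a command-and-control sleep loop. The log format, timestamps and IP addresses are constructed for the example; 203.0.113.7 and 198.51.100.20 are documentation-range addresses standing in for external hosts, and the RFC 1918 ranges stand in for the hospital's own address space.

```python
"""Periodic-beacon detector over connection records (added example, not Armis code)."""
import ipaddress
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

# The hospital's own address space; RFC 1918 ranges used here as an assumption.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_line(line: str) -> Tuple[float, str, str, int, int]:
    """Constructed log format: '<epoch> <src_ip> <dst_ip> <dst_port> <bytes>'."""
    ts, src, dst, port, nbytes = line.split()
    return float(ts), src, dst, int(port), int(nbytes)


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_beacons(lines: List[str], min_connections: int = 6, max_jitter: float = 0.15) -> List[Dict]:
    """Flag host -> external destination pairs whose connection intervals are nearly constant.

    jitter = population standard deviation of the gaps / mean gap. Interactive or
    update traffic is bursty (jitter well above 1); a C2 loop that sleeps a fixed
    time with a few percent of randomisation sits close to 0.
    """
    flows: Dict[Tuple[str, str, int], List[float]] = defaultdict(list)
    for line in lines:
        ts, src, dst, port, _ = parse_line(line)
        flows[(src, dst, port)].append(ts)
    findings = []
    for (src, dst, port), stamps in flows.items():
        if len(stamps) < min_connections or not is_external(dst):
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        if jitter <= max_jitter:
            findings.append({"host": src, "destination": f"{dst}:{port}",
                             "period_s": round(mean), "jitter": round(jitter, 3),
                             "connections": len(stamps)})
    return findings


def _constructed_log() -> List[str]:
    """Sample records, constructed for this example."""
    base = 1_700_000_000.0
    lines = []
    # Compromised PACS host 10.20.30.5 beaconing every 300 s (give or take a few
    # seconds) to an external address.
    for i, off in enumerate([0, 4, -3, 7, -5, 2, 6, -2, 3, -4, 1, 5]):
        lines.append(f"{base + 300 * i + off:.0f} 10.20.30.5 203.0.113.7 443 512")
    # The same host fetching updates from another external address at irregular times.
    for off in [0, 35, 900, 912, 1700, 2400, 2415, 3300]:
        lines.append(f"{base + off:.0f} 10.20.30.5 198.51.100.20 443 20480")
    # The CT scanner pushing studies to the PACS every five minutes: periodic, but internal.
    for i in range(12):
        lines.append(f"{base + 300 * i:.0f} 10.20.31.8 10.20.30.5 104 4194304")
    return lines


SAMPLE_LOG = _constructed_log()
```

Running `find_beacons(SAMPLE_LOG)` returns a single finding for the 10.20.30.5 to 203.0.113.7:443 flow with a 300 second period, while the irregular update traffic and the scanner's equally regular but internal pushes are left alone. Tune `min_connections` and `max_jitter` against a baseline of the site's own traffic before alerting on it; a destination allow-list for known vendor and update endpoints cuts the remaining false positives.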
Helping healthcare delivery organizations detect these types of threats is just one of many ways that Armis is helping healthcare delivery organizations protect their patients’ safety, secure medical devices, and generally keep their businesses running smoothly and out of the headlines.