Homeland Security warns of vulnerabilities in medical imaging software

A key agency under the Department of Homeland Security is warning of potential vulnerabilities in medical imaging software that could expose providers to a cyberattack. 

The Cybersecurity & Infrastructure Security Agency, or CISA, issued the alert on Tuesday. It cautioned that potential exploitation of these vulnerabilities could allow attackers to write files, access unauthorized information, exhaust memory or crash affected client servers. 

The agency’s warning pertains to a DICOM (digital imaging and communications in medicine) toolkit called OFFIS DCMTK. Researcher Abhinav Agarwal identified the vulnerabilities and alerted CISA about the issue in May, GovInfoSecurity reported June 30. 

DICOM is the global standard used to exchange medical images, deployed in nearly every imaging device, the news outlet noted. 

"These are not ordinary web bugs. They affect DICOM software used in medical imaging workflows, where availability, patient metadata protection and downstream software supply chain visibility matter," Agarwal told the publication. 

"While the vendor has applied fixes in the master branch, there is no release version with the fixes. So, downstream libraries and operators have no way to release with the fix to upgrade to it. The only option is to either patch the changes themselves or wait for a release to be out," he said.

Agarwal noted that many healthcare organizations could be using the impacted OFFIS DCMTK software in their imaging workflows and not even realize it. Providers might not recognize the risk of such vulnerabilities in their PACS, vendor-neutral archive, DICOM router, or imaging workstation, he added.

In its notice, the Cybersecurity & Infrastructure Security Agency urged radiology providers to take “defensive measures” to help reduce the risk of these vulnerabilities being exploited. These actions could include minimizing network exposure for certain devices. 

“When remote access is required, use more secure methods, such as virtual private networks, recognizing VPNs may have vulnerabilities and should be updated to the most current version available,” CISA said June 30. “Also recognize VPN is only as secure as the connected devices. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.”


By Marty Stempniak, Radiology Business

Marty Stempniak has covered healthcare since 2012, with his byline appearing in the American Hospital Association's member magazine, Modern Healthcare and McKnight's. Prior to that, he wrote about village government and local business for his hometown newspaper in Oak Park, Illinois. He won a Peter Lisagor and Gold EXCEL awards in 2017 for his coverage of the opioid epidemic. 
