Malware Hidden in Medical Images-Who's at Risk?

April 22, 2019 | by Troy Gill | National Cybersecurity Awareness Month, HIPAA

 

Research published last week by Cylera Labs outlines how an attacker could easily embed a functional executable containing malware into an equally functional DICOM image file.

This Proof of Concept has been generating some buzz as it places security and HIPAA compliance at odds.

Digital Imaging and Communications in Medicine (DICOM) files are designed to display images from common medical imaging devices such as an ultrasound or an MRI. In addition to the patient’s image, these files may also include patient-specific data making them highly personal and, in some cases, lifesaving.

DICOM - THE GOOD, THE BAD AND THE UGLY

Cylera Labs' research demonstrates how the 128-byte preamble section of DICOM files can be manipulated to include a Portable Executable file that, while able to execute fully, does not alter the data integrity of the DICOM file. In other words, an infected DICOM file would look like an ordinary medical image when being viewed by the technician. This is possible since the  file format allocates the “128-byte preamble” with the intent that it can be intentionally altered to be compatible in other image viewers, not specific to DICOM. This is just another example of the unintended repercussions of trading security for convenience. 

The good news is that these files alone are not capable of a single-phase attack. However, they can be used as one stage of a multi-stage attack. This should not provide too much comfort as multi-stage attacks are not rare these days, especially when talking about an advanced and motivated attacker that’s fixated on wreaking havoc on a medical service provider.

What’s more, if an adversary were able to successfully implant malware into a trove of these otherwise very sensitive and very legitimate files, mitigation gets tricky at best. Internal security controls such as AV would need to tread lightly with how they handle an infection of this nature. They can’t simply delete patient data or risk disrupting critical workflows that might involve diagnosis or treatment.

Since this POC was published we have had a few customers reach out to us to ask what type of threat these may pose via email. The silver lining, if there is one, is that while it’s somewhat unlikely that we would see this type of threat used in an email-based attack, we have put multiple protections in AppRiver Email Security to detect and quarantine if one of these weaponized DICOM images were to be sent via email.