Abstract
Healthcare organizations have become a prime target for cyberattacks due to the high value of protected health information (PHI). While numerous studies highlight risks to electronic medical records and insurance systems, diagnostic imaging formats such as the Digital Imaging and Communications in Medicine (DICOM) standard represent an underexamined attack vector. This paper builds on industry research that demonstrates how attackers can exploit misconfigured Picture Archiving and Communication Systems (PACS) for data exfiltration and extends the analysis to show how the same vulnerabilities enable malicious manipulation of imaging files. The implications for patient safety, data integrity, and system security reinforce the necessity of specialized controls such as SecureDICOM that validate file conformity and detect embedded threats.
1. Introduction
The digitization of healthcare has expanded the attack surface for adversaries. PACS and DICOM systems, which underpin modern diagnostic imaging workflows, are often deployed with weak or nonexistent authentication controls. Threat research has shown that attackers can discover exposed PACS endpoints, enumerate Application Entity (AE) Titles, and exfiltrate imaging studies without authorization [1]. Such attacks are typically framed as confidentiality breaches, in which patient data is lost to external parties. Yet the same attack paths can support file injection, enabling manipulation or weaponization of imaging data.
This paper extends exfiltration-focused findings into manipulation scenarios and argues that diagnostic imaging files represent a unique class of cyber threat vectors.
2. Exfiltration as a Proven Entry Point
Gatewatcher Labs demonstrated in Healthcare’s Anatomy: Attacking DICOM that publicly exposed PACS servers can be enumerated by attackers using AE Title brute forcing. Once enumerated, adversaries may issue standard DICOM queries (C-FIND) and retrieve studies (C-MOVE, C-GET) directly from PACS without authentication. This confirms that diagnostic imaging systems are reachable through documented weaknesses, and that the confidentiality of imaging data can be compromised when PACS are misconfigured [1].
3. Extending the Attack Surface: From Exfiltration to Manipulation
While Gatewatcher’s research emphasizes exfiltration, the same weaknesses can plausibly support injection. DICOM supports both retrieval and storage. If a PACS accepts unauthenticated queries and retrievals, it may also accept unauthenticated storage (C-STORE) requests. We present this as a risk-based inference grounded in the protocol’s bidirectionality and observations of open DICOM services on internet-exposed PACS [1]. Gatewatcher’s lab demonstration notes that, once identifiers are enumerated, an attacker can “retrieve (C-Get) and store (C-Store) the images” [1].
3.1 Weaponization of DICOM Files
Malicious payloads may take several forms (Table 1):
- Malformed or specially crafted DICOM objects that trigger memory corruption or code execution in widely used viewers and toolkits. Recent advisories document an out-of-bounds write leading to code execution when a user opens a malicious .dcm in MicroDicom [4], an out-of-bounds write in OFFIS DCMTK 3.6.8 [5], earlier DCMTK issues that could allow remote code execution [6], and parsing bugs in the Merative Merge DICOM Toolkit [2]. Together these show that a manipulated DICOM file can compromise endpoints through commonly deployed components.
- Crafted study content that triggers script execution in web viewers, for example a Cross-Site Scripting vulnerability in the Orthanc Osimis DICOM Web Viewer that can execute attacker-controlled script when a DICOM-carried payload is viewed [3].
- Altered pixel data that falsifies or obscures medical findings, demonstrated by CT-GAN where deep learning adds or removes cancer evidence in volumetric scans and deceives radiologists [7].
- Executable code embedded in a DICOM preamble, shown by the MalDicom framework, leading to system compromise upon viewing [8].
| Weaponization form | What it looks like | Why it matters | Supporting citations |
| --- | --- | --- | --- |
| Malformed objects | Specially crafted DICOM triggers memory corruption or code execution in viewers or toolkits | Opening a malicious .dcm can compromise a workstation | [2], [4], [5], [6] |
| Script execution | Crafted study content exploits XSS in a web viewer | Attacker script runs when the DICOM is viewed in a browser viewer | [3] |
| Altered pixel data | Deep-learning tampering adds or removes findings | Can falsify diagnosis and deceive experts | [7] |
| Embedded code | Executable payload in DICOM preamble | Viewing the file can execute attacker code | [8] |

Table 1: Representative DICOM file weaponization patterns
3.2 Injection and Persistence
Using an open C-STORE service, an attacker can upload a manipulated DICOM object into PACS. To increase the chance that it will be retrieved for viewing or forwarded for sharing, the injected object can be bound to an existing study and series by preserving the original Study Instance UID and Series Instance UID, and keeping consistent identifiers such as Accession Number. Two practical variants exist:
- Append: submit a new SOP Instance that joins the target series, which typical study or series queries will return by default.
- Replace or shadow: reuse the existing SOP Instance UID so that, depending on PACS behavior, the object may overwrite the prior instance or coexist as a duplicate. In either case, the manipulated content can be displayed automatically by a viewer’s layout rules (known as hanging protocols) or included in exports.
In common workflows, study and series level queries and moves return all SOP Instances that share those UIDs, and routing rules often forward complete studies or complete series to downstream systems. As a result, manipulated instances linked to an existing study are more likely to be pulled during normal clinical retrieval and to propagate through sharing workflows [9][10][11][12][13].
3.3 Partner Feeds and Supply Chain Risk
Even when an organization has fully secured its own PACS servers, it remains susceptible to compromised DICOM files received through external feeds. Healthcare delivery increasingly depends on image sharing across hospitals, imaging centers, and teleradiology providers. If a partner institution has an exposed or misconfigured PACS, adversaries can exploit that weaker environment to inject malicious or manipulated DICOM files that later traverse trusted channels. Independent guidance emphasizes that PACS operates in a complex, interconnected environment and that layered, PACS-specific controls are needed to protect confidentiality, integrity, and availability [12][13].
4. Kill-Chain Scenario
- Reconnaissance: Attacker scans for exposed PACS or DICOM endpoints.
- Access: AE Titles are brute forced and the server responds to unauthenticated connections.
- Weaponization: Malicious DICOM crafted with embedded payload or altered content.
- Delivery: C-STORE command used to inject the file into PACS.
- Execution: A radiologist opens the study; the payload executes or the manipulated content is interpreted as authentic.
- Impact: Confidentiality, integrity, and availability are all at risk, including potential delays in care.
- Post-exploitation: Adversaries can use stolen credentials and common administrative channels to move laterally from the imaging workstation into adjacent clinical and IT domains, increasing the scope of impact [12][14].
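As an added illustration of where a defender can observe the Reconnaissance, Access and Delivery steps above (this is not code from the paper or from any vendor), the following detection logic runs over constructed PACS association log lines: it flags a source that has many distinct calling AE Titles rejected, the signature of AE Title brute forcing, and any C-STORE from a source and AE Title pair that is not on an assumed allowlist. The log format, the addresses and the allowlist are assumptions, not any real product's format or configuration.

```python
import re
from collections import defaultdict

# Constructed association log in a simple vendor-neutral shape (not any real PACS format):
# "<time> <source ip> <calling AE> -> <called AE> <event>", where event is ASSOC-REJ,
# ASSOC-ACC, or the DIMSE service that was used on an accepted association.
SAMPLE_LOG = """\
2025-01-10T09:00:01 10.0.5.20 CT_SCANNER_1 -> PACS_MAIN ASSOC-ACC
2025-01-10T09:00:02 10.0.5.20 CT_SCANNER_1 -> PACS_MAIN C-STORE
2025-01-10T09:01:00 203.0.113.7 AE001 -> PACS_MAIN ASSOC-REJ
2025-01-10T09:01:01 203.0.113.7 AE002 -> PACS_MAIN ASSOC-REJ
2025-01-10T09:01:02 203.0.113.7 AE003 -> PACS_MAIN ASSOC-REJ
2025-01-10T09:01:03 203.0.113.7 AE004 -> PACS_MAIN ASSOC-REJ
2025-01-10T09:01:04 203.0.113.7 AE005 -> PACS_MAIN ASSOC-REJ
2025-01-10T09:01:30 203.0.113.7 ARCHIVE -> PACS_MAIN ASSOC-ACC
2025-01-10T09:01:31 203.0.113.7 ARCHIVE -> PACS_MAIN C-STORE
"""
LINE = re.compile(r"^(\S+) (\S+) (\S+) -> (\S+) (\S+)$")
# Assumed allowlist of (source ip, calling AE Title) pairs that are permitted to send C-STORE.
STORE_ALLOWLIST = {("10.0.5.20", "CT_SCANNER_1")}

def detect(log_text, store_allowlist=STORE_ALLOWLIST, reject_threshold=5):
    """Return alerts: AE Title enumeration (many distinct calling AEs rejected from one source)
    and C-STORE from a (source, AE Title) pair that is not allowlisted."""
    rejected_aes = defaultdict(set)
    alerts = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue   # ignore lines that do not fit the constructed format
        when, src, calling, called, event = m.groups()
        if event == "ASSOC-REJ":
            rejected_aes[src].add(calling)
        elif event == "C-STORE" and (src, calling) not in store_allowlist:
            alerts.append(f"{when} unexpected C-STORE from {src} as {calling} to {called}")
    for src, aes in rejected_aes.items():
        if len(aes) >= reject_threshold:
            alerts.append(f"AE Title enumeration from {src}: {len(aes)} distinct calling AEs rejected")
    return alerts
```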
5. Implications for Healthcare Security
The combination of exfiltration, manipulation, and supply chain propagation transforms diagnostic imaging from a passive data risk into an active patient safety concern. Altered studies can mislead clinicians, delay treatment, or cause harm. Embedded malware can propagate through radiology workstations into wider hospital networks. These risks are compounded by legacy PACS deployments and the continued use of viewers with disclosed and sometimes unpatched vulnerabilities [2][3]. Neutral guidance urges multi-layered, PACS-specific controls within the broader healthcare IT environment [12][13].
5.1 Enterprise propagation and lateral movement
A compromised radiology workstation can provide a foothold for adversaries to move laterally across the hospital network. Diagnostic workstations are often domain-joined and have access to PACS storage, RIS or EHR integrations, and other clinical systems. Once malware executes on a workstation, attackers can use standard enterprise techniques to pivot, escalate privileges, and disrupt operations beyond imaging. Independent guidance recognizes PACS as part of an interconnected environment and recommends segmentation, least privilege, and layered security around PACS endpoints to limit spread [12]. Large healthcare incidents have shown how endpoint infections can rapidly propagate and degrade clinical operations at scale [14][15].
Recent disclosures show that DICOM viewers and core toolkits have had vulnerabilities where opening a specially crafted DICOM file can lead to code execution, turning manipulated studies into a direct compromise path on imaging endpoints. Examples include MicroDicom [4], OFFIS DCMTK [5][6], flaws in the Merative Merge DICOM Toolkit [2], and a RadiAnt DICOM Viewer update mechanism flaw that allowed machine-in-the-middle delivery of malicious updates [16].
In addition to these software supply-chain exposures, real-world campaigns have distributed backdoors and miners via binaries impersonating DICOM viewer software, underscoring that adversaries view imaging endpoints as a viable entry point into healthcare environments [17].
6. The Case for SecureDICOM
SecureDICOM is a specialized software solution developed by WetStone Labs to protect diagnostic imaging workflows from file-based threats. It is designed to address the limitations of traditional antivirus tools, which are not capable of reliably analyzing the complex structure of DICOM files.
SecureDICOM performs deep file inspection of DICOM objects, validating conformity to the standard, detecting malformed metadata, and identifying hidden or malicious payloads. This includes the detection of polyglot files, embedded malware, and steganographic content that may be concealed in image data or encapsulated documents. By operating at ingestion points, such as PACS upload or cross-enterprise data exchange, SecureDICOM helps ensure that manipulated files are intercepted before they can propagate into trusted environments [18][19].
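An added example, not the paper's or WetStone's code, of the kind of ingestion-time check that Sections 3.2 and 6 describe: it verifies the Part 10 preamble and DICM magic, flags executable or PDF headers hidden in the 128-byte preamble (polyglots), parses the File Meta Information group (which is always Explicit VR Little Endian) and rejects structural overruns, validates the SOP Instance UID syntax, and reports a UID the receiving archive already holds, which is the replace-or-shadow case of Section 3.2. The sample file, the 2.999 example-arc UIDs and the stored-UID set are constructed; validating Study and Series Instance UIDs inside the dataset would need a transfer-syntax-aware parser and is left out here.

```python
import struct
LONG_LENGTH_VRS = {b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN"}   # VRs carrying a 4-byte length field
# Executable or document headers that a polyglot may place in the 128-byte preamble.
PREAMBLE_SIGNATURES = {b"MZ": "PE executable", b"\x7fELF": "ELF executable", b"%PDF": "PDF"}
def element(group, elem, vr, value):   # encode one Explicit VR LE element, value padded to even length
    value += b"\x00" * (len(value) % 2)
    if vr in LONG_LENGTH_VRS:   # tag, VR, 2 reserved bytes, 4-byte length
        return struct.pack("<HH2sxxI", group, elem, vr, len(value)) + value
    return struct.pack("<HH2sH", group, elem, vr, len(value)) + value

def parse(buf):
    """Decode Explicit VR LE elements into {(group, elem): raw value}; raise on overrun."""
    out, pos = {}, 0
    while pos < len(buf):
        group, elem, vr = struct.unpack_from("<HH2s", buf, pos)
        if vr in LONG_LENGTH_VRS:
            (length,), pos = struct.unpack_from("<I", buf, pos + 8), pos + 12
        else:
            (length,), pos = struct.unpack_from("<H", buf, pos + 6), pos + 8
        if length == 0xFFFFFFFF or pos + length > len(buf):
            raise ValueError(f"({group:04X},{elem:04X}) length {length} overruns the data")
        out[(group, elem)], pos = buf[pos:pos + length], pos + length
    return out

def inspect_dicom(blob, stored_sop_uids):
    """Return findings for one Part 10 file; an empty list means it passed every check."""
    findings = []
    if blob[128:132] != b"DICM":
        return ["no DICM magic at offset 128: not a Part 10 file"]
    for sig, kind in PREAMBLE_SIGNATURES.items():
        if blob[:128].startswith(sig):
            findings.append(f"preamble starts with a {kind} header (polyglot)")
    try:   # (0002,0000) group length, a UL whose value sits at offset 140, bounds the meta header
        (glen,) = struct.unpack_from("<I", blob, 140)
        meta = parse(blob[132:144 + glen])
    except (ValueError, struct.error) as err:
        return findings + [f"malformed file meta header: {err}"]
    if any(group != 0x0002 for group, _ in meta) or (0x0002, 0x0010) not in meta:
        findings.append("file meta group length or Transfer Syntax UID is inconsistent")
    sop = meta.get((0x0002, 0x0003), b"").rstrip(b"\x00").decode("ascii", "replace")
    if not sop or len(sop) > 64 or not all(c in "0123456789." for c in sop):
        findings.append(f"Media Storage SOP Instance UID {sop!r} is not a valid UID")
    elif sop in stored_sop_uids:   # same UID as an archived object: the replace/shadow variant
        findings.append(f"SOP Instance UID {sop} already stored: would replace or shadow an object")
    return findings
def sample(preamble, sop_uid=b"2.999.1.1", transfer_syntax=b"1.2.840.10008.1.2.1"):
    """Build a constructed Part 10 file; 2.999 is the example OID arc, not a real study."""
    body = element(0x0002, 0x0003, b"UI", sop_uid) + element(0x0002, 0x0010, b"UI", transfer_syntax)
    meta = element(0x0002, 0x0000, b"UL", struct.pack("<I", len(body))) + body
    return preamble.ljust(128, b"\x00") + b"DICM" + meta + element(0x7FE0, 0x0010, b"OB", bytes(8))
```

A real deployment would hold the stored-UID set in the archive's database and run the check on every C-STORE and every imported study before the object is committed.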
Independent guidance supports the need for PACS-specific, layered defenses in interconnected environments. Industry and academic sources recommend controls at receiving or importing stages for imaging data, rather than relying on general IT measures alone [12][13]. In addition, official advisories show that viewer update mechanisms themselves can be abused to deliver malicious packages if not validated, reinforcing the need for PACS-aware, file-level inspection at ingestion and careful validation of software provenance [16].
The solution is positioned to protect PACS servers and related imaging infrastructure, which have been documented as vulnerable to exposure and misconfiguration. It also reduces supply chain risk by inspecting studies received from external partners. If a partner institution has an exposed or compromised PACS, SecureDICOM can prevent malicious or manipulated files from being trusted inside the receiving organization’s workflow. By complementing perimeter security with file-level defenses, SecureDICOM provides protection that generic IT security controls do not supply [18][19].
7. Conclusion
Evidence from industry threat intelligence confirms that diagnostic imaging systems can be exploited for exfiltration. The same vulnerabilities can also allow manipulation and weaponization of imaging files, extending the impact from confidentiality breaches to integrity and safety threats [1][2][3][4][5][6][7][8]. Moreover, even well-secured institutions remain at risk when they import imaging data from partners with exposed infrastructure.
This dual challenge highlights the need for specialized file-level safeguards. SecureDICOM has been developed to protect PACS environments directly and to mitigate supply chain risks by validating DICOM studies received from external partners [18][19]. By ensuring that only standards-compliant and threat-free files enter clinical workflows, SecureDICOM supports data integrity, operational resilience, and patient safety in ways that generic cybersecurity tools cannot match.
References
[1] Gatewatcher Labs. Healthcare’s Anatomy: Attacking DICOM. 2024. Available at: https://www.gatewatcher.com/en/lab/healthcares-anatomy-attacking-dicom/
[2] Nozomi Networks. Exploiting Healthcare Supply Chain Security: Merge DICOM Toolkit. 2024. Available at: https://www.nozominetworks.com/blog/exploiting-healthcare-supply-chain-security-merge-dicom-toolkit
[3] CISA. ICSMA-24-023-01: Orthanc Osimis DICOM Web Viewer, Cross-Site Scripting. 2024. Available at: https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-023-01
[4] CISA. ICSMA-25-121-01: MicroDicom DICOM Viewer. 2025. Available at: https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-121-01
[5] NVD. CVE-2024-52333: OFFIS DCMTK 3.6.8 out-of-bounds write via crafted DICOM file. 2025. Available at: https://nvd.nist.gov/vuln/detail/CVE-2024-52333
[6] CISA. ICSMA-22-174-01: OFFIS DCMTK (Update). 2022. Available at: https://www.cisa.gov/news-events/ics-medical-advisories/icsma-22-174-01
[7] Mirsky Y, Mahler T, Shelef I, Elovici Y. CT-GAN: Malicious Tampering of 3D Medical Imagery Using Deep Learning. USENIX Security Symposium, 2019. Available at: https://www.usenix.org/system/files/sec19-mirsky_0.pdf
[8] Mishra A, Bagade P. MalDicom: Memory Forensics Framework for Detecting Malicious Payloads in DICOM Files. arXiv, 2023. Available at: https://arxiv.org/abs/2312.00483
[9] DICOM Standard PS3.4, Query/Retrieve Service. Available at: https://dicom.nema.org/medical/dicom/current/output/chtml/part04/sect_C.4.html
[10] DICOM Standard PS3.3, Series Instance UID (0020,000E). Available at: https://dicom.innolitics.com/ciods/grayscale-softcopy-presentation-state/presentation-state-relationship/00081115/0020000e
[11] DICOM Standard PS3.17, Annex V, Hanging Protocols. Available at: https://dicom.nema.org/medical/dicom/current/output/chtml/part17/ps3.17.html
[12] NIST NCCoE. NIST SP 1800-24: Securing Picture Archiving and Communication System (PACS). Final, Dec 2020. Available at: https://csrc.nist.gov/pubs/sp/1800/24/final
[13] Eichelberg M, Kleber K, Kämmerer M. Cybersecurity in PACS and Medical Imaging: an Overview. Insights into Imaging, 2020. Available at: https://pmc.ncbi.nlm.nih.gov/articles/PMC7728878/
[14] National Audit Office. Investigation: WannaCry Cyber Attack and the NHS. 2018. Available at: https://www.nao.org.uk/wp-content/uploads/2017/10/Investigation-WannaCry-cyber-attack-and-the-NHS.pdf
[15] Ghafur S, Grass E, et al. A retrospective impact analysis of the WannaCry cyberattack on the NHS. NPJ Digital Medicine, 2019. Available at: https://pmc.ncbi.nlm.nih.gov/articles/PMC6775064/
[16] CISA. ICSMA-25-051-01: Medixant RadiAnt DICOM Viewer. 2025. Available at: https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-051-01
[17] Forescout Research. Healthcare Malware Hunt Part 1: Silver Fox APT Targets Philips DICOM Viewers. 2025. Available at: https://www.forescout.com/blog/healthcare-malware-hunt-part-1-silver-fox-apt-targets-philips-dicom-viewers/
[18] WetStone Labs. SecureDICOM: Protecting Diagnostic Imaging Files from Malicious Manipulation. 2025. Available at: https://www.wetstonelabs.com/securing-a-pacs-network-vulnerabilities-and-challenges/
[19] WetStone Labs. SecureDICOM: Deep File Inspection of DICOM Files. 2024. Available at: https://www.wetstonelabs.com/securedicom-deep-file-inspection-of-dicom-files/