Are DICOM Viewers Creating Security Risks in Hospitals?

Medical imaging technology relies on the DICOM standard to store, view, and share scans like X-rays, MRIs, and CTs.

DICOM viewers online allow doctors convenient access to these images through web browsers.

However, the WADO to STOW transition process in these viewers may unintentionally reduce security.

We'll break down how hackers could leverage these DICOM transitions to infiltrate hospital systems.


DICOM viewers online


Understanding WADO and STOW

First, let’s define the DICOM protocols involved:

      WADO: Web Access to DICOM Objects retrieves DICOM images, data, etc., from PACS through HTTP requests.

      STOW: DICOM Storage commits directly to PACS storage.

WADO allows web access without exposure to the backend. STOW enables writing data straight into storage.

The Problem

Most DICOM viewers utilize both protocols. Images are fetched with WADO and then converted into STOW for display and manipulation. This transition opens a doorway that hackers could exploit.

Attack Vectors Introduced

The WADO to STOW workflow likely introduces security holes in these key areas:

SQL Injection

Converting the pixel data may allow SQL injection attacks on the PACS database by including malicious SQL statements.

This could let attackers:

      Steal patient health information

      Corrupt/delete images and records

      Install malware for further access

Cross-Site Scripting (XSS)

Attackers may also leverage XSS vulnerabilities opened up by direct STOW access. This allows them to run malicious scripts and code snippets in the viewer.

Effects of an XSS attack include:

      Hijacking user sessions

      Installing trojans

      Crashing applications

DDOS

The additional server load required for STOW transactions could facilitate DDOS attacks aimed at overloading systems and forcing downtime.

Data Theft/Manipulation

Finally, unchecked write access enables the theft or manipulation of patient images and information. The impacts range from falsified records to stolen identities.

Minimizing the Risks

While closing these holes entirely within viewers may not be possible, developers can implement controls to reduce the risks, including:

      Input validation - Filter all inputs into the viewer

      Output encoding - Encode data sent to browsers

      Access restrictions - Limit viewer permissions

      Encryption - Encrypt network traffic end-to-end

      Monitoring - Detect unauthorized changes

Following security best practices tailored for DICOM and medical environments also minimizes exposure.

 

DICOM viewers online

The Bottom Line

DICOM web viewers provide indispensable, easy access to medical imaging. However, the workflow allowing this convenience likely introduces security holes in hospital networks.

Developers must prioritize securing these applications to protect patient health information and prevent disruptions of critical systems. Information security teams should also add DICOM viewers to their audit plans.

With some precautions, hospitals can continue benefiting from the availability of web-based DICOM viewers without sacrificing data protection and integrity.
Location: Boven de Wolfskuil 3a, 24, 6049 LX Merum, Netherlands

Comments

Post a Comment

Popular posts from this blog

Unlock Your Full Potential with These 5 Outlook Pro Tips

Image
Ready to level up your Outlook game and wield your inbox like a pro? With the right customizations and tools, Outlook can become an invaluable productivity booster. As a Microsoft consulting services expert, I've compiled my 5 favorite advanced strategies to transform you into an Outlook ninja overnight. Let's dive in. Optimize Your Interface Layout Outlook's default layout isn't for everyone. Customizing your interface to suit your workflow can make a huge difference in efficiency. Experiment with tweaking: ●       Folder pane width ●       Navigation pane location ●       Reading pane position and size ●       Number of lines in the message list ●       Columns displayed ●       Text size and zoom level Finding your ideal interface setup tailors Outlook to your preferences, saving visual scanning time and clicks. For example, by adjusting my layout, I shaved 3 minutes off reading 70 emails – that saves me 7+ hours a month! Pro tip: Create mul
Read more

How to Use Cloud Storage to Organize Your Image Library?

Image
Cloud storage is a great way to organize and manage your image library. With a cloud storage account, you can store all your images in one central location that you can access from anywhere with an internet connection. In this article, we'll walk you through how to set up a cloud storage account, organize your cloud storage images , and even sync your local image library with the cloud for easy access. 1. Setting Up a Cloud Storage Account The first step is to choose a cloud storage provider. There are many options out there, including popular ones like Google Drive, Dropbox, and OneDrive. Each provider has its own features and pricing, so it's worth taking some time to research and compare the options to find the one that best fits your needs. Once you've chosen a provider, you'll need to create an account and upload your images. Most cloud storage providers offer a desktop app that makes it easy to drag an
Read more

Move Your Lists to Business Central in 5 Easy Steps

Image
Migrating your key master data from your current QuickBooks company to Business Central ensures continuity for your finance and supply chain operations. By moving lists like customers, vendors, and inventory items, you retain all your existing contacts, pricing, item details, and history. This article walks through the key steps to migrate these essential lists: Why Migrate Lists from QuickBooks? ●       Retain customer, vendor, and item details and history from QuickBooks ●       Prevent business disruptions from lost data ●       Save time by re-adding records manually ●       Avoid errors re-keying data into Business Central When Should You Migrate Lists? Migrate master data early in your Business Central project during the preparation phase before going live. ●       Migrate lists before setting up other processes in Business Central ●       Before entering new transactions like sales orders or purchase invoices ●       During a quiet business
Read more