A 'Radiography' of the [In]Security of PACS & DICOM Systems

At this point, no one is surprised when you visit a doctor and complete your medical history on a computer or a mobile device, but perhaps not so many of us wonder where and how that information is stored, or what the impact would be if other people obtained it. In this talk I try to analyze and answer these questions based on the vulnerabilities found in different medical applications I evaluated, both web and mobile, such as PACS systems, DICOM viewers and ERM / HRM / RIS systems, which commonly connect with each other over the DICOM and HL7 protocols. During the time I have spent investigating this type of system I have found code-level flaws, mainly injection, server implementation errors, credentials "hardcoded" in applications and information disclosure; each of these would put at risk the sensitive data of patients and doctors, as well as an entire health infrastructure. The talk will show the level of exposure of these systems based on the analysis I have carried out and the flaws I found and reported, and includes a demonstration against one of these systems. Hospitals, clinics, patients, doctors and monitoring systems / devices could all be affected by these vulnerabilities.

Presented by