Overview

A Trend Micro analysis identified thousands of internet-facing DICOM servers operated by hundreds of healthcare organizations that lack even elementary security protections. DICOM — Digital Imaging and Communications in Medicine — is the standard protocol for storing and transmitting medical images such as X-rays, MRIs, and CT scans. Because these servers frequently contain both imaging data and embedded patient demographics, their exposure creates a direct path to protected health information (PHI).

The findings show a pattern of misconfiguration rather than a novel attack technique. Servers were reachable from the open internet without requiring authentication, meaning anyone with a network scanning tool could retrieve patient records without needing to compromise credentials or exploit a software vulnerability.

The scale of the exposure — hundreds of entities, not isolated outliers — points to a systemic failure to apply access controls that have been standard practice in other sectors for years. Healthcare organizations operating DICOM infrastructure have repeatedly been identified in similar research, suggesting that remediation has not kept pace with the documented risk.

Key developments

Broad organizational reach. The Trend Micro analysis found exposed servers belonging to hundreds of distinct healthcare entities, ranging across provider types. The breadth makes this a sector-wide configuration problem rather than an incident at a single facility.

No exploitation required. Because the servers lacked authentication, retrieval of patient imaging records and associated metadata required no credential theft, phishing, or malware deployment. The data was functionally public to anyone who scanned for it, lowering the barrier for opportunistic actors considerably.

PHI embedded in imaging files. DICOM files routinely carry patient names, dates of birth, study dates, ordering physician information, and facility identifiers as structured metadata. Exposure of imaging servers therefore constitutes potential PHI exposure under HIPAA, not merely a technical misconfiguration with no patient-facing consequence.
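The metadata point above made concrete, as an added example that is not part of the original article or of Trend Micro's work: it builds a small Explicit VR Little Endian DICOM dataset in memory from constructed, non-real values and reports which of the demographic tags named above are present, the kind of check a practice would run over its own archive before deciding what must be protected or de-identified. Tag numbers and value-representation (VR) encoding rules follow the DICOM standard; the set of tags flagged as PHI is this example's own selection and is not exhaustive.

```python
# Added audit example (not from the article): encodes a tiny Explicit VR Little
# Endian dataset with constructed, non-real values, then flags PHI-bearing tags.
import struct

# VRs that use the 4-byte length form (2 reserved bytes + uint32) in Explicit VR LE.
LONG_VRS = {"OB", "OD", "OF", "OL", "OV", "OW", "SQ", "SV", "UC", "UN", "UR", "UT", "UV"}
# (group, element) -> name for identifiers to flag; selection is this example's own.
PHI_TAGS = {
    (0x0008, 0x0020): "StudyDate", (0x0008, 0x0080): "InstitutionName",
    (0x0008, 0x0090): "ReferringPhysicianName", (0x0010, 0x0010): "PatientName",
    (0x0010, 0x0020): "PatientID", (0x0010, 0x0030): "PatientBirthDate",
}

def encode_element(group, element, vr, value):
    """Encode one data element; odd-length values are padded to even length."""
    if isinstance(value, str):
        value = value.encode("ascii")
    if len(value) % 2:  # text VRs pad with space, binary VRs and UI pad with NUL
        value += b"\x00" if vr in LONG_VRS or vr == "UI" else b" "
    head = struct.pack("<HH2s", group, element, vr.encode("ascii"))
    if vr in LONG_VRS:
        return head + b"\x00\x00" + struct.pack("<I", len(value)) + value
    return head + struct.pack("<H", len(value)) + value

def parse_dataset(data):
    """Walk the byte string and return {(group, element): (vr, raw value bytes)}."""
    elements, pos = {}, 0
    while pos + 8 <= len(data):
        group, element, vr = struct.unpack_from("<HH2s", data, pos)
        vr = vr.decode("ascii")
        if vr in LONG_VRS:
            length, pos = struct.unpack_from("<I", data, pos + 8)[0], pos + 12
        else:
            length, pos = struct.unpack_from("<H", data, pos + 6)[0], pos + 8
        elements[(group, element)] = (vr, data[pos:pos + length])
        pos += length
    return elements

def phi_report(data):
    """Return [(tag name, value)] for each PHI tag present; an empty list means clean."""
    return [(PHI_TAGS[tag], raw.decode("ascii").rstrip(" \x00"))
            for tag, (_vr, raw) in parse_dataset(data).items() if tag in PHI_TAGS]

# Constructed sample: one CT slice carrying demographics plus a few pixel bytes.
SAMPLE = b"".join(encode_element(*e) for e in [
    (0x0008, 0x0020, "DA", "20240115"), (0x0008, 0x0060, "CS", "CT"),
    (0x0008, 0x0080, "LO", "Example Clinic"), (0x0008, 0x0090, "PN", "Doe^Jane"),
    (0x0010, 0x0010, "PN", "Sample^Patient"), (0x0010, 0x0020, "LO", "MRN0001234"),
    (0x0010, 0x0030, "DA", "19800101"), (0x7FE0, 0x0010, "OW", bytes(16)),
])
```

Running `phi_report(SAMPLE)` lists six identifiers from an eight-element dataset; the same function applied to a de-identified export should return an empty list.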

A slow-learning-curve problem. Exposed DICOM servers have appeared in security research repeatedly over the past several years. The persistence of the problem after multiple rounds of public disclosure suggests that awareness alone has not driven remediation, and that many organizations either lack visibility into their own internet-facing infrastructure or have not prioritized imaging systems in their security reviews.

Industry impact

Healthcare data breaches involving network-exposed servers and misconfigurations have grown more costly alongside their frequency. IBM's Cost of a Data Breach Report has consistently placed healthcare at the top of industry breach-cost rankings, with the average healthcare breach cost exceeding $10 million in recent reporting cycles — more than double the cross-industry average. Imaging data exposure contributes to that calculus because DICOM files often contain enough information to satisfy HIPAA's definition of PHI without requiring any additional data source.

OCR's (the HHS Office for Civil Rights) breach investigation history includes multiple cases involving unsecured network-accessible servers, and the agency's right-of-access and Security Rule guidance makes clear that covered entities bear responsibility for the technical safeguards applied to all systems storing or transmitting PHI, including imaging archives. Business associates operating DICOM infrastructure on behalf of providers share that responsibility under executed BAAs.

The recurring nature of exposed DICOM servers also reflects a gap in how some organizations scope their HIPAA security risk analyses. When imaging systems are managed by radiology departments or third-party PACS vendors separately from the IT security function, they may not appear in enterprise-level risk assessments — leaving known vulnerability categories unreviewed.

What this means for independent practices

Independent practices operating their own imaging equipment — even a single digital X-ray system with DICOM output — carry the same Security Rule obligations as large hospital systems. The fact that imaging infrastructure is often installed and configured by equipment vendors or radiology service companies does not relieve the covered entity of oversight responsibility. Practices should document who manages each imaging system, what network access that system has, and when security controls were last reviewed. That documentation becomes evidence of due diligence if OCR ever opens an inquiry.

What would have prevented this

Network authentication requirements. DICOM servers should require authenticated sessions before returning any data. Because a basic DICOM association carries no credentials (an Application Entity title is an identifier, not a secret), this in practice means the standard's secure transport profiles (TLS with client certificates), an authenticating gateway or VPN in front of the archive, or both. Enforcing authentication at the application layer and at the network perimeter ensures that unauthenticated scans cannot retrieve patient records.

Firewall rules and network segmentation. Imaging systems that serve only internal clinical users should not be reachable from the public internet at all. Firewall rules restricting inbound DICOM traffic to known internal IP ranges eliminate a large class of exposure before authentication is even tested.

External attack surface monitoring. Periodic scanning of an organization's own external IP ranges — using the same tools available to researchers and threat actors — identifies exposed services before they appear in a published vulnerability report. This discipline should be part of routine security operations, not a one-time audit.

Inclusion of imaging systems in formal risk analysis. A HIPAA-required risk analysis that explicitly inventories DICOM servers, PACS systems, and associated workstations creates accountability for known gaps and drives remediation timelines. Systems not named in a risk analysis tend not to receive security attention.

Role-based access controls (RBAC) on imaging archives. Even within authenticated environments, access to patient imaging data should be restricted to users with a clinical need. RBAC prevents broad internal exposure and limits the impact if a single set of credentials is later compromised.

Read the original at DataBreaches.net