The Hidden Cyber Risks in Your Imaging Suite
Imaging systems are essential to modern medicine, but they’re also among the most overlooked cybersecurity weak points in a medical practice.
PACS servers, CT consoles, MRI workstations, and portable ultrasound devices often run on outdated operating systems, lack encryption, and may still use default credentials. Many are not patched regularly because of regulatory complexity, compatibility concerns, or vendor lock-in.
In 2023, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued multiple alerts about vulnerabilities in radiology systems, including DICOM viewers and imaging archives [1]. Yet many healthcare organizations assume these devices are protected by general IT security measures. They’re not.
In fact, a study published in JAMA Network Open found that nearly one in four imaging devices in U.S. hospitals remained unpatched for known vulnerabilities longer than 90 days [2].
Why does this matter? Because imaging systems aren’t isolated. They’re connected to your EMR, your network, and sometimes your cloud storage provider. A compromised ultrasound machine or radiology PACS can become a launch point for lateral movement, allowing ransomware or data exfiltration to spread rapidly.
Even more concerning: the DICOM standard, which underpins most medical imaging formats, was never designed with security in mind. Attackers have demonstrated ways to embed malware into DICOM files, where it can evade antivirus tools [3].
At Jourdain Risk Group, we model imaging suites not just as endpoints, but as interconnected ecosystems. Using Bayesian networks and copula analysis, we assess how a vulnerability in a workstation could cascade through your clinical environment. This helps us identify weak links before attackers do and offer mitigation strategies that are practical for radiology workflows.
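The cascade modelling described above can be sketched as a small Bayesian network; this is an added illustration, not Jourdain Risk Group's model, and it leaves out the copula analysis. The topology, the noisy-OR combination rule, the helper names (`query`, `segmented`) and every probability are assumptions chosen for the example.

```python
from itertools import product

# Constructed topology using the systems named in the article. Every
# probability below is an illustrative assumption, not a measured value.
NODES = ["ultrasound", "workstation", "pacs", "emr", "cloud"]
PRIOR = {"ultrasound": 0.05, "workstation": 0.03}  # P(initial compromise)
# EDGES[child][parent] = P(a compromised parent spreads to the child)
EDGES = {
    "pacs": {"ultrasound": 0.4, "workstation": 0.5},
    "emr": {"pacs": 0.6},
    "cloud": {"pacs": 0.3},
}
LEAK = 0.01  # P(non-entry node is compromised via a path not modelled)


def p_node(node, state, edges):
    """P(node takes state[node] | its parents), noisy-OR over incoming edges."""
    if node in PRIOR:
        p = PRIOR[node]
    else:
        stays_clean = 1 - LEAK
        for parent, spread in edges[node].items():
            if state[parent]:
                stays_clean *= 1 - spread
        p = 1 - stays_clean
    return p if state[node] else 1 - p


def query(target, evidence=None, edges=EDGES):
    """Exact P(target compromised | evidence) by enumerating all 2^n states."""
    evidence = evidence or {}
    num = den = 0.0
    for bits in product([False, True], repeat=len(NODES)):
        state = dict(zip(NODES, bits))
        if any(state[k] != v for k, v in evidence.items()):
            continue
        joint = 1.0
        for n in NODES:
            joint *= p_node(n, state, edges)
        den += joint
        num += joint if state[target] else 0.0
    return num / den


def segmented(edges, child, parent, new_spread):
    """Copy of edges with one link weakened, e.g. by network segmentation."""
    out = {c: dict(ps) for c, ps in edges.items()}
    out[child][parent] = new_spread
    return out
```

With these assumed numbers, `query("emr")` is about 0.036 and falls to about 0.014 when the PACS-to-EMR link is weakened with `segmented(EDGES, "emr", "pacs", 0.1)`. Conditioning the other way, `query("pacs", {"emr": True})` is about 0.74, which is how such a model ranks the PACS as the likely upstream weak link.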
If you haven’t included your imaging systems in your cybersecurity risk model, you’re flying blind.
Sources:
[1] CISA. Medical Device Advisory Notices, 2023
[2] Leung K et al. Assessment of Vulnerability Patching for Medical Imaging Devices in U.S. Hospitals, JAMA Netw Open, 2023
[3] CyberMDX. DICOM Malware Concealment Vulnerabilities, 2022