What is PACS / DICOM?
The systems that store, move, and display every X-ray, CT, MRI, and ultrasound in your practice — and one of the most commonly exposed targets in healthcare IT.
The Short Version
DICOM (Digital Imaging and Communications in Medicine) is the file format and network protocol for medical images. PACS (Picture Archiving and Communication System) is the server that stores and serves those images.
Security researchers have repeatedly found tens of thousands of PACS servers exposed to the public internet, many with patient images and metadata fully accessible without authentication. DICOM as a protocol was designed in an era when authentication wasn't a priority — and most PACS deployments still reflect that.
Who This Applies To
Any practice that produces, stores, or views medical imaging:
- Radiology and imaging centers
- Orthopedic, dental, and veterinary practices
- Hand surgery, podiatry, and surgical specialties
- Cardiology (echocardiograms, nuclear imaging)
- Ophthalmology (OCT, fundus imaging)
- Hospitals and outpatient surgery centers
- Mobile imaging services
If you have a modality — an X-ray, CT, MRI, ultrasound, C-arm — you have PACS and DICOM somewhere in your network. That imaging data is covered by HIPAA, and the image files themselves carry PHI in their metadata (patient name, DOB, sometimes SSN), not just in the picture.
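To show what "PHI in the image metadata" means in practice, here is an added example (not code from this page or any PACS vendor): a minimal parser for explicit-VR little-endian DICOM files that reports which identifying attributes are still present in the header, the kind of check worth running on an export before it leaves the imaging VLAN. The sample file is constructed inline; the parser assumes explicit VR little endian throughout and no nested sequences, and the tag list is a small constructed subset of the attributes named in DICOM PS3.15 Annex E.

```python
import struct

# Explicit VR little-endian (transfer syntax 1.2.840.10008.1.2.1); these VRs
# carry 2 reserved bytes and a 4-byte length, all others a 2-byte length.
LONG_LENGTH_VRS = {b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN"}

# Constructed subset of identifying attributes; the full list is in DICOM PS3.15 Annex E.
PHI_TAGS = {(0x0010, 0x0010): "PatientName", (0x0010, 0x0020): "PatientID",
            (0x0010, 0x0030): "PatientBirthDate", (0x0010, 0x1000): "OtherPatientIDs"}

def encode_element(group, element, vr, value):
    """Build one explicit-VR-LE element, padding odd-length values as real writers do."""
    value = value.encode("ascii") if isinstance(value, str) else value
    if len(value) % 2:
        value += b"\x00" if vr == b"UI" else b" "
    head = struct.pack("<HH", group, element) + vr
    if vr in LONG_LENGTH_VRS:
        return head + b"\x00\x00" + struct.pack("<I", len(value)) + value
    return head + struct.pack("<H", len(value)) + value

def build_sample_dicom():
    """Constructed Part 10 file: 128-byte preamble, 'DICM', meta group, then the dataset."""
    return (b"\x00" * 128 + b"DICM"
            + encode_element(0x0002, 0x0010, b"UI", "1.2.840.10008.1.2.1")
            + encode_element(0x0008, 0x0060, b"CS", "CR")
            + encode_element(0x0010, 0x0010, b"PN", "DOE^JANE")
            + encode_element(0x0010, 0x0020, b"LO", "MRN0001234")
            + encode_element(0x0010, 0x0030, b"DA", "19850214")
            + encode_element(0x7FE0, 0x0010, b"OB", b"\x00" * 16))  # placeholder pixel data

def iter_elements(data):
    """Yield (tag, vr, value) from an explicit-VR-LE Part 10 file (no nested sequences)."""
    if data[128:132] != b"DICM":
        raise ValueError("not a DICOM Part 10 file")
    pos = 132
    while pos < len(data):
        tag = struct.unpack_from("<HH", data, pos)
        vr = data[pos + 4:pos + 6]
        if vr in LONG_LENGTH_VRS:
            length, pos = struct.unpack_from("<I", data, pos + 8)[0], pos + 12
        else:
            length, pos = struct.unpack_from("<H", data, pos + 6)[0], pos + 8
        yield tag, vr, data[pos:pos + length]
        pos += length

def find_phi(data):
    """Return {attribute: value} for identifying tags still present; empty means de-identified."""
    return {PHI_TAGS[tag]: value.rstrip(b" \x00").decode("ascii")
            for tag, vr, value in iter_elements(data) if tag in PHI_TAGS}
```

Running `find_phi(build_sample_dicom())` on the constructed file reports the patient name, ID and birth date that a de-identification step would have to strip or replace.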
What Securing PACS Actually Requires
A properly secured medical imaging environment looks very different from what most vendors install by default:
- Network segmentation: Imaging modalities and PACS server on an isolated VLAN — not reachable from the general office network
- No public exposure: No PACS port (104, 4242, 11112, etc.) open to the internet under any circumstances
- DICOM proxy or VPN: Remote radiologists access through an authenticated gateway, never direct
- TLS encryption: DICOM-TLS for all imaging traffic where modalities support it
- Authentication: User accounts with per-user access, not a shared admin login
- Audit logs: Image views, exports, and prints recorded
- Patch management: PACS software and underlying OS kept current — this is where most practices get stuck, because modality vendors often block updates
- Backup: Imaging data backed up, encrypted, and tested
- BAA in place: Cloud PACS, teleradiology, and remote reading services all under a Business Associate Agreement
Where PACS Breaches Happen
PACS breaches look different from typical IT breaches, and they're frequent:
- Port forwards left open by a modality vendor during remote support, never closed
- Default admin passwords on the PACS web interface
- Old Windows servers (Server 2008, 2012) running PACS because the vendor "doesn't support" newer OS
- Flat networks where a compromised front-desk PC can reach the imaging server directly
- Unencrypted DICOM traffic readable by anyone on the network
- Shared workstation logins in imaging rooms
- Shodan-indexed servers discoverable by anyone with a browser — researchers find new ones every month
Under HIPAA, an exposure of patient data from PACS is a reportable breach. Under HITECH, breaches affecting 500 or more patients land you on the HHS Wall of Shame.
How Digital Armor Helps
Imaging security is one of our specialties. We've built and deployed secured PACS environments, including DICOM proxies for teleradiology:
- Network segmentation with modalities on isolated VLANs
- DICOM proxy deployment for remote reading — authenticated, encrypted, logged
- VPN or zero-trust access for remote radiologists
- PACS server hardening and patching strategy
- Modality vendor coordination — we handle the "vendor won't allow updates" problem
- Encrypted backup with tested restore procedures
- Audit log monitoring and review
- External exposure audit — we check what's visible from the public internet
Is Your Imaging Server Visible From the Internet?
We can tell you in under an hour. If it is, we'll tell you how to close it. If it isn't, we'll tell you what else needs attention. Either way, you'll have a clear picture — no jargon, no scare tactics.