ICS Alert (ICS-ALERT-19-162-01)

DICOM Standard in Medical Devices

Click to Tweet.
Click to send to Facebook.
Click to Share.
Click for the STIX file.

Legal Notice

All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.



NCCIC is aware of a public report of a vulnerability in the DICOM (Digital Imaging and Communications in Medicine) standard with proof-of-concept (PoC) exploit code. The DICOM standard is the international standard to transmit, store, retrieve, print, process, and display medical imaging information. According to this report, the vulnerability is exploitable by embedding executable code into the 128 byte preamble. This report was released without coordination with NCCIC or any known vendor.

NCCIC has notified some of the affected vendors who may utilize the DICOM Standard (primarily in the healthcare industry) about the report to confirm the vulnerability and to identify mitigations. NCCIC is issuing this alert to provide notice of the report and identify baseline mitigations for reducing risks of these and other cybersecurity attacks.

The report included vulnerability details and PoC exploit code for the following vulnerability:

Vulnerability TypeExploitable RemotelyImpact
Input ValidationNo—Requires Local AccessPossible Embedded Malware in Portable Medical Imagery

Please report any issues affecting medical systems in critical infrastructure environments to NCCIC.

DICOM is widely used throughout the Healthcare and Public Health Sector for portability in medical imaging; it uses the .dcm file extension.

Successful exploitation of this vulnerability could allow an attacker to embed executable code into image files used by medical imaging devices. The severity of any attack varies depending on the type and intent of the executable code embedded within the preamble. It is important to note this code can be embedded in a way that allows the code to be a functioning Windows executable while not interfering with the readability and functionality of the DICOM imagery.

The vulnerability was discovered by Markel Picado Ortiz of Cylera Labs and has been issued CVE-2019-11687.


NCCIC is currently coordinating with multiple stakeholders to identify any potential mitigations.

The DICOM Security Group has provided a statement for user strategies on how to mitigate the risk titled:



This statement is found at the following location: https://www.dicomstandard.org/dicom-in-the-news/

NCCIC recommends that users affected by the vulnerability in the DICOM Standard implement an AV (Antivirus) solution on all medical imaging systems. NCCIC recommends that affected users reach out to their specific AV vendor to determine if their solution properly scans for the affected file type. In the situation where an AV solution cannot be installed, affected users should take steps to make sure that they have processes and procedures in place to scan portable/removable media for suspicious files before introducing the media into their medical networks.

NCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

NCCIC also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS-CERT website in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Contact Information

For any questions related to this report, please contact the CISA at:

Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870

For industrial control systems cybersecurity information:  https://us-cert.cisa.gov/ics 
or incident reporting:  https://us-cert.cisa.gov/report

CISA continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product.

This product is provided subject to this Notification and this Privacy & Use policy.

Please share your thoughts.

We recently updated our anonymous product survey; we'd welcome your feedback.