PACS & DICOM SECURITY
PACS & DICOM Penetration Testing
for MDR Compliance
The DICOM standard was built for connectivity, not security. We bridge the gap between legacy protocols and MDR Class IIa/IIb security requirements.


"Standard Compliant" is not "Secure"
Bringing a connected medical device or PACS solution to market requires navigating a contradiction: The DICOM standard prioritizes open data exchange, while the EU MDR mandates strict "State of the Art" cybersecurity. Many configurations explicitly allowed by the DICOM standard—and found in common open-source libraries—are security liabilities. During an audit, a Notified Body will not accept "But the standard allows it" as a defense for insecure patient data.
Our Approach:
We test your DICOM nodes, PACS servers, and viewers specifically against the requirements of IEC 81001-5-1 and MDR Annex I. We identify legacy flaws before your auditor does.
The Three Pillars of DICOM Risk
Examples of the specific security challenges we test for in medical imaging infrastructure.
The "Vagueness" Trap
The DICOM standard is decades old. We test whether your implementation has inherited legacy flaws that trigger non-conformities. For example:
AET != Authentication
Application Entity Titles (AETs) are essentially public "nametags," not security credentials. We frequently demonstrate how attackers can spoof trusted devices (like an MRI modality) to inject fake imagery or exfiltrate data.
DICOM-Compliant ≠ MDR-Secure
The DICOM standard permits configurations that are technically compliant yet cryptographically indefensible: TLS is left to implementers (and often misconfigured), and legacy algorithms such as MD5 and SHA-1 remain permitted. Notified Bodies expect more. We expose these risks before your auditor does.
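The following is an added example, not code from this page or from Machine Spirits, of what "not leaving it to defaults" looks like on the server side: a TLS context for a DICOM TLS listener that refuses protocol versions below 1.2, requires a client certificate (mutual TLS, as the DICOM PS3.15 BCP 195 TLS profile expects) and excludes MD5/SHA-1 based cipher suites, plus an allow-list for the digest named in a DICOM Digital Signature's MAC Algorithm attribute (0400,0015). The file-path parameters are placeholders, and the MAC Algorithm defined terms are quoted from memory of PS3.3 and should be confirmed against your edition of the standard.

```python
"""Transport and signature-algorithm policy for a DICOM TLS SCP (added example; not
code from the page or from Machine Spirits).

Two checks: a server-side TLS context that refuses TLS < 1.2, requires a client
certificate and excludes MD5/SHA-1 cipher suites instead of trusting library defaults,
and an allow-list for the digest in (0400,0015) MAC Algorithm so MD5/SHA1 signatures
are refused up front. Paths are placeholders; defined terms quoted from memory of PS3.3.
"""
import ssl
from typing import List, Optional, Tuple

# Digests acceptable in (0400,0015) MAC Algorithm. The legacy defined terms
# "MD5", "SHA1" and "RIPEMD160" are deliberately absent.
ACCEPTED_MAC_ALGORITHMS = frozenset({"SHA256", "SHA384", "SHA512"})


def make_dicom_tls_context(ca_bundle: Optional[str] = None,
                           cert_chain: Optional[Tuple[str, str]] = None) -> ssl.SSLContext:
    """Server context for DICOM TLS. ca_bundle: PEM file of CAs allowed to issue
    client certificates; cert_chain: (server certificate PEM, private key PEM).
    Both are placeholders for operator-supplied files."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2      # no SSLv3 / TLS 1.0 / TLS 1.1 fallback
    ctx.verify_mode = ssl.CERT_REQUIRED               # the SCU must present a certificate
    ctx.options |= ssl.OP_NO_COMPRESSION
    # TLS 1.2 suites: forward secrecy and AEAD only; MD5 and SHA-1 HMAC suites excluded.
    # TLS 1.3 suites are not affected by this string and are all AEAD.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!SHA1")
    if ca_bundle is not None:
        ctx.load_verify_locations(cafile=ca_bundle)
    if cert_chain is not None:
        ctx.load_cert_chain(certfile=cert_chain[0], keyfile=cert_chain[1])
    return ctx


def weak_cipher_suites(ctx: ssl.SSLContext) -> List[str]:
    """Names of enabled suites that still use MD5 or SHA-1 (OpenSSL suite names ending
    in '-SHA' denote HMAC-SHA1). Expected to be empty for the context above."""
    weak = []
    for suite in ctx.get_ciphers():
        name = suite["name"]
        if "MD5" in name or "SHA1" in name or name.endswith("-SHA"):
            weak.append(name)
    return weak


def mac_algorithm_acceptable(value: str) -> bool:
    """Gate for the MAC Algorithm value read from a Digital Signatures Sequence item."""
    return value.strip().upper() in ACCEPTED_MAC_ALGORITHMS


if __name__ == "__main__":
    ctx = make_dicom_tls_context()
    print("minimum TLS:", ctx.minimum_version.name, "| client cert:", ctx.verify_mode.name)
    print("weak suites still enabled:", weak_cipher_suites(ctx) or "none")
    for alg in ("SHA256", "SHA1", "MD5"):
        print(f"MAC Algorithm {alg}: {'accept' if mac_algorithm_acceptable(alg) else 'reject'}")
```

The point of `weak_cipher_suites` is that it is a check you can run in CI against the context your product actually builds, rather than a statement of intent in a design document; the same goes for gating the signature digest before any signature verification is attempted.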
Logic & Configuration Risks
We analyze how your server handles logic requests and external connections. For example:
Query/Retrieve Logic (C-MOVE / C-GET)
Complex retrieval protocols often contain logic flaws allowing unauthorized data movement. We test these specific commands for permission bypasses.
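Both points above, that an AE Title is a label rather than a credential and that C-MOVE can route data to destinations you never intended, come down to the same control: the SCP must decide whom to talk to from something stronger than the name the peer claims. The block below is an added example, not code from this page or from Machine Spirits. It reads the Called and Calling AE Titles from an A-ASSOCIATE-RQ PDU (fixed header layout per DICOM PS3.8) and accepts the association only when the Calling AET also matches the peer's source network and, where mutual TLS is in use, its client-certificate subject; the same table decides which AEs may be named as C-MOVE destinations. The rule table, addresses and certificate names are constructed for the example.

```python
"""Association authorization for a DICOM SCP (added example; not code from the page
or from Machine Spirits). Binds each Calling AET to a source network and optional
client-certificate CN, and keeps a separate allow-list of C-MOVE destinations.
All rules, addresses and certificate names below are constructed.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

PDU_TYPE_A_ASSOCIATE_RQ = 0x01
# type(1) reserved(1) length(4) | version(2) reserved(2) called(16) calling(16) reserved(32)
FIXED_HEADER_LEN = 6 + 2 + 2 + 16 + 16 + 32


@dataclass(frozen=True)
class PeerRule:
    aet: str
    network: str                          # CIDR the peer must connect from
    cert_subject: Optional[str] = None    # required client-certificate CN under mutual TLS
    move_destination: bool = False        # may this AE be named as a C-MOVE destination?


def _decode_aet(raw: bytes) -> str:
    aet = raw.decode("ascii").strip(" ")  # non-ASCII bytes raise UnicodeDecodeError (a ValueError)
    if not aet or "\\" in aet or any(ord(c) < 0x20 for c in aet):
        raise ValueError("malformed AE Title")
    return aet


def parse_associate_rq(pdu: bytes) -> Tuple[str, str]:
    """Return (called_aet, calling_aet) from one complete A-ASSOCIATE-RQ PDU."""
    if len(pdu) < FIXED_HEADER_LEN:
        raise ValueError("PDU shorter than the A-ASSOCIATE-RQ fixed header")
    pdu_type, _reserved, length = struct.unpack(">BBI", pdu[:6])
    if pdu_type != PDU_TYPE_A_ASSOCIATE_RQ:
        raise ValueError(f"not an A-ASSOCIATE-RQ (PDU type 0x{pdu_type:02x})")
    if length != len(pdu) - 6:
        raise ValueError("PDU length field disagrees with the bytes received")
    if not struct.unpack(">H", pdu[6:8])[0] & 0x0001:
        raise ValueError("peer does not offer DICOM UL protocol version 1")
    return _decode_aet(pdu[10:26]), _decode_aet(pdu[26:42])


def authorize_association(pdu: bytes, peer_ip: str, peer_cert_cn: Optional[str],
                          our_aet: str, rules: List[PeerRule]) -> Tuple[bool, str]:
    """Accept only if Called AET is ours and Calling AET, source network and (if
    configured) client certificate all agree with one rule."""
    try:
        called, calling = parse_associate_rq(pdu)
    except ValueError as exc:
        return False, f"rejected: {exc}"
    if called != our_aet:
        return False, f"called AET {called!r} is not this SCP"
    rule = next((r for r in rules if r.aet == calling), None)
    if rule is None:
        return False, f"unknown calling AET {calling!r}"
    if ipaddress.ip_address(peer_ip) not in ipaddress.ip_network(rule.network):
        return False, f"AET {calling!r} presented from unexpected address {peer_ip}"
    if rule.cert_subject is not None and peer_cert_cn != rule.cert_subject:
        return False, f"AET {calling!r}: client certificate {peer_cert_cn!r} does not match"
    return True, f"accepted {calling!r} from {peer_ip}"


def authorize_move_destination(dest_aet: str, rules: List[PeerRule]) -> bool:
    """C-MOVE may only target AEs explicitly marked as destinations, never an AET
    the SCU made up in the request."""
    rule = next((r for r in rules if r.aet == dest_aet), None)
    return rule is not None and rule.move_destination


def build_associate_rq(called: str, calling: str) -> bytes:
    """Constructed minimal A-ASSOCIATE-RQ (fixed header, no variable items) so the
    example has something to parse."""
    body = (struct.pack(">HH", 0x0001, 0) + called.ljust(16).encode("ascii")
            + calling.ljust(16).encode("ascii") + bytes(32))
    return struct.pack(">BBI", PDU_TYPE_A_ASSOCIATE_RQ, 0, len(body)) + body


# Constructed allow-list for this example.
OUR_AET = "PACS_ARCHIVE"
RULES = [
    PeerRule("MRI_SCANNER_1", "10.20.0.0/24", cert_subject="mri1.imaging.example"),
    PeerRule("WORKSTATION_7", "10.20.1.0/24", move_destination=True),
]

if __name__ == "__main__":
    pdu = build_associate_rq(OUR_AET, "MRI_SCANNER_1")
    print(authorize_association(pdu, "10.20.0.15", "mri1.imaging.example", OUR_AET, RULES))
    print(authorize_association(pdu, "192.0.2.10", "mri1.imaging.example", OUR_AET, RULES))
    print(authorize_association(pdu, "10.20.0.15", None, OUR_AET, RULES))
    print("WORKSTATION_7 as C-MOVE destination:", authorize_move_destination("WORKSTATION_7", RULES))
    print("MRI_SCANNER_1 as C-MOVE destination:", authorize_move_destination("MRI_SCANNER_1", RULES))
```

The second rejection in the demo is the case the text describes: a correct, trusted AET arriving from an address it has never used. Whether the network binding is enough, or a client certificate is also required, is a deployment decision; the point is that the AET alone never is.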
Unhardened FOSS Components
Many commercial solutions rely on backends like DCMTK or Orthanc. If left in default configurations, they expose debugging ports and unused functionality. We identify these "open doors" and verify they are closed.
Parsing & Data Handling
A DICOM file is not just an image; it is a complex data structure that can carry malicious payloads. For example:
Polyglot Files & Payload Embedding
The DICOM standard allows a 128-byte preamble that parsers often ignore. Attackers exploit this to create "polyglot" files—valid medical images that simultaneously function as executable archives (e.g., JAR or PE). We verify your ingestion filters detect and reject these dual-nature payloads to prevent your software from becoming a malware carrier.
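An ingestion filter of the kind described above, as an added example that is not code from this page or from Machine Spirits: it reads the 128-byte preamble and the `DICM` magic of a Part 10 file, refuses a preamble that opens with an executable or archive signature, and optionally enforces the stricter all-zero policy. It goes slightly beyond the text in two ways that matter for the JAR case, since the JVM reads a ZIP from its tail rather than its head: it also refuses a file ending in a ZIP end-of-central-directory record, and it checks that the first element after the magic belongs to the File Meta group 0002. All sample files are constructed; the TIFF-preamble sample illustrates a non-zero preamble the standard itself permits.

```python
"""Preamble gate for DICOM Part 10 file ingestion (added example; not code from the
page or from Machine Spirits). Refuses executable/archive signatures in the preamble,
a ZIP central directory at the tail, and a first element outside group 0002;
optionally requires an all-zero preamble. Sample files are constructed.
"""
import struct
from typing import Tuple

PREAMBLE_LEN = 128
MAGIC = b"DICM"
ZIP_EOCD = b"PK\x05\x06"                  # ZIP end-of-central-directory signature
ZIP_TAIL_WINDOW = 22 + 65535              # EOCD record plus the maximum ZIP comment length

# Leading signatures that have no business in a medical image preamble.
FOREIGN_SIGNATURES = {
    b"MZ": "PE/DOS executable",
    b"PK\x03\x04": "ZIP/JAR archive",
    b"\x7fELF": "ELF executable",
    b"%PDF": "PDF document",
    b"#!": "script shebang",
    b"\x1f\x8b": "gzip stream",
}


class PreambleRejected(ValueError):
    pass


def inspect_preamble(data: bytes, require_zero: bool = False) -> dict:
    """Raise PreambleRejected on a dual-nature file; otherwise report preamble facts."""
    if len(data) < PREAMBLE_LEN + 4 + 8:
        raise PreambleRejected("file shorter than preamble, magic and first meta element")
    preamble = data[:PREAMBLE_LEN]
    if data[PREAMBLE_LEN:PREAMBLE_LEN + 4] != MAGIC:
        raise PreambleRejected("missing 'DICM' magic at offset 128")
    for sig, desc in FOREIGN_SIGNATURES.items():
        if preamble.startswith(sig):
            raise PreambleRejected(f"preamble carries a {desc} signature")
    if ZIP_EOCD in data[-ZIP_TAIL_WINDOW:]:
        raise PreambleRejected("file ends with a ZIP central directory (JAR/ZIP polyglot)")
    # File Meta Information is Explicit VR Little Endian; first element must be in group 0002.
    group = struct.unpack("<H", data[PREAMBLE_LEN + 4:PREAMBLE_LEN + 6])[0]
    if group != 0x0002:
        raise PreambleRejected(f"first element after magic is group {group:04x}, not 0002")
    nonzero = sum(1 for b in preamble if b)
    if require_zero and nonzero:
        raise PreambleRejected(f"policy requires an all-zero preamble ({nonzero} non-zero bytes)")
    return {"preamble_all_zero": nonzero == 0, "nonzero_bytes": nonzero}


def ingest_check(data: bytes, require_zero: bool = False) -> Tuple[bool, str]:
    """Pipeline-friendly wrapper returning (accepted, reason)."""
    try:
        info = inspect_preamble(data, require_zero)
    except PreambleRejected as exc:
        return False, str(exc)
    return True, f"accepted (non-zero preamble bytes: {info['nonzero_bytes']})"


def constructed_meta() -> bytes:
    """(0002,0010) Transfer Syntax UID = Explicit VR Little Endian, explicit VR encoding."""
    uid = b"1.2.840.10008.1.2.1\x00"        # padded to even length
    return struct.pack("<HH", 0x0002, 0x0010) + b"UI" + struct.pack("<H", len(uid)) + uid


CLEAN_FILE = bytes(PREAMBLE_LEN) + MAGIC + constructed_meta()
# The standard permits a non-zero preamble, e.g. a TIFF header for dual-use viewers.
TIFF_PREAMBLE_FILE = b"II*\x00" + bytes(PREAMBLE_LEN - 4) + MAGIC + constructed_meta()
PE_POLYGLOT = b"MZ" + bytes(PREAMBLE_LEN - 2) + MAGIC + constructed_meta()
JAR_POLYGLOT = CLEAN_FILE + ZIP_EOCD + bytes(18)   # ZIP structure appended at the tail

if __name__ == "__main__":
    for label, blob in [("clean", CLEAN_FILE), ("tiff-preamble", TIFF_PREAMBLE_FILE),
                        ("pe-polyglot", PE_POLYGLOT), ("jar-polyglot", JAR_POLYGLOT)]:
        print(f"{label:14s} lenient: {ingest_check(blob)}  strict: {ingest_check(blob, True)}")
```

The `require_zero` switch is the policy decision the paragraph leaves open: an all-zero preamble is the safest thing to demand, but it rejects legitimate dual-use files, so a device that must accept those needs the signature and tail checks instead.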
XXE Injection in Structured Reports
Modern DICOM workflows use Structured Reports (SR) and XML-based configurations. If your parser is not strictly hardened, it is vulnerable to XML External Entity (XXE) attacks. We test your ability to handle complex nested datasets without allowing attackers to read local server files or map your internal network via a malicious report.
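One way to make an XML ingestion path hold up to the test described above, as an added example that is not code from this page or from Machine Spirits: every XXE payload needs a DTD, so instead of trusting parser defaults the reader below drives the standard-library expat bindings directly, aborts the moment a DOCTYPE or entity declaration appears, installs no external-entity handler, and caps nesting depth so a hostile deeply nested document cannot exhaust the stack. The XML documents and element names are constructed and are not a DICOM schema; the SYSTEM identifiers are placeholders, not real paths.

```python
"""DTD-refusing XML reader for report and configuration ingestion (added example; not
code from the page or from Machine Spirits). Refuses any DOCTYPE or entity
declaration before it is processed, never fetches external entities, and bounds
element nesting. Sample documents are constructed; SYSTEM ids are placeholders.
"""
import xml.parsers.expat
from typing import Dict, List


class UnsafeXmlError(ValueError):
    pass


def parse_report_xml(data: bytes, max_depth: int = 32) -> Dict[str, str]:
    """Parse a small XML document into {element path: text}, refusing any DTD."""
    parser = xml.parsers.expat.ParserCreate()
    result: Dict[str, str] = {}
    path: List[str] = []
    text_stack: List[List[str]] = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Fires before any entity in the DTD is processed, so nothing gets resolved.
        raise UnsafeXmlError(f"DOCTYPE {name!r} refused: DTDs are not accepted")

    def on_entity_decl(*_args):
        raise UnsafeXmlError("entity declaration refused")

    def on_start(name, _attrs):
        if len(path) >= max_depth:
            raise UnsafeXmlError(f"element nesting deeper than {max_depth}")
        path.append(name)
        text_stack.append([])

    def on_chars(chunk):
        if text_stack:
            text_stack[-1].append(chunk)

    def on_end(_name):
        text = "".join(text_stack.pop()).strip()
        if text:
            result["/".join(path)] = text
        path.pop()

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_chars
    parser.EndElementHandler = on_end
    # No ExternalEntityRefHandler is set, so expat has no way to fetch anything.
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        raise UnsafeXmlError(f"malformed XML: {exc}") from exc
    return result


def check_report(data: bytes) -> str:
    """Ingestion verdict: 'accepted' or the reason the document was refused."""
    try:
        parse_report_xml(data)
    except UnsafeXmlError as exc:
        return str(exc)
    return "accepted"


# Constructed samples. Element names are invented; they are not a DICOM schema.
BENIGN_REPORT = b"""<?xml version="1.0"?>
<report><patient><id>ANON-0001</id></patient><finding code="C1">no abnormality</finding></report>"""
XXE_REPORT = b"""<?xml version="1.0"?>
<!DOCTYPE report [<!ENTITY leak SYSTEM "file:///PLACEHOLDER/PATH">]>
<report><finding>&leak;</finding></report>"""
EXTERNAL_DTD_REPORT = b"""<?xml version="1.0"?>
<!DOCTYPE report SYSTEM "http://PLACEHOLDER.example/report.dtd">
<report/>"""
DEEP_REPORT = b"<n>" * 40 + b"</n>" * 40

if __name__ == "__main__":
    print(parse_report_xml(BENIGN_REPORT))
    for label, doc in [("xxe", XXE_REPORT), ("external dtd", EXTERNAL_DTD_REPORT), ("deep", DEEP_REPORT)]:
        print(f"{label}: {check_report(doc)}")
```

Refusing the DTD outright is deliberately coarser than configuring entity resolution feature by feature: a report or configuration document has no legitimate need for one, and a fail-closed rule is easier to demonstrate to an auditor than a list of parser flags whose defaults differ between library versions.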
Service Scope: What You Get
We set clear boundaries up front, so you know the engagement is advisory and its output is auditor-ready.
The Output
Technical Evidence
Proof of concepts for all identified vulnerabilities in your DICOM infrastructure.
Risk Prioritization
Findings rated not just by CVSS score, but by their impact on Patient Safety and Clinical Effectiveness.
Auditor-Ready Reports
Written in precise language suitable for submission as part of your verification evidence.
Why Machine Spirits?
We combine deep offensive security research with the pragmatism of veteran engineering. We understand that you need to maintain connectivity with hospital networks while satisfying the strict demands of the MDR.
We don't just hand you a list of bugs and walk away. We provide the context you need to explain these risks to your engineering team and your Notified Body.
Your Audit is Led by Senior Experts
Not juniors. Not generalists. Specialists in medical device security.

Dr. rer. nat. Simon Weber
Lead Pentester & MedSec Researcher
I evaluate your SaMD with the same industry-defining security insight I contributed to the BAK MV for the revision of the B3S standard.
- PhD on Hospital Cybersecurity
- Critical vulnerabilities found in hospital systems
- Alumnus of THB MedSec Research Group

Dipl.-Inf. Volker Schönefeld
Senior Application Security Expert
As a former CTO and developer turned pentester, I work alongside your team to uncover vulnerabilities and find solutions that fit your architecture.
- 20+ years as CTO, 50M+ app downloads
- Architected and secured large-scale IoT fleets
- Certified Web Exploitation Specialist
External Resources
Standards and guidance documents for DICOM security in medical devices.
DICOM Part 15: Security and System Management Profiles
The official DICOM standard for security profiles, TLS transport, digital signatures, and certificate management.
NIST SP 1800-24
NIST guide on securing Picture Archiving and Communication Systems (PACS) in healthcare environments.
From Pentest to MDR Certification

“Machine Spirits helped uncover vulnerabilities in our platform early with a structured and in-depth pentest before we went through MDR certification. The clear reports and pragmatic communication helped us quickly close security gaps and efficiently update our documentation.”
Secure Your PACS Infrastructure
Ensure your DICOM implementation is ready for the MDR.
Schedule a Scoping Call