Title: A Radiography of the InSecurity of PACS and DICOM Systems
Presenter: Carlos Avila
Track: In The Clouds 02
Time: 1100
BSides San Antonio 2019, June 08, at St. Mary's University, San Antonio, Texas

Abstract: At this point, no one is surprised when you visit a doctor and complete your medical history on a computer or a mobile device, but perhaps not many of us wonder where and how that information is stored, or what the impact would be if other people obtained it. In this talk I try to analyze and answer these questions based on the vulnerabilities I found while evaluating different medical web and mobile applications, such as PACS systems, DICOM viewers, and ERM / HRM / RIS systems, which commonly connect to each other over the DICOM and HL7 protocols. During the time I have been investigating these systems I have found code-level flaws, mainly injection, server implementation errors, credentials "hardcoded" in applications, and information disclosure; each of these would put sensitive patient and doctor data at risk, as well as an entire health infrastructure. The talk will show the level of exposure of these systems based on the analysis I have made and the flaws I have found and reported, and will include a demonstration against one of these systems. Hospitals, clinics, patients, doctors, and monitoring systems and devices could be affected by these vulnerabilities.

Speaker Bio: Carlos Avila is Chief Security Ambassador at ElevenPaths and also works as an independent consultant in the information security industry, fulfilling several mainly technical roles. Carlos is a founding member of ISSA Capitulo Ecuador and is a guest speaker at conferences and events on computer security. He is an instructor of security-related topics such as pentesting, code review, defense techniques, and hardening of platforms.