Your Medical Scans on the Open Internet: The DICOM Security Crisis
Somewhere right now, a server connected to the public internet is responding to requests on Port 104. It does not require a password. It does not require a VPN. Anyone with a free scanning tool and basic technical knowledge can connect to it and begin downloading medical images — CT scans, MRIs, X-rays, ultrasounds — complete with patient names, dates of birth, medical record numbers, and clinical notes.
This is not a hypothetical scenario. It is happening at scale, across dozens of countries, and the problem is getting worse.
The numbers are staggering
The medical imaging world runs on a protocol called DICOM — Digital Imaging and Communications in Medicine. It was developed in the 1980s and standardized in the early 1990s, when the internet was an academic curiosity and the idea of connecting a radiology server to a public network would have been absurd. DICOM was designed for use inside hospital walls, on trusted local networks where physical access was the security model.
Three decades later, those same servers are sitting on the open internet.
Researchers have documented the scale of the problem and the numbers are alarming:
- 286% growth since 2017. The number of DICOM systems exposed to the public internet has grown by 286% since 2017, according to longitudinal scanning research. What was a niche vulnerability has become a systemic one.
- 3,800+ servers across 110 countries. Security firm Aplite identified more than 3,800 exposed DICOM servers spanning over 110 countries, collectively exposing the personal information of approximately 16 million patients.
- Less than 1% use effective security. Of the thousands of DICOM servers scanned by researchers, fewer than 1% had proper authentication in place. The rest respond to any connection attempt with full access to their image databases.
- 1.6 million simulated attacks recorded. Honeypot research targeting medical imaging infrastructure recorded 1.6 million attack attempts — roughly one every 20 seconds — with 23,000 interactions specifically targeting DICOM protocols.
These are not theoretical risks. These are patient scans — pictures of the inside of real people’s bodies — sitting on servers that anyone can access.
What is actually exposed
When a DICOM server is reachable from the public internet without authentication, the data at risk goes far beyond the images themselves.
A typical DICOM study contains:
- The medical images — full diagnostic-quality scans in their native resolution. CT scans with hundreds of slices. MRI sequences. Mammograms. Ultrasounds.
- Patient demographics — full name, date of birth, gender, address, phone number, and in some cases Social Security numbers.
- Clinical metadata — the referring physician, the reason for the exam, the radiologist’s findings, and the clinical history that prompted the study.
- Institutional data — the name and location of the facility, department identifiers, and equipment information.
This is not a partial data leak. It is a complete medical identity. A single exposed DICOM server can reveal more about a patient than any other type of data breach — their name, their body, their medical history, and the doctors treating them, all in one package.
Why this keeps happening
The root cause is not complicated. It is a collision between legacy infrastructure and modern network architecture.
DICOM was never designed for the internet. The protocol assumes it is operating on a trusted network. It has no built-in encryption. Its authentication mechanisms are optional and rarely implemented. When a DICOM server is placed on a network with internet connectivity — whether intentionally or through misconfiguration — it becomes an open door.
Healthcare IT budgets prioritize EHR over imaging security. Hospitals spend heavily on electronic health record systems and their associated compliance requirements. PACS (Picture Archiving and Communication Systems) and imaging infrastructure often run on older hardware and software, with security updates treated as optional. Research has found that a significant percentage of PACS workstations carry critical unpatched vulnerabilities — the same vulnerabilities actively exploited by ransomware groups.
Cloud migration creates new exposure. As healthcare organizations move imaging workloads to the cloud, misconfigured DICOM nodes and improperly secured cloud storage create new attack surfaces. A server that was previously protected by being inside a hospital’s physical network suddenly becomes reachable from anywhere when it is migrated without equivalent security controls.
Small practices lack security expertise. A three-radiologist outpatient imaging center does not have a chief information security officer. Their IT support may be a local managed service provider who understands Windows servers but has never heard of DICOM. The imaging equipment vendor set up the system years ago, the default configuration has never been changed, and nobody has audited the network since.
The ransomware connection
Exposed DICOM servers are not just a privacy problem. They are an entry point for attacks that shut down entire healthcare operations.
Healthcare ransomware attacks have surged dramatically. In 2025 alone, 293 ransomware attacks were recorded against hospitals, clinics, and direct care providers in the first nine months. The healthcare sector accounted for 22% of all disclosed ransomware attacks, with activity rising nearly 50% year over year. The average cost of a healthcare data breach reached $7.42 million per incident — the highest of any industry.
The connection to imaging infrastructure is direct. Ransomware groups target healthcare organizations because they know two things: patient care cannot wait, and legacy systems are easy to penetrate. An exposed DICOM server or an unpatched PACS workstation gives attackers a foothold. From there, they move laterally through the network, encrypt critical systems, and demand payment.
The consequences are not abstract. When a hospital’s imaging systems go down:
- Emergency departments lose access to prior imaging. A trauma surgeon cannot see the CT scan from two hours ago. A cardiologist cannot compare today’s echocardiogram with last month’s baseline.
- Scheduled procedures get cancelled. Surgeries that require pre-operative imaging are postponed. Cancer patients waiting for follow-up scans are told to come back next week — or next month.
- Diagnostic workflows grind to a halt. Radiologists cannot read studies. Reports do not get generated. Referring physicians make decisions without imaging data.
The 2024 Change Healthcare breach — which affected an estimated 192.7 million individuals — demonstrated what happens when healthcare infrastructure becomes a ransomware target at scale. The fallout disrupted claims processing, prescription fulfillment, and care delivery across the entire US healthcare system for weeks.
Imaging infrastructure is the next frontier. As Rapid7’s 2026 research documented, DICOM servers and PACS systems exposed on the public internet are being discovered by attackers through routine scanning — the same kind of scanning that security researchers use to find them.
This is different from HIPAA compliance
You might be thinking: does HIPAA not cover this? It does — in theory. HIPAA requires covered entities to implement technical safeguards to protect electronic protected health information. But there is a critical distinction between HIPAA compliance as a legal framework and the infrastructure security of medical imaging systems.
HIPAA compliance focuses on policies, procedures, business associate agreements, and breach notification. It is a regulatory floor. It tells organizations what they must do but does not prescribe how to do it at the infrastructure level.
The DICOM security crisis is an infrastructure problem. It exists because imaging systems were deployed without basic network security controls — firewalls, authentication, encryption, network segmentation. An organization can be “HIPAA compliant” on paper while running an exposed DICOM server that has been leaking patient data for years. And many are.
This is not about checking compliance boxes. It is about whether the systems that store your medical images are actually secure.
What healthcare organizations should do now
If you are a hospital administrator, imaging center manager, or healthcare IT professional, here is what you can do today:
1. Audit your imaging network. Run an internal and external scan for DICOM services on ports 104 and 11112, and on the web ports (80, 443). If any DICOM endpoint is reachable from outside your network without VPN access, you have an urgent problem.
2. Segment your imaging network. PACS and DICOM systems should sit on a dedicated, segmented network with no direct internet access. Connections to external systems should route through secured gateways with authentication and encryption.
3. Patch your PACS. Check the software version and patch status of every PACS workstation and imaging gateway. If your PACS vendor has not issued a security update in the past year, that is a conversation worth having.
4. Implement authentication. DICOM supports authentication through TLS. It is optional in the protocol, but it should not be optional in your deployment. Require authentication for all DICOM associations.
5. Replace insecure sharing workflows. Every CD burned, every unencrypted email, every FTP transfer of DICOM files is a potential exposure point. Modern secure sharing eliminates these vectors entirely.
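As an added example (not code from this article or from Medixshare), here is a defender-side helper in Python for steps 1 and 4: it flags accepted connections to the DICOM ports from outside the internal address ranges in constructed firewall log lines, and decodes the fixed header of a DICOM A-ASSOCIATE-RQ so a PACS can reject calling AE titles that are not on its allowlist. The log format, the internal ranges and the allowlist are assumptions.

```python
import ipaddress
import struct

# Ports named in the audit step: standard DICOM (104) and the registered
# alternative (11112). The AE title allowlist is a constructed example.
DICOM_PORTS = {104, 11112}
KNOWN_AE_TITLES = {"CT_SCANNER_1", "MRI_WEST", "PACS_MAIN"}
# Address space of the hospital's segmented internal network (assumed);
# anything outside it is treated as reachable from the internet side.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def flag_exposed_connections(log_lines):
    """Return (src, dport) for accepted connections to a DICOM port from outside
    the internal networks. Log lines use a constructed key=value format."""
    hits = []
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        if fields.get("action") != "ACCEPT":
            continue
        port = int(fields.get("dport", 0))
        if port in DICOM_PORTS and is_external(fields["src"]):
            hits.append((fields["src"], port))
    return hits

def parse_associate_rq(pdu: bytes) -> dict:
    """Decode the fixed 74-byte header of an A-ASSOCIATE-RQ PDU (DICOM PS3.8,
    9.3.2): type 0x01, reserved, 4-byte big-endian length, protocol version,
    2 reserved bytes, 16-byte called AE title, 16-byte calling AE title."""
    if len(pdu) < 74 or pdu[0] != 0x01:
        raise ValueError("not an A-ASSOCIATE-RQ PDU")
    pdu_len, version = struct.unpack(">xxIH", pdu[:8])
    return {"length": pdu_len, "version": version,
            "called_ae": pdu[10:26].decode("ascii").strip(),
            "calling_ae": pdu[26:42].decode("ascii").strip()}

def association_allowed(pdu: bytes) -> bool:
    """The check a hardened PACS applies before accepting an association:
    the calling AE title must be one of the configured, known modalities."""
    return parse_associate_rq(pdu)["calling_ae"] in KNOWN_AE_TITLES

def sample_associate_rq(called: str, calling: str) -> bytes:
    """Constructed header-only A-ASSOCIATE-RQ (no variable items), for the parser."""
    return (b"\x01\x00" + struct.pack(">I", 68) + b"\x00\x01\x00\x00"
            + called.encode().ljust(16) + calling.encode().ljust(16) + b"\x00" * 32)

SAMPLE_LOG = [  # constructed: internal, external x2 to DICOM ports, external to 443, dropped
    "src=10.20.5.7 dst=10.20.1.10 dport=104 action=ACCEPT",
    "src=203.0.113.45 dst=10.20.1.10 dport=104 action=ACCEPT",
    "src=198.51.100.9 dst=10.20.1.10 dport=11112 action=ACCEPT",
    "src=198.51.100.9 dst=10.20.1.10 dport=443 action=ACCEPT",
    "src=203.0.113.77 dst=10.20.1.10 dport=104 action=DROP",
]
```

Any hit returned by `flag_exposed_connections` on a real firewall export is the "urgent problem" of step 1; the AE title check is the minimum a listener should enforce until TLS with client certificates is in place.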
What patients should know
As a patient, you cannot audit your hospital’s DICOM infrastructure. But you can control how your scans are shared after they are in your hands.
The most common ways patients share medical scans today — CDs, USB drives, unencrypted email, photos texted from a phone — are all insecure. They create copies of your data that you cannot track, cannot expire, and cannot revoke. Every copy is another potential exposure point.
This is exactly the problem Medixshare was built to solve. Developed by AI Bharata, Medixshare was designed from the ground up for secure medical image sharing. When you share a scan through Medixshare:
- Your data is encrypted in transit and at rest, using the same encryption standards that protect financial and government data.
- Access expires automatically. You set the window — one hour, one day, one week. When the time is up, the link stops working.
- No copies are created. The recipient views your scan in a secure browser-based viewer. They do not download an unencrypted file to their desktop.
- Every access is logged. You see exactly who viewed your scan, when, and from where.
- You control revocation. Change your mind? One click, and access is gone — even before the expiration window closes.
The challenges of sharing medical scans have persisted for decades because the underlying infrastructure was never designed for a connected world. Medixshare sidesteps the broken infrastructure entirely — your scans move through modern, encrypted channels instead of aging DICOM networks.
The window is closing
The DICOM security crisis is not a future risk. It is a present reality that is growing faster than the healthcare industry is responding. Every exposed server, every unpatched PACS workstation, every insecure sharing workflow is a vulnerability waiting to be exploited.
For healthcare organizations, the time to audit and secure imaging infrastructure was years ago. The next best time is now.
For patients, the simplest step is also the most effective: stop sharing your scans through channels you cannot control, and start sharing them through channels that are encrypted, expiring, and auditable by design.
Ready to share your scans securely? Get started with Medixshare — it is free for patients and takes less than a minute to share your first scan.
For healthcare organizations looking to eliminate insecure imaging workflows, learn how Medixshare works for hospitals and imaging centers.