
Medical imaging infrastructure and HIPAA access controls: closing the DICOM security gap

Unauthenticated DICOM servers put imaging PHI at direct risk — here's how to close the access-control and risk-analysis gaps the Security Rule requires you to address.

Patient Protect Research · May 12, 2026 · First reported in HIPAA Pulse

The control gap

Network-accessible systems storing or transmitting ePHI must be protected by technical access controls — authentication, perimeter restrictions, and role-based access — regardless of which department manages them or which vendor installed them. When imaging infrastructure is siloed from an organization's core IT security function, those controls frequently go unreviewed, and ePHI that should be fully protected becomes functionally public. A Trend Micro analysis identified thousands of internet-facing DICOM servers across hundreds of healthcare entities lacking even basic authentication, meaning patient imaging records and embedded demographics were retrievable by anyone with a network scanner — no credential theft or malware required. (First reported in HIPAA Pulse: https://hipaapulse.com/thousands-of-dicom-servers-exposed-due-to-shameful-lack-of-basic-security-514d9a0d)

The persistence of this problem across multiple years of published research signals that awareness alone is not closing the gap. The issue is organizational: imaging systems get scoped out of formal risk analyses, BAAs with PACS vendors go unreviewed, and access control requirements that apply to every other ePHI system are never applied to the radiology stack.

The HIPAA Security Rule provision in play

Four provisions converge here. §164.308(a)(1) requires a risk analysis covering all ePHI — DICOM servers and PACS systems included. §164.312(d) requires person or entity authentication for any system accessing ePHI. §164.312(a)(1) requires access controls, including unique user identification and automatic logoff, across information systems that store or transmit ePHI. §164.314(a) extends responsibility to business associates: if a third-party vendor operates your DICOM infrastructure, your BAA must assign clear accountability for these controls. An unauthenticated, internet-exposed DICOM server is a simultaneous failure across all four provisions.

How Patient Protect addresses this

  • Information Systems Inventory — Patient Protect's inventory function creates a documented register of every system in scope for HIPAA, making it harder for imaging infrastructure to be silently excluded from security reviews. DICOM servers and PACS interfaces belong on that list.
  • Security Risk Assessment (SRA) — The guided SRA workflow prompts coverage of all ePHI systems, not just EHR platforms. Completing it surfaces imaging infrastructure as an explicit line item with associated controls — and creates the OCR-ready documentation that evidences due diligence.
  • BAA Management / Vendor Risk Scanner — For practices whose DICOM or PACS infrastructure is vendor-managed, Patient Protect tracks executed BAAs and flags gaps in coverage. Controls like this reduce the likelihood that a third-party imaging vendor operates outside a formal accountability structure.
  • Access Management with 8 defined user roles — Patient Protect's role-based access framework reinforces the principle that ePHI access should be scoped to clinical need — a discipline that, applied to imaging systems, limits the blast radius of any future exposure.
  • Autonomous Compliance Engine — Ongoing risk recalculation means that a configuration change — a new imaging device, a network topology update, a new vendor relationship — triggers a compliance review rather than waiting for the next annual assessment.

Practical next steps

  • Add imaging systems to your next SRA explicitly. List every DICOM-capable device, PACS server, and imaging workstation by name and confirm network access controls are documented.
  • Audit internet-facing services this week. Ask your IT contractor or vendor to confirm which, if any, imaging interfaces are reachable from the public internet and require authentication before returning data.
  • Pull and review your PACS vendor BAA. Confirm it assigns responsibility for network security controls, not just data handling. If it doesn't, request an amendment.
  • Segment imaging systems from public-facing network ranges. If a clinical workstation inside your practice can reach it, an open internet scanner shouldn't be able to. Enforce that boundary at the firewall.
  • Document your review. If OCR opens an inquiry, evidence that you identified, assessed, and acted on imaging system risk is what distinguishes a correctable gap from a willful neglect finding.
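One way to carry out the internet-facing audit step above is to send a single DICOM association request to an imaging endpoint you own and record whether it is accepted with no credential at all. The following is an added example, not code from Patient Protect or the HIPAA Pulse article: it builds an A-ASSOCIATE-RQ by hand that proposes only the Verification SOP Class, classifies the reply, and releases the association immediately without requesting any image or patient data. The host, port, AE titles and implementation class UID are assumed placeholders to replace with your own.

```python
import socket
import struct

# Real DICOM UIDs (PS3.7 / PS3.8); the implementation class UID below is a placeholder.
APP_CONTEXT = b"1.2.840.10008.3.1.1.1"    # Application Context Name
VERIFICATION_SOP = b"1.2.840.10008.1.1"   # Verification SOP Class (C-ECHO only)
IMPLICIT_VR_LE = b"1.2.840.10008.1.2"     # Implicit VR Little Endian transfer syntax
IMPL_CLASS_UID = b"1.2.3.4.5.6.7.8.9"     # placeholder; use your organisation's UID root

def _item(item_type, payload):
    # Every PDU item/sub-item: type byte, reserved byte, 2-byte big-endian length, payload.
    return struct.pack(">BBH", item_type, 0, len(payload)) + payload

def build_associate_rq(called_ae, calling_ae, pres_ctx_id=1):
    """A-ASSOCIATE-RQ proposing only the Verification SOP Class, so no PHI can flow."""
    ae = lambda s: s.encode("ascii")[:16].ljust(16)   # AE titles: 16 bytes, space padded
    pres_ctx = (bytes([pres_ctx_id, 0, 0, 0])          # odd context id + 3 reserved bytes
                + _item(0x30, VERIFICATION_SOP) + _item(0x40, IMPLICIT_VR_LE))
    user_info = _item(0x51, struct.pack(">I", 16384)) + _item(0x52, IMPL_CLASS_UID)
    body = (struct.pack(">HH", 1, 0) + ae(called_ae) + ae(calling_ae) + bytes(32)
            + _item(0x10, APP_CONTEXT) + _item(0x20, pres_ctx) + _item(0x50, user_info))
    return struct.pack(">BBI", 0x01, 0, len(body)) + body   # type 0x01, reserved, length

def classify_response(pdu):
    """Map the first PDU the peer returns to an audit verdict."""
    if len(pdu) < 6:
        return "no-response"
    if pdu[0] == 0x02:
        return "accepted"          # A-ASSOCIATE-AC: the endpoint has no authentication gate
    if pdu[0] == 0x03 and len(pdu) >= 10:
        return "rejected(result=%d,source=%d,reason=%d)" % (pdu[7], pdu[8], pdu[9])
    if pdu[0] == 0x07:
        return "aborted"           # A-ABORT
    return "unexpected(0x%02x)" % pdu[0]

def check_endpoint(host, port, called_ae="ANY-SCP", calling_ae="SRA-AUDIT", timeout=5):
    """One association attempt against an endpoint you own; releases without any C-ECHO."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_associate_rq(called_ae, calling_ae))
        pdu = s.recv(6)
        if len(pdu) == 6:          # header length field says how much of the PDU remains
            pdu += s.recv(struct.unpack(">I", pdu[2:6])[0], socket.MSG_WAITALL)
        verdict = classify_response(pdu)
        if verdict == "accepted":  # A-RELEASE-RQ so the SCP closes the association cleanly
            s.sendall(struct.pack(">BBI", 0x05, 0, 4) + bytes(4))
        return verdict
```

Run it from outside your perimeter as `check_endpoint("imaging.example.internal", 104)` (placeholder host); an "accepted" verdict is the finding to record in the SRA and fix at the firewall or by enabling authentication on the SCP.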

This commercial companion is published by Patient Protect and may be co-written with editorial AI assistance, drawing on the source HIPAA Pulse article. First reported in HIPAA Pulse: https://hipaapulse.com/thousands-of-dicom-servers-exposed-due-to-shameful-lack-of-basic-security-514d9a0d