Cybersecurity in Medical Imaging Systems

OPEN MEDSCIENCE REVIEW | August 10, 2025

Summary: Cybersecurity in medical imaging systems is essential for safeguarding patient data, maintaining diagnostic integrity, and ensuring uninterrupted healthcare delivery. This review examines the evolving threat landscape, regulatory frameworks, technical safeguards, resilience planning, and emerging trends, showing why robust security is no longer optional but integral to safe and effective diagnostic imaging.

Keywords: Medical imaging, cybersecurity, data protection, system resilience, medical devices, health informatics

Introduction

The transition from analogue film-based radiology to digital medical imaging has been one of the most significant transformations in modern healthcare. In the analogue era, diagnostic images were captured on film, stored in physical archives, and manually transported between departments or hospitals. While these methods were logistically cumbersome and limited in terms of speed and sharing, they were largely insulated from cyber threats. Theft or loss of film was possible, but remote manipulation or mass data breaches were not realistic concerns.

The advent of Picture Archiving and Communication Systems (PACS) in the 1980s, and the standardisation of Digital Imaging and Communications in Medicine (DICOM) in the 1990s, revolutionised this workflow. Images could now be stored centrally on servers, accessed instantly across hospital networks, and transmitted to authorised clinicians for interpretation anywhere in the world. This digital shift brought huge advantages in clinical efficiency, speed of diagnosis, and multidisciplinary collaboration.

Today’s medical imaging environment is highly interconnected. MRI, CT, ultrasound, nuclear medicine, and digital radiography systems are linked not only to PACS and Radiology Information Systems (RIS) but also to Electronic Health Records (EHRs), hospital-wide IT infrastructure, and increasingly, cloud-hosted storage and reporting platforms. Remote image reporting, AI-based image analysis, and integration with decision-support tools are becoming standard features. While these capabilities enhance patient care and enable more effective use of specialist expertise, they also dramatically expand the potential attack surface for malicious actors.

Cybersecurity in medical imaging has moved from being a niche IT consideration to a core patient safety issue. The confidentiality, integrity, and availability of imaging data are critical for accurate diagnosis and appropriate treatment. A ransomware attack that delays a CT scan for a suspected stroke patient can have life-altering consequences. Manipulation of image data — for example, inserting false lesions or removing genuine ones — could lead to unnecessary interventions, missed diagnoses, or deliberate concealment of conditions.

Furthermore, imaging data is a prime target for cybercriminals because of its value. A single imaging archive can contain hundreds of thousands of patient records, each with identifying details and medical histories. In black market terms, healthcare data can be more valuable than financial records because it can be exploited for identity theft, insurance fraud, and targeted scams.

Adding to the challenge, many imaging devices are high-value capital assets with operational lifespans of ten to fifteen years. Updating or replacing these systems is costly, and the regulatory burden for recertifying medical devices after software changes is significant. As a result, some scanners and workstations still run outdated or unsupported operating systems, making them vulnerable to known exploits. The complex vendor supply chains for imaging equipment also introduce risks, as a compromise at the manufacturing or software development stage can propagate into multiple healthcare environments.

Recognising these threats, regulators such as the UK’s Medicines and Healthcare products Regulatory Agency (MHRA) and the US Food and Drug Administration (FDA) have issued guidance emphasising security-by-design principles for medical devices. This includes secure coding practices, authenticated software updates, encryption of data at rest and in transit, and regular vulnerability assessment. International standards such as IEC 62443 (for securing industrial systems) and ISO 27799 (for health information security management) are increasingly applied in the imaging context.

In this review, we examine the major aspects of cybersecurity in medical imaging systems. We begin by mapping the threat landscape, from ransomware to image manipulation. We then explore the regulatory and compliance frameworks that govern imaging security in the UK, EU, and US. The technical safeguards section outlines best practices in securing imaging workflows, while the resilience and incident response section considers how to maintain services during cyber incidents. Finally, we assess emerging trends — including AI-related risks, cloud PACS challenges, and post-quantum encryption — to understand how imaging cybersecurity must evolve in the coming decade.

Threat Landscape in Medical Imaging Systems

The cyber threat environment facing medical imaging systems is multifaceted, with risks ranging from opportunistic malware infections to highly targeted and sophisticated attacks. Imaging infrastructure is attractive to attackers for three primary reasons: the sensitivity and value of the data it contains, its critical role in patient care, and the frequent presence of outdated or poorly secured components.

Ransomware and Operational Disruption

Ransomware is arguably the most visible and disruptive threat to healthcare systems in recent years, and imaging departments have been frequent casualties. These attacks encrypt local or network-hosted data and demand payment for its release, effectively paralysing services until systems are restored from backups or the ransom is paid.

In 2024, an NHS Trust in England experienced a ransomware attack that encrypted its PACS archives, rendering years of imaging data inaccessible. Stroke, trauma, and oncology cases were delayed as clinicians scrambled to find alternate diagnostic pathways. The lack of robust offline backups meant restoration took over a week, with some studies permanently lost. In another high-profile case in 2021, a major hospital in Ireland had to cancel hundreds of appointments after ransomware crippled its national healthcare network, including radiology systems.

These examples demonstrate that ransomware attacks on imaging systems are not merely IT problems but clinical emergencies. In time-critical conditions such as acute stroke, every minute without diagnostic imaging reduces the likelihood of a favourable outcome.

Image Manipulation and Integrity Attacks

While the availability of imaging data is crucial, its integrity is equally important. Emerging threats involve deliberate alteration of imaging data to mislead clinicians or manipulate outcomes. Proof-of-concept studies have shown that AI-based techniques can convincingly insert synthetic pathologies — such as lung nodules in CT scans — or remove genuine findings, with detection rates by radiologists being alarmingly low.

Such attacks could have devastating consequences if used to conceal a condition, falsify medical evidence in legal cases, or commit insurance fraud. Even the suspicion of such manipulation can undermine trust in imaging results and force costly re-examinations.

Vulnerabilities in Legacy Systems

Many imaging modalities have operational lifespans of a decade or more, during which the software environment may become increasingly outdated. For example, CT scanners still in active service may run Windows XP Embedded or early Linux kernels no longer supported with security patches. This makes them vulnerable to exploits that have long been public knowledge.

In one US case in 2021, an ultrasound machine connected to a hospital network was compromised via default manufacturer credentials. The device became a pivot point for attackers to explore other parts of the hospital network, although no patient data was ultimately stolen.

Modality-Specific Risks

Each imaging modality has unique cybersecurity considerations:

MRI scanners: Firmware manipulation could disrupt image acquisition or trigger hardware issues, including magnet quench events that are costly and dangerous.
CT scanners: Cyber intrusion could alter scan parameters, affecting radiation dose and image quality.
Ultrasound devices: Portable systems often rely on wireless connectivity, making them susceptible to interception and unauthorised access if encryption is not properly configured.
Nuclear medicine systems: These maintain dose schedules for radiopharmaceuticals, which, if altered, could result in unsafe administrations.

Network and Protocol Weaknesses

The DICOM protocol, while critical for interoperability, was not originally designed with encryption or strong authentication. Many PACS implementations still allow unencrypted DICOM transfers over hospital networks, meaning that without segmentation, malicious actors could intercept or alter image data in transit.

Threat Actor Motivations

The range of adversaries targeting imaging systems is diverse:

Cybercriminals: Motivated by financial gain through ransom payments or the sale of stolen data.
Hacktivists: Seeking to disrupt healthcare delivery to make political or ideological statements.
Nation-state actors: Interested in sensitive patient data, clinical research, or the potential to disrupt critical infrastructure.
Insiders: Employees or contractors with legitimate access who abuse their privileges for personal or financial motives.

The breadth of threats means that defences must be layered, combining prevention, detection, and response capabilities across technical, organisational, and procedural domains.

Regulatory and Compliance Frameworks

Cybersecurity for medical imaging systems is governed by a complex set of national laws, regional regulations, international standards, and professional guidelines. These frameworks define the minimum security measures required for both healthcare providers and device manufacturers, but they also increasingly push for a proactive, risk-based approach to managing cyber threats.

In the United Kingdom, the Data Protection Act 2018 enforces the principles of the EU General Data Protection Regulation (GDPR), even after Brexit. Under this law, personal data — which includes medical images — must be processed with “appropriate technical and organisational measures” to ensure confidentiality, integrity, and availability. Medical images fall under the category of special category data, which demands the highest level of protection.

Healthcare organisations must be able to demonstrate compliance through documented policies, regular risk assessments, and evidence of security controls such as encryption and access management. A breach involving medical imaging data must be reported to the Information Commissioner’s Office (ICO) within 72 hours of discovery. Non-compliance can lead to fines of up to £17.5 million or 4% of annual global turnover, whichever is higher.

UK Medical Devices Regulations (UK MDR)

The UK MDR, adapted from the EU Medical Device Regulation, applies to medical devices placed on the UK market, including imaging equipment. Cybersecurity is increasingly recognised as a safety and performance requirement. Manufacturers are expected to follow “security-by-design” principles, which involve:

Threat modelling during the design phase.
Secure coding practices.
Authenticated and integrity-checked software updates.
Vulnerability disclosure and patching procedures.

This approach ensures that security is not treated as an afterthought but is built into the device from the outset.

EU Medical Device Regulation (MDR 2017/745)

In the European Union, MDR 2017/745 includes similar provisions, requiring manufacturers to consider cybersecurity risks as part of their general safety and performance obligations. MDR goes further by mandating post-market surveillance, meaning that manufacturers must monitor device performance and security throughout its lifecycle.

US HIPAA and FDA Guidance

In the United States, the Health Insurance Portability and Accountability Act (HIPAA) sets national standards for protecting patient health information, including images. The HIPAA Security Rule specifies administrative, physical, and technical safeguards such as access controls, audit logs, and data encryption.

The US Food and Drug Administration (FDA) has issued specific cybersecurity guidance for medical devices, both premarket and post-market. The premarket guidance requires manufacturers to identify potential threats and describe security controls in their submissions. The post-market guidance emphasises coordinated vulnerability disclosure and timely updates to address new threats.

International Standards

A number of international standards are relevant to imaging cybersecurity:

IEC 62443: Developed for industrial automation, this framework is increasingly applied to healthcare networks, covering topics such as network segmentation and secure remote access.
IEC 60601 series: Primarily for electrical safety, with amendments addressing IT security requirements for medical electrical equipment.
ISO 27799: Provides guidance on applying information security management standards (ISO 27002) to healthcare environments.

These standards provide a common language for manufacturers, regulators, and healthcare providers to coordinate on security requirements.

Professional Body Guidelines

Professional organisations like the Royal College of Radiologists (RCR) and the American College of Radiology (ACR) publish best practice recommendations for securing PACS and imaging workflows. These guidelines often address operational concerns, such as enforcing strong user authentication, enabling encryption for data at rest and in transit, and maintaining audit logs of image access. While these recommendations are not legally binding, they carry significant weight and are often adopted as part of institutional policy.

Moving Beyond Compliance

While compliance is essential, it is only a baseline. Regulatory frameworks generally describe what needs to be done, not how to do it effectively. Cybersecurity in imaging requires going beyond minimum legal requirements to adopt best practices that reflect the fast-changing threat landscape. This includes continuous monitoring, staff training, proactive patching, and active collaboration between IT, clinical teams, and equipment manufacturers.

By integrating regulatory requirements with technical excellence and operational vigilance, healthcare providers can better protect imaging systems from the full spectrum of cyber threats.

Technical Safeguards and Best Practices

Protecting medical imaging systems from cyber threats requires a combination of layered technical controls, well-defined operational policies, and ongoing monitoring. While regulatory frameworks set the baseline, effective safeguards must address the specific vulnerabilities of imaging workflows, from image acquisition to storage and transmission.

Data Encryption at Rest and in Transit

Encryption is one of the most fundamental defences for protecting imaging data.

At rest: Images stored on PACS servers, local modality storage, or backup archives should use strong encryption algorithms such as AES-256. This prevents unauthorised parties from reading the data even if the physical storage medium is stolen or accessed without permission.
In transit: DICOM communications between modalities, PACS, and viewing workstations should be secured using protocols like Transport Layer Security (TLS 1.3). In cloud environments, all traffic must be encrypted, with certificate-based authentication between endpoints.

Without encryption, attackers who intercept network traffic could view or manipulate images in real time.

Network Segmentation and Isolation

Imaging systems should be logically separated from the general hospital network using VLANs or dedicated physical networks. This segmentation reduces the likelihood of a compromise spreading from an infected workstation or device in another department.

Firewalls should restrict communications to only the ports and IP addresses necessary for imaging operations.
Demilitarised zones (DMZs) can be used to securely connect external teleradiology services without exposing internal systems to direct internet traffic.

Segmentation also aids in monitoring, as unusual traffic between network zones can be a sign of compromise.

Access Control and Authentication

Strong access control is critical to prevent unauthorised use of imaging systems.

Role-based access control (RBAC): Users are granted the minimum permissions needed for their role. A radiographer may upload images but not delete them; a consultant radiologist may access the full archive but cannot alter system configurations.
Multi-factor authentication (MFA): Adds an extra layer of security for administrative accounts and remote access. This can prevent attackers from exploiting stolen passwords.

Shared accounts should be avoided, as they obscure accountability and hinder forensic investigation.

Securing the DICOM Protocol

The DICOM standard, while essential for interoperability, was not originally designed with security in mind. Common weaknesses include unencrypted data transfer and a lack of authentication between systems. To mitigate these risks:

Use DICOM over TLS to encrypt image data in transit.
Implement mutual authentication so that both the sending and receiving systems verify each other’s identity.
Disable unused DICOM services and ports to reduce the attack surface.

Patch and Update Management

Timely patching of operating systems, imaging software, and PACS applications is essential to close known vulnerabilities.

Digitally signed updates should be used to ensure the authenticity of software packages.
Scheduled maintenance windows should be coordinated with clinical teams to minimise disruption.
Legacy devices that cannot be patched should be isolated, monitored closely, and replaced as soon as feasible.

Monitoring and Intrusion Detection

Security monitoring tools can detect suspicious behaviour before it escalates into a serious incident.

Intrusion detection systems (IDS) and intrusion prevention systems (IPS) can identify malicious activity, such as repeated failed logins or unexpected network connections.
AI-based anomaly detection can establish baselines for normal activity and flag deviations, such as an unusually high number of image downloads from a single account.

Supply Chain Security

Imaging equipment and software often come from multiple vendors, creating supply chain risks. Healthcare providers should:

Assess vendors’ security policies during procurement.
Require vendors to disclose known vulnerabilities and provide patch timelines.
Ensure contractual agreements include security maintenance obligations.

Staff Training as a Technical Safeguard

While often considered an administrative control, regular staff training directly supports technical safeguards. Users must understand why access controls exist, how to identify phishing attempts, and the importance of reporting anomalies immediately.

By implementing these layered measures — encryption, segmentation, access control, secure protocols, timely patching, monitoring, and vendor management — healthcare providers can significantly reduce the risk of compromise in their imaging systems.

Resilience and Incident Response

Even the most secure medical imaging environment can be compromised. Attackers continually discover new vulnerabilities, and unforeseen operational failures can also disrupt services. For this reason, resilience — the ability to maintain or rapidly restore functionality — and a well-rehearsed incident response plan are as important as prevention.

Designing for High Availability

Medical imaging is a mission-critical service, particularly for acute care such as stroke, trauma, and emergency surgery. Downtime can have life-altering consequences. High-availability (HA) architectures aim to eliminate single points of failure:

Redundant PACS servers: Hosting mirrored databases across separate servers allows the system to continue operating if one fails.
Geographically distributed storage: Replicating archives across different sites reduces the risk of a single disaster taking all data offline.
Automatic failover: Systems should be configured to automatically redirect requests to a backup server without manual intervention.

By investing in HA infrastructure, hospitals can significantly reduce downtime during both cyber incidents and hardware failures.

Backup Strategies

Backups are the backbone of resilience. In ransomware incidents, they often provide the only route to recovery without paying the attacker. Best practice includes:

Immutable backups: Write-once, read-many (WORM) storage prevents backup files from being altered or encrypted by attackers.
Air-gapped copies: Physically or logically isolating backups from the network ensures they are unreachable to malware.
Regular testing: Backups should be restored periodically in a test environment to verify their integrity and completeness.

Backups should be taken frequently enough to meet Recovery Point Objectives (RPOs) — the maximum acceptable data loss measured in time.

Defining Recovery Objectives

Resilience planning must be guided by realistic targets:

Recovery Time Objective (RTO): The maximum acceptable time to restore service after an outage. For critical imaging systems, this may be measured in minutes, not hours.
Recovery Point Objective (RPO): The maximum acceptable period for which data might be lost. For acute care services, this might be no more than a few hours.

RTO and RPO targets should be agreed with clinical leadership, as they directly impact patient care priorities.

Building an Incident Response Plan

An effective incident response (IR) plan for imaging systems should include:

Detection and Verification: Confirming the nature and scope of the incident through logs, monitoring alerts, or staff reports.
Containment: Isolating affected systems to prevent spread. For example, taking a compromised PACS server offline while maintaining local access to images on modalities.
Eradication: Removing malicious code, closing vulnerabilities, and applying security patches.
Recovery: Restoring services from clean backups and revalidating integrity.
Post-Incident Review: Analysing root causes and improving defences to prevent recurrence.

Clear communication is essential during each stage, both between IT and clinical teams and with external partners such as equipment vendors or regulators.

Testing and Drills

Plans that exist only on paper are of limited value. Regular exercises are needed to ensure readiness:

Tabletop exercises: Simulated discussions of an incident scenario, testing decision-making and communication.
Live simulations: Controlled shutdowns or disconnects to test failover systems and restoration procedures under realistic conditions.

For example, a live drill might simulate a ransomware attack during peak outpatient scanning hours, requiring staff to switch to offline viewing systems and manually track scan requests until PACS access is restored.

Forensic Readiness

Imaging systems should be configured to retain detailed logs of user activity, system events, and network connections. This evidence is vital for:

Determining how the breach occurred.
Assessing whether data was stolen or altered.
Supporting regulatory investigations or legal proceedings.

By combining robust infrastructure, disciplined backup processes, clearly defined objectives, and well-practised response procedures, healthcare providers can minimise disruption to imaging services and reduce the impact of cyber incidents on patient care.

Emerging Trends and Future Directions

The cybersecurity landscape for medical imaging systems is evolving rapidly, driven by technological advances, regulatory changes, and the increasing sophistication of attackers. Healthcare providers must anticipate and adapt to these developments to protect patient safety and data integrity over the coming decade.

AI in Medical Imaging — New Capabilities, New Risks

Artificial intelligence (AI) is becoming deeply embedded in imaging workflows, from triaging urgent scans to automatically quantifying tumour volumes. However, these algorithms can be vulnerable to novel attack vectors:

Adversarial examples: Subtle pixel-level modifications to an image can cause an AI system to misclassify findings without being noticeable to the human eye. In a radiology setting, this could lead to a malignancy being ignored or a healthy scan being flagged for unnecessary intervention.
Model poisoning: If attackers can insert malicious data into an AI model’s training set, they can bias its outputs in targeted ways, potentially affecting patient care or clinical trials.
Inference attacks: By querying an AI system repeatedly, attackers may be able to reconstruct sensitive aspects of its training data, potentially revealing patient information.

To counter these risks, AI models should undergo adversarial testing during development, employ secure data pipelines for training, and be continuously monitored for anomalous outputs in production.

Cloud PACS — Balancing Accessibility and Security

Cloud-hosted PACS systems offer scalability, cost-effectiveness, and the ability to share images across sites and time zones. However, they introduce new security considerations:

Tenant isolation: In multi-tenant environments, strong logical separation is essential to prevent one customer’s compromise from affecting another’s.
Configuration management: Misconfigured cloud storage buckets have been responsible for numerous healthcare data leaks. Automated security configuration audits should be a standard feature.
Encryption key control: Ideally, healthcare providers should control their own encryption keys rather than relying solely on the cloud vendor, reducing the risk from insider threats or legal requests in other jurisdictions.

Cloud PACS vendors must demonstrate compliance with relevant regulations (such as GDPR and HIPAA) and offer clear service-level agreements for security incident response.

Edge Computing and Portable Imaging Devices

Portable ultrasound units, handheld X-ray devices, and mobile MRI solutions are becoming more common, especially in emergency medicine, rural healthcare, and battlefield medicine. These devices often perform some processing locally — a concept known as edge computing — before sending data to central servers.

While edge processing can reduce latency and dependence on network connectivity, it expands the attack surface:

Portable devices may connect over public or unsecured networks.
Physical theft of a device could expose stored data unless robust encryption and secure boot are in place.
Frequent movement between networks increases exposure to misconfigured or malicious access points.

Policies for mobile device management (MDM) should apply to portable imaging equipment, including encryption, remote wipe capabilities, and regular security patching.

Preparing for Post-Quantum Cryptography

Quantum computing poses a long-term but serious challenge to current cryptographic algorithms, particularly those based on RSA and elliptic curve cryptography (ECC). While large-scale quantum computers capable of breaking these algorithms do not yet exist, medical imaging data often needs to be retained securely for decades. This makes forward planning essential.

The US National Institute of Standards and Technology (NIST) is in the process of standardising post-quantum algorithms. Healthcare organisations — particularly those archiving sensitive imaging — should monitor these developments and plan migration strategies for their systems and archives.

Regulatory Evolution and Future Standards

Regulators are increasingly recognising cybersecurity as a patient safety issue. Likely future developments include:

Mandatory adversarial testing for AI-based diagnostic tools before regulatory approval.
Continuous vulnerability monitoring requirements for networked medical devices.
Coordinated vulnerability disclosure frameworks to streamline communication between security researchers, vendors, and regulators.
Cybersecurity labelling for medical devices to provide transparent information about security features and update policies.

In parallel, international standards bodies are updating frameworks like IEC 62443 and ISO 27799 to address cloud and AI-specific threats, helping to align best practices across borders.

By staying ahead of these trends — and building flexibility into both technical infrastructure and organisational policy — healthcare providers can maintain robust security as medical imaging technology continues to evolve.

Conclusion

Cybersecurity in medical imaging systems has shifted from being an IT concern to a critical component of patient safety, clinical reliability, and regulatory compliance. The increasing digital integration of modalities, PACS, AI tools, and cloud platforms has delivered significant benefits in diagnostic speed, accessibility, and multidisciplinary collaboration — but has also expanded the attack surface in ways that cybercriminals and other threat actors are actively exploiting.

The threat landscape is diverse. Ransomware can paralyse entire imaging services, delaying urgent care for conditions where minutes matter. Image manipulation threatens the integrity of diagnosis, while legacy systems and unsecured protocols create persistent vulnerabilities. These risks are amplified by the value of medical imaging data on illicit markets, where it is traded for use in identity theft, fraud, and targeted scams.

Regulatory frameworks in the UK, EU, and US have begun to reflect these realities, mandating security-by-design in medical device manufacturing and holding healthcare providers accountable for protecting sensitive patient data. Standards such as IEC 62443 and ISO 27799, combined with guidance from professional bodies like the Royal College of Radiologists (RCR) and the American College of Radiology (ACR), provide a blueprint for implementing robust controls — but compliance alone is not enough.

Effective defence requires layered technical safeguards: encryption of data at rest and in transit, network segmentation, strong access control, secure DICOM communication, timely patching, and continuous monitoring. These must be backed by organisational resilience — high-availability architectures, secure and tested backups, and an incident response plan that has been drilled under realistic conditions.

Looking forward, emerging technologies bring both opportunity and challenge. AI-based diagnostic tools can enhance accuracy but require protection against adversarial attacks and data poisoning. Cloud PACS improves accessibility yet demands stringent tenant isolation and encryption key management. Portable, edge-computing devices can extend care into new environments but increase the potential for physical compromise. Post-quantum cryptography, though years away from necessity, must already be on the radar for long-term data security planning.

Ultimately, securing medical imaging systems is not a one-off project but an ongoing process of adaptation. It requires collaboration between manufacturers, healthcare IT teams, clinical staff, regulators, and cybersecurity specialists. Only by embedding security into every stage of the imaging lifecycle — from design to decommissioning — can the sector safeguard patient trust, protect diagnostic integrity, and ensure that life-saving imaging services remain available when they are most needed.

Disclaimer: This article is for informational purposes only and does not constitute legal, regulatory, or technical advice. Readers should consult qualified professionals for guidance specific to their organisation’s cybersecurity and medical imaging systems. The author and publisher accept no responsibility for any loss, damage, or consequences arising from the use of information contained herein.

You are here: home » Cybersecurity in Medical Imaging Systems