Varist launches DICOM engine to spot hidden malware
Sat, 20th Jun 2026
Varist has launched a DICOM Detection Engine for medical imaging and electronic health record infrastructure, aimed at healthcare communications networks and file transfers used in PACS and EHR environments.
The Icelandic cybersecurity company said the product was built to detect malware hidden in medical imaging files and related healthcare data formats, including threats that conventional scanners and sandboxing tools can miss.
Healthcare providers have become a frequent target for cybercriminals, and imaging systems are drawing closer scrutiny because they handle large volumes of files and rely on specialist protocols. Processing millions of files each day, these environments can create an opening for malware concealed in file headers or image data.
The engine is designed for DICOM, HL7 and FHIR, three formats widely used across medical imaging and electronic health record systems. It can scan files as large as 3GB and inspect the full file rather than only selected sections.
Varist described one risk as the modification of image headers so files can act as executables and deliver malicious payloads. It added that the system simulates the behaviour of suspicious files to identify previously unseen exploits that do not appear in malware signature databases.
The issue has gained prominence after a series of healthcare breaches. Varist pointed to the SimonMed Imaging incident, in which the Medusa ransomware group stole 200GB of data, including medical scans, affecting more than 1.2 million patients.
That case has heightened concern that radiological files and related records can be used in double-extortion attacks, in which criminals both steal data and demand payment to prevent publication. More broadly, more than 9.6 million individuals were affected by healthcare breaches in the first two months of the year, according to figures cited by Varist.
Technical focus
The new engine sits within Varist's wider Hybrid Detection Engine platform. Each instance can process about 500 files a second, while suspicious files can be analysed in under 9 milliseconds, with a false positive rate of less than 0.001%, according to the company.
Unlike security tools that rely chiefly on known signatures, the platform combines file scanning with real-time simulation of suspicious behaviour. That approach is intended to identify both known malware and zero-day threats as they move through healthcare communications systems.
Organisations can also deploy the technology locally rather than sending files to public cloud infrastructure for analysis. That matters in healthcare settings, where patient privacy and regulatory obligations can restrict the movement of sensitive data.
PACS and EHR systems have long been central to hospital operations, linking imaging modalities such as X-rays, CT and PET scans, MRIs and ultrasounds with storage, retrieval and clinical workflows. A compromise in those systems can therefore affect not only data security but also the availability of information used in patient care.
Varist argued that medical imaging presents a distinct security problem because malware can be embedded in parts of files that traditional tools may not inspect. Its system scans image data regions as well as metadata and file headers.
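A minimal header check for the risk described above, where a file header is altered so an imaging file can also act as an executable. This is an added example, not Varist's engine or code from the article. It assumes the standard DICOM Part 10 layout (a 128-byte preamble followed by the prefix "DICM"); the function names, verdict labels and sample byte strings are constructed for illustration.

```python
import struct

PREAMBLE_LEN = 128  # DICOM Part 10 files: 128-byte preamble, then b"DICM"
EXEC_MAGICS = {b"MZ": "PE/DOS", b"\x7fELF": "ELF", b"#!": "script"}
TIFF_MAGICS = (b"II*\x00", b"MM\x00*")  # dual DICOM/TIFF files, a known benign use


def has_pe_header(data: bytes) -> bool:
    """Follow e_lfanew (offset 0x3C of the DOS header) to a 'PE\\0\\0' signature."""
    (offset,) = struct.unpack_from("<I", data, 0x3C)
    return data[offset:offset + 4] == b"PE\x00\x00"


def inspect_dicom_header(data: bytes) -> dict:
    """Classify the preamble of a file that claims to be DICOM."""
    if data[PREAMBLE_LEN:PREAMBLE_LEN + 4] != b"DICM":
        return {"is_dicom": False, "verdict": "reject", "reason": "no DICM prefix at offset 128"}
    preamble = data[:PREAMBLE_LEN]
    if preamble == bytes(PREAMBLE_LEN):
        return {"is_dicom": True, "verdict": "ok", "reason": "zeroed preamble"}
    if preamble[:4] in TIFF_MAGICS:
        return {"is_dicom": True, "verdict": "review", "reason": "TIFF header in preamble"}
    for magic, name in EXEC_MAGICS.items():
        if preamble.startswith(magic):
            detail = f"{name} magic in preamble"
            if magic == b"MZ" and has_pe_header(data):
                detail += ", e_lfanew resolves to a PE signature"
            return {"is_dicom": True, "verdict": "quarantine", "reason": detail}
    return {"is_dicom": True, "verdict": "review", "reason": "non-zero preamble, unknown content"}


def _sample(preamble: bytes, tail: bytes = b"") -> bytes:
    """Build a constructed test input: padded preamble + DICM prefix + tail."""
    return preamble.ljust(PREAMBLE_LEN, b"\x00") + b"DICM" + tail


# Constructed samples (magic bytes only, not real images or programs).
CLEAN = _sample(b"")
# MZ at 0, e_lfanew=0x90 at 0x3C, and a bare "PE\0\0" marker placed at 0x90.
DOS_STUB = b"MZ".ljust(0x3C, b"\x00") + struct.pack("<I", 0x90)
POLYGLOT = _sample(DOS_STUB, tail=b"\x00" * (0x90 - 132) + b"PE\x00\x00")
NOT_DICOM = b"\x89PNG\r\n\x1a\n" + bytes(200)

if __name__ == "__main__":
    for name, blob in [("clean", CLEAN), ("polyglot", POLYGLOT), ("png", NOT_DICOM)]:
        print(name, inspect_dicom_header(blob))
```

A check like this covers only the first 132 bytes; it does not inspect metadata elements or pixel data, which the article says the engine also scans.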
Siggi Petursson, Chief Technology Officer at Varist, said the company sees imaging files as an increasingly attractive route for attackers. "A picture is worth a thousand words, especially when lives depend on it, and threat actors may be looking to use that to their advantage," Petursson said.
He said the product was designed to address evasive threats without disrupting healthcare operations. "Varist's specialized detection for healthcare environments finds new self-evolving threats designed to evade detection by conventional systems, without adding delays or compromising patients' care and privacy," Petursson said.