Blue Goat Cyber logoBlue Goat CyberSMMedical Device Cybersecurity
    K
    Premarket · Imaging & AI/SaMD

    Medical Device Penetration Testing for Imaging AI & SaMD

    Penetration testing for imaging AI and SaMD - DICOM ingestion, model inference paths, cloud APIs, and PACS integration. FDA-aligned for AI/ML SaMD submissions.

    Last reviewed March 2026 · Reviewed against the FDA Feb 3, 2026 final premarket cybersecurity guidance.

    How this applies to Imaging & AI/SaMD

    Imaging AI and SaMD devices are software products that present as cloud services or PACS-integrated workstations, and their attack surface is mostly cloud, mostly DICOM, and mostly model-adjacent. The naive pen test treats them as web apps. The right pen test treats them as a pipeline: DICOM in → preprocessing → model inference → results out → PACS / EHR. Each hop has its own failure modes, and reviewers under FDA's evolving AI/ML guidance expect to see the whole pipeline modeled.

    We test the DICOM ingestion path for malformed-tag handling (the historic source of imaging zero-days), C-STORE vs. STOW-RS authentication, and whether the de-identification step can be bypassed. On the model side we evaluate the inference path for adversarial-input behavior at the boundaries that matter clinically (not academic adversarial examples - clinically plausible perturbations the device must reject or flag), prompt-injection-style bypasses for any LLM-augmented reporting, and whether confidence/uncertainty outputs can be manipulated to suppress flags. We test cloud APIs for tenancy isolation across hospital customers (the most common high-severity finding in this segment), service-account scope creep, and storage permissions on intermediate buffers. Finally, the results-write path: how does the device write back to PACS, who can spoof results, and what audit trail survives a compromise? Findings are mapped to FDA's AI/ML PCCP expectations and ANSI/AAMI SW96.

    Attack surface

    Layers we exercise in this engagement

    The imaging & ai/samd system, from the outermost cloud and clinician surfaces down to the device itself. Highlighted layers are exercised by this medical device penetration testing.

    1. 01Hospital PACS
    2. 02Ingress DICOM listener Tested
    3. 03Inference container Tested
    4. 04Model weights Tested
    5. 05DICOM SR writeback Tested
    6. 06Clinician web UI Tested

    Layers shown outermost (top) to innermost (bottom). Dashed rows are part of the surrounding system but out of scope for this view.

    How the engagement runs

    Medical Device Penetration Testing engagement, end to end

    Four phases, fixed fee, scoped to imaging & ai/samd architecture from kickoff onward.

    1. 01

      Scope + kickoff

      Architecture review, attack-surface walkthrough, and threat-model alignment with your team. Written scope in 24 hours.

    2. 02

      Threat-model alignment

      Every STRIDE entry in your threat model is matched to a planned test case so reviewers see one-to-one coverage.

    3. 03

      Test execution

      Device, cloud, mobile, BLE/RF, and OTA channels exercised in parallel by senior engineers - not a single web-app scan.

    4. 04

      Reviewer-ready report + retest

      eSTAR-format report with findings, CVSS, remediation, and unlimited retests until every finding is closed.

    Common findings

    What we see in Imaging & AI/SaMD medical device penetration testing

    The patterns we hit in this segment, this service, again and again.

    • Cross-tenant data leak via shared inference cache

      Inference results keyed by hash of pixel data. Two hospitals with the same study (rare but possible - phantom QA) saw each other's results.

    • DICOM C-STORE accepted without TLS or authentication

      On-prem appliance variant exposed default DICOM AE on port 104, no association-level auth. Anyone on the hospital VLAN could push studies into the inference queue.

    • Model output writeback to PACS accepts spoofed source

      DICOM SR (Structured Report) writeback uses a fixed AE title for the AI device. Any host that takes that AE title can push fake AI findings to the radiologist worklist.

    • Confidence-suppression via crafted metadata

      Specific combinations of acquisition metadata cause the model to short-circuit and emit max-confidence 'normal' without inferring. Documented model-card behavior, undocumented security implication.

    • Service-account broad S3 IAM

      Inference workers' role grants list/get on the entire studies bucket, not just the current job's prefix. A compromised worker reads every customer's pending studies.

    Notable incidents

    Public imaging & ai/samd cybersecurity history

    Recalls, CISA ICS-MA advisories, and disclosed research that shape what reviewers ask about in this segment - and what our scope is built to cover.

    • Independent research·2019

      DICOM protocol preamble / file format research (PE-in-DICOM)

      Researchers demonstrated executable code could be embedded in DICOM file preambles, surviving PACS ingestion. Reinforced the need to treat the DICOM listener as a hostile-input boundary, not a trusted intra-hospital protocol.

    • NVD·2020-2024

      Orthanc and DICOM toolkit CVEs

      A steady stream of CVEs in open-source DICOM toolkits commonly embedded in imaging-AI containers. Drives the need for an accurate SBOM plus per-CVE VEX, not a one-time pen test alone.

    "Blue Goat Cyber takes the burden off our engineers and makes FDA cybersecurity requirements easy to understand. Their expertise and smooth process mean we can focus on our product, not the paperwork. The organized documentation, perfectly formatted for eSTAR, saves us countless hours."
    Amy Lynn
    Amy Lynn
    Chief Compliance Officer · Medivis
    What you get

    Standard Medical Device Penetration Testing deliverables

    The same deliverables the parent Medical Device Penetration Testing service ships with - tuned to your imaging & ai/samd architecture.

    • Device, firmware, and embedded testing - hardware teardown, JTAG/UART/SPI bus access, firmware extraction and reverse engineering, and exploitation of the secure boot, debug, and update paths. Done by operators who have tested infusion pumps, monitors, surgical robots, and implantables.
    • Companion app and cloud API coverage - iOS/Android binary analysis, BLE pairing/GATT attacks, REST/MQTT/gRPC fuzzing, authentication and authorization testing, and tenant-isolation checks. We test the device as patients and clinicians actually use it, not in isolation.
    • FDA-ready penetration test reports - executive summary, methodology, CVSS-scored findings tied to your threat model, reproduction steps, and a Letter of Attestation formatted to the FDA's 2026 premarket guidance. Reviewer-ready, not a generic IT security PDF.
    • Remediation guidance and re-test included - written fix recommendations per finding, engineer-to-engineer support during remediation, and unlimited re-tests of fixed issues inside the fixed fee. You leave with a clean report, not a list of open items.
    Deliverable preview

    What lands in your eSTAR submission

    Reviewer-format documents ready to drop straight into the cybersecurity attachments of your submission - no reformatting on your side.

    Sample
    Medical Device Penetration Testing
    for Imaging & AI/SaMD
    eSTAR · 524B · AAMI SW96
    • Device, firmware, and embedded testing - hardware teardown, JTAG/UART/SPI bus access, firmware extraction and reverse engineering, and exploitation of the secure boot, debug, and update paths. Done by operators who have tested infusion pumps, monitors, surgical robots, and implantables.
    • Companion app and cloud API coverage - iOS/Android binary analysis, BLE pairing/GATT attacks, REST/MQTT/gRPC fuzzing, authentication and authorization testing, and tenant-isolation checks. We test the device as patients and clinicians actually use it, not in isolation.
    • FDA-ready penetration test reports - executive summary, methodology, CVSS-scored findings tied to your threat model, reproduction steps, and a Letter of Attestation formatted to the FDA's 2026 premarket guidance. Reviewer-ready, not a generic IT security PDF.
    • Remediation guidance and re-test included - written fix recommendations per finding, engineer-to-engineer support during remediation, and unlimited re-tests of fixed issues inside the fixed fee. You leave with a clean report, not a list of open items.
    Standards

    Standards that apply

    The Imaging & AI/SaMD baseline, plus the call-outs that matter for medical device penetration testing in this segment.

    FDA 2026 Premarket Cyber Guidance
    AAMI SW96
    AAMI CR34971
    ISO/IEC 27001
    IEC 62304

    Segment-specific call-outs

    FDA AI/ML PCCP guidance

    Your Predetermined Change Control Plan is a security boundary, not just a regulatory one. We check that the model-update path can't be hijacked to ship an unapproved model under cover of an approved PCCP change.

    DICOM PS3.15 (Security Profiles) and ANSI/AAMI SW96

    DICOM has security profiles; most products don't enable them. Reviewers are starting to ask why not.

    Honest scoping

    What's not in scope

    We scope tightly on purpose. These items are either out-of-scope by design or belong in a separate engagement - we'll tell you up front, not after kickoff.

    • Hospital enterprise IT network penetration testing
    • Clinical efficacy or human-factors validation
    • Physical security of manufacturing sites
    • Source-code review (unless explicitly added as a separate engagement)
    FAQs

    Medical Device Penetration Testing for Imaging & AI/SaMD - FAQs

    The questions buyers in this segment actually ask before scoping a medical device penetration testing engagement.

    Related reading

    Go deeper on Imaging & AI/SaMD and premarket

    Guide
    10 Reasons Cybersecurity Vendors Fail MedTech

    A practical, ungated buyer's guide for medical device manufacturers evaluating cybersecurity partners, what goes wrong, why it costs you, and what to demand from your next engagement. Aligned to the FDA February 2026 premarket guidance.
    Guide
    12 Critical Findings from Medical Device Pen Tests

    The most common high- and critical-severity findings we surface in medical device penetration tests, what each one looks like in the field, and how to fix it before your FDA submission.
    Guide
    12 Critical Threat-Modeling Gaps in Submissions

    A practical, ungated guide to the threat modeling gaps that trigger FDA cybersecurity questions in 510(k), De Novo, and PMA submissions - and exactly how to close them before reviewers find them.
    Article
    FDA Cybersecurity Failure Consequences for Medical Devices

    What happens if you fail an FDA cybersecurity inspection: the 483-to-consent-decree enforcement ladder and the commercial fallout for device makers.
    Article
    Does FDA Section 524B Apply to Legacy Devices?

    FDA Section 524B applies to any new premarket submission for a cyber device, including legacy platforms. What attaches, what postmarket rules cover the rest.
    Article
    SPDF vs SSDLC: What Medtech Teams Get Wrong

    SPDF vs SSDLC for medical devices. Why the FDA's Secure Product Development Framework demands more than a standard Secure SDLC, and what to add.

    Pair this with

    Other engagements for Imaging & AI/SaMD

    Teams in this segment commonly bundle these alongside medical device penetration testing.

    Keep going

    Medical Device Penetration Testing · Imaging & AI/SaMD

    Scope a Medical Device Penetration Testing engagement for your imaging & ai/samd program.

    A 30-minute call with a senior engineer who has done this in imaging & ai/samd before - not a sales rep.