
Ransomware Resilience: DICOM Backup and Zero Trust

Protecting medical imaging data and systems from ransomware attacks.
January 22, 2026, by Bill Roberts, Syncritech INC

A radiology practice loses access to its PACS on a Tuesday morning. The on-call radiologist cannot read the overnight studies. The reception staff cannot pull priors for the day's appointments. The clinic's IT contractor calls the backup vendor and learns that the nightly job has been failing for 11 weeks because someone rotated a service account password and nobody noticed. This is not a hypothetical. This is roughly half the radiology ransomware calls I have heard about over the last three years.

DICOM data is a uniquely bad ransomware target because the studies are large, the archive is long, and the operational tolerance for downtime is approximately zero.

Know what you are actually protecting

A modern CT study is 200 to 500 MB, and MRI studies run a similar size. A busy outpatient imaging center generates several hundred GB per week of net-new DICOM, and the archive (per state retention rules and the ACR's medical record guidance) sticks around for years. North Carolina, for instance, requires adult medical imaging to be retained 11 years after the last visit, and pediatric imaging until the patient turns 30. So you are not backing up "a database." You are backing up a slow-growing, multi-terabyte object store sitting on an NFS or SMB share that the PACS server reads from constantly.

This shapes everything downstream. You cannot afford to re-pull terabytes from cold cloud storage during an outage, and you cannot afford to lose any of it.

3-2-1-1-0, and why the second 1 is the one that matters

The textbook answer is 3 copies of the data, 2 different media, 1 offsite, 1 immutable, 0 errors on restore tests. Most clinics get to 3-2-1 and stop. The fourth digit is the one that survives ransomware.

Immutability in 2026 means object lock on S3-compatible storage with a retention period that the attacker cannot shorten, even with the backup admin's credentials. Wasabi Object Lock, Backblaze B2 with Object Lock, AWS S3 with Object Lock in compliance mode, or a Veeam Hardened Repository on a dedicated Linux host all qualify. Veeam, Rubrik, and Cohesity all support immutable repositories and DICOM-friendly throughput. Expect to pay roughly $5 to $7 per TB per month for the cold immutable tier; this is genuinely affordable insurance.

The "0 errors" part of 3-2-1-1-0 is the part everyone skips. Quarterly restore tests of a real study, end to end into a sandbox PACS, are the only thing that tells you the backup is real. The first time you find out it was not should not be the day a ransomware affiliate hits your file server.
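The three failure modes this section names (a nightly job failing silently, a backup copy whose lock can be shortened, a restore nobody has verified) are all scriptable checks. The following is an added example, not code from this post, from Syncritech or from any backup vendor: it parses constructed backup-job log lines to measure how long it has been since the last success, audits object-lock metadata shaped like an S3 HeadObject response (the key names mirror what boto3's `head_object` returns; the values here are constructed), and hashes a restored study tree against a SHA-256 manifest to produce the "0 errors" count. The log format, the file layout and the 30-day retention floor are assumptions made for the example.

```python
"""Added example (not Syncritech's or the post's code): scripted checks for 3-2-1-1-0.

stale_backup_report()  age of the last successful job, from assumed-format log lines
audit_object_lock()    flags copies not locked in COMPLIANCE mode or locked too briefly
verify_restore()       hashes a restored tree against a manifest; errors must be 0
"""
from __future__ import annotations

import hashlib
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

UTC = timezone.utc
NOW = datetime(2026, 1, 22, 8, 0, tzinfo=UTC)  # constructed "current time"

# Constructed sample log (assumed format: ISO timestamp, job name, status, detail).
SAMPLE_LOG = """\
2025-11-04T02:00:11Z pacs-archive SUCCESS 412GB transferred
2025-11-05T02:00:09Z pacs-archive FAILED auth: service account password rejected
2025-11-06T02:00:10Z pacs-archive FAILED auth: service account password rejected
2026-01-21T02:00:12Z pacs-archive FAILED auth: service account password rejected
"""


def stale_backup_report(log_text: str, now: datetime, max_age_days: int = 2) -> dict:
    """Age in days of the last SUCCESS line; stale when older than max_age_days."""
    last_success, failures_since = None, 0
    for line in log_text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) < 3:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=UTC)
        if parts[2] == "SUCCESS":
            last_success, failures_since = ts, 0
        else:
            failures_since += 1
    age = (now - last_success).days if last_success else None
    return {"last_success": last_success, "age_days": age,
            "consecutive_failures": failures_since,
            "stale": age is None or age > max_age_days}


# Constructed object metadata, keyed like boto3 head_object() results.
SAMPLE_OBJECTS = [
    {"Key": "pacs/2026-01-21.tar", "ObjectLockMode": "COMPLIANCE",
     "ObjectLockRetainUntilDate": NOW + timedelta(days=90)},
    {"Key": "pacs/2026-01-20.tar", "ObjectLockMode": "GOVERNANCE",
     "ObjectLockRetainUntilDate": NOW + timedelta(days=90)},
    {"Key": "pacs/2026-01-19.tar", "ObjectLockMode": "COMPLIANCE",
     "ObjectLockRetainUntilDate": NOW + timedelta(days=10)},
    {"Key": "pacs/2026-01-18.tar"},  # never locked at all
]


def audit_object_lock(objects: list[dict], now: datetime, min_retention_days: int) -> list[str]:
    """Flag copies whose lock an attacker holding admin credentials could shorten."""
    findings, floor = [], now + timedelta(days=min_retention_days)
    for obj in objects:
        mode = obj.get("ObjectLockMode")
        until = obj.get("ObjectLockRetainUntilDate")
        if mode != "COMPLIANCE":  # GOVERNANCE can be bypassed by a privileged user
            findings.append(f"{obj['Key']}: lock mode {mode or 'none'}, not COMPLIANCE")
        elif until is None or until < floor:
            ends = until.date().isoformat() if until else "unset"
            findings.append(f"{obj['Key']}: retention ends {ends}, "
                            f"inside the {min_retention_days}-day floor")
    return findings


def build_manifest(root: Path) -> dict[str, str]:
    """Relative path -> SHA-256 for every file under root, taken at backup time."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(restore_root: Path, manifest: dict[str, str]) -> dict:
    """Compare a restored tree against the manifest; a clean restore has no errors."""
    errors = []
    for rel, expected in manifest.items():
        path = restore_root / rel
        if not path.is_file():
            errors.append(f"missing {rel}")
        elif hashlib.sha256(path.read_bytes()).hexdigest() != expected:
            errors.append(f"hash mismatch {rel}")
    return {"checked": len(manifest), "errors": errors}


def demo_restore_check() -> tuple[int, int]:
    """Write a constructed two-file study, verify it, damage one file, verify again."""
    with tempfile.TemporaryDirectory() as d:
        study = Path(d) / "study-0001" / "CT"
        study.mkdir(parents=True)
        (study / "IM0001.dcm").write_bytes(b"DICM" + b"\x00" * 128)
        (study / "IM0002.dcm").write_bytes(b"DICM" + b"\x01" * 128)
        manifest = build_manifest(Path(d))
        clean = len(verify_restore(Path(d), manifest)["errors"])
        (study / "IM0002.dcm").write_bytes(b"\x00")  # simulate a truncated restore
        damaged = len(verify_restore(Path(d), manifest)["errors"])
    return clean, damaged


if __name__ == "__main__":
    print(stale_backup_report(SAMPLE_LOG, NOW))
    for finding in audit_object_lock(SAMPLE_OBJECTS, NOW, 30):
        print("LOCK", finding)
    print("restore errors (clean, damaged):", demo_restore_check())
```

On the constructed log the last success is 79 days old (about 11 weeks, the gap in the opening story) with three consecutive failures behind it; the stale flag is what should page someone, not the job's own failure emails, which were evidently already being ignored. The lock audit flags GOVERNANCE-mode and never-locked copies outright, because both can be shortened by someone with enough permissions, and a COMPLIANCE-mode copy whose retention expires inside the floor.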

Zero trust for PACS without buying a "zero trust platform"

Zero trust has been mangled into a marketing term, but the operational kernel is sound for radiology: assume the network is already compromised, authenticate every access, segment ruthlessly. For a small imaging practice that means a few specific things.

  • The PACS server and modalities live on their own VLAN, isolated from the workstation LAN. Modalities (especially older CT and MR consoles still on Windows 7 or 10 LTSC) cannot be patched and must be quarantined behind firewall rules that only permit DICOM ports to the PACS.
  • Phishing-resistant MFA on every account that touches the PACS, the backup console, and the EHR. Hardware keys (YubiKey 5 series, around $50) for the radiologists who hate it; passkeys for everyone else.
  • Admin interfaces (vendor remote support, the backup web UI, the firewall) are never exposed to the public internet. Cloudflare Access or Tailscale in front of them, full stop.
  • Backup credentials live in a separate identity tier from your domain admin. If the attacker pops a domain admin, they should still not be able to delete the immutable backup.

This maps cleanly to HIPAA technical safeguards (164.312(a) access control, 164.312(b) audit, 164.312(c) integrity) and to ISO 27001 Annex A controls A.8.13 (backup) and A.8.16 (monitoring). You are not adopting a new framework. You are doing the work the existing frameworks already asked for.
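The first bullet above, modality VLAN rules that only permit DICOM ports to the PACS, is something you can audit rather than trust. The following is an added example, not code from this post or from Syncritech: it walks a firewall rule table and reports every allow rule touching the modality VLAN that is not modality-to-PACS on a DICOM port (TCP 104 or 11112, the two IANA-registered DICOM ports), plus a missing trailing deny-all. The `Rule` shape, the addresses and the sample tables are assumptions for the example; a real export from your firewall would need a small adapter into that shape.

```python
"""Added example (not Syncritech's or the post's code): audit modality-VLAN firewall rules."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

DICOM_PORTS = {104, 11112}  # the two IANA-registered DICOM ports


@dataclass(frozen=True)
class Rule:
    src: str            # source CIDR
    dst: str            # destination CIDR
    proto: str          # "tcp", "udp" or "any"
    dport: int | None   # destination port, None = any
    action: str         # "allow" or "deny"


def audit_modality_rules(rules: list[Rule], modality_vlan: str, pacs_hosts: list[str]) -> list[str]:
    """One finding per rule that lets a modality talk to anything but the PACS over DICOM."""
    mod = ipaddress.ip_network(modality_vlan)
    pacs = [ipaddress.ip_network(h) for h in pacs_hosts]
    findings = []
    for i, r in enumerate(rules):
        src, dst = ipaddress.ip_network(r.src), ipaddress.ip_network(r.dst)
        if r.action != "allow" or not (src.overlaps(mod) or dst.overlaps(mod)):
            continue  # deny rules, and rules that never touch the modality VLAN, are out of scope
        label = f"rule {i} ({r.src} -> {r.dst} {r.proto}/{r.dport or 'any'})"
        if src.subnet_of(mod):  # outbound from a modality: PACS host, DICOM port, nothing else
            if not any(dst.subnet_of(p) for p in pacs):
                findings.append(f"{label}: destination is not a PACS host")
            elif r.proto != "tcp" or r.dport not in DICOM_PORTS:
                findings.append(f"{label}: not a DICOM port")
        else:  # source outside the VLAN reaching it, or a source wider than the VLAN
            findings.append(f"{label}: source is outside or wider than the modality VLAN")
    last = rules[-1] if rules else None
    if not (last and last.action == "deny"
            and ipaddress.ip_network(last.src).prefixlen == 0
            and ipaddress.ip_network(last.dst).prefixlen == 0):
        findings.append("table does not end with an explicit deny-all rule")
    return findings


# Constructed addressing: modality VLAN 10.20.0.0/24, single PACS host 10.10.0.5.
MODALITY_VLAN = "10.20.0.0/24"
PACS_HOSTS = ["10.10.0.5/32"]

GOOD_RULES = [
    Rule("10.20.0.0/24", "10.10.0.5/32", "tcp", 104, "allow"),
    Rule("10.20.0.0/24", "10.10.0.5/32", "tcp", 11112, "allow"),
    Rule("0.0.0.0/0", "0.0.0.0/0", "any", None, "deny"),
]

BAD_RULES = [
    Rule("10.20.0.0/24", "10.10.0.5/32", "tcp", 104, "allow"),
    Rule("10.20.0.0/24", "10.10.0.0/24", "tcp", 3389, "allow"),  # RDP to the whole PACS subnet
    Rule("10.30.0.0/24", "10.20.0.0/24", "tcp", 445, "allow"),   # workstation LAN into modalities
    Rule("10.20.0.0/24", "0.0.0.0/0", "udp", 53, "allow"),       # modalities out to anywhere
    Rule("10.20.0.0/24", "10.10.0.5/32", "tcp", 104, "allow"),   # and no trailing deny-all
]

if __name__ == "__main__":
    for name, table in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        print(name, audit_modality_rules(table, MODALITY_VLAN, PACS_HOSTS) or ["clean"])
```

Run this against the table before and after every vendor-requested firewall change; the unpatched Windows 7 consoles the bullet mentions are only safe while the findings list stays empty.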

If a third party reading this would help, Syncritech runs PACS-aware backup and segmentation reviews for small imaging practices and ambulatory clinics; the goal is a restore you have actually tested, not a new logo on the org chart.
