
Special Topics in Security and Privacy of Medical Information (lecture 6 slides, cs.jhu.edu/~sdoshi/jhuisi650/slides_pdf/lecture6.pdf)


Page 1

Special Topics in Security and Privacy of Medical Information

Sujata Garera

This unit
- DICOM
- Medical images
- Watermarking techniques
- Medical grids

DICOM: Digital Imaging and Communications in Medicine
- Image format
- Data transfer, storage and display protocol
- Set of standards

PACS: Picture Archiving and Communication Systems
- Medical systems (hardware and software) designed and used to run digital medical imaging

Analogy to PACS
- Play with your digital camera (modality), store the images on your computer (archive) and send them to your friends (reviewers)
- PACS brings the DICOM standard to life

Page 2

A typical PACS system

DICOM: A universal standard of digital medicine
- Why is this necessary?
- Excellent image quality: e.g. 65536 shades of gray are supported, important for good diagnostic reading
- Full support for numerous image acquisition parameters and different data types

DICOM: Complete encoding of medical data
- 2000 standardized attributes used to capture all aspects of radiology for accurate diagnostics
- Clarity in describing digital imaging devices and their functionality - the backbone of any medical imaging project

Page 3

DICOM lingo
- All real world data (patients, studies etc.) are viewed as DICOM objects with respective properties
- Definitions are standardized according to DICOM Information Object Definitions (IODs)

DICOM lingo

DICOM lingo
- Data captured as DICOM data attributes can be transmitted and processed between various DICOM devices and software
- DICOM applications provide services to one another
- Each service type is typically associated with IODs: Service Object Pairs (SOPs)

Page 4

DICOM lingo

DICOM file
- Bytes 129 to 132 should read DICM
- The 1.2.840 .. prefix is used in all standard DICOM UID strings
- Dates follow the YYYYMMDD format
- Strings can be easily guessed based on their content

DICOM file

Page 5

DICOM file
- MR and CT images are typically 256x256 or 512x512
- Use either 1 or 2 bytes per pixel
- One can determine the actual size of an image matrix by looking at the file size
- The image can be edited or replaced easily once we know its size
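The file-format facts on pages 4 and 5 (the DICM marker at bytes 129-132, the 1.2.840 UID prefix, YYYYMMDD dates, and the fixed relation between matrix size, bytes per pixel and pixel-data length) are exactly what a receiving system can check before trusting a file. The following is an added example, not code from the slides: a minimal Explicit VR Little Endian parser plus a checker, run over a constructed sample file. The sample omits the group 0002 file meta header that a real Part 10 file carries, and the parser does not handle undefined-length elements; both are stated assumptions to keep the example short.

```python
import struct
from datetime import datetime

# VRs whose length field is 4 bytes after 2 reserved bytes (Explicit VR LE);
# every other VR carries a 2-byte length.
LONG_VRS = {b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN"}
TYPICAL_MATRICES = [(256, 256), (512, 512)]   # slide: MR/CT are usually 256x256 or 512x512

def encode_element(group, element, vr, value):
    """Encode one data element as Explicit VR Little Endian: tag, VR, length, value."""
    tag = struct.pack("<HH", group, element)
    if vr in LONG_VRS:
        return tag + vr + b"\x00\x00" + struct.pack("<I", len(value)) + value
    return tag + vr + struct.pack("<H", len(value)) + value

def build_sample_file(rows=256, cols=256, bytes_per_pixel=2, pixel_bytes=None, study_date=b"20240131"):
    """Constructed sample, not a real study: 128-byte preamble, 'DICM', a few elements.
    Simplification: the group 0002 file meta header is omitted. pixel_bytes lets a
    caller build a file whose pixel data does not match the declared matrix."""
    if pixel_bytes is None:
        pixel_bytes = rows * cols * bytes_per_pixel
    body = b"".join([
        encode_element(0x0008, 0x0016, b"UI", b"1.2.840.10008.5.1.4.1.1.4\x00"),  # SOP Class UID, NUL-padded to even length
        encode_element(0x0008, 0x0020, b"DA", study_date),                        # Study Date, YYYYMMDD
        encode_element(0x0010, 0x0010, b"PN", b"SMITH^JOE "),                     # Patient's Name, space-padded
        encode_element(0x0010, 0x0020, b"LO", b"1234567 "),                       # Patient ID
        encode_element(0x0028, 0x0010, b"US", struct.pack("<H", rows)),           # Rows
        encode_element(0x0028, 0x0011, b"US", struct.pack("<H", cols)),           # Columns
        encode_element(0x0028, 0x0100, b"US", struct.pack("<H", 8 * bytes_per_pixel)),  # Bits Allocated
        encode_element(0x7FE0, 0x0010, b"OW", bytes(pixel_bytes)),                # Pixel Data (all zeros)
    ])
    return bytes(128) + b"DICM" + body

def has_dicm_magic(data):
    """Bytes 129-132 (offset 128) of a DICOM Part 10 file must read 'DICM'."""
    return len(data) >= 132 and data[128:132] == b"DICM"

def parse_elements(data):
    """Walk an Explicit VR Little Endian stream; return {(group, element): (vr, raw value)}."""
    elements = {}
    pos = 132 if has_dicm_magic(data) else 0
    while pos + 8 <= len(data):
        group, element = struct.unpack_from("<HH", data, pos)
        vr = data[pos + 4:pos + 6]
        if vr in LONG_VRS:
            (length,) = struct.unpack_from("<I", data, pos + 8)
            pos += 12
        else:
            (length,) = struct.unpack_from("<H", data, pos + 6)
            pos += 8
        if length == 0xFFFFFFFF:
            raise ValueError("undefined-length elements are not handled by this simplified parser")
        if pos + length > len(data):
            raise ValueError("truncated element at offset %d" % pos)
        elements[(group, element)] = (vr, data[pos:pos + length])
        pos += length
    return elements

def infer_matrix(pixel_bytes):
    """Candidate (rows, cols, bytes per pixel) combinations whose size equals the pixel data length."""
    return [(r, c, bpp) for r, c in TYPICAL_MATRICES for bpp in (1, 2) if r * c * bpp == pixel_bytes]

def check_file(data):
    """Return a list of findings; an empty list means the file passed every check."""
    if not has_dicm_magic(data):
        return ["missing DICM magic at bytes 129-132"]
    findings = []
    elements = parse_elements(data)
    sop_class = elements.get((0x0008, 0x0016))
    if sop_class and not sop_class[1].rstrip(b"\x00").startswith(b"1.2.840"):
        findings.append("SOP Class UID lacks the standard 1.2.840 prefix")
    study_date = elements.get((0x0008, 0x0020))
    if study_date:
        try:
            datetime.strptime(study_date[1].decode("ascii").strip(), "%Y%m%d")
        except ValueError:
            findings.append("Study Date is not in YYYYMMDD format")
    rows = struct.unpack("<H", elements[(0x0028, 0x0010)][1])[0]
    cols = struct.unpack("<H", elements[(0x0028, 0x0011)][1])[0]
    bpp = struct.unpack("<H", elements[(0x0028, 0x0100)][1])[0] // 8
    actual = len(elements[(0x7FE0, 0x0010)][1])
    if actual != rows * cols * bpp:
        findings.append("pixel data is %d bytes, expected %d for %dx%d at %d byte(s)/pixel; size fits %s"
                        % (actual, rows * cols * bpp, rows, cols, bpp, infer_matrix(actual)))
    return findings
```

A PACS gateway that runs such checks on every inbound object catches the cheap manipulations the slide describes (a swapped or truncated pixel buffer, a header whose declared matrix no longer matches the data) without any specialized software; it does not replace the signature-based integrity discussed on later pages, since a consistent file is not the same as an authentic one.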

DICOM hacking
- Without any specialized software:
- Compromise confidential information
- Compromise integrity of the DICOM data

Securing your DICOM data
- Secure the entire medical image workflow
- All medical images should reside on a separate dedicated server
- Critical data should be backed up
- This server should not be shared with other enterprises
- External connections should go through a VPN
- Computers should be behind a firewall

Page 6

Securing DICOM data
- Data remains protected within the network
- You may have to send the data out of the network, say for a second opinion
- How should you protect it in that case?

Anonymization
- Remove confidential entries from DICOM files
- Irreversible process: original data cannot be recovered from the anonymized version
- Could lead to loss of important clinical information
- HIPAA identifies 18 attributes as confidential: name, location, dates, telephone numbers, fax numbers, email addresses, SSNs, medical record numbers, health plan beneficiary numbers, account numbers, certificate/license numbers, vehicle identifiers, device identifiers, web URLs, IP addresses, biometric identifiers, photographs, any unique identifying characteristic or code

Anonymization
- DICOM anonymizers keep the list of confidential attributes
- Some anonymizers would automatically remove these private fields
- Patient ID is confidential but is also a required attribute by DICOM. Should replace the ID rather than remove it.

Page 7

Anonymization
- How about instead removing the original data from public display and placing it into proprietary DICOM tags? Is this good enough?

Anonymization
- Say Patient ID is 1234567 and the software replaced it with a randomly generated value w04_ejF9h. Is our mission accomplished?

Anonymization
- Some attributes are necessary for the clinical diagnosis: Age, Weight
- Removing these would result in loss of clinical information
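The anonymization rules on pages 6 and 7 (keep a list of confidential attributes, replace the required Patient ID instead of deleting it, do not trust a value that has merely moved into a proprietary tag, preserve Age and Weight) can be written down as a small attribute-list anonymizer with a post-check. This is an added example, not a tool from the slides or a real anonymizer: the dataset is a constructed dict of standard DICOM tag numbers, the hospital key is a placeholder, and the choice of an HMAC-based pseudonym instead of the slide's random w04_ejF9h is the author's design choice, explained in the comments.

```python
import hashlib
import hmac

# Constructed dataset, not a real patient: DICOM tag (group, element) -> value.
SAMPLE = {
    (0x0008, 0x0080): "EXAMPLE HOSPITAL",   # Institution Name (location)
    (0x0008, 0x0090): "DOE^JANE",           # Referring Physician's Name
    (0x0010, 0x0010): "SMITH^JOE",          # Patient's Name
    (0x0010, 0x0020): "1234567",            # Patient ID (required by DICOM)
    (0x0010, 0x0030): "19650412",           # Patient's Birth Date
    (0x0010, 0x1010): "058Y",               # Patient's Age: clinically needed
    (0x0010, 0x1030): "82.5",               # Patient's Weight: clinically needed
    (0x0010, 0x2154): "4105551234",         # Patient's Telephone Numbers
    (0x0009, 0x1001): "SMITH^JOE",          # private tag (odd group): vendor's own copy of the name
}

# The anonymizer keeps a list of confidential attributes (HIPAA categories mapped to tags).
REMOVE = {
    (0x0008, 0x0080), (0x0008, 0x0090), (0x0010, 0x0010), (0x0010, 0x0030), (0x0010, 0x2154),
}
REPLACE = {(0x0010, 0x0020)}                 # required attribute: replace, do not remove
KEEP_CLINICAL = {(0x0010, 0x1010), (0x0010, 0x1030)}

def pseudonym(patient_id, key):
    """Keyed pseudonym (HMAC-SHA256, truncated). Deterministic, so two studies of one
    patient still link; not recoverable from the token without the key, which stays
    with the hospital. A plain hash would not do: 7-digit IDs are few enough to test
    one by one against the token."""
    return hmac.new(key, patient_id.encode("ascii"), hashlib.sha256).hexdigest()[:16]

def anonymize(dataset, key):
    """Apply the attribute list. Private (odd-group) tags are dropped wholesale because
    vendors copy identifying data into them; moving a name there hides nothing."""
    out = {}
    for tag, value in dataset.items():
        group, _ = tag
        if group % 2 == 1 or tag in REMOVE:
            continue
        if tag in REPLACE:
            out[tag] = pseudonym(value, key)
        else:
            out[tag] = value
    return out

def residual_identifiers(dataset, original):
    """Post-check: confidential tags still present, private tags still present, or an
    original identifying value that survived by being copied to some other tag."""
    identifying_values = {original[t] for t in REMOVE | REPLACE if t in original}
    leaked = set()
    for tag, value in dataset.items():
        if tag in REMOVE or tag[0] % 2 == 1 or value in identifying_values:
            leaked.add(tag)
    return leaked

def clinical_attributes_kept(dataset):
    """Age and Weight must survive, or the image loses its diagnostic context."""
    return all(tag in dataset for tag in KEEP_CLINICAL)
```

Running residual_identifiers on a dataset where only the Patient ID was swapped for w04_ejF9h, with name, birth date and the private tag left in place, returns a non-empty set, which is the answer to the slide's "Is our mission accomplished?": replacing one field is not anonymization while the rest of the record still identifies the patient. The check also catches a value that merely moved into a proprietary tag, and nothing here addresses identifiers burned into the pixels themselves, which page 8 raises next.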

Page 8

Anonymization
- Ultrasound images contain proprietary information (name, ID, birth date) not only in DICOM tags but within the image itself

Encryption
- Convert plaintext to another code (ciphertext) which cannot be understood without a key
- Reversible process

Encryption
- Consider patient name SMITH^JOE
- Replace each letter by the letter that follows: TNJUI^KPF
- Is this secure?

Page 9

Encryption
- What if you use a substitution A=Z, B=Y ... Z=A
- Is this secure?
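The two questions on pages 8 and 9 ("is this secure?" for the shift that turns SMITH^JOE into TNJUI^KPF, and for the A=Z substitution) have a concrete answer in terms of key space. The following added example, not code from the slides, implements both ciphers on DICOM-style names, enumerates every shift key, and picks out the decryption that reads as a name using a constructed list of known tokens; the token list stands in for the observation on page 4 that DICOM strings can be guessed from their content.

```python
import math
import string

ALPHABET = string.ascii_uppercase

def shift(text, k):
    """Replace each letter by the letter k places later, wrapping Z to A.
    Non-letters, such as the '^' separating DICOM name components, pass through."""
    return "".join(ALPHABET[(ALPHABET.index(c) + k) % 26] if c in ALPHABET else c for c in text)

def atbash(text):
    """Substitution A=Z, B=Y, ..., Z=A. It is its own inverse and has no key at all,
    so the 'key space' is a single fixed mapping."""
    return "".join(ALPHABET[25 - ALPHABET.index(c)] if c in ALPHABET else c for c in text)

def all_shift_decryptions(ciphertext):
    """Decrypt under every non-trivial shift: there are only 25 of them."""
    return {k: shift(ciphertext, -k) for k in range(1, 26)}

def plausible_plaintexts(ciphertext, known_tokens):
    """Keep the shifts whose output contains a known name component (FAMILY^GIVEN form).
    known_tokens is a constructed list; a real check would use a name dictionary."""
    return [(k, p) for k, p in sorted(all_shift_decryptions(ciphertext).items())
            if any(tok in p.split("^") for tok in known_tokens)]

def keyspace_bits(number_of_keys):
    """Effective key length in bits, to set beside the 128-bit AES key the next slide asks about."""
    return math.log2(number_of_keys)
```

With 25 possible keys (about 4.6 bits) the shift cipher is broken by trying them all and reading the results, and the A=Z substitution needs no trial at all; that is the gap between these schoolbook ciphers and the symmetric key sizes the following slide discusses.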

Encryption
- Symmetric Key Ciphers: a single common key between communicating parties
- AES
- What key size is secure?
- Public Key Ciphers: each party has a public and private key pair
- RSA, Elgamal
- Typically rely on a hard problem
- What does the security of RSA rely on?

Encryption
- Does encrypting the DICOM file protect its integrity?

Page 10

Integrity

Integrity
- DICOM relies on data integrity such as SHA
- SHA-1 produces a 20 byte checksum over the file
- Data and checksum transmitted from PACS server to recipient

Confidentiality and Integrity
- If we want both confidentiality and integrity of the DICOM data, what should be done?

Page 11

Confidentiality and Integrity: Encrypt and Hash
- RSA(DICOM DATA), SHA(DICOM DATA)
- Is this achieving confidentiality and integrity?

Confidentiality and Integrity: Hash then Encrypt
- RSA(SHA(DICOM DATA))
- What about this? Any drawbacks?

Confidentiality and Integrity: Encrypt then Hash
- RSA(DICOM DATA), SHA(RSA(DICOM DATA))
- What about this?
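Two of the three compositions on page 11 can be tested directly, and the exercise also answers the page 9 question of whether encryption alone protects integrity. The following is an added example, not code from the slides. Because the Python standard library has no RSA or AES, the cipher is an HMAC-SHA256 keystream used as a stand-in for a real symmetric cipher (an assumption stated in the code); the hash is SHA-1 as on the slide, so the checksum is the 20-byte value page 10 mentions. The example shows why "encrypt and hash" leaks guessable plaintext, why an unkeyed "encrypt then hash" gives no integrity, and what the keyed encrypt-then-MAC alternative looks like.

```python
import hashlib
import hmac

def keystream(key, nonce, length):
    """PRF (HMAC-SHA256) run in counter mode. Assumption: a stand-in for a real
    cipher such as AES-CTR, which the Python standard library does not provide."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def xor_cipher(key, nonce, data):
    """For a stream cipher, encryption and decryption are the same XOR."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))

# Slide composition "Encrypt and Hash": E(data), SHA(data). SHA-1 gives the 20-byte checksum.
def encrypt_and_hash(key, nonce, plaintext):
    return xor_cipher(key, nonce, plaintext), hashlib.sha1(plaintext).digest()

def guess_confirmed_by_plaintext_hash(tag, guess):
    """The cleartext hash lets anyone who can guess the data (a 7-digit patient ID, a
    name from a short list) confirm the guess: the hash leaks what the cipher hides."""
    return hashlib.sha1(guess).digest() == tag

# Slide composition "Encrypt then Hash": E(data), SHA(E(data)) with an unkeyed hash.
def encrypt_then_hash(key, nonce, plaintext):
    ciphertext = xor_cipher(key, nonce, plaintext)
    return ciphertext, hashlib.sha1(ciphertext).digest()

def verify_encrypt_then_hash(key, nonce, ciphertext, tag):
    """Return the plaintext if the hash matches, else None."""
    if hashlib.sha1(ciphertext).digest() != tag:
        return None
    return xor_cipher(key, nonce, ciphertext)

def modify_in_transit(ciphertext, index, delta):
    """Model of the change a receiver must detect: one ciphertext byte altered. With a
    stream cipher the same bits flip in the decrypted plaintext, and whoever alters the
    bytes can recompute an unkeyed hash, so SHA(E(data)) proves nothing about integrity."""
    altered = bytearray(ciphertext)
    altered[index] ^= delta
    altered = bytes(altered)
    return altered, hashlib.sha1(altered).digest()

# The fix: key the integrity check. Encrypt, then MAC the ciphertext under a second key.
def encrypt_then_mac(enc_key, mac_key, nonce, plaintext):
    ciphertext = xor_cipher(enc_key, nonce, plaintext)
    return ciphertext, hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()

def verify_encrypt_then_mac(enc_key, mac_key, nonce, ciphertext, tag):
    """Return the plaintext only if the keyed tag verifies (constant-time comparison)."""
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return xor_cipher(enc_key, nonce, ciphertext)
```

The receiver that uses verify_encrypt_then_hash accepts a modified ciphertext with a freshly computed hash and decrypts it to altered patient data; the receiver that uses verify_encrypt_then_mac rejects the same modification because the tag cannot be recomputed without the MAC key. The keyed construction still answers only the integrity question; origin authenticity and non-repudiation are what the signatures on the next page add.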

Page 12

Authenticity of origin
- How do you ensure that the data is coming from the PACS server?

Digital Signatures
- Digital signatures can be used to ensure authenticity of the sender as well as the document
- PACS server has a public and private key pair
- The public key is broadcast
- Server signs with private key and recipient verifies with public key
- Signatures provide authenticity, integrity and non-repudiation

Digital Signatures
- How do you verify that the public key belongs to the PACS server?

Page 13

Hospital setting
- Producer and referring physician
- External diagnostician
- Intra-users
- Extra-users

Hospital setting: Broad Goals
- Transfer file between external diagnostician and referring physician through a trustworthy channel
- Protect against malevolent header or image manipulations by unauthorized actors

Hospital Setting
- Guarantee link between name, date and referring physician and image content
- Guarantee that the image content is not modified
- Guarantee that visualized images are true images

Page 14

How should this be accomplished?
- Assume you have several cryptographic primitives available to use

This lecture
- DICOM security chapter posted online
- Trusted headers for Medical Images by Macq and Dewey, 1999, posted online