Special Topics in Security and Privacy of Medical Information
Sujata Garera

This unit: DICOM, medical images, watermarking techniques, medical grids
DICOM: Digital Imaging and Communications in Medicine
  Image format
  Data transfer, storage and display protocol
  Set of standards

PACS: Picture Archiving and Communication Systems
  Medical systems (hardware and software) designed and used to run digital medical imaging
  Analogy to PACS: play with your digital camera (modality), store the images on your computer (archive) and send them to your friends (reviewers)
  PACS brings the DICOM standard to life

A typical PACS system (figure)

DICOM: a universal standard of digital medicine
  Why is this necessary?
  Excellent image quality: e.g. 65536 shades of gray (16-bit samples) are supported, important for good diagnostic reading
  Full support for numerous image acquisition parameters and different data types

DICOM: complete encoding of medical data
  2000 standardized attributes used to capture all aspects of radiology for accurate diagnostics
  Clarity in describing digital imaging devices and their functionality, the backbone of any medical imaging project
DICOM lingo
  All real-world data (patients, studies, etc.) are viewed as DICOM objects with respective properties
  Definitions are standardized in the DICOM Information Object Definitions (IODs)

DICOM lingo (figure)

DICOM lingo
  Data captured as DICOM data attributes can be transmitted and processed between various DICOM devices and software
  DICOM applications provide services to one another
  Each service type is typically associated with IODs: Service-Object Pairs (SOPs)

DICOM lingo (figure)

DICOM file
  Bytes 129 to 132 (right after the 128-byte preamble) should read DICM
  1.2.840... is the prefix used in all standard DICOM UID strings
  Dates follow the YYYYMMDD format
  Strings can be easily guessed based on their content

DICOM file (figure)
DICOM file
  MR and CT images are typically 256x256 or 512x512
  Each pixel uses either 1 or 2 bytes
  One can determine the actual size of an image matrix by looking at the file size
  The image can be edited or replaced easily once we know its size

DICOM hacking
  Without any specialized software one can:
  Compromise confidential information
  Compromise the integrity of the DICOM data
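A worked example of the two slides above, added here and not part of the original lecture: a small Python reader for the Part 10 layout the slides describe. It checks the DICM magic at byte 129, walks explicit-VR little-endian data elements, infers the image matrix from the file size alone, and swaps the pixel payload without any tool noticing. The sample file is constructed inline (invented patient data; the tag numbers and the UID root 1.2.840.10008 are the real DICOM ones; the File Meta Information group is omitted to keep the sample short), and `parse`, `infer_matrix` and `replace_pixels` are illustrative names, not functions of any DICOM toolkit.

```python
"""Added example (not from the lecture slides): a minimal DICOM Part 10 reader.
Sample bytes are constructed here; tag numbers and the UID root are real DICOM."""
import struct

PREAMBLE = 128  # 128-byte preamble, then "DICM" at bytes 128..131 (the 129th to 132nd byte)

TAG_NAMES = {                        # real DICOM attributes used in the sample
    (0x0008, 0x0016): "SOPClassUID",
    (0x0008, 0x0020): "StudyDate",
    (0x0010, 0x0010): "PatientName",
    (0x0010, 0x0020): "PatientID",
    (0x0028, 0x0010): "Rows",
    (0x0028, 0x0011): "Columns",
    (0x0028, 0x0100): "BitsAllocated",
    (0x7FE0, 0x0010): "PixelData",
}
LONG_VRS = {b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN"}  # 2-byte reserved field + 4-byte length

def element(group, elem, vr, value):
    """Encode one explicit-VR little-endian data element; values are padded to even length."""
    if len(value) % 2:
        value += b"\x00" if (vr in LONG_VRS or vr == b"UI") else b" "
    if vr in LONG_VRS:
        return struct.pack("<HH2sHI", group, elem, vr, 0, len(value)) + value
    return struct.pack("<HH2sH", group, elem, vr, len(value)) + value

def build_sample_file(rows=256, cols=256, bytes_per_pixel=2):
    """Constructed sample: preamble, magic, a few header elements, zeroed pixels."""
    header = b"".join([
        element(0x0008, 0x0016, b"UI", b"1.2.840.10008.5.1.4.1.1.4"),  # MR Image Storage
        element(0x0008, 0x0020, b"DA", b"20240115"),                   # YYYYMMDD
        element(0x0010, 0x0010, b"PN", b"SMITH^JOE"),                  # invented patient
        element(0x0010, 0x0020, b"LO", b"1234567"),                    # invented ID
        element(0x0028, 0x0010, b"US", struct.pack("<H", rows)),
        element(0x0028, 0x0011, b"US", struct.pack("<H", cols)),
        element(0x0028, 0x0100, b"US", struct.pack("<H", 8 * bytes_per_pixel)),
        element(0x7FE0, 0x0010, b"OW", bytes(rows * cols * bytes_per_pixel)),
    ])
    return b"\x00" * PREAMBLE + b"DICM" + header

def parse(data):
    """Return {attribute name: value}; raises if the DICM magic is missing."""
    if data[PREAMBLE:PREAMBLE + 4] != b"DICM":
        raise ValueError("no DICM magic at offset 128: not a DICOM Part 10 file")
    pos, out = PREAMBLE + 4, {}
    while pos < len(data):
        group, elem, vr = struct.unpack_from("<HH2s", data, pos)
        if vr in LONG_VRS:
            length, pos = struct.unpack_from("<I", data, pos + 8)[0], pos + 12
        else:
            length, pos = struct.unpack_from("<H", data, pos + 6)[0], pos + 8
        value = data[pos:pos + length]
        pos += length
        if vr == b"US":
            value = struct.unpack("<H", value)[0]
        elif vr not in LONG_VRS:
            value = value.decode("ascii").rstrip(" \x00")   # strip padding
        out[TAG_NAMES.get((group, elem), (group, elem))] = value
    return out

def infer_matrix(file_size, max_header=4096):
    """The slide's observation: the file size alone betrays the image matrix.
    Returns (rows, cols, bytes_per_pixel) for the common MR/CT sizes whose
    pixel payload fits the file with a plausible header left over, else None."""
    for side in (256, 512):
        for bpp in (1, 2):
            slack = file_size - side * side * bpp
            if 0 <= slack <= max_header:
                return side, side, bpp
    return None

def replace_pixels(data, new_pixels):
    """Swap the pixel payload (same length): nothing in the file format itself
    detects this, which is the integrity problem the later slides address."""
    pixel_offset = len(data) - len(parse(data)["PixelData"])  # PixelData is the last element
    if len(new_pixels) != len(data) - pixel_offset:
        raise ValueError("replacement must match the original pixel payload length")
    return data[:pixel_offset] + new_pixels
```

The size guess works because a DICOM header is a few hundred bytes to a few kilobytes while the pixel payload is fixed by rows, columns and bytes per pixel; a 512x512 8-bit CT slice and a 256x256 16-bit MR slice are both 128 KiB of pixels plus a small header, so the guess must also look at BitsAllocated when both are plausible.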
Securing your DICOM data
  Secure the entire medical image workflow
  All medical images should reside on a separate, dedicated server
  Critical data should be backed up
  This server should not be shared with other enterprises
  External connections should go through a VPN
  Computers should be behind a firewall
Securing DICOM data
  Data remains protected within the network
  You may have to send the data out of the network, say for a second opinion
  How should you protect it in that case?

Anonymization
  Remove confidential entries from DICOM files
  Irreversible process: the original data cannot be recovered from the anonymized version
  Could lead to loss of important clinical information
  HIPAA identifies 18 attributes as confidential: name, location, dates, telephone numbers, fax numbers, email addresses, SSNs, medical record numbers, health plan beneficiary numbers, account numbers, certificate/license numbers, vehicle identifiers, device identifiers, web URLs, IP addresses, biometric identifiers, photographs, any other unique identifying characteristic or code

Anonymization
  DICOM anonymizers keep the list of confidential attributes
  Some anonymizers automatically remove these private fields
  Patient ID is confidential but is also a required attribute in DICOM: it should be replaced rather than removed
Anonymization
  How about instead removing the original data from public display and placing it into proprietary (private) DICOM tags?
  Is this good enough?

Anonymization
  Say the Patient ID is 1234567 and the software replaced it with a randomly generated value, w04_ejF9h
  Is our mission accomplished?

Anonymization
  Some attributes are necessary for the clinical diagnosis: age, weight
  Removing these would result in loss of clinical information

Anonymization
  Ultrasound images contain protected information (name, ID, birth date) not only in DICOM tags but within the image itself
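The anonymization rules from the slides above put into code, as an added example that is not part of the original lecture. It works on a dataset held as a `{(group, element): value}` dictionary, the shape any DICOM reader yields, and applies: direct identifiers removed, Patient ID replaced rather than removed (keyed so one patient's studies stay linkable, unlike a random value per file), dates shifted so intervals survive, age and weight kept, private (odd-group) tags dropped, and a final sweep for copies of the original identifiers in remaining text. The dataset, the key and the identifier subset are constructed here; the tag numbers are the real DICOM ones.

```python
"""Added example, not from the lecture: a tag-level DICOM anonymizer.
Dataset and key are constructed; tag numbers are real DICOM attributes."""
import hmac
import hashlib
from datetime import date, timedelta

PATIENT_NAME, PATIENT_ID = (0x0010, 0x0010), (0x0010, 0x0020)
DATE_TAGS = {(0x0008, 0x0020)}                       # StudyDate; a real list has many more
DIRECT_IDENTIFIERS = {                               # HIPAA-style identifiers in DICOM tags (subset)
    PATIENT_NAME,
    (0x0010, 0x0030),  # PatientBirthDate
    (0x0010, 0x1040),  # PatientAddress
    (0x0010, 0x2154),  # PatientTelephoneNumbers
    (0x0008, 0x0080),  # InstitutionName
    (0x0008, 0x0090),  # ReferringPhysicianName
}

# Constructed dataset: identifiers also copied into a free-text description
# and into a vendor private tag, as real exports often have.
SAMPLE = {
    (0x0008, 0x0020): "20240115",                    # StudyDate
    (0x0008, 0x0090): "DOE^JANE",                    # ReferringPhysicianName (invented)
    (0x0008, 0x1030): "MR brain, patient 1234567",   # StudyDescription leaks the ID
    (0x0009, 0x0010): "SMITH^JOE",                   # private tag (odd group number)
    PATIENT_NAME: "SMITH^JOE",
    PATIENT_ID: "1234567",
    (0x0010, 0x0030): "19790301",                    # PatientBirthDate
    (0x0010, 0x1010): "045Y",                        # PatientAge: clinically needed, kept
    (0x0010, 0x1030): "82",                          # PatientWeight: kept
    (0x0028, 0x0010): 256,                           # Rows
}
KEY = b"site-secret-never-leaves-the-hospital"      # constructed; not shipped with the export

def pseudonym(key, patient_id, length=16):
    """Keyed, deterministic replacement for the ID: the same real ID always maps
    to the same pseudonym (studies stay linkable) but cannot be inverted without
    the key. A random value per file, like the slide's w04_ejF9h, loses linkage."""
    return hmac.new(key, patient_id.encode(), hashlib.sha256).hexdigest()[:length]

def date_shift_days(key, patient_id, max_days=365):
    """Per-patient offset in [1, max_days] derived from the key, so every study
    of one patient shifts by the same amount and intervals between them survive."""
    d = hmac.new(key, b"date-shift|" + patient_id.encode(), hashlib.sha256).digest()
    return 1 + int.from_bytes(d[:4], "big") % max_days

def shift_date(yyyymmdd, days):
    d = date(int(yyyymmdd[:4]), int(yyyymmdd[4:6]), int(yyyymmdd[6:8]))
    return (d - timedelta(days=days)).strftime("%Y%m%d")   # still a valid DA value

def anonymize(ds, key):
    pid = ds[PATIENT_ID]
    out = {}
    for tag, value in ds.items():
        if tag[0] % 2 == 1:            # private tag: vendor-defined, may hide identifiers
            continue
        if tag in DIRECT_IDENTIFIERS:  # remove outright
            continue
        if tag == PATIENT_ID:          # required attribute: replace, never remove
            out[tag] = pseudonym(key, pid)
        elif tag in DATE_TAGS:
            out[tag] = shift_date(value, date_shift_days(key, pid))
        else:
            out[tag] = value
    return out

def residual_identifiers(anonymized, original):
    """Sweep every remaining string for the original name or ID; free-text fields
    are a common leak. What this cannot see: text burned into the pixel data, as
    on ultrasound images, which needs image processing rather than tag editing."""
    needles = [original[PATIENT_ID], original[PATIENT_NAME]]
    return [tag for tag, v in anonymized.items()
            if isinstance(v, str) and any(n in v for n in needles)]
```

Because the HMAC key stays inside the hospital, the export is irreversible for the recipient but the hospital can still re-identify a patient if a finding has to be reported back, which a purely random replacement cannot offer.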
Encryption
  Convert plaintext into another code (ciphertext) which cannot be understood without a key
  Reversible process

Encryption
  Consider the patient name SMITH^JOE
  Replace each letter by the letter that follows it: TNJUI^KPF
  Is this secure?

Encryption
  What if you use the substitution A=Z, B=Y, ..., Z=A?
  Is this secure?

Encryption
  Symmetric key ciphers: a single common key shared between the communicating parties, e.g. AES
  What key size is secure?
  Public key ciphers: each party has a public and private key pair, e.g. RSA, ElGamal; security typically relies on a hard problem
  What does the security of RSA rely on?

Encryption
  Does encrypting the DICOM file protect its integrity?

Integrity (figure)

Integrity
  DICOM integrity protection relies on cryptographic hash functions such as SHA
  SHA-1 produces a 20-byte digest over the file (SHA-1 is no longer considered collision resistant; use SHA-256 or stronger in new designs)
  The data and the digest are transmitted from the PACS server to the recipient

Confidentiality and integrity
  If we want both confidentiality and integrity of the DICOM data, what should be done?
Confidentiality and integrity: encrypt and hash
  RSA(DICOM DATA), SHA(DICOM DATA)
  Is this achieving confidentiality and integrity?

Confidentiality and integrity: hash then encrypt
  RSA(SHA(DICOM DATA))
  What about this? Any drawbacks?

Confidentiality and integrity: encrypt then hash
  RSA(DICOM DATA), SHA(RSA(DICOM DATA))
  What about this?
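The three compositions above, and the question two slides earlier of whether encryption alone protects integrity, tried against an active attacker in code. This is an added example, not from the lecture, and it also covers the keyed alternative (encrypt-then-MAC) that a practitioner would reach for. Everything is Python standard library: the cipher is a keystream built from SHA-256 in counter mode standing in for AES-CTR (like any stream cipher, flipping a ciphertext bit flips the same plaintext bit), and the keys, nonce and DICOM-like payload are constructed.

```python
"""Added example, not from the lecture: encrypt-and-hash, hash-then-encrypt and
encrypt-then-hash under an active attacker, plus encrypt-then-MAC. Keys, nonce
and payload are constructed; the keystream cipher stands in for AES-CTR."""
import hashlib
import hmac

KEY = bytes(range(32))            # constructed; real deployments use random keys
MAC_KEY = bytes(range(32, 64))    # separate key for the MAC
NONCE = b"study-0001-nonce"
PLAINTEXT = b"(0010,0010)=SMITH^JOE|(0028,0010)=256|PIXELDATA=................"
FORGED = PLAINTEXT.replace(b"SMITH^JOE", b"JONES^ANN")   # same length, different patient
NAME_OFFSET = PLAINTEXT.index(b"SMITH^JOE")   # known to the attacker from the header layout

def sha(data):
    return hashlib.sha256(data).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def stream_cipher(key, nonce, data):
    """Encrypts and decrypts: XOR with SHA-256(key || nonce || block counter)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        out += xor(data[i:i + 32], hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest())
    return bytes(out)

def patch(buf, offset, delta):
    """Attacker primitive: XOR delta into buf at offset, no key needed."""
    return buf[:offset] + xor(buf[offset:offset + len(delta)], delta) + buf[offset + len(delta):]

NAME_DELTA = xor(b"SMITH^JOE", b"JONES^ANN")

# 1. Encryption only: the receiver has no check at all.
def attack_encrypt_only():
    ct = patch(stream_cipher(KEY, NONCE, PLAINTEXT), NAME_OFFSET, NAME_DELTA)
    return True, stream_cipher(KEY, NONCE, ct)

# 2. Encrypt and hash: send (Enc(data), SHA(data)).
def attack_encrypt_and_hash_integrity():
    ct, tag = stream_cipher(KEY, NONCE, PLAINTEXT), sha(PLAINTEXT)
    ct = patch(ct, NAME_OFFSET, NAME_DELTA)
    pt = stream_cipher(KEY, NONCE, ct)
    return sha(pt) == tag, pt                    # a blind edit is caught ...

def attack_encrypt_and_hash_confidentiality(candidates):
    """... but SHA(data) travels in the clear, so an eavesdropper confirms any
    guess of the whole plaintext (patient headers are highly structured)."""
    tag = sha(PLAINTEXT)
    return next((c for c in candidates if sha(c) == tag), None)

# 3. Encrypt then hash: send (Enc(data), SHA(Enc(data))).
def attack_encrypt_then_hash():
    ct = patch(stream_cipher(KEY, NONCE, PLAINTEXT), NAME_OFFSET, NAME_DELTA)
    tag = sha(ct)                                # attacker recomputes the unkeyed hash
    accepted = sha(ct) == tag                    # receiver's check passes
    return accepted, stream_cipher(KEY, NONCE, ct) if accepted else None

# 4. Hash then encrypt: send Enc(data || SHA(data)).
def attack_hash_then_encrypt():
    """Needs a known plaintext: with a stream cipher, ct XOR old XOR new
    re-encrypts the attacker's version, inner hash included."""
    ct = stream_cipher(KEY, NONCE, PLAINTEXT + sha(PLAINTEXT))
    ct = patch(ct, 0, xor(PLAINTEXT + sha(PLAINTEXT), FORGED + sha(FORGED)))
    pt_tag = stream_cipher(KEY, NONCE, ct)
    pt, tag = pt_tag[:-32], pt_tag[-32:]
    return sha(pt) == tag, pt

# 5. Encrypt then MAC: send (Enc(data), HMAC(mac_key, Enc(data))).
def attack_encrypt_then_mac():
    ct = stream_cipher(KEY, NONCE, PLAINTEXT)
    tag = hmac.new(MAC_KEY, ct, hashlib.sha256).digest()
    ct = patch(ct, NAME_OFFSET, NAME_DELTA)      # cannot recompute without MAC_KEY
    if not hmac.compare_digest(hmac.new(MAC_KEY, ct, hashlib.sha256).digest(), tag):
        return False, None
    return True, stream_cipher(KEY, NONCE, ct)
```

The common thread: an unkeyed hash only detects accidental corruption, because anyone who can change the data can recompute it; integrity against an attacker needs a key the attacker lacks, either a MAC key shared with the recipient or, as in the next slides, a signing key.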
Authenticity of origin
  How do you ensure that the data is coming from the PACS server?

Digital signatures
  Digital signatures can be used to ensure the authenticity of the sender as well as of the document
  The PACS server has a public and private key pair
  The public key is broadcast
  The server signs with the private key and the recipient verifies with the public key
  Signatures provide authenticity, integrity and non-repudiation

Digital signatures
  How do you verify that the public key belongs to the PACS server?
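The signing flow from the slides above and the key-distribution problem the last question raises, as an added example that is not part of the lecture. RSA is written out as textbook RSA on a SHA-256 digest with no padding so the maths is visible; a real deployment uses a library with RSA-PSS or PKCS#1 v1.5 and X.509 certificates. The primes are Mersenne primes chosen for a reproducible demo (2^521-1 and 2^127-1 for the PACS key, 2^607-1 and 2^107-1 for the attacker's), not how real keys are generated; the trust store, host name and payloads are constructed.

```python
"""Added example, not from the lecture: textbook RSA signatures over a SHA-256
digest, and why a broadcast public key must itself be trusted. Demo primes and
payloads are constructed; do not use unpadded RSA in production."""
import hashlib

E = 65537

def modinv(a, m):
    """Extended Euclid; a and m must be coprime."""
    r0, r1, s0, s1 = a, m, 1, 0
    while r1:
        q = r0 // r1
        r0, r1, s0, s1 = r1, r0 - q * r1, s1, s0 - q * s1
    assert r0 == 1, "no inverse"
    return s0 % m

def make_keypair(p, q):
    """Return (public, private) = ((n, e), (n, d)); gcd(e, phi) = 1 for the primes below."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, modinv(E, phi))

def digest_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")   # < 2^256 < n

def sign(private, data):
    n, d = private
    return pow(digest_int(data), d, n)

def verify(public, data, signature):
    n, e = public
    return pow(signature, e, n) == digest_int(data)

PACS_PUB, PACS_PRIV = make_keypair((1 << 521) - 1, (1 << 127) - 1)        # demo primes
ATTACKER_PUB, ATTACKER_PRIV = make_keypair((1 << 607) - 1, (1 << 107) - 1)

def fingerprint(public):
    n, e = public
    n_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return hashlib.sha256(n_bytes + e.to_bytes(4, "big")).hexdigest()

# Answer to "how do you know the key is the PACS server's": the recipient must
# already trust it, here via a fingerprint provisioned out of band (a CA-issued
# certificate plays the same role at scale). Constructed trust store.
TRUSTED_KEYS = {fingerprint(PACS_PUB): "pacs.example.org"}

DICOM_FILE = b"DICM|(0010,0010)=SMITH^JOE|(0028,0010)=256|..."   # constructed stand-in
FORGED_FILE = DICOM_FILE.replace(b"SMITH^JOE", b"JONES^ANN")

def naive_receiver(public, data, signature):
    """Trusts whatever public key arrived with the message."""
    return verify(public, data, signature)

def pinned_receiver(public, data, signature):
    """Checks the key against the trust store before checking the signature."""
    if fingerprint(public) not in TRUSTED_KEYS:
        return "untrusted key"
    return "ok" if verify(public, data, signature) else "bad signature"

def scenario_genuine():
    return pinned_receiver(PACS_PUB, DICOM_FILE, sign(PACS_PRIV, DICOM_FILE))

def scenario_tampered_in_transit():
    """Signature made over the original file, file modified afterwards."""
    return pinned_receiver(PACS_PUB, FORGED_FILE, sign(PACS_PRIV, DICOM_FILE))

def scenario_mitm(receiver):
    """Attacker replaces the file, signs with its own key and 'broadcasts' that key."""
    return receiver(ATTACKER_PUB, FORGED_FILE, sign(ATTACKER_PRIV, FORGED_FILE))
```

The middle scenario is the integrity guarantee; the last one shows that verification alone proves only that some holder of the matching private key signed, so "the public key is broadcast" is safe only when the recipient can tie that key to the PACS server through something it already trusts.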
Hospital setting (figure)
  Producer and referring physician
  External diagnostician
  Intra-users
  Extra-users

Hospital setting: broad goals
  Transfer files between the external diagnostician and the referring physician through a trustworthy channel
  Protect against malevolent header or image manipulations by unauthorized actors

Hospital setting
  Guarantee the link between name, date and referring physician and the image content
  Guarantee that the image content is not modified
  Guarantee that visualized images are true images

How should this be accomplished?
  Assume you have several cryptographic primitives available to use

This lecture
  DICOM security chapter (posted online)
  Trusted Headers for Medical Images by Macq and Dewey, 1999 (posted online)
Recommended