Data stored on CD media show vulnerability to alteration

March 10, 2008

Physical security issues for CD media used to transfer imaging data from one institution to another have been well documented. Discs tend to stack up in back offices and are frequently lost. A study from Denmark reveals that data on the disc are not well-protected either and are vulnerable to easy alteration (J Digit Imaging 2007 Aug 21; [Epub ahead of print]).

"Identification information such as patient name, age, institute name, and date of imaging can be readily altered on DICOM files exported by CD media," said Fintan McEvoy, a computer engineer at the University of Copenhagen.

No alterations to the DICOM readers were required, McEvoy said. Changes were applied only to the data files, and the alterations were not detectable without detailed analysis of the file structure.

"When the altered CD is inserted into a standard computer CD drive, a stand-alone viewer is opened and images are displayed with altered data. The user cannot tell from the performance or behavior of the disc that the data have been altered," he said.

CD media should be considered unsafe in any situation with potential for financial or other gain from altering the data and when the copy cannot be cross-checked with the original data, according to McEvoy. These situations include insurance claims, medical litigation, and certification procedures.
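The cross-check against the original that is missing in these situations can be sketched as follows. This is an added example, not code from the study or from any vendor's software: the exporter computes a keyed digest over each file and the recipient verifies it. The file layout is a simplified, constructed DICOM fragment, and the key, names and helper functions are assumptions.

```python
import hashlib, hmac, struct

def element(group, elem, vr, text):
    """Encode one explicit-VR little-endian element (short form: PN, LO, DA)."""
    value = text.encode("ascii")
    if len(value) % 2:            # DICOM values are padded to even length
        value += b" "
    return struct.pack("<HH2sH", group, elem, vr.encode(), len(value)) + value

def read_elements(blob):
    """Parse the short-form elements that follow the 128-byte preamble and 'DICM'."""
    if blob[128:132] != b"DICM":
        raise ValueError("not a DICOM Part 10 file")
    out, pos = {}, 132
    while pos < len(blob):
        group, elem, vr, length = struct.unpack_from("<HH2sH", blob, pos)
        pos += 8
        out[(group, elem)] = blob[pos:pos + length].decode("ascii").rstrip()
        pos += length
    return out

def seal(blob, key):
    """Exporter side: keyed digest over the whole file, sent out of band."""
    return hmac.new(key, blob, hashlib.sha256).hexdigest()

def verify(blob, key, expected):
    """Recipient side: constant-time comparison against the exporter's digest."""
    return hmac.compare_digest(seal(blob, key), expected)

# Constructed sample data (not from the study): key, names and dates are made up.
KEY = b"constructed-demo-key"

def build(name):
    return (b"\0" * 128 + b"DICM"
            + element(0x0008, 0x0020, "DA", "20080310")
            + element(0x0008, 0x0080, "LO", "EXAMPLE HOSPITAL")
            + element(0x0010, 0x0010, "PN", name))

ORIGINAL = build("DOE^JANE")
RECEIVED = build("ROE^JOHN")     # same length, different patient name
TAG = seal(ORIGINAL, KEY)

if __name__ == "__main__":
    for label, blob in (("original", ORIGINAL), ("received", RECEIVED)):
        name = read_elements(blob)[(0x0010, 0x0010)]
        status = "verified" if verify(blob, KEY, TAG) else "MISMATCH"
        print(label, len(blob), name, status)
```

Both files parse cleanly and have the same size, so only the digest comparison separates them. The check is only useful if the key and tag reach the recipient by a channel other than the disc itself.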

"While equipment makers attach disclaimers to the discs and specify intended use of such media, CDs are often the only practical means of transmitting imaging data," McEvoy said.

Manufacturers may state in an opening window, for example, that the discs are for reference only and are not to be used for diagnostic purposes.

McEvoy recommends that radiologists confine their use of CD media to the restrictive limits stated by the manufacturers. The imaging community needs to impress upon machine and media manufacturers that some method for secure transmission of data using portable media is required.

"For instance, while encryption of patient data is possible, it has not been implemented in many current releases of software packages," he said.

Encryption raises its own issues with DICOM. A common approach to encryption is to replace certain characters according to a key, but the resulting special characters may then be unusable because they fall outside what the DICOM standard permits.

One remedy to this issue is described in the literature (Int J Med Inform 2001:64(2-3):429-438). The authors copied data from the DICOM files to a relational database, encrypted them, then replaced patient data with permissible but meaningless information in the DICOM file.