DICOM is ready for HIPAA

November 29, 2000

Imagine the following scenario: The quarterback of your favorite football team injures his knee and is rushed to the hospital for an MRI to inspect the damage. The local physician likes to have a second opinion, however, so she sends the image to a colleague using regular Internet transfer. A hacker paid by a tabloid sports magazine is monitoring all Internet traffic out of the hospital and intercepts the image. The magazine publishes the photo on the front cover, under the heading "Forget about the Super Bowl."

In another scenario, someone intercepts an electronic diagnostic report, captures it, changes a single word ("malignant" to "benign"), and sends it on, pretending to be the original sender.

Such situations may seem farfetched, but security breaches have already been reported involving quite dramatic consequences. The pending HIPAA security regulations are designed to ensure that institutions implement procedures, guidelines, and measures that will prevent such catastrophes from happening in the medical environment.

While these guidelines will have obvious ramifications for health data transfers of all kinds, it is important to note that the communication component of any information exchange is an essential, but not exclusive, part of the security chain.

Even if an institution implements all the necessary measures to make sure the communication is secure, in many instances someone could access a workstation without authorization. It is well known in computer security circles that passwords can often be found on or around workstations. In addition, in the first scenario above, the MRI could be viewed by any layman who happens to look over the shoulder of a physician at the workstation in a public area.

Of course, a number of other measures can be implemented to make each data exchange secure. One of the most common is encryption, which is already commercially available. Every time you buy a book from Amazon.com or any other item over the Web and you provide your credit card number, this transaction is encrypted using a secure socket layer (SSL) protocol. The same can be done for the exchange of images or diagnostic reports.

In addition, the DICOM committee is working on a digital signature proposal whereby certain or all aspects of an image or diagnostic report can be authenticated. DICOM deals only with the communication of data and is therefore not sufficient to achieve full compliance with the upcoming HIPAA guidelines. Thus, digital signatures are expected to become very important in radiology, especially for electronic reports.

Several of these concepts will be demonstrated at upcoming trade shows, notably the RSNA meeting in Chicago and the ECR in Vienna. A number of vendors have sponsored the implementation of these principles, and the resulting software will be available in the public domain.

Comments/questions: Herman Oosterwijk at herman@otechimg.com