DICOM: Security and DICOM: not yet compatible

May 1, 1999

A lot of buzz is being generated in the market about the security and privacy of medical records. As of today, DICOM has no security mechanism. If someone could gain access to a hospital's image archive via the network, that person could easily query the archive for all the patient information it has available, and even retrieve the corresponding images.

Most vendors have implemented safeguards, such as those that allow only known entities identified by their DICOM application name (also known as application entity or AE title) to connect to the archive. But there is no way to prevent someone from accessing the archive by using another person's identity.
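The AE-title safeguard described above, as an added example that is not part of the original article: the calling AE title is a 16-byte field the client fills in itself in the association request (A-ASSOCIATE-RQ), so an allow-list keyed on the title alone accepts any peer that names a listed title. The peer table, addresses, and function names are constructed for illustration; the address-bound check is a common narrowing measure, not something the DICOM standard defines.

```python
import struct

# Constructed allow-list (assumed values): AE title -> address registered for it.
# Addresses come from the documentation ranges reserved for examples.
KNOWN_PEERS = {"WORKSTATION1": "192.0.2.21", "CT_SCANNER": "192.0.2.35"}

def build_associate_rq(called: str, calling: str) -> bytes:
    """Build the fixed-length part of an A-ASSOCIATE-RQ PDU (constructed sample).
    Variable items (application/presentation contexts) are omitted here."""
    body = struct.pack(">HH16s16s32s", 1, 0,           # protocol version, reserved
                       called.ljust(16).encode("ascii"),
                       calling.ljust(16).encode("ascii"),
                       b"\x00" * 32)                    # reserved
    return struct.pack(">BBI", 0x01, 0, len(body)) + body

def parse_associate_rq(pdu: bytes) -> tuple[str, str]:
    """Return (called, calling) AE titles exactly as the client supplied them."""
    if len(pdu) < 74:
        raise ValueError("truncated A-ASSOCIATE-RQ")
    pdu_type, _, length = struct.unpack(">BBI", pdu[:6])
    if pdu_type != 0x01 or length != len(pdu) - 6:
        raise ValueError("not a well-formed A-ASSOCIATE-RQ")
    _version, _, called, calling = struct.unpack(">HH16s16s", pdu[6:42])
    return called.decode("ascii").strip(), calling.decode("ascii").strip()

def title_only_check(pdu: bytes) -> bool:
    """The safeguard in the text: accept any peer naming a known AE title."""
    _, calling = parse_associate_rq(pdu)
    return calling in KNOWN_PEERS

def title_and_address_check(pdu: bytes, peer_ip: str) -> bool:
    """Stricter variant: the title must arrive from its registered address.
    This narrows who can use a title; it is still not user authentication."""
    _, calling = parse_associate_rq(pdu)
    return KNOWN_PEERS.get(calling) == peer_ip

if __name__ == "__main__":
    rq = build_associate_rq("ARCHIVE", "WORKSTATION1")
    for ip in ("192.0.2.21", "198.51.100.7"):
        print(ip, title_only_check(rq), title_and_address_check(rq, ip))
```

The title-only check returns the same answer for both source addresses because nothing in the request proves who sent it.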

The DICOM standard does not address access control and user authorization and very likely will not do so in the foreseeable future. The DICOM Committee is, however, considering other security issues, such as data confidentiality and integrity.

A teleradiology application that might cause security concerns is the transmission of images to a radiologist's home via the Internet. The message stream could easily be intercepted, and a person familiar with the DICOM protocol and encoding could display the images. Standard encryption technologies are available, however, that convert the data stream into a scrambled set of bits, rendering the images unreadable. These encryption techniques are expected to be incorporated into the DICOM standard by the end of this year.

Another security concern is the protection of data integrity, i.e., preventing someone from changing the data without disclosing the alterations to the recipient of the images. One of the gray areas in the DICOM standard is how and when an object, such as an image, can be modified. Changes to the image window width and level--such as the addition of an image overlay or alteration of the image header--might impact the diagnosis. Vendors differ about what is allowed to be changed and what is not, and the standard does not define clear rules.

Digital signatures should be useful in addressing this dilemma. A specific algorithm would be applied to the image object to produce a signature; if changes were later made to the object, the resulting signature would be different. This would notify the end user that the image had been changed or tampered with. Whenever an object was changed, those changes, and who made them, would be recorded along with the location of the original object.

Digital signatures remain on the DICOM drawing board, however. The DICOM Committee has planned a demonstration of the concept during this year's RSNA show to solicit feedback and gain experience by implementing it as a prototype. Standardization will likely occur in 2000.

--By Herman Oosterwijk, president, OTech Inc., (herman@otechimg.com)