COMPUTER APPLICATIONS

K. Y. E. Aryanto1 & M. Oudkerk1& P. M. A. van Ooijen1

Received: 14 July 2014 /Revised: 18 December 2014 /Accepted: 7 February 2015 /Published online: 3 June 2015# The Author(s) 2015. This article is published with open access at Springerlink.com

AbstractPurpose To compare non-commercial DICOM toolkits fortheir de-identification ability in removing a patient's personalhealth information (PHI) from a DICOM header.Materials and Methods Ten DICOM toolkits were selectedfor de-identification tests. Tests were performed by using thesystem’s default de-identification profile and, subsequently,the tools' best adjusted settings. We aimed to eliminate fiftyelements considered to contain identifying patient informa-tion. The tools were also examined for their respectivemethods of customization.Results Only one tool was able to de-identify all re-quired elements with the default setting. Not all of thetoolkits provide a customizable de-identification profile.Six tools allowed changes by selecting the providedprofiles, giving input through a graphical user interface(GUI) or configuration text file, or providing the appro-priate command-line arguments. Using adjusted settings,four of those six toolkits were able to perform full de-identification.Conclusion Only five tools could properly de-identify the de-fined DICOM elements, and in four cases, only after carefulcustomization. Therefore, free DICOM toolkits should beused with extreme care to prevent the risk of disclosing PHI,especially when using the default configuration. In case opti-mal security is required, one of the five toolkits is proposed.

Key Points• Free DICOM toolkits should be carefully used to preventpatient identity disclosure.

• Each DICOM tool produces its own specific outcomes fromthe de-identification process.

• In case optimal security is required, using one DICOMtoolkit is proposed.

Keywords DICOMFreeware Tools . Patient Data Privacy .

Anonymisation and Pseudonymisation . Data Protection .

Anonymous Testing

Introduction

The Digital Imaging and Communication in Medicine(DICOM) standard [1] has been commonly used for storing,viewing, and transmitting information in medical imaging [2].Because of its structure and open character it can be easilyadapted and upgraded to accommodate changes in medicalimaging technology [3]. DICOM was developed to ease theexchange of data between different manufacturers, but it alsoenables data sharing between institutions or enterprises forclinical research or clinical practice.

A DICOM file not only contains a viewable image thatholds all of the pixel values but it also contains a header witha large variety of data elements. Each data element is repre-sented by a unique tag with specific values and data types. Thetag of an element is written with two hexadecimal numbersindicating its group and element number. These meta-dataelements include identifiable information about the patient,the study, and the institution. Sharing such sensitive data de-mands proper protection to ensure data safety and maintainpatient privacy.

* K. Y. E. Aryantok.y.e.aryanto@umcg.nl

1 University of Groningen, University Medical Center Groningen,Center for Medical Imaging - North East Netherlands (CMINEN),Department of Radiology, Hanzeplein 1, Postbus 30001, 9700RB Groningen, The Netherlands

Eur Radiol (2015) 25:3685–3695DOI 10.1007/s00330-015-3794-0

Free DICOM de-identification tools in clinical research:functioning and safety of patient privacy

There are two methods to de-identify patient-related infor-mation in a DICOM header. The first method isanonymization which removes information carried by headerelements or replaces the information with random data suchthat the remaining information cannot be used to reveal thepatient identity at all. The other method, pseudonymization, isimplemented by replacing the most identifying fields within adata record using one or more artificial identifiers that couldbe used by authorized personnel to track down the real identityof the patient. This method is most frequently used in clinicalanalysis, processing, and research [4–6] since good clinicalpractice requires that, should additional findings be encoun-tered that are essential for the well-being of the patient, itshould be possible to somehow track the real identity of thepatient in order to inform him or her about these findings.

Numerous tools have been built to perform the task ofDICOM data de-identification in order to fulfil the require-ments of patient data protection. Each tool introduces itsown de-identification profiles to remove or replace a selectionof header elements and, therefore, produces its own specificoutcomes from the data de-identification process. In this work,ten non-commercial (free) DICOM toolkits were selected andtested for their de-identification effectiveness and complete-ness to determine the tools’ ability to remove a patient's per-sonal health information (PHI) from the DICOM header. Thiswork also provides further consideration of DICOM toolkitsthat could perform data de-identification to meet regulatoryrequirements.

Methods

Various applications, libraries, and frameworks have been de-veloped for handling, viewing, transmitting, and processingDICOM data. These toolkits offer many features useful forclinical practice or clinical research purposes such as DICOMdata validation, image viewing and analysis, PACS server, andconverting and modifying, including de-identifying, DICOMdata. Similar work examining seven free DICOM softwaretoolkits and their ability to de-identify 38 tags that containpatient or study information using their default and modifiedconfigurations has been previously presented [7, 8].

Several DICOM toolkits were selected to be compared fortheir de-identification capabilities. The candidates were gath-ered through an internet search to obtain as many free toolkitsas possible using a number of dedicated information sourceson the web [9–12] and also through a web search engine withthe search term BDICOM anonymizer^ or Bfree DICOManonymizer .̂ Main inclusion criteria were the ability of theapplications or frameworks to perform de-identification andavailability as freeware or an open source tool that can bedownloaded and installed or is accessible as an on-line, web-based, anonymization service. Other inclusion criteria were

based on how commonly the toolkits were used in practice,by noting practitioner toolkit preferences via direct discussionor via answers posted in online discussion forums or the like.The continuity of a toolkits’ development was also consideredas inclusion criteria; it was determined by the update history ofthe software and active communication about the software.Selected toolkits were not only end-user applications but alsoseveral frameworks, providing features allowing users to per-form de-identification directly.

All selected tools were evaluated on a workstation runningMicrosoft Windows XP Service Pack 3 and tested to de-identify the elements of a Bdummy^ DICOM file header. Fiftyheader elements were chosen to be de-identified since theycontained data that could be used to reconstruct a patient’sreal identity individually or in combination with otherelements (Table 1).

Two scenarios were defined to perform the de-identifica-tion. First, the default setting of the tools were used, meaningthat the installed tools were used to perform the process as is,without any customization. Then, customized settings weredefined to obtain the best possible configuration to performthe de-identification process. For each test, the unchangedelements were observed to determine whether any of the po-tential identifying information was retained. The test was per-formed using a dummy DICOM image (Fig. 1).

The DICOM header elements of the dummy DICOM filewere filled with the string BShould anonymized^ when possi-ble, except for those containing date or time values. Using thisdummy DICOM file, the de-identification process was per-formed according to the two scenarios. The de-identifiedDICOM files were checked to determine whether they stillcontained elements as listed above with the original value orthe given string. Figure 2 describes the workflow of themethod.

Results

Ten tools were selected, namely Conquest DICOM software[13], RSNA Clinical Trial Processor (CTP) [14], DICOM li-brary [15], DICOMworks [16], DVTK DICOM anonymizer[17], GDCM [18], K-Pacs [19], PixelMed DICOMCleaner[20], Tudordicom [21], and YAKAMI DICOM tools [22].Table 2 shows the general features offered by the selectedtools. Several of them have been previously introduced, im-plemented and reported on individually in the literature[23–26]. There are also several frameworks which have fea-tures to perform the de-identification but which were not in-cluded in this comparison since they cannot be used directly asa stand-alone application.

All selected tools are easy to install by following a step-by-step installation wizard. Additionally, some require othersupport ing applicat ions, frameworks, or runtime

3686 Eur Radiol (2015) 25:3685–3695

environments to be pre-installed, depending on what type ofprogramming language in which they were developed.Toolkits developed using Java will need a Java Runtime tobe pre-installed. A NET framework is needed for applicationsthat are developed using C#. Some toolkits require other, morespecific, applications to be pre-installed to support the com-plete process of reading or processing the DICOM files. Forexample, Tudordicom and CTP also require additional JavaImageIO Tools [27] to be present on the system to be able toread and process the compressed DICOM files. The GDCMinstallation under Microsoft Windows requires a Win32OpenSSL [28] to be pre-installed, while YAKAMI needsDirectX to be present. All required pre-installations are avail-able freely from the web from their respective manufacturers.

Amodifiable setting, in this case the ability to adjust the de-identification profiles, is important for an application to meet auser’s more specific needs. Six of the ten toolkits have cus-tomizable de-identification profiles. DVTk provides two pro-file selections to perform the de-identification, in a simple orcomplete way. In the other five tools, customization can bedone using the GUI provided by the applications, insertingscripts into text file, or using command-line arguments. How-ever, not all toolkits provide customizable de-identificationprofiles. Conquest, DICOM Library, DICOMWorks, andKPACS have a fixed profile for the de-identification process.

Using both default and customized configurations, two sce-narios were performed to determine to what extent the profilescould provide a secure de-identification by observing the re-maining original values of the defined 50 elements. Theseelements were selected based on their likelihood of being thecause of a data breach when exposed to a third party, either bythe element itself or combination with other elements.

From the tested applications, only DICOM Library can de-identify all of the defined elements using its default setting,while another four can perform this task using user-customized profiles. These four tools are CTP, GDCM,Tudordicom, and Yakami Dicom Tools. In addition to theheader de-identification, Yakami DICOM Tools, PixelmedDICOM Cleaner and CTP provide the ability of removinginformation Bburned in^ into the image pixels by blackingout a certain region of the image. The summary of the com-parison is shown in Table 3. The list of changed tag elementsare shown in Table 4. The success rate in de-identifying the

Table 1 Fields in the DICOM header defined to be de-identified

Tag ID Tag Name

0008,0020 StudyDate

0008,0021 SeriesDate

0008,0022 AcquisitionDate

0008,0023 ContentDate

0008,0024 OverlayDate

0008,0025 CurveDate

0008,002A AcquisitionDatetime

0008,0030 StudyTime

0008,0031 SeriesTime

0008,0032 AcquisitionTime

0008,0033 ContentTime

0008,0034 OverlayTime

0008,0035 CurveTime

0008,0050 AccessionNumber

0008,0080 InstitutionName

0008,0081 InstitutionAddress

0008,0090 ReferringPhysiciansName

0008,0092 ReferringPhysiciansAddress

0008,0094 ReferringPhysiciansTelephoneNumber

0008,0096 ReferringPhysicianIDSequence

0008,1040 InstitutionalDepartmentName

0008,1048 PhysicianOfRecord

0008,1049 PhysicianOfRecordIDSequence

0008,1050 PerformingPhysiciansName

0008,1052 PerformingPhysicianIDSequence

0008,1060 NameOfPhysicianReadingStudy

0008,1062 PhysicianReadingStudyIDSequence

0008,1070 OperatorsName

0010,0010 PatientsName

0010,0020 PatientID

0010,0021 IssuerOfPatientID

0010,0030 PatientsBirthDate

0010,0032 PatientsBirthTime

0010,0040 PatientsSex

0010,1000 OtherPatientIDs

0010,1001 OtherPatientNames

0010,1005 PatientsBirthName

0010,1010 PatientsAge

0010,1040 PatientsAddress

0010,1060 PatientsMothersBirthName

0010,2150 CountryOfResidence

0010,2152 RegionOfResidence

0010,2154 PatientsTelephoneNumbers

0020,0010 StudyID

0038,0300 CurrentPatientLocation

0038,0400 PatientsInstitutionResidence

Table 1 (continued)

Tag ID Tag Name

0040,A120 DateTime

0040,A121 Date

0040,A122 Time

0040,A123 PersonName

Eur Radiol (2015) 25:3685–3695 3687

DICOM header using the default setting provided by thetoolkits is shown in Fig. 3, while Fig. 4 shows the success rateusing the advance setting.

Only two toolkits provided a high success rate of de-identification when using the default setting (CTP andDICOM Library), while an additional four achieved a highsuccess rate after careful customization (GDCM, PixelMed,TudorDICOM, and Yakami DICOM tool). DICOMLibrary is

the only tool that achieves a 100 % success rate at its defaultsetting. The success rate of the CTP to de-identify the DICOMheader using its default profile is 98 %, which increases to acomplete de-identification of the specified elements undercustom settings. Pixelmed could deliver a high success rateof 98 % using its advance setting while it failed to do so in itsdefault setting (only 64 %). Meanwhile, DVTK provided lessthan a 44 % success rate using its default setting and theoptimization capabilities did not allow much improvement,resulting in a success rate of 48 %.

Only five out of ten selected free DICOM toolkits could de-identify all of the defined DICOM elements properly with a100 % success rate. Four of them could only achieve this afterimprovement using advance settings with user controlled de-identification protocols. One toolkit achieved a 98 % successrate after manual improvement of the de-identification set-tings. Only two out of ten toolkits were able to give a successrate above 90 % using the default setting, with all remainingtools performing at less than 65 %, of which four evenachieved success rates of 26 % or less.

Discussion

Various toolkits have been built to de-identify DICOM data,either as free or paid applications. Paid toolkits have advan-tages such as customer support and development updates,while free versions less likely to have consistent updates.However, the free versions are not necessarily of poorerFig. 2 Flowchart of the method to test DICOM de-identification tools

Fig. 1 Dummy DICOM image. a) A generated DICOM file consisting of header data and image pixels. b) Part of the header. The 50 tag elements to bede-identified by various selected DICOM toolkits were filled with dummy information or the string Bshould be anonymized^

3688 Eur Radiol (2015) 25:3685–3695

Tab

le2

Selected

DICOM

toolkits

Nam

ePlatform

Type

ofDistribution

UserInterface

Functio

nSo

urce

Avail.

Programming

Language

Year

update

Requirements

Doc/U

ser

Manual

DICOMWorks

Windows

Freeware

GUI

Application

NN/A

2007

*OS:M

icrosoft

Windowssystem

sY

KPacs

Windows

Freew

are

GUI

Display,PACS

Client,S

erver

NN/A

2009

*OS:W

indows2000/XP

*Processor

:>=Pentiu

mIII(800

MHz)

*Monito

rwith

1024x768

pixelresolution

Y

ConquestD

icom

Server

Windows,Linux

OpenSource

GUI

Library,PACS

Server

YC/C++

2010

*OS:W

indowsNT/

2000/XP/Vista/W

in7/

Linux

*1024x768x256

display.

*TCP/IP

functio

ning

Y

DVTkDICOM

Anonymizer

Windows

OpenSo

urce

GUI

Library,A

pplication

YC#

2011

*OS:M

icrosoftWindows

XP/Vista/W

indows7

*.NET2.0Fram

ework

Y

DICOM

library

Windows,Macintosh,

Linux

Free

Online

GUI

Library

NN/A

2013

N/A

Y

PixelMed

DICOMCleaner

Windows,Macintosh,

Linux

OpenSource

Com

mand-lin

eutility

Display,L

ibrary,

Utility

YJava

2013

*Java

Runtim

e(JRE)1.5

ornewer

*MicrosoftWindowsXP/

2000/W

indows7/Linux/

Mac

OSX

Y

Tudordicom

Windows,Macintosh,

Linux

OpenSource

GUI

Utility

/Application,

Processor

YJava

2013

*Java

Runtim

e(JRE)1.5

ornewer

*Java

ImageIO

Y

CTP

Windows,Macintosh,

Linux

OpenSource

GUI

Utility

/Application,

Processor

YJava

2013

*Java

Runtim

e(JRE)1.5

ornewer

*Java

AdvancedIm

aging

ImageIOTo

ols

Y

GDCM

Windows,Macintosh,

Linux

OpenSource

Com

mand-lin

eutility

Utility,L

ibrary

YC#,C++,P

ython

2013

*OpenS

SLY

YAKAMIDICOM

Tools

Windows

Freew

are

GUI

Utility

/Application,

PACSClient

NN/A

2013

*OS:

Windows7/V

ista/

XP/2000

*.NET2.0Fram

ework

*DirectX®

Y

Eur Radiol (2015) 25:3685–3695 3689

quality. Many of the free toolkits are provided in an opensource version, which means that the tools are open for im-provements either by users or related communities.

The elements to be de-identified in this work were chosenbased on their potential for being the cause of a data breachwhen exposed to a third party, either by the element itself or incombination with other elements. Even though all of thoseelements will not be filled in a daily routine, a recommenda-tion for removal or modification of those elements is stillrequired due to the possibility of practitioners giving valuesto the elements, as determined via our observation of severalcases where those elements contained certain values. Thevalues are most likely the appropriate values required by theelements and could possibly reveal a patient’s identity.

The selection of 50 DICOM tags was made based on acareful inspection of possible fields containing sensitive infor-mation in combination with the information of Supplement142 of the DICOM standard. This selection was, therefore,based on experience of the authors which could influencethe quality score.

The selection of software packages included in this workwas based on a number of parameters. It would be impossibleto review all available software. Therefore, a possible biascould be introduced by the selection of the software packages.However, to obtain the most relevant results, software pack-ages were selected on criteria that would identify their fre-quency of download and use. Based on these criteria, thesoftware packages most frequently used and, thus, probablywith the highest impact in daily practice, were selected.

A default configuration of a de-identification profile allowsusers to quickly run a required task as intended without in-depth knowledge of the tool itself. Nevertheless, the defaultconfiguration does not always provide de-identification ofsensitive patient-related information within the DICOM datafor a specific research project or for educational purposes. Forsuch reasons, a customizable configuration is required to per-form the intended task. The customizable settings will providemore flexibility and improved tool performance, especially ifthe image data are needed for a specific research project or foreducational purposes.

The selection of element tags was done by considering twokinds of elements, direct and indirect patient informationfields, consisting of 17 and 33 elements, respectively. Directpatient information fields have information that directly pointsto patient identity, including PatientsName, PatientID,IssuerOfPatientID, PatientsBirthDate, PatientsBirthTime,PatientsSex, OtherPatientIDs, OtherPatientNames,PatientsBirthName, PatientsAge, PatientsAddress,PatientsMothersBirthName, CountryOfResidence,RegionOfResidence, Pat ientsTelephoneNumbers,CurrentPatientLocation, PatientsInstitutionResidence. The re-maining elements are indirect patient information fields. Theelements listed above are recommended for de-identificationT

able3

Summaryof

comparisonof

thede-identificationtoolkit

Nam

eDe-identificationProfiles

De-identificationfeatures

De-identify50

Elements

Customizable

Profiles

Configuratio

nMultip

leFiles

Autom

atic

PixelB

lackout

Default

Customized

ConquestD

icom

Server

NFixed

N/A

Y,study/series

NN

NN/A

CTP

YDefined,Elemento

rGroup

selection

GUIor

text

fileinput

Y,directory

YY

NY

Dicom

Library

NFixed

N/A

Y,directory

YN

YN/A

DICOMWorks

NFixed

N/A

Y,study/series

YN

NN

DVTKDICOM

Anonymizer

YFixed

profilesselection

GUI

Y,directory

YN

NN

GDCM

YDefined,E

lementselectio

nCom

mandoptio

ns/argum

ents

Y,directory

YN

NY

KPacs

Anonymizer

NFixed

N/A

Y,directory

YN

NN/A

PixelM

edDICOMCleaner

YGroup

selection

GUI

Y,files/study/series

NY

NN

Tudordicom

YElementselectio

nGUI

Y,directory

YN

NY

YAKAMIDicom

Tools

YElementselectio

nGUIor

text

fileinput

Y,filesor

directory

YY

NY

3690 Eur Radiol (2015) 25:3685–3695

Tab

le4

The

results

ofDICOM

header

elem

entd

e-identificationby

tenDICOM

toolkits

Fields/Tags

TagNam

eConquest

CTP

DICOM

Library

DICOM

works

DVTK

GDCM

KPA

CS

Pixelm

edTudor

Yakam

i

0008,0020

StudyDate

NY

YN

NN

NN

NN

0008,0021

Series

Date

NY

YN

NN

NN

NN

0008,0022

Acquisitio

nDate

NY

YN

NN

NN

NN

0008,0023

ContentDate

NY

YN

NN

NN

NN

0008,0024

OverlayDate

YY

YY

YY

YY

YY

0008,0025

CurveDate

YY

YY

YY

YY

YY

0008,002A

Acquisitio

nDatetim

eY

YY

NN

NN

NN

N

0008,0030

StudyT

ime

NY

YN

NN

NN

NN

0008,0031

SeriesTim

eN

YY

NN

NN

NN

N

0008,0032

Acquisitio

nTim

eN

YY

NN

NN

NN

N

0008,0033

Content

Tim

eN

YY

NN

NN

NN

N

0008,0034

Overlay

Tim

eY

YY

YY

YY

YY

Y

0008,0035

CurveTim

eY

YY

YY

YY

YY

Y

0008,0050

Accession

Num

ber

NY

YN

YY

NY

NN

0008,0080

InstitutionNam

eN

YY

YY

YN

NY

N

0008,0081

InstitutionAddress

NY

YN

YY

NN

YN

0008,0090

Referring

Physicians

Nam

eY

YY

YY

YY

YY

Y

0008,0092

Referring

Physicians

Address

NY

YN

YY

NY

YN

0008,0094

Referring

Physicians

TelephoneNum

ber

NY

YN

YY

NY

YN

0008,0096

Referring

PhysicianIDSequence

NY

YN

NN

NY

YN

0008,1040

InstitutionalDepartm

entNam

eN

YY

NY

YN

NY

N

0008,1048

PhysicianO

fRecord

NY

YN

YY

NY

YN

0008,1049

PhysicianO

fRecordIDSequence

NY

YN

NN

NY

YN

0008,1050

PerformingPh

ysicians

Nam

eN

YY

NY

YN

YY

N

0008,1052

PerformingPh

ysicianIDSequence

NY

YN

NN

NY

YN

0008,1060

Nam

eOfPh

ysicianReading

Study

NY

YN

YY

NY

YN

0008,1062

PhysicianReading

StudyIDSequence

NY

YN

NN

NY

YN

0008,1070

OperatorsNam

eN

YY

NY

YN

YY

N

0010,0010

PatientsNam

eY

YY

YY

YN

YY

N

0010,0020

PatientID

YY

YY

YY

NY

YN

0010,0021

IssuerOfPatientID

NY

YN

NN

NY

NN

0010,0030

PatientsBirthDate

YY

YN

NY

NY

NN

0010,0032

PatientsBirthTim

eN

YY

NY

YN

YY

N

0010,0040

PatientsSex

NY

YN

YY

NN

YN

0010,1000

OtherPatientID

sN

YY

NY

YN

YY

N

0010,1001

OtherPatientNam

esN

YY

NY

YN

YY

N

Eur Radiol (2015) 25:3685–3695 3691

to prevent the elements containing date or time related topatients, data acquisition, or other process being used, aloneor in combination with others, to reveal the real patient iden-tity that may lead to the breach of a patient’s important data. Inorder to de-identify the elements, dummy date or time valuesare set to the appropriate elements to replace the originalvalues. These dummy values vary depending on the aim ofthe study or research.

The support of configurable profiles should provide op-tions to the user to perform a specific de-identification processmore freely. Several methods were introduced by the differenttoolkits, such as adding, modifying or removing header ele-ments one element at a time or using a list of actions, definedby the tools or manually, to be conducted on several elementssimultaneously. Some tools require script files to be manuallywritten or adapted using a text file editor or employ a userinterface to generate these script files from within theapplication.

The ability of a tool to de-identify multiple files automati-cally can be a significant advantage. This feature will ease thede-identification process for a set of images which is usuallyrequired when de-identifying data from cross-section-basedmodalities such as computed tomography (CT) and magneticresonance imaging (MRI). Tools lacking this capability wouldrequire one to manually perform the task one file at a time,resulting in a more time consuming method which is cumber-some for the user and more prone to errors. Customizable oruser-defined selection of de-identification profiles will be amajor advantage when compared to standard settings, becauseotherwise nobody will check which of these DICOM tags willbe de-identified.

Supplement 142 in the DICOM standards provides a pro-file within clinical trials de-identification that has become thestandard of DICOM data security. Nevertheless, to have thefull list of the tags in supplement 142 to be de-identified wouldstill be difficult to do manually. Instead, we provided 50 ele-ments considered to be the minimum requirements for a thirdparty to reveal the identity of a patient. Furthermore, the rec-ommended software has also provided a configurationclaiming to conform to Supplement 142 in the DICOMstandard.

The ability to blackout the embedded information writtenon the images is an advantage in identity protection. In somecases, patient information can be included in the DICOMimage data as Bburned in^ information, for example, in thecase of storage of secondary capture images or with frame-grabbed ultrasound examinations. A de-identification of theDICOM header could become meaningless when such infor-mation is still present within the image itself. This feature isonly supported by Yakami DICOM Tools, Pixelmed DICOMcleaner and CTP.

Another potential risk is the use of private tags. Theseprivate tags can be used by the manufacturer to provideT

able4

(contin

ued)

Fields/Tags

TagNam

eConquest

CTP

DICOM

Library

DICOM

works

DVTK

GDCM

KPA

CS

Pixelm

edTudor

Yakam

i

0010,1005

PatientsBirthNam

eN

YY

NN

NN

YY

N

0010,1010

PatientsA

geN

YY

NY

YN

NY

N

0010,1040

PatientsAddress

NY

YN

NN

NY

YN

0010,1060

PatientsMothersBirthNam

eN

YY

NN

NN

YY

N

0010,2150

CountryOfResidence

NY

YN

NN

NY

NN

0010,2152

RegionO

fResidence

NY

YN

NN

NY

NN

0010,2154

PatientsTelephoneNum

bers

NY

YN

NN

NY

YN

0020,0010

StudyID

NY

YY

NY

NY

NN

0038,0300

Current

Patient

Location

NY

YN

NN

NY

NN

0038,0400

PatientsInstitutionResidence

NY

YN

NN

NN

YN

0040,A

120

DateTim

eY

YY

NN

NN

NN

N

0040,A

121

Date

YY

YN

NN

NN

NN

0040,A

122

Tim

eY

NY

NN

NN

NN

N

0040,A

123

PersonNam

eY

YY

NN

NN

YY

N

3692 Eur Radiol (2015) 25:3685–3695

additional, proprietary information within the DICOM header.These tags may contain sensitive data regarding a patient’sPHI. However, not all private elements consist of sensitivedata. Therefore, unless the tags contain important informa-tion for further processing, it is recommended that thoseelements should be removed. Private tags are typicallydocumented to provide additional information related tothe device/manufacturer. However, the additional datawhich may contain patient related information can alsobe added manually or automatically, for example, whenprivate tags are not displayed in the DICOM viewer. How-ever, as mentioned above, private DICOM tags may alsoprovide sensitive patient data. Although these data are notvisible through the DICOM viewer, they are available for

viewing using the tag reader and may be used by otherparties to reveal the patients identity.

The utilization of a framework or of library tools such asGDCM is limited since those tools are intended to be used foradvanced purposes, integrated into another application as atoolkit. However, the provided functionality is sufficient forpractical use. Other known frameworks that provide a de-identification process are DCM4CHE [29, 30] and DCMTK[31]. DCM4CHE is a framework developed using the Javaprogramming language that is claimed to have better function-ality compared to the others [32]. However, this framework isnot directly suitable for practical use, but can be used by asoftware developer to be integrated into new software tools.The RSNA Clinical Trial Processor (CTP) tested in this study

Fig. 3 Success rate of the toolkitto de-identify fifty DICOMheader elements using the defaultsettings. The numbers presentedin the bars are the total score usingthe default de-identificationsetting

Fig. 4 Success rate of the toolkitto de-identify fifty DICOMheader elements using theadvanced settings. The numberspresented in the bars are themaximum success rate obtainedafter customization of thede-identification settings

Eur Radiol (2015) 25:3685–3695 3693

is one of the toolkits that use this framework as part of thesoftware.

The low de-identification performance of several applica-tions might be caused by the main role of the application itself.For example, the tools that were intended to be an imageviewer are likely to have low priority for development andimplementation of the image de-identification process. Onthe other hand, an application that is addressed as a DICOMdata processor will have more advanced options to performthe de-identification task since that is one of its intended uses.

The DICOMLibrary is an online service to share images. Itis developed mainly for educational and scientific purposes[15]. Its output data were well de-identified and download-able. However, the uploading of images to be de-identified bythe service should be considered further since the process isdone outside the domain of the sender. This means that eventhough the source files are claimed to be de-identified at theclient side, the implementation of an unsupervised processinvolving uploading to a third party should be utilized withcare and checked with hospital security regulations. Using thiskind of service may cause a security breach due to the possi-bility that unmodified parts of data still contain sensitive in-formation. It might, thus, not be allowed according to thesecurity policies of most institutions since it is unknown whatexactly happens with the uploaded files at the server side.Furthermore, the files could be retained at the server for someunknown period of time without the uploading party beingaware of this storage. Even though online, web-basedanonymization services are not ideal for the transfer of suchconfidential data using standard transfer protocols, there arestill possibilities to make such methods acceptable, either bymoving the services to a more secure line or transfer only datawithout burnt-in information within the images. However, al-though the transfer is claimed to be secure, information that isnot processed by such service, i.e., burnt-in information withinthe images themselves, can still reveal patient identity. Wesuggest that the use of online services without full controlfrom the user should be avoided as much as possible.

The challenge with the blackout of regions is that it is afully manual process. When annotations are made on the im-age, e.g., in ultrasound, the location of this information willvary and in some cases manually entered annotations could bepositioned at several places or on top of the actual image.Therefore, default settings to overcome this problem are notavailable. This calls for extra attention when ultrasound im-ages are involved and instructing imagers involved in studiesnot to include annotations that are ‘burned’ into the images.

Conclusion

Only two out of ten free available DICOM de-identificationtoolkits had a success rate of de-identification higher than

90 % using the default setting. All remaining tools performedwith a success rate lower than 65 %, of which four onlyachieved a success rate of 25 % or less.

Free DICOM toolkits should, therefore, be used with ex-treme care when de-identifying sensitive data since they havea high risk of disclosing personal health information, especial-ly when using the default configuration. Four out of ten toolsare not recommended to be used in de-identifying DICOMdata since they could cause serious threats to patient privacy.

In case optimal security is required, RSNA CTP is recom-mended for its high level of customization to perform de-identification to exactly meet the regulatory requirements [33].

Acknowledgments The scientific guarantor of this publication is Prof.Dr. Matthijs Oudkerk. The authors of this manuscript declare no relation-ships with any companies whose products or services may be related to thesubject matter of the article. This study received funding by the ZonMwInnovative Medical Devices Initiative (IMDI) under project registrationnumber 104002003. No complex statistical methods were necessary forthis paper. Institutional Review Board approval was not required becauseour study was not onhuman subjects. Methodology:prospective, experi-mental, performed at one institution.

Open Access This article is distributed under the terms of the CreativeCommons Attribution-NonCommercial 4.0 International License (http://creativecommons.org/licenses/by-nc/4.0/), which permits any noncom-mercial use, distribution, and reproduction in any medium, providedyou give appropriate credit to the original author(s) and the source, pro-vide a link to the Creative Commons license, and indicate if changes weremade.

References

1. N. E. M. A. (NEMA), BThe DICOM Standard.^ [Online].Available: http://medical.nema.org/

2. O. Pianykh, BWhat Is DICOM?,^ in in Digital Imaging andCommunications in Medicine (DICOM), Springer BerlinHeidelberg, 2012, pp. 3–5

3. Mustra M, Delac K, Grgic M (2008) Overview of the DICOMstandard. IEEE 1:10–12

4. Noumeir R, Lemay A, Lina J-M (2007) Pseudonymization ofRadiology Data for Research Purposes. J Digit Imaging 20(3):284–295

5. Neubauer T, Riedl B (2008) Improving patients privacy withPseudonymization. Stud Health Technol Info 136:691–696

6. Neubauer T, Heurix J (2011) A methodology for thepseudonymization of medical data. Int J Med Inform 80(3):190–204

7. Lakhani, P, Chen, J, Nagy, P, Safdar, N, BProtecting Your Patient'sPrivacy: Is Your DICOM Anonymizer Working for You?^,Radiological Society of North America 2009 Scientific Assemblyand Annual Meeting, November 29 - December 4, 2009 ,ChicagoIL.http://archive.rsna.org/2009/8011488.html Accessed September10, 2014

8. National Institutes of Health, BI Do Imaging,^ 2013. [Online].Available: http://www.idoimaging.com/

9. W. Schöch, BDiploma thesis ‘Using DICOM SR in Pathology’,^2012. [Online]. Available: http://www.schoech.de/diploma/toolkits.html

3694 Eur Radiol (2015) 25:3685–3695

10. D. A. Clunie, BDavid Clunie’s Medical Image Format Site,^ 2013.[Online]. Available: http://www.dclunie.com/medical-image-faq/html/part8.html#DICOMDeidentifiers

11. Plastimatch development team, BDICOM anonymizer comparison,^ 2013. [Online]. Available: http://plastimatch.org/dicom_comparison.html

12. Marcel van Herk, BConquest DICOM software.^ [Online].Available: http://ingenium.home.xs4all.nl/dicom.html

13. RSNA, BCTP-The RSNA Clinical Trial Processor.^ [Online].Available: http://mircwiki.rsna.org/index.php?title=CTP-The_RSNA_Clinical_Trial_Processor

14. D. Library, BDICOM Library - Anonymize, Share, View DICOMfiles ONLINE.^ [Online]. Available: http://www.dicomlibrary.com

15. Dicomworks project, BDicomWorks - Free DICOM software.^[Online]. Available: http://www.dicomworks.com

16. DVTk, BDVTk Project.^ [Online]. Available: http://www.dvtk.org/17. GDCM, BGDCM: Grassroots DICOM library.^ [Online].

Available: http://gdcm.sourceforge.net/wiki/index.php/Main_Page18. Andreas Knopke, BK-Pacs.^ [Online]. Available: http://k-pacs.net/19. P. Publishing, BPixelMed Java DICOM Toolkit.^ [Online].

Available: http://www.pixelmed.com20. C. de R. P. H. Tudor, BThe Tudor Dicom Tools.^ [Online].

Available: http://santec.tudor.lu/project/optimage/dicom/start21. Masahiro YAKAMI, BYAKAMI DICOM Tools.^ [Online].

Available: http://www.kuhp.kyoto-u.ac.jp/~diag_rad/intro/tech/dicom_tools.html

22. Puech PA, Boussel L, Belfkih S, Lemaitre L, Douek P, Beuscart R(2007) DicomWorks: software for reviewing DICOM studies and

promoting low-cost teleradiology. J Digit Imaging Off J SocComput Appl Radiol 20(2):122–130

23. Potter G, Busbridge R, Toland M, Nagy P (2007) BMasteringDICOM with DVTk. J Digit Imaging Off J Soc Comput ApplRadiol 20(Suppl 1):47–62

24. Rodríguez González D, Carpenter T, Hemert J, Wardlaw J (2010)An open source toolkit for medical imaging de-identification. EurRadiol 20(8):1896–1904

25. Aryanto KYE, Broekema A, Oudkerk M, a van Ooijen PM (2012)Implementation of an anonymisation tool for clinical trials using aclinical trial processor integrated with an existing trial patient datainformation system. Eur Radiol 22(1):144–151

26. Oracle, BJava Advanced Imaging Image I/O Tools Installation.^[Online]. Available: http://www.oracle.com/technetwork/java/install-jai-imageio-1-0-01-139659.html

27. Shining Light Production, BWin32 OpenSSL.^28. dcm4che, Bdcm4che, a DICOM Implementation in JAVA.^

[Online]. Available: http://www.dcm4che.org/29. Warnock MJ, Toland C, Evans D, Wallace B, Nagy P (2007)

Benefits of using the DCM4CHE DICOM archive. J DigitImaging Off J Soc Comput Appl Radiol 20(Suppl 1):125–129

30. O. computer science Institute, BDCMTK - DICOM Toolkit.^[Online]. Available: http://dicom.offis.de/dcmtk.php.en

31. OBA Vasquez, S Bohn, M Gessat BEvaluation of Open SourceDICOM Frameworks^

32. Freymann JB, Kirby JS, Perry JH, Clunie DA, Jaffe CC (2012)Image data sharing for biomedical research–meeting HIPAA re-quirements for De-identification. J Digit Imaging Off J SocComput Appl Radiol 25(1):14–24

Eur Radiol (2015) 25:3685–3695 3695