Security and DICOM Lawrence Tarbox, Ph.D. Chair, DICOM Working Group 14 Siemens Corporate Research.


Security and DICOM

Lawrence Tarbox, Ph.D.
Chair, DICOM Working Group 14
Siemens Corporate Research

What’s Available Now

Use of Secure Communications Channels
– Data integrity during transit

– Entity authentication

– Confidentiality during transit via encryption

– Secure Transport Connection Profiles
• TLS 1.0 (derived from SSL)

• ISCL

Secure Use Profiles
– Online Electronic Storage

– Base and Bit-preserving Digital Signature (storage)

What’s Available Now

Secure Media via CMS Envelopes
– Data integrity checks

– Confidentiality via encryption

– Only targeted recipients can access

– Media Storage Security Profiles

Embedded Digital Signatures
– Data integrity for the life of the SOP Instance

– Identifies signatories, with optional timestamps

– Digital Signature Profiles
• Base, Creator, and Authorization RSA Profiles

Profiles in DICOM?

Main standard body provides the ‘hooks’
Profiles provide the particulars, e.g.
– Standard selection
– Algorithm selection
– Parameter selection

Primarily refer to existing IT standards
Easy migration to new ideas
Simplifies conformance claims

What’s coming

Attribute Level Encryption (a.k.a. de-identification)
– Teaching Files
– Clinical Trials
– ???

Audit Log Collection
– Spans multiple organizations, pushed by IHE

Structured Report Digital Signature Profile

De-Identification, How?

– Simply remove Data Elements that contain patient identifying information?

• e.g., per HIPAA’s safe harbor rules

BUT
– Many such Data Elements are required

SO
– Instead of removing, replace with a bogus value

Attribute Level Encryption

Since some use cases require controlled access to the original Attribute values:
– Original values can be stored in a CMS (Cryptographic Message Syntax) envelope
• Embedded in the Data Set
• Only selected recipients can open the envelope
• Different subsets can be held for different recipients
– Full restoration of data not a goal

Attribute Confidentiality Profiles
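The approach on the two slides above (remove optional identifying elements, replace required ones with bogus values, and keep the originals in a Modified Attributes Sequence that only selected recipients can recover, with a different subset per recipient) can be shown on a small data set. The following Python is an added example, not code from the presentation or from any DICOM toolkit: it treats a data set as a plain dict keyed by DICOM keyword, the sample patient record is constructed for the example, the element Types listed are those assumed for the example's IOD, and wrapping the recovered originals in a CMS envelope is left to a CMS library and is not performed here.

```python
import hashlib
import hmac
from typing import Dict, List, Tuple

# Identifying elements this example knows about and their Type in the IOD
# assumed for the example.  Type 1/2 elements are required in the SOP
# Instance and therefore get a bogus replacement; Type 3 elements are
# optional and are simply removed.
IDENTIFYING_ELEMENTS: Dict[str, str] = {
    "PatientName": "2",
    "PatientID": "2",
    "PatientBirthDate": "2",
    "PatientSex": "2",
    "StudyDate": "2",
    "ReferringPhysicianName": "2",
    "PatientAddress": "3",
    "PatientTelephoneNumbers": "3",
    "InstitutionName": "3",
}

# Constructed sample record for this example, not a real study.
SAMPLE_DATASET: Dict[str, str] = {
    "PatientName": "Doe^Jane",
    "PatientID": "MRN-123456",
    "PatientBirthDate": "19650412",
    "PatientSex": "F",
    "StudyDate": "20020315",
    "ReferringPhysicianName": "Smith^John",
    "PatientAddress": "1 Example Street",
    "PatientTelephoneNumbers": "555-0100",
    "InstitutionName": "Example Hospital",
    "Modality": "CT",
    "SOPInstanceUID": "1.2.3.4.5.6",
}


def pseudonym(secret: bytes, value: str) -> str:
    """Keyed one-way pseudonym: the same patient maps to the same value across
    a trial, but the real value cannot be recovered without the secret."""
    digest = hmac.new(secret, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "ANON-" + digest[:12]


def bogus_value(keyword: str, original: str, secret: bytes) -> str:
    """Replacement for a required element: valid for its VR, but meaningless."""
    if keyword in ("PatientName", "PatientID"):
        return pseudonym(secret, original)
    if keyword.endswith("Date"):
        return "19000101"  # well-formed DA value that is obviously not real
    if keyword == "PatientSex":
        return "O"  # 'Other': keeps the enumerated value valid
    return ""  # Type 2 permits a zero-length value


def deidentify(dataset: Dict[str, str], secret: bytes,
               recipients: Dict[str, List[str]]) -> Tuple[Dict[str, str], List[dict]]:
    """Return the de-identified data set and one Encrypted Attributes Sequence
    item per recipient.  Each item carries a Modified Attributes Sequence with
    the subset of original values that recipient may recover; in a real
    implementation that sequence would be wrapped in a CMS envelope only the
    named recipient can open (the enveloping is not done here)."""
    clean = dict(dataset)
    originals: Dict[str, str] = {}
    for keyword, dicom_type in IDENTIFYING_ELEMENTS.items():
        if keyword not in clean:
            continue
        originals[keyword] = clean[keyword]
        if dicom_type == "3":
            del clean[keyword]
        else:
            clean[keyword] = bogus_value(keyword, clean[keyword], secret)
    clean["PatientIdentityRemoved"] = "YES"
    encrypted_attributes_sequence = [
        {"Recipient": name,
         "ModifiedAttributesSequence": [{k: originals[k] for k in keywords if k in originals}]}
        for name, keywords in recipients.items()
    ]
    return clean, encrypted_attributes_sequence


def leaks_identity(clean: Dict[str, str], dataset: Dict[str, str]) -> bool:
    """Check that no original identifying value survives in the output."""
    originals = {v for k, v in dataset.items() if k in IDENTIFYING_ELEMENTS and v}
    return any(v in originals for v in clean.values())


if __name__ == "__main__":
    recipients = {"Sponsor": ["PatientID", "StudyDate"], "Site": list(IDENTIFYING_ELEMENTS)}
    clean, items = deidentify(SAMPLE_DATASET, b"trial-secret", recipients)
    print(clean)
    print("identity leaked:", leaks_identity(clean, SAMPLE_DATASET))
```

The pseudonym for PatientName and PatientID is keyed so that a clinical trial can still link a patient's studies over time without the data set carrying the real identifier; the leak check at the end is the kind of test a de-identification pipeline should run on every output, since it catches identifiers that have been copied into elements the table does not list.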

[Attribute Encryption Diagram: the SOP Instance holds its unencrypted Attributes alongside an Encrypted Attributes Sequence. Each of the sequence's n items carries an Encrypted Content Transfer Syntax and an Encrypted Content value that is a CMS (Cryptographic Message Syntax) envelope; the CMS attributes and the encryptedContent field sit inside that envelope. Opening an envelope yields a Modified Attributes Sequence whose single item holds the Attributes to be encrypted, i.e. the original values.]

Attribute Encryption Diagram

IHE year 4: collection of trusted nodes

• Local authentication of user (Userid, Password)
• Authentication of the remote node (digital certificates)
• Local access control
• Audit trail
• Time synchronization

[Diagram: System A within its secure domain and System B within its secure domain, connected over a secure network.]

Selection of Standards

Use TLS for Transport Layer Security
– Basic TLS Secure Transport Connection Profile

Use X.509 Certificates for node identity and keys
– Basic TLS Secure Transport Connection Profile

Use NTP for Time Synchronization

Use ??? for Audit Trail Collection
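The node-to-node model of the previous two slides (TLS for the channel, an X.509 certificate for each node's identity, a local list of trusted nodes as the access-control decision) can be set up with Python's standard ssl module. This is an added example, not code from the presentation or from any DICOM toolkit: the certificate file paths are parameters the caller supplies, the peer certificate dictionary used to show the trusted-node check is constructed in the layout that SSLSocket.getpeercert() returns, and the protocol floor is set to TLS 1.2 rather than the TLS 1.0 the profile originally named, since TLS 1.0 is deprecated in current deployments.

```python
import ssl
from typing import Dict, Iterable, Optional


def dicom_tls_context(server_side: bool,
                      ca_file: Optional[str] = None,
                      cert_file: Optional[str] = None,
                      key_file: Optional[str] = None) -> ssl.SSLContext:
    """Build a context for one end of a DICOM association.

    Both ends present a certificate and both verify the other's certificate
    against the trust store, which is what gives mutual node authentication.
    """
    purpose = ssl.Purpose.CLIENT_AUTH if server_side else ssl.Purpose.SERVER_AUTH
    ctx = ssl.create_default_context(purpose, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # assumption: modern floor, not the profile's TLS 1.0
    ctx.verify_mode = ssl.CERT_REQUIRED           # the peer must send a certificate we can verify
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)  # this node's own X.509 identity
    return ctx


def context_summary(ctx: ssl.SSLContext) -> Dict[str, object]:
    """Plain-value view of the security-relevant settings, for checks and logs."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "minimum_version": ctx.minimum_version.name,
        "check_hostname": ctx.check_hostname,
    }


def peer_common_name(peer_cert: dict) -> Optional[str]:
    """Extract the subject CN from the dict returned by SSLSocket.getpeercert()."""
    for rdn in peer_cert.get("subject", ()):
        for attr_type, value in rdn:
            if attr_type == "commonName":
                return value
    return None


def peer_allowed(peer_cert: dict, trusted_nodes: Iterable[str]) -> bool:
    """Local access control: the handshake has already proven the certificate
    chains to a trusted CA; on top of that, admit only nodes on the local list."""
    name = peer_common_name(peer_cert)
    return name is not None and name in set(trusted_nodes)


# Constructed peer certificate in getpeercert() layout; not a real certificate.
SAMPLE_PEER_CERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Example Hospital"),),
                (("commonName", "pacs.radiology.example"),)),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}

# Hypothetical local list of trusted nodes for this example.
TRUSTED_NODES = {"pacs.radiology.example", "modality-ct1.example"}


if __name__ == "__main__":
    print(context_summary(dicom_tls_context(server_side=True)))
    print("peer admitted:", peer_allowed(SAMPLE_PEER_CERT, TRUSTED_NODES))
```

In use, the accepting side wraps the accepted socket with the server context, calls getpeercert() on the wrapped socket and feeds the result to peer_allowed before accepting the association; the initiating side uses the client context, which keeps hostname checking on. The NTP item on the slide matters here as well: certificate validity windows are checked against the local clock, so an unsynchronized node will reject or wrongly accept certificates.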

Audit Log Collection

Joint NEMA / JIRA / COCIR Security and Privacy Committee proposal
– Governmental regulation
– Push management responsibility to one location

ASTM PS 115: Provisional Standard Specification for Audit and Disclosure Logs for Use in Health Information Systems

HL7 Common Audit Message (informative)

Part of IHE Year 4 plans

[Diagram, Audit Trail Standards in Healthcare: A Proposed Model. Elements shown: Application Specific Trigger/Content, covering User Generated Events, Security Admin and Audit Trail Mgt; a messaging layer driven by the HL7 Security SIG (with DICOM references) and by DICOM WG14 Security (with HL7 references); Audit Trail Records Transfer, with Session and Transport over Reliable SYSLOG or ebXML (undecided); all on a Common DICOM/HL7 infrastructure.]

Audit Trail Standards in Healthcare: A Proposed Model

Division of Tasks

IHE generating initial proposals
– Reliable Delivery for Syslog (RFC 3195)
– XML schema for defined content
– IHE in Technical Framework: Out for Public Comment Now

HL7 and DICOM WG 14 work on messaging standard

ASTM and SPC work on policy issues

Signatures in SR

Identified as an important use case

Reference Mechanism
– To other signed SOP Instances
– To unsigned SOP Instances

Resolve issues identified during demonstrations

SR-specific Profile