Keeping it safe: Securing DICOM

Presentation I gave at the DICOM Workshop, held in Chengdu, China, in August 2014. Topics include: DICOM over TLS, DICOM file encryption, DICOM content in other transports, security profiles, and DICOM anonymization profiles.

Published in: Healthcare

  1. THE DICOM 2014 Chengdu Workshop, August 25, 2014, Chengdu, China
     Keeping It Safe: Securing DICOM
     Brad Genereaux, Agfa HealthCare Product Manager
     Industry Co-Chair, DICOM WG-27, Web Technologies
  2. What is security?
     • Protecting data security (against unauthorized access)
     • Protecting data integrity (against unauthorized changes)
     • Protecting data loss (against unauthorized deletions)
     • Protecting data availability (against denial of service)
  3. What are the implications if security is compromised?
     • Data corruption and loss
     • Fraud against those victimized
     • Civil penalties (fines and lawsuits)
     • Criminal penalties
     • Serious harm and death
  4. What is NOT security?
     • Changing names of parameters, servers or functions to make it harder to guess
     • Including dangerous functions in a release but not including them in documentation
  5. Keeping DICOM Safe
     Simple workflow
     • Modality transmits images to archive
     • Radiologist requests images for reading
     (Diagram legend: marked actors are out to cause security issues)
     August 2014, THE DICOM 2014 Chengdu Workshop Keeping It Safe – Brad Genereaux
  6. DICOM Security Profiles
     • Defined in PS3.15, “Security and System Management Profiles”
     • Describes methods to mitigate various security concerns
     • Items in red describe solutions that are used in the industry but not explicitly part of the DICOM standard
  7. DICOM in Transit
     Who sees this image?
     • The modality, who sends the image
     • The archive, who receives the image
     • Anyone on the network between
  8. DICOM-TLS
     • Transport Level Security encryption (defined in PS3.15 Section B.1)
     • Encryption is negotiated as part of TLS
     • Traffic encrypted with public certificate and decrypted by private key
     • Network VPN tunnels are another mechanism
     • DICOMweb can leverage HTTPS (TLS based)
  9. DICOM in Transit
     Who are the actors in transmission?
     • The modality, who sends the image
     • The archive, who receives the image
     • Anyone pretending to be these actors
  10. Node Identity
      • DICOM-TLS certificates specify identifying information about the owner
      • Verification of certificates is done against a signing authority
      • AE titles are a less secure alternative
  11. User Authentication
      Who can retrieve images?
      • Device is validated by DICOM-TLS
      • User can retrieve images
      • Anyone else using device can, too
  12. User Authentication
      • Defined in PS3.15 B.4-7
      • Authentication of users can occur via
        • Mutual TLS authentication (each side presents certificates)
        • Authentication during association negotiation (SAML, Kerberos, etc.)
      • Authenticating users at the application level and making trusted calls to the imaging backend is an alternative approach
  13. Auditing
      • Described in PS 3.15 Part A.5
      • User should be known
      • Events for authentication, query, access, transfer, import/export, and deletion
      • This is used in the IHE ITI ATNA profile with Radiology option
  14. DICOM at Rest
      Who ensures the images are genuine as the modality provides them?
      • The archive accomplishes this task
      • Anyone else who can manipulate the archive
  15. Digital Signatures
      • DICOM supports digital signatures, which provide an integrity check and other features
      • Defined in PS3.15 Section C
      • Individual fields can also be selectively encrypted
      • Disk-level encryption can also be used to maintain integrity at rest
  16. Media Storage
      • Used when DICOM is transmitted via physical media (CD, DVD, USB key)
      • Guarantees confidentiality, integrity, and media origin
      • Defined in PS3.15 section D
  17. Anonymization
      • Anonymization profiles exist to support masking of data for various purposes
        • Clinical trials
        • Teaching files
      • Defined in PS3.15 section E
      • Addresses removal and replacement of DICOM attributes that may reveal protected health information
  18. DICOM’s Stance
      • DICOM enables a very wide variety of authentication and access control policies, but does not mandate them
      • DICOMweb shares the same position through the use of standard internet technologies
  19. Suggestions
      • Use DICOM-TLS, and HTTPS for DICOMweb
      • Use appropriate authentication and authorization measures
      • Use appropriate at-rest encryption mechanisms
      • Control access via managed environments, strong identity management, firewalls
      • Consider security throughout your project lifecycle, not at the end
  20. Keep It Safe!
      Questions? Thank you!
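
The DICOM-TLS, Node Identity and User Authentication slides describe certificate-verified peers, with AE titles alone as the weaker alternative. The following is an added example, not part of the original presentation, of a listener-side check that binds the claimed AE title to the verified certificate; the binding table, host names and function names are hypothetical.

```python
import ssl

# Hypothetical site policy: certificate identities allowed to use each AE title.
AE_TITLE_BINDINGS = {
    "CT_SCANNER_1": {"ct1.imaging.example.org"},
    "READING_WS_7": {"ws7.imaging.example.org"},
}

# Constructed sample in the shape returned by SSLSocket.getpeercert().
SAMPLE_CT_CERT = {
    "subject": ((("commonName", "ct1.imaging.example.org"),),),
    "subjectAltName": (("DNS", "ct1.imaging.example.org"),),
}


def build_scp_context(certfile=None, keyfile=None, cafile=None):
    """TLS context for a DICOM listener that requires a client certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED  # mutual TLS: peer must present a cert
    if cafile:
        ctx.load_verify_locations(cafile=cafile)  # the site's signing authority
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def peer_identities(peercert):
    """Collect DNS subjectAltName entries and commonName from a verified cert."""
    names = {v for k, v in peercert.get("subjectAltName", ()) if k == "DNS"}
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.add(value)
    return names


def authorize_association(peercert, calling_ae_title, bindings=AE_TITLE_BINDINGS):
    """Accept only if the verified certificate is bound to the AE title the
    peer claims; AE titles are space-padded on the wire, hence the strip()."""
    allowed = bindings.get(calling_ae_title.strip(), set())
    return bool(allowed & peer_identities(peercert))
```

A peer that presents a valid certificate but claims another node's AE title is rejected, which is the gap an AE-title-only check leaves open.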
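
The Anonymization slide describes removal and replacement of attributes under PS3.15 section E. The following is an added example, not part of the original presentation, applying remove, empty and UID-replacement actions to a dataset held as a plain dictionary; the action table is a small illustrative subset assumed here (the authoritative list is the table in PS3.15 Annex E), and the sample data and key are constructed.

```python
import hashlib
import hmac

# X = remove, Z = zero-length value, U = replace UID (illustrative subset).
ACTIONS = {
    (0x0010, 0x0010): "Z",  # Patient's Name
    (0x0010, 0x0020): "Z",  # Patient ID
    (0x0010, 0x0030): "Z",  # Patient's Birth Date
    (0x0010, 0x1040): "X",  # Patient's Address
    (0x0008, 0x0050): "Z",  # Accession Number
    (0x0008, 0x0018): "U",  # SOP Instance UID
    (0x0020, 0x000D): "U",  # Study Instance UID
    (0x0020, 0x000E): "U",  # Series Instance UID
}

# Constructed sample: two instances of the same study.
SAMPLE_INSTANCE_1 = {
    (0x0010, 0x0010): "DOE^JANE", (0x0010, 0x0020): "MRN-0001",
    (0x0010, 0x1040): "1 Example Street", (0x0008, 0x0060): "CT",
    (0x0008, 0x0018): "1.2.3.100.1.1.1", (0x0020, 0x000D): "1.2.3.100.1",
    (0x0020, 0x000E): "1.2.3.100.1.1", (0x0029, 0x1010): "vendor private data",
}
SAMPLE_INSTANCE_2 = {**SAMPLE_INSTANCE_1, (0x0008, 0x0018): "1.2.3.100.1.1.2"}


def remap_uid(uid, key):
    """Keyed, deterministic replacement UID under the 2.25 (UUID-derived) root,
    so one original UID always maps to the same new UID within a project."""
    digest = hmac.new(key, uid.encode("ascii"), hashlib.sha256).digest()
    return "2.25." + str(int.from_bytes(digest[:16], "big"))


def deidentify(dataset, key):
    """Return a de-identified copy of a {(group, element): value} dataset."""
    out = {}
    for tag, value in dataset.items():
        action = ACTIONS.get(tag)
        if tag[0] % 2 == 1 or action == "X":
            continue  # private (odd-group) attributes and X: remove
        if action == "Z":
            out[tag] = ""
        elif action == "U":
            out[tag] = remap_uid(value, key)
        else:
            out[tag] = value  # not listed in this subset: kept unchanged
    return out
```

Because the UID mapping is keyed and deterministic, instances de-identified separately still group into the same study and series, while the original UIDs cannot be recomputed without the project key.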
