DICOM INTERNATIONAL CONFERENCE & SEMINAR, April 8-10, 2008, Chengdu, China. DICOM Security. Eric Pan, Agfa HealthCare.

Presentation transcript:


DICOM Security
– Traffic on the Network
– Data on Media
– Activity on the Computer

Traffic on the Network
DICOM specifies the use of TLS for encrypting traffic.
HTTP over TLS is known as HTTPS, and is the most common method of protecting Web browser traffic.
DICOM over TLS has equally strong protection against unauthorized listeners.
[Figure: DICOM traffic carried inside TLS. Caption: Protection against unauthorized network listeners by means of encryption.]

Traffic on the Network: Identifying the other system
[Figure: Application Entities AE-1, AE-5, AE-7 and AE-3, with DICOM traffic.]
TLS Node Authentication uses public certificate technology to identify both end points.
– AE-1 knows with certainty that the other endpoint is AE-3, not AE-7 or some other system.
– AE-3 knows with certainty that the other endpoint is AE-1, not AE-5 or some other system.
DICOM does not specify how this authentication will then be used. Possible uses include:
– Ensuring that only internal hospital machines are allowed to connect.
– Ensuring that acquired images are sent to the correct machine.

Traffic on the Network
TLS encryption makes use of public internet connections safe.
– This will need to be explained to security staff.
– DICOM over TLS is like HTTPS and should be allowed.
Node Authentication uses can be extensively customized.
– Each connection can be verified in detail, or connections can just be checked to ensure that they are all within-facility connections.
– DICOM enables a very wide variety of authentication and access control policies.
– DICOM does not mandate any particular policies.
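The two node-authentication policies mentioned above (within-facility check versus detailed per-connection check), as an added Python example that is not part of the presentation. The policy table, host names and function names are assumptions made for illustration; DICOM itself mandates none of them.

```python
import ssl

# Hypothetical local policy table: the certificate common name allowed to
# present each calling AE title. Names are constructed for this example.
AE_POLICY = {
    "AE-1": "ct-room1.hospital.example",
    "AE-3": "archive.hospital.example",
}

def node_auth_context(cert_file, key_file, facility_ca_file):
    """Server-side TLS context that requires a certificate from the peer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED                 # handshake fails without a client cert
    ctx.load_cert_chain(cert_file, key_file)            # this node's own identity
    ctx.load_verify_locations(cafile=facility_ca_file)  # trust only the facility authority
    return ctx

def subject_cn(peercert):
    """Extract commonName from the dict returned by SSLSocket.getpeercert()."""
    for rdn in (peercert or {}).get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def authorize(peercert, calling_ae, policy="detailed"):
    """Decide whether an association request may proceed.

    'facility': any peer whose chain validated against the facility CA.
    'detailed': the certificate must also be the one registered for the AE title.
    """
    cn = subject_cn(peercert)
    if cn is None:  # no validated certificate: reject under every policy
        return False
    if policy == "facility":
        return True
    return AE_POLICY.get(calling_ae.strip()) == cn

# Constructed peer certificates in getpeercert() format.
CERT_AE1 = {"subject": ((("commonName", "ct-room1.hospital.example"),),)}
CERT_AE7 = {"subject": ((("commonName", "laptop.hospital.example"),),)}
```

Under the detailed policy a facility-signed certificate is not enough: `CERT_AE7` validates against the facility CA but cannot claim to be AE-1.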

Data on Media
DICOM Media Security applies to all DICOM specified media, e.g.,
– CDROM
– USB Device
Media Security provides
– Selective Encryption of DICOM SOP Instances
– Selective Digital Signatures of DICOM SOP Instances
The media file systems remain unencrypted, so the media can be processed and copied without special operating system drivers.
The SOP Instance content can be encrypted to protect against unauthorized disclosure.
The SOP Instance content can be signed, to attest to content integrity, verification, etc.

Data on Media
[Figure: media directory tree (top dir, file1). Directory structure and file names are not encrypted. Within a file, some Attributes are not encrypted and some are encrypted; some Attributes are not signed and some are signed.]

Data on Media: Selective Encryption
– DICOM defines an encryption method that can encrypt all of the SOP Instance, selected attributes, or even just a single attribute.
– Security Profiles are used to describe the attributes that are protected. DICOM only defined one, to encrypt the entire SOP Instance.
– Local profiles can be used if selective encryption is wanted, e.g.,
  Only encrypt patient information, not equipment or image
  Only encrypt report contents, not patient identification

Data on Media: Selective Signature
– DICOM defines a signature method that can sign all of the SOP Instance, selected attributes, or even just a single attribute.
– Security Profiles are used to describe the attributes that are signed.
– Local profiles can be used if selective encryption is wanted, e.g.,
  Sign only report contents, not patient identification
  Sign only image and equipment description (a reasonable way for equipment to ensure a complete valid copy)

On the Computer
DICOM does not specify computer access control or other computer security measures.
– These are subject to local policy
– These are very application specific
– These are very implementation specific
DICOM does expect that the use of audit trails and activity monitoring will be part of the local security system.
DICOM defines a standard interface for reporting user and computer activity to a centralized audit repository.

On the Computer
[Figure: machines M1, M2, M3, M4, M5 and M6 reporting to an Audit Repository, which records:]
11:00 M1 Dr Wu logs in
11:01 M1 Dr Wu views patient Chang’s CT exam
11:03 M4 Dr Wang views patient Chow’s MR exam
11:04 M1 Dr Wu creates patient Chang report
11:06 M3 Login authorization failure
11:07 M1 Dr Wu views patient Chung CT exam
11:07 M4 Dr Wang logs out
The audit log messages allow the repository to record a synchronized view of all the activity on all the different systems. The actual log content is encoded as structured XML messages.
The audit repository can be used to record and monitor the entire network. The security detection mechanisms may be as simple as flagging a login failure, or be highly complex behavior pattern recognition. DICOM enables these mechanisms. DICOM does not specify them.
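The simple end of that detection range, as an added Python example that is not part of the presentation: it flags every failed login and, going one step further, sources with repeated failures in a short window. The XML messages are constructed and simplified; their element and attribute names, the date, the thresholds and the function names are assumptions of this example.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified audit messages (not the full audit schema).
TEMPLATE = ('<AuditMessage><EventIdentification EventDateTime="2008-04-08T{t}:00" '
            'EventOutcomeIndicator="{o}"><EventTypeCode code="{e}"/>'
            '</EventIdentification><ActiveParticipant UserID="{u}"/>'
            '<AuditSourceIdentification AuditSourceID="{m}"/></AuditMessage>')
SAMPLE = [TEMPLATE.format(t=t, o=o, e=e, u=u, m=m) for t, o, e, u, m in [
    ("11:00", 0, "Login", "wu", "M1"),
    ("11:06", 4, "Login", "unknown", "M3"),
    ("11:07", 4, "Login", "unknown", "M3"),
    ("11:07", 0, "Logout", "wang", "M4"),
    ("11:08", 4, "Login", "unknown", "M3"),
]]

def parse(xml_text):
    """Reduce one audit message to the fields the detector needs."""
    # Messages arrive from other nodes; a real repository should parse them
    # with a hardened XML parser and reject oversized input.
    root = ET.fromstring(xml_text)
    event = root.find("EventIdentification")
    return {
        "time": datetime.fromisoformat(event.get("EventDateTime")),
        "failed": event.get("EventOutcomeIndicator") != "0",
        "type": event.find("EventTypeCode").get("code"),
        "user": root.find("ActiveParticipant").get("UserID"),
        "source": root.find("AuditSourceIdentification").get("AuditSourceID"),
    }

def flag_login_failures(messages, threshold=3, window=timedelta(minutes=5)):
    """Return (failures, bursts): all failed logins, and the sources that
    produced at least `threshold` failures within `window`."""
    events = [parse(m) for m in messages]
    failures = sorted((e for e in events if e["type"] == "Login" and e["failed"]),
                      key=lambda e: e["time"])
    per_source = defaultdict(list)
    for e in failures:
        per_source[e["source"]].append(e["time"])
    bursts = set()
    for source, times in per_source.items():
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                bursts.add(source)
    return failures, sorted(bursts)
```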

Configuring Network Security
Certificate Management
– Certificates are used to identify systems (and perhaps Application Entities)
– Certificates can be self-generated, facility signed, or signed by internationally recognized authorities.
Most equipment supports
– Individually provided certificates per system (self-signed or otherwise), and
– Certificates for facility authorities. Certificates signed by these authorities are recognized as authorized.
Management reference
– The SPC paper “Managing Certificates” describes this in more detail.

Configuring Network Security
Firewall rules
– Firewalls may need to be configured to permit DICOM over TLS traffic (in and out). The DICOM over TLS port defaults to the same port as HTTPS, but it is often changed. Using a different port permits the same system to be both an HTTPS server and a DICOM over TLS system.
Audit Policies
– DICOM makes no specific recommendations on how the DICOM audit logs should be analyzed.
– The audit logs are designed to support surveillance for unauthorized activity. Other more detailed system specific logs are expected to provide forensic detail.