THE DICOM 2013 INTERNATIONAL CONFERENCE & SEMINAR March 14-16Bangalore, India Keeping It Safe: Securing DICOM Lawrence Tarbox, Ph.D. Mallinckrodt Institute.

Slides:

Advertisements

Similar presentations

Internet Protocol Security (IP Sec)

Advertisements

Enabling Secure Internet Access with ISA Server

September, 2005What IHE Delivers 1 ITI Security Profiles – ATNA, CT, EUA, PWP, DSIG IHE Vendors Workshop 2006 IHE IT Infrastructure Education Robert Horn,

Security by Design A Prequel for COMPSCI 702. Perspective “Any fool can know. The point is to understand.” - Albert Einstein “Sometimes it's not enough.

THE DICOM 2013 INTERNATIONAL CONFERENCE & SEMINAR March 14-16Bangalore, India Enhanced Image Objects: Other Modalities Lawrence Tarbox, Ph.D. Mallinckrodt.

Cryptography and Network Security

Mpeg-21 and Medical data A strategy for Tomorrow s EMR.

Grid Security. Typical Grid Scenario Users Resources.

Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.

DICOM INTERNATIONAL DICOM INTERNATIONAL CONFERENCE & SEMINAR April 8-10, 2008 Chengdu, China DICOM Security Eric Pan Agfa HealthCare.

T Network Application Frameworks and XML Service Federation Sasu Tarkoma.

6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Creating a Secured and Trusted Information Sphere in Different Markets Giuseppe Contino.

THE DICOM 2014 Chengdu Workshop August 25, 2014 Chengdu, China Keeping It Safe Brad Genereaux, Agfa HealthCare Product Manager Industry Co-Chair, DICOM.

Chapter 6 Configuring, Monitoring & Troubleshooting IPsec

1 © Talend 2014 XACML Authorization Training Slides 2014 Jan Bernhardt Zsolt Beothy-Elo

Security Measures Using IS to secure data. Security Equipment, Hardware Biometrics –Authentication based on what you are (Biometrics) –Biometrics, human.

S Security and DICOM Lawrence Tarbox, Ph.D Chair, DICOM WG 14 (Security) Siemens Corporate Research.

Security and DICOM Lawrence Tarbox, Ph.D. Chair, DICOM Working Group 14 Siemens Corporate Research.

S New Security Developments in DICOM Lawrence Tarbox, Ph.D Chair, DICOM WG 14 (Security) Siemens Corporate Research.

70-291: MCSE Guide to Managing a Microsoft Windows Server 2003 Network Chapter 9: Securing Network Traffic Using IPSec.

Sept 13-15, 2004IHE Interoperability Workshop 1 Integrating the Healthcare Enterprise Audit Trail and Node Authentication Robert Horn Agfa Healthcare.

7 February 2005IHE Europe Educational Event 1 Audit Trail and Node Authentication Integrating the Healthcare Enterprise G. Claeys Agfa Healthcare R&D Vendor.

Security Security is a measure of the system’s ability to protect data and information from unauthorized access while still providing access to people.

Implementing ISA Server Publishing. Introduction What Are Web Publishing Rules? ISA Server uses Web publishing rules to make Web sites on protected networks.

Version 4.0. Objectives Describe how networks impact our daily lives. Describe the role of data networking in the human network. Identify the key components.

September, 2005What IHE Delivers 1 ITI Security Profiles – ATNA, CT IHE Vendors Webinar 2006 IHE IT Infrastructure Education Robert Horn, Agfa Healthcare.

September, 2005What IHE Delivers 1 G. Claeys, Agfa Healthcare Audit Trail and Node Authentication.

DICOM Security Lawrence Tarbox, Ph.D. Chair, WG 14 Mallinckrodt Institute of Radiology Washington University in St. Louis School of Medicine.

Cross-Enterprise User Assertion IHE Educational Workshop 2007 Cross-Enterprise User Assertion IHE Educational Workshop 2007 John F. Moehrke GE Healthcare.

WS-Security: SOAP Message Security Web-enhanced Information Management (WHIM) Justin R. Wang Professor Kaiser.

September, 2005What IHE Delivers 1 Radiology Option for Audit Trail and Node Authentication IHE Vendors Workshop 2006 IHE IT Infrastructure Education Robert.

E-Commerce Security Professor: Morteza Anvari Student: Xiaoli Li Student ID: March 10, 2001.

1 Integrating the Healthcare Enterprise Audit Trail and Node Authentication Profile IHE IT Technical and Planning Committee June 15 th – July 15 th 2004.

Certificate-Based Operations. Module Objectives By the end of this module participants will be able to: Define how cryptography is used to secure information.

Web Security : Secure Socket Layer Secure Electronic Transaction.

DICOM Security Andrei Leontiev, M.S. Dynamic Imaging.

Integrating the Healthcare Enterprise Audit Trail and Node Authentication Profile Name of Presenter IHE affiliation.

February 8, 2005IHE Europe Educational Event 1 Integrating the Healthcare Enterprise Basic Security Robert Horn Agfa Healthcare.

Network Security. 2 SECURITY REQUIREMENTS Privacy (Confidentiality) Data only be accessible by authorized parties Authenticity A host or service be able.

DICOM INTERNATIONAL CONFERENCE & SEMINAR Oct 9-11, 2010 Rio de Janeiro, Brazil Security, Privacy & Networking Lawrence Tarbox, Ph.D. Washington University.

SAML: An XML Framework for Exchanging Authentication and Authorization Information + SPML, XCBF Prateek Mishra August 2002.

W3C Web Services Architecture Security Discussion Kick-Off Abbie Barbir, Ph.D. Nortel Networks.

September, 2005What IHE Delivers 1 ITI Security Profiles – ATNA, CT IHE Education Workshop 2007 IHE IT Infrastructure Education John Moehrke GE Healthcare.

Security, Accounting, and Assurance Mahdi N. Bojnordi 2004

DICOMwebTM 2015 Conference & Hands-on Workshop University of Pennsylvania, Philadelphia, PA September 10-11, 2015 Keeping it Safe – Securing DICOM Robert.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 10: Planning and Managing IP Security.

Integrating the Healthcare Enterprise Improving Clinical Care: Enterprise User Authentication For IT Infrastructure Robert Horn Agfa Healthcare.

Rights Management for Shared Collections Storage Resource Broker Reagan W. Moore

DICOM Security Andrei Leontiev, Dynamic Imaging Presentation prepared by: Lawrence Tarbox, Ph.D. Chair, WG 14 Mallinckrodt Institute of Radiology Washington.

4.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 12: Implementing Security.

Basic Security Cor Loef Philips Medical Systems Co-Chair IHE Radiology Technical Committee.

Securing Access to Data Using IPsec Josh Jones Cosc352.

IP Security (IPSec) Matt Hermanson. What is IPSec? It is an extension to the Internet Protocol (IP) suite that creates an encrypted and secure conversation.

ASHRAY PATEL Protection Mechanisms. Roadmap Access Control Four access control processes Managing access control Firewalls Scanning and Analysis tools.

Integrating the Healthcare Enterprise The Integration Profiles: Basic Security Profile.

1 Network Security. 2 Security Services Confidentiality: protection of any information from being exposed to unintended entities. –Information content.

Eclipse Foundation, Inc. Eclipse Open Healthcare Framework v1.0 Interoperability Terminology HL7 v2 / v3 DICOM Archetypes Health Records Capture Storage.

Radiology Option for Audit Trail and Node Authentication Robert Horn

Module 8: Securing Network Traffic by Using IPSec and Certificates

Introduction How to combine and use services in different security domains? How to take into account privacy aspects? How to enable single sign on (SSO)

Integrating the Healthcare Enterprise

* Essential Network Security Book Slides.

Analytic Workflow: From Images to Reports

Securing Windows 7 Lesson 10.

Module 8: Securing Network Traffic by Using IPSec and Certificates

PLANNING A SECURE BASELINE INSTALLATION

Presentation transcript:

THE DICOM 2013 INTERNATIONAL CONFERENCE & SEMINAR March 14-16Bangalore, India Keeping It Safe: Securing DICOM Lawrence Tarbox, Ph.D. Mallinckrodt Institute of Radiology Washington University in St. Louis Research Assistant Professor of Radiology St. Louis, Missouri, USA WG-5, WG-10, WG-14 (Chair), WG-18, WG-23 (chair), WG-27

Time For A Quiz! L. Tarbox - Analytic Workflow: From Images to Reports Audience Participation

DICOM does not have any provisions for secure communication of images L. Tarbox - Analytic Workflow: From Images to Reports FALSE

Traffic on the Network TLS Protection against unauthorized listeners DICOM Traffic DICOM Specifies the use of TLS for encrypting traffic. HTTP over TLS is known as HTTPS, and is the most common method of protecting Web browser traffic. DICOM over TLS has equally strong protection against unauthorized listeners. Protection against unauthorized network listeners by means of encryption Slide Provided by Eric Pan, Agfa HealthCare

Traffic on the Network AE-1 AE-5 AE-7 AE-3 DICOM Traffic Identifying the other system TLS Node Authentication uses public certificate technology to identify both end points. AE-1 knows with certainty that the other endpoint is AE-3, not AE-7 or some other system. AE-3 knows with certainty that the other endpoint is AE-1, not AE-5 or some other system. DICOM does not specify how this authentication will then be used. Possible uses include: - Ensuring that only internal hospital machines are allowed to connect. - Ensuring that acquired images are sent to the correct machine. Slide Provided by Eric Pan, Agfa HealthCare

Traffic on the Network TLS encryption makes use of public internet connections safe. This will need to be explained to security staff. DICOM over TLS is like HTTPS and should be allowed. Node Authentication uses can be extensively customized. Each connection can be verified in detail, or connections just checked to ensure that they are all within facility connections. DICOM enables a very wide variety of authentication and access control policies. DICOM does not mandate any particular policies. Slide Provided by Eric Pan, Agfa HealthCare

DICOM does not have any provisions for securely communicating user credentials L. Tarbox - Analytic Workflow: From Images to Reports FALSE

User Credentialing Option 1: Trust the sender Mutual TLS authentication Option 2: Assertions during association negotiation SAML Kerberos L. Tarbox - Analytic Workflow: From Images to Reports

User Credentials Facilitates audit logging Step toward cross-system authorization and access controls DICOM still leaves access control in the hands of the application Query Filtering For productivity as well as security

Design Goals Independent of other security mechanisms No changes to other DICOM security mechanisms Avoid incompatibility with the installed base Minimum of changes to existing implementation libraries Extensible for future credential types Established during association negotiation before any regular DIMSE transactions take place Allows SCP to reject associations based on ID

Credential Type Profiles Un-authenticated identity assertion Systems in a trusted environment Username plus passcode Systems in a secure network Kerberos-based authentication Strongest security Generic SAML assertion Nice mix of simplicity and security

Extended Negotiation Response Expected A-ASSOCIATE Request (A B) A-ASSOCIATE Response (A B) DICOM Application Entity "A" User ID Sub-item (58H) ID Type (3) User ID DICOM Application Entity "B" Server- Response User ID Sub-item (58H)

Extended Negotiation No Response Expected A-ASSOCIATE Request (A B) A-ASSOCIATE Response (A B) DICOM Application Entity "A" User ID Sub-item (58H) ID Type (3) User ID DICOM Application Entity "B" (No Sub-Item)

Prepared for the Future Could support any mechanism that supports uni-directional assertion mechanism (e.g. using PKI and Digital Signatures) Does not support identity mechanisms that require bi-directional negotiation (e.g. Liberty Alliance proposals)

Several Options User identity alone, with no other security mechanisms User identity plus the current DICOM TLS mechanism User identity plus future lower level transport mechanisms (e.g. IPv6 with security option) User identity plus VPN Practically any combination needed

DICOM does not have any provisions for guaranteeing the integrity of data. L. Tarbox - Analytic Workflow: From Images to Reports FALSE

Embedded Security Features Digital Signatures Persistent integrity check Identifies users or devices that handled the object, with optional secure timestamp Selective Encryption Persistent privacy protection Hide sensitive Attributes from certain users

Digital Signatures Embedded in SOP Instance Can make secure references to unsigned objects Multiple signatures –Overlapping subsets –Multiple signers –Signatures on individual items Signature purposes Defined in profiles

DICOM does not have standardized digital watermarking of images L. Tarbox - Analytic Workflow: From Images to Reports TRUE, but … DICOM does not preclude its use

There is no embedded encryption defined by DICOM. L. Tarbox - Analytic Workflow: From Images to Reports FALSE

Selective Encryption Can encrypt all of the SOP Instance, selected attributes, or even just a single attribute Security Profiles are used to describe the attributes that are protected Local profiles can be used if selective encryption is wanted for special needs, e.g., Only encrypt patient information, not equipment or image Only encrypt report contents, not patient identification Slide Provided by Eric Pan, Agfa HealthCare

Attributes to be encrypted Item 1 (of only 1) Modified Attributes Sequence Cryptographic Message Syntax envelope CMS attributes Encrypted Content Transfer Syntax Encrypted Content encrypted Content Item 1 (of n) Encrypted Content Transfer Syntax Encrypted Content Item 2 (of n) CMS envelope Encrypted Content Transfer Syntax Encrypted Content Item n (of n) CMS envelope Encrypted Attributes Sequence Attributes (unencrypted) SOP Instance

Media Security DICOM Media Security applies to all DICOM specified media, e.g., CD-R, DVD-R, , USB Device The media’s file system remain unencrypted, so the media can be processed and copied without special operating system driver The individual objects are held in CMS (Cryptographic Message Syntax) envelopes inside files on the media CMS is often used in secure Optional encryption to protect against unauthorized disclosure. Optional integrity check to protect against tampering

DICOM itself provides no mechanisms for controlling access to data L. Tarbox - Analytic Workflow: From Images to Reports TRUE

Securing Access to Data Audit Control Allow action without interference, trusting the judgment of the staff. Monitor behavior to detect and correct errors. Access Control Activity Audit Message Sent to Repository Access Control –Get permission before allowing action –Suitable for certain situations, e.g. restricting access to authorized medical staff Both have a place in security systems Local security policies determine what is handled by access control, and what is handled by audit controls.

On the computer DICOM does not specify computer access control or other computer security measures. These are subject to local policy These are very application specific These are very implementation specific DICOM does expect that the use of audit trails and activity monitoring will be part of the local security system. DICOM defines a standard interface for reporting user and computer activity to a centralized audit repository. Slide Provided by Eric Pan, Agfa HealthCare

On the Computer M1M6M5M4M3M2 Audit Repository 11:00 M1 Dr Wu logs in 11:01 M1 Dr Wu views patient Chang’s CT exam 11:03 M4 Dr Wang views patient Chow’s MR exam 11:04 M1 Dr Wu creates patient Chang report 11:06 M3 Login authorization failure 11:07 M1 Dr Wu views patient Chung CT exam 11:07 M4 Dr Wang logs out The audit log messages allow the repository to record a synchronized view of all the activity on all the different systems. The actual log content is encoded as structured XML messages. The audit repository can be used to record and monitor the entire network. The security detection mechanisms may be as simple as flagging a login failure, or be highly complex behavior pattern recognition. DICOM enables these mechanisms. DICOM does not specify them. Slide Provided by Eric Pan, Agfa HealthCare

Configuring Network Security Certificate Management Certificates are used to identify systems (and perhaps Application Entities) Certificates can be self-generated, facility signed, or signed by internationally recognized authorities. Most equipment supports Individually provided certificates per system (self-signed or otherwise), and Certificates for facility authorities. Certificates signed by these authorities are recognized as authorized. Management reference The SPC paper “Managing Certificates” describes this in more detail. Slide Provided by Eric Pan, Agfa HealthCare

Configuring Network Security Firewall rules Firewalls may need to be configured to permit DICOM over TLS traffic (in and out). The DICOM over TLS port defaults to the same port as HTTPS, but it is often changed. Using a different port permits the same system to be both an HTTPS server and a DICOM over TLS system. Audit Policies DICOM makes no specific recommendations on how the DICOM audit logs should be analyzed. The audit logs are designed to support surveillance for unauthorized activity. Other more detailed system specific logs are expected to provide forensic detail. Slide Provided by Eric Pan, Agfa HealthCare

References L. Tarbox - Analytic Workflow: From Images to Reports

Author Contacts Lawrence Tarbox, Ph.D. 510 South Kingshighway Boulevard St. Louis, MO USA L. Tarbox - Analytic Workflow: From Images to Reports Thank you for your attention !