Presentation is loading. Please wait.

Presentation is loading. Please wait.

DICOMwebTM 2015 Conference & Hands-on Workshop University of Pennsylvania, Philadelphia, PA September 10-11, 2015 Keeping it Safe – Securing DICOM Robert.

Published byJohn Miller Modified over 9 years ago

Similar presentations

Presentation on theme: "DICOMwebTM 2015 Conference & Hands-on Workshop University of Pennsylvania, Philadelphia, PA September 10-11, 2015 Keeping it Safe – Securing DICOM Robert."— Presentation transcript:

1 DICOMwebTM 2015 Conference & Hands-on Workshop University of Pennsylvania, Philadelphia, PA September 10-11, 2015 Keeping it Safe – Securing DICOM Robert Horn, Interoperability Architect, Agfa Healthcare Chair, DICOM Working Group 6, Base Standard

2 What is security? Protecting data access (against unauthorized access) Protecting data integrity (against unauthorized changes) Protecting data loss (against unauthorized deletions) Protecting data availability (against denial of service) Protecting other systems (against indirect attacks)

3 The threat environment is changing Healthcare applications are now on the front line for malicious attackers. –Old attitude of “they won’t attack us” is wrong. –Hiding behind firewalls is becoming insufficient.

4 What are the implications if security is compromised? Data corruption and loss Fraud against those victimized –Approximate median cost to a patient from stolen medical identity: $14,000 (2014) Civil penalties (fines and lawsuits) –Some fines over $1,000,000 in 2014 (US) Criminal penalties –Multiple felony convictions (over 1 yr) in 2014, (US) Serious harm and death

5 Keeping DICOM Safe 5 DICOM Simple workflow Modality transmits images to archive Radiologist requests images for reading : Out to cause security issues

6 DICOM Security Profiles Defined in PS3.15, “Security and System Management Profiles” Describes methods to mitigate various security concerns Items in red describe solutions that are used in the industry but not explicity part of the DICOM standard 6

7 DICOM in Transit (unprotected) Who sees this image? The modality, who sends the image The archive, who receives the image Anyone on the network between 7 DICOM

8 DICOM-TLS Transport Level Security encryption (defined in PS3.15 Section B.1) Encryption algorithm and temporary key is negotiated using public certificates as part of TLS Traffic is encrypted using temporary private key DICOMweb should use TLS (aka HTTPS) Network VPN tunnels and VLAN are other network protection mechanisms 8 DICOM

9 DICOM in Transit (Authentication) 9 Who are the actors in transmission? The modality, who sends the image The archive, who receives the image Anyone pretending to be these actors DICOM

10 Node Identity (Authentication) DICOM-TLS certificates provide identifying information about the end point machines Certificates may be self-signed, private CA signed, or public CA signed. Private CA and self-signed are more appropriate for healthcare. AE title verification is a weak authentication alternative if TLS is used 10 DICOM

11 User Authentication Who can retrieve images? Device is validated by DICOM-TLS User can retrieve images Anyone else using device can, too 11 DICOM

12 User Authentication Defined in PS3.15 B.4-7 Authentication of users can occur via Mutual TLS authentication plus local authentication (trust a known counterparty) Authentication during association negotiation (SAML, Kerberos, etc) OAuth when using DICOMWeb Authenticating users at the application level and making trusted calls to the imaging backend is an alternative approach 12 DICOM

13 Auditing Described in PS 3.15 Part A.5 User should be known Events for authentication, query, access, transfer, import/export, and deletion This is used in the IHE ITI ATNA profile Logs must be analyzed, not just gathered. 13

14 DICOM at Rest Who ensures the images are genuine as the modality provides them? The creating device Anyone who can manipulate the archive 14 DICOM

15 Digital Signatures DICOM supports digital signatures which provides integrity check and other features Defined in PS3.15 Section C Individual fields can also be selectively encrypted 15 DICOM

16 Media Storage Used when DICOM is transmitted via physical media (CD, DVD, USB key) Guarantees confidentiality, integrity, and media origin Defined in PS3.15 section D Disk-level encryption can also be used to maintain protection for both removable media and built-in media. 16

17 Anonymization Anonymization profiles exist to support masking of data for various purposes Clinical trials Teaching files Risk Reduction Defined in PS3.15 section E Addresses removal and replacement of DICOM attributes that may reveal protected health information 17

18 DICOM’s Stance DICOM enables a very wide variety of authentication and access control policies, but does not mandate them DICOMweb does the same through the use of standard internet technologies 18

19 Suggestions Use DICOM-TLS and HTTPS for DICOMweb Use appropriate authentication and authorization measures Use appropriate at-rest encryption mechanisms Control access via managed environments, strong identity management, firewalls Consider security throughout your project lifecycle, not at the end Consider government guidance, e.g. DISA STIGs, NIST 800 series. 19

20 Useful Guidance Links More and more general guidance is available Manageable Network Plan –https://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/networks.shtmlhttps://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/networks.shtml NIST 800 family –http://csrc.nist.gov/publications/PubsSPs.html DISA –http://iase.disa.mil/stigs/Pages/index.aspx

21 Keep It Safe! Questions? Thank you! 21 DICOM

22 Image Sources http://echoesofhumanity.co.uk/wp-content/uploads/2014/05/photo.jpg http://icdn.pro/images/en/l/o/lock-icone-6201-128.png http://blog.getcertified4less.com/wp-content/uploads/2012/02/Certificate_Icon.jpg http://fc06.deviantart.net/fs71/i/2010/223/6/4/Computer_Icon_by_DrunkenSandwich.png http://www.clker.com/cliparts/e/2/a/d/1206574733930851359Ryan_Taylor_Green_Tick.svg.med.png 22

Download ppt "DICOMwebTM 2015 Conference & Hands-on Workshop University of Pennsylvania, Philadelphia, PA September 10-11, 2015 Keeping it Safe – Securing DICOM Robert."

Similar presentations

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Security by Design A Prequel for COMPSCI 702. Perspective “Any fool can know. The point is to understand.” - Albert Einstein “Sometimes it's not enough.

Security by Design A Prequel for COMPSCI 702. Perspective “Any fool can know. The point is to understand.” - Albert Einstein “Sometimes it's not enough.
E-Commerce Security Issues. General E-Business Security Issues Any E-Business needs to be concerned about network security. The Internet is a “ public.

E-Commerce Security Issues. General E-Business Security Issues Any E-Business needs to be concerned about network security. The Internet is a “ public.
DICOM INTERNATIONAL DICOM INTERNATIONAL CONFERENCE & SEMINAR April 8-10, 2008 Chengdu, China DICOM Security Eric Pan Agfa HealthCare.

DICOM INTERNATIONAL DICOM INTERNATIONAL CONFERENCE & SEMINAR April 8-10, 2008 Chengdu, China DICOM Security Eric Pan Agfa HealthCare.
January 23-26, 2007 Ft. Lauderdale, Florida IP Communications, Secure – By Design Roger W. Farnsworth.

January 23-26, 2007 Ft. Lauderdale, Florida IP Communications, Secure – By Design Roger W. Farnsworth.
1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.

1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.
Core Web Service Security Patterns

Core Web Service Security Patterns
Secure Data Transmission James Matheke Information Security Architect Ohio Department of Job and Family Services.

Secure Data Transmission James Matheke Information Security Architect Ohio Department of Job and Family Services.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
THE DICOM 2014 Chengdu Workshop August 25, 2014 Chengdu, China Keeping It Safe Brad Genereaux, Agfa HealthCare Product Manager Industry Co-Chair, DICOM.

THE DICOM 2014 Chengdu Workshop August 25, 2014 Chengdu, China Keeping It Safe Brad Genereaux, Agfa HealthCare Product Manager Industry Co-Chair, DICOM.
Security on the Internet Jan Damsgaard Dept. of Informatics Copenhagen Business School

Security on the Internet Jan Damsgaard Dept. of Informatics Copenhagen Business School
Key Management Guidelines. 1. Introduction 2. Glossary of Terms and Acronyms 3. Cryptographic Algorithms, Keys and Other Keying Material 4. Key Management.

Key Management Guidelines. 1. Introduction 2. Glossary of Terms and Acronyms 3. Cryptographic Algorithms, Keys and Other Keying Material 4. Key Management.
Health IT RESTful Application Programming Interface (API) Security Considerations Transport & Security Standards Workgroup March 18, 2015.

Health IT RESTful Application Programming Interface (API) Security Considerations Transport & Security Standards Workgroup March 18, 2015.
THE DICOM 2013 INTERNATIONAL CONFERENCE & SEMINAR March 14-16Bangalore, India Keeping It Safe: Securing DICOM Lawrence Tarbox, Ph.D. Mallinckrodt Institute.

THE DICOM 2013 INTERNATIONAL CONFERENCE & SEMINAR March 14-16Bangalore, India Keeping It Safe: Securing DICOM Lawrence Tarbox, Ph.D. Mallinckrodt Institute.
Russ Housley IETF Chair Founder, Vigil Security, LLC 8 June 2009 NIST Key Management Workshop Key Management in Internet Security Protocols.

Russ Housley IETF Chair Founder, Vigil Security, LLC 8 June 2009 NIST Key Management Workshop Key Management in Internet Security Protocols.
Directory and File Transfer Services Chapter 7. Learning Objectives Explain benefits offered by centralized enterprise directory services such as LDAP.

Directory and File Transfer Services Chapter 7. Learning Objectives Explain benefits offered by centralized enterprise directory services such as LDAP.
S Security and DICOM Lawrence Tarbox, Ph.D Chair, DICOM WG 14 (Security) Siemens Corporate Research.

S Security and DICOM Lawrence Tarbox, Ph.D Chair, DICOM WG 14 (Security) Siemens Corporate Research.
Security and DICOM Lawrence Tarbox, Ph.D. Chair, DICOM Working Group 14 Siemens Corporate Research.

Security and DICOM Lawrence Tarbox, Ph.D. Chair, DICOM Working Group 14 Siemens Corporate Research.
Computer Security Tran, Van Hoai Department of Systems & Networking Faculty of Computer Science & Engineering HCMC University of Technology.

Computer Security Tran, Van Hoai Department of Systems & Networking Faculty of Computer Science & Engineering HCMC University of Technology.
What IHE Delivers Healthcare Provider Directories IHE IT Infrastructure Planning Committee Eric Heflin – Medicity/THSA.

What IHE Delivers Healthcare Provider Directories IHE IT Infrastructure Planning Committee Eric Heflin – Medicity/THSA.

Similar presentations

Ads by Google