
Encryption with USB Thumbdrive


greggy

Oct 30, 2009, 7:34:14 PM
I was asked to add encryption or some type of security mechanisms to
secure DICOM image objects stored on a USB thumb drive. I know a lot
about encryption, but very little about how to apply it to DICOM
workflows.

Is there a DICOM standard on this topic that I should implement, or is
this all new to the industry enough that I can venture out my own
strategy?

Any pointers would be appreciated.

Greg

Peter B Schmidt

Nov 1, 2009, 4:07:37 PM
Hello Greg,

greggy wrote:
...


> Is there a DICOM standard on this topic that I should implement, or is
> this all new to the industry enough that I can venture out my own
> strategy?

Have a look at DICOM PS3.15-2008 - The Security and Confidentiality
Profiles describe the DICOM way of encrypting data sets.

Hope this helps,

Peter

greggy

Nov 2, 2009, 5:06:59 PM

Thanks!

Is this part of the standard widely used? If so, what kinds of issues
do vendors commonly come across?


Greg

greggy

Nov 2, 2009, 6:34:21 PM
D.1.1 of PS 3.15-2008 states "The enveloped data shall use RSA for the
key transport...", which appears to rule out any other form of key
management for DICOM files. Tell me if I am wrong here. This would
imply that password generated keys are not acceptable.

It also implies that the modality generating and encrypting the DICOM
file must know the destinations' public keys. Is it specified anywhere
how the modality will acquire the public keys? Could, for example, the
user take the thumb drive to each destination (recipient) and download
the necessary information for the modality to use? That would seem
like a reasonable approach, but I have no idea how it is done in the
industry today.

Greg

Peter B Schmidt

Nov 3, 2009, 6:33:01 AM
Hello Greg,

I have not yet come across an encrypted media installation, just optional
transport security which uses keys also used for remote service.

In this case, the key was generated with a connection to the vendor's
network and the modality hosted its own (but externally signed) key.

Remote service could verify the key as they also have a connection to the
trust center.

For media, you pinpointed the major problem - how shall the key survive
the lifecycle of the media, how can you ensure this, and what shall
happen to the media if the key is revoked?

I think this is one reason why we do not see that many installations in
the wild...

Kind regards,

Peter

Peter B Schmidt

Nov 3, 2009, 6:39:00 AM
Hello Greg,


greggy wrote:
> Is this part of the standard widely used? If so, what kinds of issues
> do vendors commonly come across?

I know that several PACS vendors offer TLS for network security, but I
would have to browse current Conformance Statements to verify.

Generally, it is not media encryption that is supported, but network
encryption, e.g. for telemedicine.

It is advisable to pseudonymize studies for clinical trials with
encrypted original content, but personally I have never seen that in use
so far.

As Trust Infrastructures in healthcare are not yet widespread, the use
of encryption is also impeded. There is no use for weak self-signed
trust, this merely creates a bogus security. Responsible vendors know
that ;o) and wait until industry standard trust infrastructures become
available for Healthcare.

Kind regards,


Peter

Robert Horn

Nov 3, 2009, 9:21:57 AM
On Nov 2, 6:34 pm, greggy <gregofi...@yahoo.com> wrote:
> D.1.1 of PS 3.15-2008 states "The enveloped data shall use RSA for the
> key transport...", which appears to rule out any other form of key
> management for DICOM files. Tell me if I am wrong here. This would
> imply that password generated keys are not acceptable.
>

Password encryption mechanism was defined in CP 895.

greggy

Nov 3, 2009, 3:18:35 PM

I do not know what you mean by CP 895. I bing'd it & came up with
nothing.

RFC 3369 specifies four different mechanisms of key management. Of the
four, only key transport is specified by PS 3.15-2008 @ D.1.1.

But given that it isn't widespread, I am now contemplating rolling my
own password generated key mechanism for thumbdrives only.

Greg
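
The RFC 3369 key-management choices discussed above are visible in the envelope itself, as the tag of each RecipientInfo entry. The following Python is an added example, not code from any poster or from the DICOM standard: it reads a DER-encoded CMS ContentInfo and reports which choices are present, so a receiver can compare them with what its security profile permits. The function names and the sample bytes are constructed for illustration; the sample is a skeleton with empty recipient and content bodies.

```python
# Added example: list the RFC 3369 key-management choices in a CMS EnvelopedData.
ENVELOPED_DATA_OID = bytes.fromhex("2a864886f70d010703")  # 1.2.840.113549.1.7.3
# RecipientInfo is a CHOICE: a plain SEQUENCE (ktri) or implicit tags [1]..[4].
RECIPIENT_KINDS = {0x30: "ktri", 0xA1: "kari", 0xA2: "kekri", 0xA3: "pwri", 0xA4: "ori"}

def read_tlv(buf, pos=0):
    """Decode one DER element with a single-byte tag: (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("indefinite or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def children(value):  # split a constructed element's contents into (tag, value) pairs
    pos, out = 0, []
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def recipient_kinds(der):
    """Return the RecipientInfo kinds in a DER ContentInfo holding EnvelopedData."""
    tag, content_info, _ = read_tlv(der)
    parts = children(content_info) if tag == 0x30 else []
    if len(parts) != 2 or parts[0] != (0x06, ENVELOPED_DATA_OID) or parts[1][0] != 0xA0:
        raise ValueError("not a CMS EnvelopedData ContentInfo")
    tag, enveloped, _ = read_tlv(parts[1][1])  # [0] EXPLICIT wraps the SEQUENCE
    # Fields: version, optional [0] originatorInfo, then the RecipientInfos SET.
    sets = [val for t, val in (children(enveloped) if tag == 0x30 else []) if t == 0x31]
    if not sets:
        raise ValueError("EnvelopedData has no RecipientInfos SET")
    return [RECIPIENT_KINDS.get(t, "unknown") for t, _ in children(sets[0])]

def tlv(tag, body=b""):  # short-form DER encoder, used only for the sample below
    return bytes([tag, len(body)]) + body

def sample_envelope(recipient_tags):
    """Constructed skeleton: recipient and content bodies are left empty."""
    env = tlv(0x30, tlv(0x02, b"\x03") + tlv(0x31, b"".join(map(tlv, recipient_tags))) + tlv(0x30))
    return tlv(0x30, tlv(0x06, ENVELOPED_DATA_OID) + tlv(0xA0, env))
```

For example, `recipient_kinds(sample_envelope([0x30, 0xA3]))` returns `["ktri", "pwri"]`, an envelope that carries both an RSA key-transport recipient and a password recipient.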

David Clunie

Nov 3, 2009, 6:34:35 PM

Peter B Schmidt

Nov 4, 2009, 12:44:02 PM
Hello David,


David Clunie wrote:
> At:
>
> http://www.dclunie.com/dicom-status/status.html
>
> you will find a link to:
>
> ftp://medical.nema.org/medical/dicom/final/cp895_ft.pdf
>
> David

Thank you for the pointer - I was not aware of this CP.

Kind regards,

Peter
