Securing parts of the image header is achieved by implementing the so-called attribute level confidentiality. The underlying principle of this security extension is that all DICOM attribute values to be protected (Patient Name, ID, etc.) are removed from the DICOM object. The original attribute values are encrypted and stored in a separate container which is added to the DICOM header.

Decryption of the encrypted information requires access to the recipient's private key which, as with all applications of public key cryptography, is never transmitted. If applicable, the original attributes could be replaced by a pseudonym or dummy value.

Attribute level confidentiality would allow an image to leave a secure environment without the identity of the patient being disclosed, thereby providing interoperability with existing legacy applications that are not security-aware. The implementation requires only relatively small software changes at the application level, while continuing to use unmodified lower-level message and protocol services for network transfer, storage and media exchange. In particular, images can still be communicated and processed (displayed) with existing DICOM implementations – security-aware or not. Implementations not aware of the security extensions will only see the anonymized version of the DICOM objects, whereas implementations of this extension may offer functions to reverse/remove the protection if the user has access to the appropriate keys.
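
The transformation described above, as an added sketch that is not taken from the DICOM standard or from any toolkit: protected values move into an encrypted container, dummy values stay behind for legacy viewers, a key holder restores them, and an audit flags any attribute where an original value is still readable. The dict dataset model, the JSON payload, the `DUMMY` values, the sample object and `standin_cipher` are assumptions; the hash-keystream XOR only stands in for encryption to the recipient's public key so that the sketch runs with the standard library.

```python
import hashlib
import json

# Dataset modelled as {tag: value}, container payload as JSON (both assumptions).
PATIENT_NAME, PATIENT_ID, STUDY_DESC = "00100010", "00100020", "00081030"
ENCRYPTED_ATTRS = "04000500"  # Encrypted Attributes Sequence (0400,0500)
DUMMY = {PATIENT_NAME: "ANONYMOUS", PATIENT_ID: "000000"}  # tag -> replacement
# Constructed sample object, not real patient data.
SAMPLE = {PATIENT_NAME: "DOE^JANE", PATIENT_ID: "MRN-4471",
          STUDY_DESC: "CT chest", "00080060": "CT"}


def standin_cipher(key):
    """STAND-IN ONLY: hash-keystream XOR so the sketch needs no crypto library.
    A real implementation encrypts to the recipient's public key."""
    def xor(data):
        stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                          for i in range(len(data) // 32 + 1))
        return bytes(a ^ b for a, b in zip(data, stream))
    return xor  # XOR is its own inverse: the same callable decrypts


def protect(dataset, encrypt):
    """Move protected values into the encrypted container; leave dummies behind."""
    secret = {t: dataset[t] for t in DUMMY if t in dataset}
    out = {**dataset, **{t: DUMMY[t] for t in secret}}
    out[ENCRYPTED_ATTRS] = encrypt(json.dumps(secret, sort_keys=True).encode())
    return out


def restore(dataset, decrypt):
    """Reverse protect() for a holder of the decryption key."""
    out = {t: v for t, v in dataset.items() if t != ENCRYPTED_ATTRS}
    out.update(json.loads(decrypt(dataset[ENCRYPTED_ATTRS])))
    return out


def leaks(original, protected):
    """Audit: tags in `protected` where an original protected value is readable."""
    secrets = [str(original[t]).encode() for t in DUMMY if t in original]
    raw = lambda v: v if isinstance(v, bytes) else str(v).encode()
    return sorted(t for t, v in protected.items()
                  if any(s in raw(v) for s in secrets))
```

The audit matters because replacing the Patient Name attribute does nothing for a copy of the name typed into a free-text attribute such as Study Description, or for a container that was written without encryption.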
