The MedSeC Project

Speed-optimized Data Security for Telemedical Applications


Abstract 
Telemedical services rely on the digital transfer of large amounts of data in a short time. For these services to find acceptance, new hardware and software concepts are required. The fast exchange of data is handled well within a high-speed ATM-based network (MAN of Berlin). The fast access to the data from different platforms poses more difficult problems, which may be categorized into those relating to standardized data formats and those relating to different levels of data security across nations. For the standardized access to image data, a DICOM 3.0 server was implemented. Images were converted into the DICOM 3.0 standard when necessary. The access to the server is provided by an implementation of DICOM in Java, allowing access to the data from different platforms. Data protection measures to ensure the secure transfer of sensitive patient data have not yet been solved within the DICOM concept. Using the DICOM/Java modality, we have investigated different schemes to protect data with as little impact on data transfer speed as possible.
Objectives 
The goal of the MedSeC project is to develop methods for ensuring the confidentiality and integrity of medical image data in the specific context of high-speed networks, to implement these methods on the basis of existing standards (DICOM, Java), and to evaluate them using selected real scenarios. 
Project Description 
Client/server applications within a public network put high demands on security measures, especially when using sensitive data such as in medicine-related projects. Unauthorized access to personal data must be prevented at all costs. In most countries, including Germany, the transfer of image data over public networks either is not allowed or will soon be regulated by law. Since even simple image data such as a CT scan contain patient-relevant data in an ASCII header, the transport of images always involves some amount of private data exchange. Even within the hospital itself, access to images should only be granted to the attending physician and other authorized people.

This is even more valid for the public network to which most university hospitals are connected nowadays. Since a certain exchange of information is still needed between different locations, the complete isolation of a hospital is not an alternative. Most internal hospital networks are separated from the public networks by firewalls, which allow the transfer of data if initiated from within the hospital. Before transport, patient-relevant information must be encrypted. Whereas decryption and encryption are not the speed-limiting factor in conventional networks, they play a significant role if high-speed networks are involved. Of equal importance is the consideration that data communication should build upon existing standards rather than any proprietary singular solutions. This concept must be further extended for hospitals since the existence of different platforms within different departments is a well-known problem. This situation is aggravated by the fact that most medical users are not computer experts. During the last few years much effort has been made to connect different platforms via standardized network protocols. The DICOM 3.0 standard was developed for medical image interchange. The use of WWW and HTML has triggered the development of platform-independent software using Java.

Under the auspices of the Bundesministerium für Forschung und Zukunft (BMBF) and the Deutsches Forschungsnetz (DFN), a Metropolitan Area Network (MAN) has been installed in Berlin that employs the Asynchronous Transfer Mode (ATM) to achieve a data transfer speed of up to 155 Mbit/s. Within the framework of the MedSeC project, the network links the University Hospital Benjamin Franklin of the Free University (UKBF) and the computer science department of the Technical University (TUB). Network linkage enables access to two comprehensive locally installed software programs. 
The first software program allows the three-dimensional reconstruction, interactive manipulation and fusion of different tomographic image data. This system is mainly used for research in functional MRI. The main application consists of the overlay of functional active brain areas after special stimulation paradigms onto the 3D reconstructed cortex. The images of the functionally stimulated areas have different geometry and data structure. The data, overlaid with colors that correspond to their interpretation, allow the identification of the anatomical structure of the functional areas. 
The second software system uses special MR sequences in one of the university hospitals (UKBF), serving for the early diagnosis of acute ischemic infarcts. After special image-processing methods, the differential diagnosis and the exact determination of the so-called apparent diffusion coefficient (ADC) using a histogram-based cluster analysis are greatly improved especially in cases of small, heterogeneous or irregularly shaped infarcts. 
The data sets, including preprocessed data and derived images, are transferred from various image modalities in platform-dependent file formats to an intermediate server. There they are cached, converted into DICOM and encrypted. They are subsequently stored in a database. Data subsets earmarked for external evaluation or further processing by application servers are transferred to the external DICOM server, where they are temporarily stored and can be subsequently accessed by authorized users.
Medical services offered by the different hospitals and universities in Berlin are available via a high-speed MAN. DICOM is used for the standardized communication and the exchange of image data between different image modalities and application servers. Platform-independent access is possible via a WWW interface through the use of CGI scripts or Java applets. Data security is provided by a security protocol or by an extension of the DICOM protocol. To account for data security within DICOM, a modification of the standard is necessary. For the application layer encryption, two independent modifications are possible: a new DICOM transfer syntax and/or the use of a new DICOM element containing the whole patient-relevant information in encrypted form. A modification of the DICOM protocol version is necessary for the transport layer encryption. Encryption with hardware support confines the communication to predefined partners with the same hardware. It may therefore lead to difficulties in environments with changing short-term projects or when communicating with specialists who do not possess the same hardware. Within this particular project, priority is therefore given to software-only solutions.
Results / Publications
The MedSeC project is still under development. The main results are presented below. For more details, see the publications.

Evaluation and enhancement of DICOM-related software

Within the MedSeC project, the implementation of tools utilizing the DICOM standard is based on three software packages: 

The DICOM server implemented in Java has the advantage of platform independence and has been used to implement more recent tools requiring DICOM communication and display functionality. The RSNA library, which allows the integration of databases for the image server, was used to develop the conversion software. This library has a clear performance advantage over the other two solutions with regard to data encoding and decoding. However, it is not an object-oriented implementation, which is a disadvantage for a more sophisticated development. We also took commercial implementations into consideration but concluded that for the given research purposes their advantages do not justify the additional costs. 
The mSQL database system (version 2.1, public domain software) serves as the database for the project. The database layout of the image server from the RSNA code had to be modified. There were no fields for derived images or for image information like slice position, echo time (TE) and repetition time (TR), which were necessary for certain query and retrieval functions. The database structure and the image server software were extended to meet these demands of our project. 

For query/retrieval and for viewing of the DICOM data a Java client was implemented. By utilizing Java, this software can be executed on every platform for which a Java implementation exists (PC, Mac, almost all UNIX platforms as well as various other systems). Generally, the client software can be executed within every appropriately equipped Web browser. In the project, we use the Netscape Communicator. That way the same client software can be used, independent of the client computer platform and its location in the network.
Our project partners - the Surgical Research Unit OP2000, situated in the Robert-Rössle-Klinik at the Max-Delbrück-Centre, Charité University Hospital, Humboldt University (location Berlin-Buch), directed by Professor Dr. P. M. Schlag and coordinated by Dr. G. Graschew - adapted the Mallinckrodt DICOM software for the IRIX 6.2 and 6.3 operating systems and installed it on SGI Onyx and SGI O2 computers (contact: Dr. G. Bellaire). The installation was successfully tested internally and via the DICOM server at the UKBF. Aimed as an extension proposal for the DICOM standard, various compression methods for digital stereoscopic video sequences were implemented and tested. Furthermore, a cooperation with Informix was set up in order to deploy their IUS database as a backbone of the Mallinckrodt DICOM server.

Evaluation of available security technologies and tools

We have chosen the following cryptographic libraries: 

For C/C++: SSLeay 0.8.1 (ftp://ftp.psy.uq.oz.au/pub/Crypto/)

For Java: Cryptix 2.2 (http://www.systemics.com/software/cryptix-java/index.html)

The SSLeay toolkit incorporates interfaces to various cryptographic algorithms (IDEA, RSA, DES, RC2, RC4, MD5, MD2, Blowfish) as well as to SSL versions 2 and 3.
The Cryptix library also offers access to these cryptographic methods, but it does not yet support SSL. In addition to the Java implementation, there are shared libraries for the Intel platform. That way the encryption and decryption can be done with native code, resulting in a considerably higher performance while preserving compatibility.


Security architecture for telemedical applications

To establish secure communication, the following concepts, with reference to the OSI layer model, were tested:

  1. Encryption within the transport layer: online encryption of the data stream on the TCP/IP level. This concept was implemented with the aid of the Secure Socket Layer (SSL) and can be installed in an application-independent way.
  2. Encryption within the application layer; for example, parts of the DICOM object.

We have to distinguish between two basically different application cases: 

  • The query/retrieval of the data via the WWW does not impose great demands on transfer speed. Therefore the online encryption of the data stream is feasible in this case. 
  • For the transfer of large amounts of data to the application servers, high performance is needed. An online encryption of the complete data stream is not acceptable due to the time expenditure involved. Encrypting at the application level has to be preferred.

The DICOM standard does not yet define mechanisms for a secure data transfer. In cooperation with the DICOM working group, we are currently implementing a procedure that allows only the patient-relevant data fields to be encrypted. This is advantageous in that the user can determine within the application what part of the data should be encrypted. 
Alternatively, the entire data stream can be encrypted between the routers. This is implemented in order to link external centers with the logical network infrastructure of the hospital across insecure networks (virtual private network). This method is offered by router manufacturers and is integrated directly into the hardware. It is transparent for the software but enables only a communication between like-equipped routers. 

Implementation of security mechanisms and services in C and Java

On-line encryption
  • For the implementation of the access methods via WWW, we utilized Apache (1.1) with SSL extensions as the Web server, so that we can use secured HTTP for the communication between the server and browser. 
  • Regarding the DICOM server, we extended the Mallinckrodt Institute of Radiology DICOM implementation by the SSL-communication. A client based on that library was able to successfully communicate with a server utilizing the same library.

  • Extension of the Java-based DICOM implementation by SSL on-line encryption is currently in the works.


Off-line encryption

We have implemented a method for partial encryption of DICOM objects using Java and the Cryptix library. Using this method, original data elements are cleared or filled with meaningless information while the original data are stored in encrypted form in an additional group. This approach allows data encryption and storage without undermining the DICOM standard. Therefore, DICOM-based applications can work with these data if they do not depend on the encrypted information, for example our analysis tool for special MR sequences. Secured applications decrypt the data and put them back in their original place. The cryptographic application currently implements the cycles retrieve/encrypt/store, retrieve/decrypt/store and retrieve/decrypt/view for patient datasets. It allows the retrieval of non-encrypted DICOM datasets from a secure internal server, encryption and storage of those encrypted datasets on a network-wide accessible server, and vice versa. 
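The partial-encryption scheme described above, as an added illustration that is not the project's Java/Cryptix code: patient-relevant elements are overwritten with filler, the originals are serialized and encrypted, and the ciphertext is stored in a private group so that DICOM software which does not need those fields still works. The tag selection, the private group numbers (0099,xxxx), the record format inside the encrypted element and the cipher are all assumptions; HMAC-SHA256 in counter mode with an encrypt-then-MAC tag stands in for the IDEA cipher the project used.

```python
import hashlib, hmac, os, struct

# Patient-relevant tags chosen for this example: Patient Name, Patient ID, Birth Date.
PATIENT_TAGS = [(0x0010, 0x0010), (0x0010, 0x0020), (0x0010, 0x0030)]
PRIVATE_CREATOR = (0x0099, 0x0010)    # hypothetical private creator element
ENCRYPTED_ELEMENT = (0x0099, 0x1010)  # hypothetical element holding the ciphertext

def encode_elements(elements):
    """Pack (tag, value) pairs as DICOM-style tag/length/value records (no padding)."""
    return b"".join(struct.pack("<HHI", g, e, len(v)) + v for (g, e), v in elements)

def decode_elements(blob):
    elements, pos = [], 0
    while pos < len(blob):
        g, e, n = struct.unpack_from("<HHI", blob, pos)
        elements.append(((g, e), blob[pos + 8:pos + 8 + n]))
        pos += 8 + n
    return elements

def _keystream(key, nonce, n):
    # HMAC-SHA256 in counter mode as a stand-in PRF stream cipher (the project used IDEA).
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    """Encrypt-then-MAC: nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("encrypted group failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def encrypt_dataset(ds, key):
    """Replace patient-relevant elements by filler; keep the originals encrypted in a private group."""
    originals = [(tag, ds[tag]) for tag in PATIENT_TAGS if tag in ds]
    out = dict(ds)
    for tag, _ in originals:
        out[tag] = b"ANONYMOUS"       # meaningless value keeps the element present and parseable
    out[PRIVATE_CREATOR] = b"MEDSEC"
    out[ENCRYPTED_ELEMENT] = seal(key, encode_elements(originals))
    return out

def decrypt_dataset(ds, key):
    """Inverse of encrypt_dataset: restore the originals and drop the private group."""
    out = dict(ds)
    for tag, value in decode_elements(unseal(key, ds[ENCRYPTED_ELEMENT])):
        out[tag] = value
    del out[ENCRYPTED_ELEMENT], out[PRIVATE_CREATOR]
    return out
```

The pixel data and other non-patient elements pass through untouched, which is what keeps the per-object cost small compared with encrypting the whole stream.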

Measurements

The transfer speed of the online encryption method is displayed in Table 1. All measurements were performed between a DEC 3000/600 and a DEC Alphastation 255/4. The maximum transfer speed was limited by the hard-disk speed. Memory-based ATM data transfer reached up to 13 Mbyte/s. 

Encryption method with SSL    Transfer speed (Ethernet 10 Mbit/s)    Transfer speed (ATM 155 Mbit/s)
without encryption            900 Kbyte/s                            4200 Kbyte/s
RC4-MD5                       820 Kbyte/s                            1770 Kbyte/s
IDEA-CBC-MD5                  660 Kbyte/s                             711 Kbyte/s
DES3-CBC-MD5                  393 Kbyte/s                             400 Kbyte/s

Table 1: Online encryption on 10 Mbit/s Ethernet and 155 Mbit/s ATM using different encryption algorithms.

A comparison of online and offline encryption transfer speeds is depicted in Table 2.

Encryption method (IDEA)           Transfer speed
without encryption (155 Mbit/s)    4200 Kbyte/s
partially encrypted (155 Mbit/s)   3900 Kbyte/s
SSL (155 Mbit/s)                    711 Kbyte/s
SSL (10 Mbit/s)                     600 Kbyte/s

Table 2: Performance of the data transfer using the different encryption methods.


Demo

A demo applet is available that demonstrates the off-line encryption of DICOM datasets as implemented in the project. The demo applet offers only a few features of the full version, but it uses essentially the same code and therefore the same mechanisms. It combines DICOM access with encryption.

Secure DICOM services:
Test of distributed telemedical applications in cooperation with the Department of Radiology, UKBF

In the radiology department of the University Hospital Benjamin Franklin a DICOM database for medical services has been set up. This database is currently being filled with real patient data. To make this possible, we had to find solutions for three problems: 

  • transfer of image data from the modalities to the database
  • conversion of vendor-specific image data format of the spiral CT into DICOM, and
  • linkage to the Radiological Information System (RIS), in order to integrate reports with the image data

The image data is first transferred via DECnet from the VAX computer belonging to the spiral CT to a PC running Windows NT 4.0. There the image format is converted to DICOM with a converter we implemented for that purpose. The images are then sent via DICOM network services (on top of TCP/IP with Ethernet physical link) to the DICOM server. That server is implemented in Java and running on a PC with Windows NT operating system. All operations are controlled with custom-developed scripts and supervised by custom-developed software, which also enables accurate remote error diagnostics. 
DICOM converters developed for the medical imaging devices "Siemens Vision" (MR) and "Siemens Somatom Plus" (Spiral CT) are based on the SLClib library developed earlier in the project and now ported from UNIX onto the Windows NT 4.0 platform. Because it was not possible to convert every Siemens data entry into an appropriate DICOM data element, we store the complete original Siemens header in a private DICOM element, enabling future access to that data if required.
The linkage to the vendor-specific RIS was implemented by analyzing the output of that system via a terminal emulation. On the image server, the reports are automatically converted on arrival and stored in a relational database. This database can be accessed via WWW with a Java applet implemented for that purpose, which enforces strict access control.

Acknowledgments

The MedSeC project has been launched and organized by the DFN-Verein. It is funded by the BMBF.
