One of the major advantages
of acquiring, archiving and distributing images in digital format is
the opportunity to conveniently associate patient and procedure
information with the images. The DICOM standard provides a
standardized way of accomplishing this association and has been widely
adopted. However, the inclusion of patient and procedure data with
digital images can be a curse as well as a blessing.
A major medical device company is concerned about the problem of
compromising patient confidentiality by distributing DICOM CDs of
interventional Cardiology procedures for training and sales purposes.
Physicians displaying images at conferences have the same problem, as
do medical research studies that use digital images.
Just erasing the label on a DICOM CD or copying the CD to a blank
CD does not remove most of the identifying information on the
CD. The information is still present in digital form in the files
recorded on the CD.
I have prepared an example that I hope will illustrate the problem
of patient confidentiality in the age of digital imaging. I selected
an image file from the ACC DICOM DISC 95 for illustration purposes and
used a DICOM parsing program to obtain the contents of the file. This
is the result (edited to remove clutter):
(0008,0020) [DA/8] "19941016"; Study Date
(0008,0030) [TM/6] "083000" ; Study Time
(0008,0080) [LO/18] "Community Hospital" ; Institution Name
(0008,0081) [ST/12] "Anytown, USA" ; Institution Address
(0008,0090) [PN/10] "Gray^Henry" ; Referring Physician's Name
(0008,1030) [LO/24] "Cardiac Catheterization " ; Study Description
(0008,103E) [LO/14] "Ventriculogram" ; Series Description
(0008,1050) [PN/10] "White^Paul" ; Performing Physician's Name
(0010,0010) [PN/14] "Johnson^Robert" ; Patient's Name
(0010,0020) [LO/12] "123-45-6789 " ; Patient ID
(0010,0030) [DA/8] "19231016"; Patient's Birth Date
(0010,0040) [CS/2] "M " ; Patient's Sex
To illustrate how easy it is to obtain this information, I also
opened the same file with Microsoft Word. This is a few lines from the
file as displayed by Word:
Acme Products LOCommunity HospitalSTAnytown, USAPN
Gray^Henry0LOCardiac Catheterization >LOVentriculogramPPN
White^PaulPNJohnson^Robert LO123-45-6789 0DA19231016@CSM
As you can see, the same data are readily discernable, especially
to a practiced eye.
These data are part of the DICOM header that precedes
the images in every DICOM file. These data must be present if
the file is to conform to the DICOM Standard.
In addition, each DICOM CD must contain a directory file named
DICOMDIR. DICOMDIR contains the same patient and procedure information
as well as information about each image file.
I have added an anonymizing function to
ViewPlus, my cardiac DICOM viewer. A DICOM anonymizer is computer
software that removes all identifying data from a DICOM file. In order
to accomplish this, I added the following functionality to ViewPlus:
- A user views a DICOM CD and selects some or all of the cine runs
on it. The user then clicks the "Make DICOM" button.
- A new DICOMDIR file is created de novo with absolutely NO
- A new set of image files is created. The header of each image
file is created de novo with absolutely NO identifying
information. The image data is then appended to the header.
- The DICOMDIR and image files are recorded on a blank CD.
The resulting CD
is viewable by
any standard DICOM viewer. Creating an anonymized CD takes just a bit
longer than just copying the CD.
Following is the edited parse of the anonymized file created by
ViewPlus from the same image file shown above:
(0008,0020) [DA/8] "00000000" ; Study Date
(0008,0030) [TM/6] "000000" ; Study Time
(0008,1030) [LO/0] "" ; Study Description
(0008,103E) [LO/0] "" ; Series Description
(0010,0010) [PN/0] "" ; Patient's Name
(0010,0020) [LO/0] "" ; Patient ID
As you can see, there is absolutely no way to identify the patient
or even trace the source of the images.
Note for technically-minded readers:
UIDs used in DICOM files can also compromise confidentiality. For this
reason, UIDs that contain patient, hospital or manufacturer data are
also set to zero.