An organization may have policies requiring encryption of data at rest (i.e., as stored in the files of the storage system). Encryption both limits access to applications that have (securely) obtained the decryption keys, and also ensures file integrity. DICOM specifies methods for secure (encrypted) files (see Annex D “Media Storage Security Profiles (Normative)” in PS3.15 and Section 7.4 “Secure DICOM File Format” in PS3.10), and other file-based encryption mechanisms might be employed by a repository system. However, issues such as key management and distribution are implementation- and site-specific.

Of particular interest to Inventories, the URI link to a stored SOP Instance may point to a Secure DICOM File or a file encrypted by another mechanism. There are no specifications regarding key management to access that file, but storing the key in the Inventory would present significant vulnerabilities, and would be an inappropriate mechanism unless the Inventory itself were encrypted. Processes for a reading application to access such secured files must be handled by non-DICOM mechanisms.