Copyright © 2024 NEMA
Table of Contents
List of Figures
List of Tables
The information in this publication was considered technically sound by the consensus of persons engaged in the development and approval of the document at the time it was developed. Consensus does not necessarily mean that there is unanimous agreement among every person participating in the development of this document.
NEMA standards and guideline publications, of which the document contained herein is one, are developed through a voluntary consensus standards development process. This process brings together volunteers and/or seeks out the views of persons who have an interest in the topic covered by this publication. While NEMA administers the process and establishes rules to promote fairness in the development of consensus, it does not write the document and it does not independently test, evaluate, or verify the accuracy or completeness of any information or the soundness of any judgments contained in its standards and guideline publications.
NEMA disclaims liability for any personal injury, property, or other damages of any nature whatsoever, whether special, indirect, consequential, or compensatory, directly or indirectly resulting from the publication, use of, application, or reliance on this document. NEMA disclaims and makes no guaranty or warranty, expressed or implied, as to the accuracy or completeness of any information published herein, and disclaims and makes no warranty that the information in this document will fulfill any of your particular purposes or needs. NEMA does not undertake to guarantee the performance of any individual manufacturer or seller's products or services by virtue of this standard or guide.
In publishing and making this document available, NEMA is not undertaking to render professional or other services for or on behalf of any person or entity, nor is NEMA undertaking to perform any duty owed by any person or entity to someone else. Anyone using this document should rely on his or her own independent judgment or, as appropriate, seek the advice of a competent professional in determining the exercise of reasonable care in any given circumstances. Information and other standards on the topic covered by this publication may be available from other sources, which the user may wish to consult for additional views or information not covered by this publication.
NEMA has no power, nor does it undertake to police or enforce compliance with the contents of this document. NEMA does not certify, test, or inspect products, designs, or installations for safety or health purposes. Any certification or other statement of compliance with any health or safety-related information in this document shall not be attributable to NEMA and is solely the responsibility of the certifier or maker of the statement.
This DICOM Standard was developed according to the procedures of the DICOM Standards Committee.
The DICOM Standard is structured as a multi-part document using the guidelines established in [ISO/IEC Directives, Part 2].
DICOM® is the registered trademark of the National Electrical Manufacturers Association for its standards publications relating to digital communications of medical information, all rights reserved.
HL7® and CDA® are the registered trademarks of Health Level Seven International, all rights reserved.
SNOMED®, SNOMED Clinical Terms®, SNOMED CT® are the registered trademarks of the International Health Terminology Standards Development Organisation (IHTSDO), all rights reserved.
LOINC® is the registered trademark of Regenstrief Institute, Inc, all rights reserved.
This Part of the DICOM Standard specifies Security and System Management Profiles to which implementations may claim conformance. Security and System Management Profiles are defined by referencing externally developed standard protocols, such as TLS, ISCL, DHCP, and LDAP, with attention to their use in a system that uses DICOM Standard protocols for information interchange.
The DICOM Standard does not address issues of security policies, though clearly adherence to appropriate security policies is necessary for any level of security. The Standard only provides mechanisms that could be used to implement security policies with regard to the interchange of DICOM objects between Application Entities. For example, a security policy may dictate some level of access control. This Standard does not consider access control policies, but does provide the technological means for the Application Entities involved to exchange sufficient information to implement access control policies.
This Standard assumes that the Application Entities involved in a DICOM interchange are implementing appropriate security policies, including, but not limited to access control, audit trails, physical protection, maintaining the confidentiality and integrity of data, and mechanisms to identify users and their rights to access data. Essentially, each Application Entity must insure that their own local environment is secure before even attempting secure communications with other Application Entities.
When Application Entities agree to interchange information via DICOM through association negotiation, they are essentially agreeing to some level of trust in the other Application Entities. Primarily Application Entities trust that their communication partners will maintain the confidentiality and integrity of data under their control. Of course that level of trust may be dictated by local security and access control policies.
Application Entities may not trust the communications channel by which they communicate with other Application Entities. Thus, this Standard provides mechanisms for Application Entities to securely authenticate each other, to detect any tampering with or alteration of messages exchanged, and to protect the confidentiality of those messages while traversing the communications channel. Application Entities can optionally utilize any of these mechanisms, depending on the level of trust they place in the communications channel.
This Standard assumes that Application Entities can securely identify local users of the Application Entity, and that user's roles or licenses. Note that users may be persons, or may be abstract entities, such as organizations or pieces of equipment. When Application Entities agree to an exchange of information via DICOM, they may also exchange information about the users of the Application Entity via the Certificates exchanged in setting up the secure channel. The Application Entity may then consider the information contained in the Certificates about the users, whether local or remote, in implementing an access control policy or in generating audit trails.
This Standard also assumes that Application Entities have means to determine whether or not the "owners" (e.g., patient, institution) of information have authorized particular users, or classes of users to access information. This Standard further assumes that such authorization might be considered in the access control provided by the Application Entity. At this time, this Standard does not consider how such authorization might be communicated between Application Entities, though that may be a topic for consideration at some future date.
This Standard also assumes that an Application Entity using TLS has secure access to or can securely obtain [ITU-T X.509] key Certificates for the users of the application entity. In addition, this Standard assumes that an Application Entity has the means to validate an [ITU-T X.509] certificate that it receives. The validation mechanism may use locally administered authorities, publicly available authorities, or some trusted third party.
This Standard assumes that an Application Entity using ISCL has access to an appropriate key management and distribution system (e.g., smartcards). The nature and use of such a key management and distribution system is beyond the scope of DICOM, though it may be part of the security policies used at particular sites.
The System Management Profiles specified in this Part are designed to support automation of the configuration management processes necessary to operate a system that uses DICOM Standard protocols for information interchange.
This Part assumes that the Application Entities may operate in a variety of network environments of differing complexity. These environments may range from a few units operating on an isolated network, to a department-level network with some limited centralized network support services, to an enterprise-level network with significant network management services. Note that the System Management Profiles are generally addressed to the implementation, not to Application Entities. The same Profiles need to be supported by the different applications on the network.
The following standards contain provisions that, through reference in this text, constitute provisions of this Standard. At the time of publication, the editions indicated were valid. All standards are subject to revision, and parties to agreements based on this Standard are encouraged to investigate the possibilities of applying the most recent editions of the standards indicated below.
Normative RFC's are frequently updated by issuance of subsequent RFC's. The original older RFC is not modified to include references to the newer RFC.
[ISO/IEC Directives, Part 2] 2016/05. 7.0. Rules for the structure and drafting of International Standards. http://www.iec.ch/members_experts/refdocs/iec/isoiecdir-2%7Bed7.0%7Den.pdf .
[ISO 7498-1] 1994. Information Processing Systems - Open Systems Interconnection - Basic Reference Model.
[ISO 7498-2] 1989. Information processing systems - Open Systems Interconnection - Basic reference Model - Part 2: Security Architecture.
[ISO/TR 8509] Information Processing Systems - Open Systems Interconnection - Service Conventions. ISO/TR 8509 has been withdrawn. See ISO/IEC 2382-26:1993 Information technology - Vocabulary - Part 26: Open systems interconnection .
[ISO 8649] 1988. Information processing systems - Open Systems Interconnection - Service definition for the Association Control Service Element (ACSE).
[ISO/IEC 10118-3] 2004. Information technology - Security techniques - Hash-functions - Part 3: Dedicated hash-functions (RIPEMD-160 reference). The draft RIPEMD-160 specification and sample code are also available at http://homes.esat.kuleuven.be/~bosselae/ripemd160.html .
[ECMA 235] March 1996. The ECMA GSS-API Mechanism. http://www.ecma-international.org/publications/standards/Ecma-235.htm .
[DNS-SD] DNS Self-Discovery. http://www.dns-sd.org/ .
[ITU-T X.509] Information technology - Open Systems Interconnection - The directory: Public-key and attribute certificate frameworks. http://www.itu.int/rec/T-REC-X.509 . ITU-T Recommendation X.509 is similar to ISO/IEC 9594-8 1990. However, the ITU-T recommendation is the more familiar form, and was revised in 1993 and 2000, with two sets of corrections in 2001. ITU-T was formerly known as CCITT..
[RFC 1035] Domain Name System (DNS). http://www.rfc-editor.org/info/rfc1035 .
[RFC 2030] Simple Network Time Protocol (SNTP) Version 4. http://www.rfc-editor.org/info/rfc2030 .
[RFC 2131] Dynamic Host Configuration Protocol. http://www.rfc-editor.org/info/rfc2131 .
[RFC 2132] Dynamic Host Configuration Protocol Options. http://www.rfc-editor.org/info/rfc2132 .
[RFC 2136] Dynamic Updates in the Domain Name System (DNS UPDATE). http://www.rfc-editor.org/info/rfc2136 .
[RFC 2181] Clarifications to the DNS Specification. http://www.rfc-editor.org/info/rfc2181 .
[RFC 2219] Use of DNS Aliases for Network Services. http://www.rfc-editor.org/info/rfc2219 .
[RFC 2246] Transport Layer Security (TLS) 1.0 Internet Engineering Task Force. http://www.rfc-editor.org/info/rfc2246 .
[RFC 2251] Lightweight Directory Access Protocol (v3). http://www.rfc-editor.org/info/rfc2251 .
[RFC 2313] March 1998. PKCS #1: RSA Encryption, Version 1.5. http://www.rfc-editor.org/info/rfc2313 .
[RFC 2437] October 1998. PKCS #1: RSA Cryptography Specifications - Version 2.0. http://www.rfc-editor.org/info/rfc2437 .
[RFC 2563] DHCP Option to Disable Stateless Auto-Configuration in IPv4 Clients. http://www.rfc-editor.org/info/rfc2563 .
[RFC 2782] A DNS RR for specifying the location of services (DNS SRV). http://www.rfc-editor.org/info/rfc2782 .
[RFC 2827] Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing. http://www.rfc-editor.org/info/rfc2827 .
[RFC 2849] The LDAP Data Interchange Format (LDIF). http://www.rfc-editor.org/info/rfc2849 .
[RFC 2898] September 2000. PKCS #5: Password-Based Cryptography Specification Version 2.0. http://www.rfc-editor.org/info/rfc2898 .
[RFC 3161] March 2000. Internet X.509 Public Key Infrastructure - Time-Stamp Protocol (TSP). http://www.rfc-editor.org/info/rfc3161 .
[RFC 3164] August 2001. The BSD syslog Protocol. http://www.rfc-editor.org/info/rfc3164 .
[RFC 3211] December 2001. Password-based Encryption for CMS. http://www.rfc-editor.org/info/rfc3211 .
[RFC 3268] June 2002. Advanced Encryption Standard (AES) Ciphersuites for Transport Layer Security (TLS). http://www.rfc-editor.org/info/rfc3268 .
[RFC 3447] February 2003. PKCS #1 RSA Cryptography Specifications Version 2.1. http://www.rfc-editor.org/info/rfc3447 .
[RFC 3370] August 2002. Cryptographic Message Syntax (CMS) Algorithms. http://www.rfc-editor.org/info/rfc3370 .
[RFC 3565] July 2003. Use of the Advanced Encryption Standard (AES) Encryption Algorithm in Cryptographic Message Syntax (CMS). http://www.rfc-editor.org/info/rfc3565 .
[RFC 3851] Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.1 Message Specification. http://www.rfc-editor.org/info/rfc3851 .
[RFC 3853] S/MIME Advanced Encryption Standard (AES) Requirement for the Session Initiation Protocol (SIP). http://www.rfc-editor.org/info/rfc3853 .
[RFC 3881] September 2004. Security Audit and Access Accountability Message - XML Data Definitions for Healthcare Applications. http://www.rfc-editor.org/info/rfc3881 .
[RFC 4033] March 2005. DNS Security Introduction and Requirements. http://www.rfc-editor.org/info/rfc4033 .
[RFC 4034] March 2005. Resource Records for the DNS Security Extensions. http://www.rfc-editor.org/info/rfc4034 .
[RFC 5246] August 2008. The Transport Layer Security (TLS) Protocol Version 1.2. http://www.rfc-editor.org/info/rfc5246 .
[RFC 5424] The Syslog Protocol. http://www.rfc-editor.org/info/rfc5424 .
[RFC 5425] Transport Layer Security (TLS) Transport Mapping for Syslog. http://www.rfc-editor.org/info/rfc5425 .
[RFC 5426] Transmission of Syslog Messages over UDP. http://www.rfc-editor.org/info/rfc5426 .
[RFC 5652] September 2009. Cryptographic Message Syntax. http://www.rfc-editor.org/info/rfc5652 .
[RFC 5905] Network Time Protocol Version 4: Protocol and Algorithms Specification. http://www.rfc-editor.org/info/rfc5905 .
[RFC 5906] Network Time Protocol Version 4: Autokey Specification. http://www.rfc-editor.org/info/rfc5906 .
[RFC 6762] February 2013. Multicast DNS. http://www.rfc-editor.org/info/rfc6762 .
[RFC 6763] February 2013. DNS-Based Service Discovery. http://www.rfc-editor.org/info/rfc6763 .
[RFC 8446] August 2018. The Transport Layer Security (TLS) Protocol Version 1.3. http://www.rfc-editor.org/info/rfc8446 .
[RFC 8553] DNS AttrLeaf Changes: Fixing Specifications That Use Underscored Node Names. http://www.rfc-editor.org/info/rfc8553 .
[RFC 8633] RFC8633 Network Time Protocol Best Current Practices. http://www.rfc-editor.org/info/rfc8633 .
[RFC 8996] March 2021. Deprecating TLS 1.0 and TLS 1.1. BCP 195. http://www.rfc-editor.org/info/rfc8996 .
[RFC 9325] Nov 2022. Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS). BCP 195. RFC 9325. http://www.rfc-editor.org/info/rfc9325 .
[BCP 195] Information on BCP 195. References RFC 8996 and RFC 9325. http://www.rfc-editor.org/info/bcp195 .
For the purposes of this Standard the following definitions apply.
This Part of the Standard makes use of the following terms defined in [ISO 7498-1]:
See [ISO 7498-1].
See [ISO 7498-1].
See [ISO 7498-1].
This Part of the Standard makes use of the following terms defined in [ISO 7498-2]:
See [ISO 7498-2].
See [ISO 7498-2].
See [ISO 7498-2].
See [ISO 7498-2].
See [ISO 7498-2].
This Part of the Standard makes use of the following terms defined in [ISO 8649]:
See [ISO 8649].
This Part of the Standard makes use of the following terms defined in [ECMA 235]:
See [ECMA 235].
This Part of the Standard makes use of the following terms defined in PS3.1:
This Part of the Standard makes use of the following terms defined in PS3.2:
This Part of the Standard makes use of the following terms defined in PS3.3:
This Part of the Standard makes use of the following terms defined in PS3.4:
This Part of the Standard makes use of the following terms defined in PS3.8:
The following definitions are commonly used in this Part of the DICOM Standard:
A Transport Connection that provides some level of protection against tampering, eavesdropping, masquerading.
A digest or hash code derived from a subset of Data Elements.
An electronic document that identifies a party and that party's public encryption algorithm, parameters, and key. The Certificate also includes, among other things, the identity and a digital signature from the entity that created the certificate. The content and format of a Certificate are defined by ITU-T Recommendation X.509.
This Part of the Standard makes use of the following terms defined in PS3.5:
The following symbols and abbreviations are used in this Part of the Standard.
Comite European de Normalisation-Technical Committee 251-Medical Informatics
Japan Medical Imaging and Radiological Systems Industries Association
An implementation may claim conformance to any of the Security and System Management Profiles individually. It may also claim conformance to more than one Security or System Management Profile. It shall indicate in its Conformance Statement how it chooses which profiles to use for any given transaction.
An implementation may claim conformance to one or more Secure Use Profiles. Such profiles outline the use of attributes and other Security Profiles in a specific fashion.
Secure Use Profiles are specified in Annex A.
An implementation may claim conformance to one or more Secure Transport Connection Profiles.
A Secure Transport Connection Profile includes the following information:
Secure Transport Connection Profiles are specified in Annex B.
An implementation may claim conformance to one or more Digital Signature Profiles.
A Digital Signature profile consists of the following information:
A list of Attributes that shall be included in the Digital Signature.
The mechanisms that shall be used to generate or verify the Digital Signature, including:
The algorithm and relevant parameters that shall be used to create the MAC or hash code, including the Value to be used for the MAC Algorithm (0400,0015) Attribute.
The encryption algorithm and relevant parameters that shall be used to encrypt the MAC or hash code in forming the Digital Signature.
The certificate type or key distribution mechanism that shall be used, including the Value to be used for the Certificate Type (0400,0110) Attribute.
Any requirements for the Certified Timestamp Type (0400,0305) and Certified Timestamp (0400,0310) Attributes.
Any other factors needed to create, verify, or interpret the Digital Signature
Digital Signature Profiles are specified in Annex C.
An implementation may claim conformance to one or more Media Storage Application Profiles, which in turn require conformance to one or more Media Storage Security Profiles.
An implementation may not claim conformance to a Media Storage Security Profile without claiming conformance to a Media Storage Application Profile.
A Media Storage Security Profile includes the following specifications:
Media Storage Security Profiles are specified in Annex D.
An implementation may claim conformance to one or more Network Address Management Profiles. Such profiles outline the use of non-DICOM network protocols to obtain the network addresses for the implementation.
Network Address Management Profiles are specified in Annex F.
An implementation may claim conformance to one or more Time Synchronization Profiles. Such profiles outline the use of non-DICOM protocols to set the current time for the implementation.
Time Synchronization Profiles are specified in Annex G.
An implementation may claim conformance to one or more Application Configuration Management Profiles. Such profiles outline the use of non-DICOM network protocols to obtain the descriptions, addresses and capabilities of other devices with which the implementation may communicate using the DICOM Protocol. They also specify the use of those non-DICOM protocols for the implementation to publish or announce its description, addresses and capabilities. They also specify how implementation specific configuration information can be obtained by devices.
Application Configuration Management Profiles are specified in Annex H.
An implementation may claim conformance to one or more Audit Trail Profiles. Such profiles outline the generation and transport of audit messages for security and privacy policy enforcement.
Audit Trail Profiles are specified in Annex A.
An implementation may claim conformance to the Basic Application Level Confidentiality Profile and to one or more Basic Application Level Confidentiality Options. This profile and options support the de-identification of datasets to prevent leakage of individually identifiable information, for reasons of privacy.
The Basic Application Level Confidentiality Profile and its Options are specified in Annex E.
Configuration management support is implemented by means of protocols defined in standards other than the DICOM Standard. These protocols are described here in terms of actors, transactions, and profiles.
Actors are analogous to the Application Entities used within the DICOM profile. An actor is a collection of hardware and software processes that perform a particular role. When a device provides or uses a service it will include an actor to handle the relevant network activity. DICOM Configuration actors may co-exist with other Application Entities on a device. Some DICOM Configuration actors exist as parts of general use IT equipment. Like the Application Entity, specification of an Actor does not imply anything about the details of the actual implementation.
The actor interactions are defined in terms of Transactions. Each transaction is given a name. The transaction may in turn comprise a variety of activity. All transactions are defined in terms of actors that are communicating. The relationships between actors in a transaction may be more complex than the simple SCU and SCP roles in DICOM activities. When the transaction includes interactions with a person, the transactions may be implemented by user interfaces, removable media. and other mechanisms. The person is described in terms of being an actor from the perspective of the transaction use case model. More typically the transactions are a series of network activities that perform a specific operation.
A transaction includes both mandatory and optional components. An Actor that is implementing a transaction is required to implement all of the mandatory components.
Some transactions include human actors in the transaction definition. These actors are not defined as actors elsewhere, nor are they included in profile descriptions. They exist to specify that some sort of mechanism must be provided to permit these people to interact with the computer actor. Other details of how that user interface is provided are not specified by this Standard. For an example, see the definition of the Configure DHCP transaction.
Conformance is further managed by means of Profiles. A Profile is defined in terms of what transactions are required for an actor and what transactions are optional. An implementation of a specific actor is documented by specifying what optional transactions and transaction components have been implemented. An implementation that omits any required transactions or components cannot claim to be an implementation of that Actor.
For example, in the Network Address Management Profile the DHCP Server is required to perform the three Transactions to configure the DHCP server, find and use DHCP servers, and maintain the DHCP leases. It may also support the transaction to update the DNS server by means of DDNS coordination.
A Profile includes definitions for more than one Actor. It specifies the transactions for all of the actors that cooperate to perform a function. For example, the Network Address Management Profile covers the DHCP Server actor, the DHCP client Actor, and the DNS Server actor. There must be at least one DHCP Server and one DHCP Client for the system to be useful. The DNS Server itself is optional because the DHCP Server need not implement the DDNS Coordination transaction. If the DNS Server is part of the system, the DDNS coordination is required and the DHCP Server will be expected to participate in the DDNS Coordination transaction.
There may be a DNS server present on the same network as a DHCP Server, but if it is not providing the DNS Server actor from this profile it is not part of the DICOM Configuration activities.
The profiles, actors, and transactions are summarized in the following sections. The detailed description of actor and transactions for each specific profile are described in annexes for each profile. The transactions are documented in terms of parameters and terms from their original standards document, e.g., an RFC for Internet protocols. The full details of the transaction are not described in the annex, only particular details that are relevant to the DICOM application of that transaction. The complete details for these external protocols are documented in the relevant standards documents for the external protocols. Compliance with the requirements of a particular profile shall include compliance with these external protocol documents.
The DHCP Server is a computer/software feature that is provided with a network configuration description, and that provides startup configuration services in accordance with the DHCP protocol.
The DHCP Client is a software feature that is used to obtain TCP/IP parameters during the startup of a computer. It continues operation to maintain validity of these parameters.
The DNS server is a computer/software feature that provides IP related information in response to queries from clients utilizing the DNS protocol. It is a part of a federated database facility that maintains the current database relating machine names to IP address information. The DNS server may also be isolated from the worldwide federated database and provide only local DNS services.
The DNS client as a computer/software feature that utilizes the DNS protocols to obtain IP information when given hostnames. The hostnames may be in configuration files or other files instead of explicit IP addresses. The hostnames are converted into IP addresses dynamically when necessary. The DNS client uses a DNS server to provide the necessary information.
The NTP server is a computer/software feature that provides time services in accordance with the NTP or SNTP protocol.
The NTP client is software that obtains time information from an NTP server and maintains the client time in synchronization with the time signals from the NTP server.
The SNTP client is software that obtains time information from an NTP server and maintains the client time in approximate synchronization with time signals from the NTP server. The SNTP client synchronization is not maintained with the accuracy or precision that NTP provides.
The LDAP server is a computer/ software feature that maintains an internal database of various directory information. Some of this directory information corresponds to DICOM Configuration schema. The LDAP server provides network access to read and update the directory information. The LDAP server provides a mechanism for external loading, unloading, and backup of directory information. The LDAP server may be part of a federated network of servers that provides a coordinated view of a federated directory database in accordance with the rules of the LDAP protocols.
The LDAP client utilizes the LDAP protocol to make queries to an LDAP server. The LDAP server maintains a database and responds to these queries based on the contents of this database.
The following transactions are used to provide communications between actors in accordance with one or more of the DICOM Configuration protocols.
This transaction changes the configuration on a DHCP server to reflect additions, deletions, and changes to the IP parameters that have been established for this network.
This transaction is a sequence of network messages that comply with the rules of the DHCP protocol. It allows a DHCP client to find available DHCP servers and select the server appropriate for that client. This transaction obtains the mandatory IP parameter information from the DHCP server and obtains additional optional parameters from the DHCP server.
The service staff uses this transaction to set the initial configuration for a client.
This transaction deals with how the DHCP client should behave when its IP lease is not renewed.
This transaction documents whether the DHCP server is coordinating with a DNS server so that access to the DHCP client can be maintained using the hostname assigned to the DHCP client.
This transaction obtains the IP address for a computer when given a hostname.
These transactions are the activities needed for an NTP or SNTP client to maintain time synchronization with a master time service.
This transaction is the autodiscovery procedure defined for NTP. This may use either a broadcast method or a DHCP supported method.
In this transaction the DNS server is queried to obtain the IP address, port, and name of the LDAP server.
In this transaction the LDAP server is queried regarding contents of the LDAP database.
This transaction updates the configuration database using LDAP update instructions from the client being configured.
This transaction updates the configuration database using local services of the LDAP server.
Figure 7-1 shows the actors and their transactions. The usual device will have an NTP Client, DHCP Client, and LDAP client in addition to the other applications actors. The transactions "Configure DHCP Server", "Configure Client", and "Maintain LDAP Server" are not shown because these transactions are between a software actor and a human actor. DICOM does not specify the means or user interface. It only requires that certain capabilities be supported.
The Online Electronic Storage Secure Use Profile allows Application Entities to track and verify the status of SOP Instances in those cases where local security policies require tracking of the original Data Set and subsequent copies.
The Conformance Statement shall indicate in what manner the system restricts remote access.
An implementation that conforms to the Online Electronic Storage Secure Use Profile shall conform to the following rules regarding the use of the SOP Instance Status (0100,0410) Attribute with SOP Instances that are transferred using the Storage Service Class:
An Application Entity that supports the Online Electronic Storage Secure Use Profile and that creates a SOP Instance intended for diagnostic use in Online Electronic Storage shall:
The Application Entity that holds a SOP Instance where the SOP Instance Status is Original (OR) may change the SOP Instance Status to Authorized Original(AO) as long as the following rules are followed:
The Application Entity shall determine that an authorized entity has certified the SOP Instance as useable for diagnostic purposes.
The Application Entity shall change the SOP Instance Status to Authorized Original (AO). The SOP Instance UID shall not change.
The Application Entity shall set the SOP Authorization Date and Time (0100,0420) and Authorization Equipment Certification Number (0100,0426) Attributes to appropriate Values. It may also add an appropriate SOP Authorization Comment (0100,0424) Attribute.
There shall only be one Application Entity that holds a SOP Instance where the SOP Instance Status is Original (OR) or Authorized Original (AO). The Application Entity that holds such a SOP instance shall not delete it.
When communicating with an Application Entity that supports Online Electronic Storage the Application Entity that holds a SOP Instance where the SOP Instance Status is Original(OR) or Authorized Original(AO) may transfer that SOP Instance to another Application Entity that also conforms to the Online Electronic Storage Secure Use Profile as long as the following rules are followed:
The two Application Entities involved in the transfer shall authenticate each other and shall confirm via the authentication that the other supports the Online Electronic Storage Secure Use Profile.
The receiving Application Entity shall reject the storage request and discard the received SOP Instance if the data integrity checks done after the transfer indicate that the SOP Instance was altered during transmission.
The transfer shall be confirmed using the push model of the Storage Commitment Service Class. Until it has completed this confirmation, the receiving Application Entity shall not forward the SOP Instance or Authorized Copies of the SOP instance to any other Application Entity.
Once confirmed that the receiving Application Entity has successfully committed the SOP Instance to storage, the sending Application Entity shall do one of the following to its local copy of the SOP Instance:
When communicating with an Application Entity that supports Online Electronic Storage an Application Entity that holds a SOP Instance whose SOP Instance Status is Authorized Original (AO) or Authorized Copy (AC) may send an Authorized Copy of the SOP Instance to another Application Entity as long as the following rules are followed:
The two Application Entities involved in the transfer shall authenticate each other, and shall confirm via the authentication that the other supports the Online Electronic Storage Secure Use Profile.
The sending Application Entity shall set the SOP Instance Status to either Not Specified (NS) or Authorized Copy (AC) in the copy sent. The SOP Instance UID shall not change.
The receiving Application Entity shall reject the storage request and discard the copy if data integrity checks done after the transfer indicate that the SOP Instance was altered during transmission.
If communicating with a system that does not support the Online Electronic Storage Secure Use Profile, or if communication is not done over a Secure Transport Connection, then
A sending Application Entity that conforms to this Security Profile shall either set the SOP Instance Status to Not Specified (NS), or leave out the SOP Instance Status and associated parameters of any SOP Instances that the sending Application Entity sends out over the unsecured Transport Connection or to systems that do not support the Online Electronic Storage Secure Use Profile.
A receiving Application Entity that conforms to this Security Profile shall set the SOP Instance Status to Not Specified (NS) of any SOP Instance received over the unsecured Transport Connection or from systems that do not support the Online Electronic Storage Secure Use Profile.
The receiving Application Entity shall store SOP Instances in accordance with Storage Level 2 (Full) as defined in the Storage Service Class (i.e., all Attributes, including Private Attributes), as required by the Storage Commitment Storage Service Class, and shall not coerce any Attribute other than SOP Instance Status, SOP Authorization Date and Time, Authorization Equipment Certification Number, and SOP Authorization Comment.
Other than changes to the SOP Instance Status, SOP Authorization Date and Time, Authorization Equipment Certification Number, and SOP Authorization Comment Attributes, as outlined above, or changes to group length Attributes to accommodate the aforementioned changes, the Application Entity shall not change any Attribute Values.
An implementation that validates and generates Digital Signatures may claim conformance to the Basic Digital Signatures Secure Use Profile. Any implementation that claims conformance to this Security Profile shall obey the following rules in handling Digital Signatures:
The implementation shall store any SOP Instances that it receives in such a way that it guards against any unauthorized tampering of the SOP Instance.
Wherever possible, the implementation shall validate the Digital Signatures within any SOP Instance that it receives.
If the implementation sends the SOP Instance to another Application Entity, it shall do the following:
remove any Digital Signatures that may have become invalid due to any allowed variations to the format of Attribute Values (e.g., trimming of padding, alternate representations of numbers),
generate one or more new Digital Signatures covering the Data Elements that the implementation was able to verify when the SOP Instance was received.
An implementation that stores and forwards SOP Instances may claim conformance to the Bit-Preserving Digital Signatures Secure Use Profile. Any implementation that claims conformance to this Security Profile shall obey the following rules in handling Digital Signatures:
The implementation shall store any SOP Instances that it receives in such a way that when the SOP instance is forwarded to another Application Entity, the Value fields of all Attributes are bit-for-bit duplicates of the fields originally received.
The implementation shall not change the order of Items in a Sequence.
The implementation shall not remove or change any Data Element of any SOP Instance that it receives when sending that SOP Instance on to another Application Entity via DICOM. This includes any Digital Signatures received.
The implementation shall utilize an explicit VR Transfer Syntax.
The implementation shall not change the VR of any Data Element that it receives when it transmits that object to another Application Entity.
Any implementation that claims conformance to this Security Profile shall obey the following rules when creating a Structured Report or Key Object Selection Document that includes Digital Signatures:
When the implementation signs a Structured Report or Key Object Selection Document SOP Instance the Digital Signatures shall be created in accordance with the Structured Report RSA Digital Signature Profile.
In every signed Structured Report or Key Object Selection Document SOP Instance created, all referenced SOP Instances listed in the Referenced SOP Sequence Items of the Current Requested Procedure Evidence Sequence (0040,A375) and Pertinent Other Evidence Sequence (0040,A385)shall include either a Referenced Digital Signature Sequence or a Referenced SOP Instance MAC Sequence. The references may include both.
The implementation claiming conformance shall outline in its conformance statement the conditions under which it will either sign or not sign a Structured Report or Key Object Selection Document.
To help assure healthcare privacy and security in automated systems, usage data need to be collected. These data will be reviewed by administrative staff to verify that healthcare data is being used in accordance with the healthcare provider's data security requirements and to establish accountability for data use. This data collection and review process is called security auditing and the data itself comprises the audit trail. Audit trails can be used for surveillance purposes to detect when interesting events might be happening that warrant further investigation.
This profile defines the format of the data to be collected and the minimum set of attributes to be captured by healthcare application systems for subsequent use by a review application. The data includes records of who accessed healthcare data, when, for what action, from where, and which patients' records were involved. No behavioral requirements are specified for when audit messages are generated, or for what action should be taken on their receipt. These are subject to local policy decisions and legal requirements.
Any implementation that claims conformance to this Security Profile shall:
format audit trail messages in accordance with the XML schema specified in Section A.5.1 in a fashion that allows those messages to be validated against that XML schema, following the general conventions specified in Section A.5.2.
for the events described in this Profile comply with the restrictions specified by this Profile in Section A.5.3, and describe in its conformance statement any extensions.
describe in its conformance statement the events that it can detect and report,
describe in its conformance statement the processing it can perform upon receipt of a message
describe in its conformance statement how event reporting and processing can be configured
Implementations claiming conformance to this profile shall use the following XML schema to format audit trail messages. This schema is derived from the schema specified in [RFC 3881], according to W3C Recommendation "XML Schema Part 1: Structures," version 1.0, May 2001, and incorporates the DICOM extensions and restrictions outlined in Section A.5.2.
This schema is provided in Relax NG Compact format.
This schema can be converted into an equivalent XML schema or other electronic format. It includes some modifications to the [RFC 3881] schema that reflect field experience with audit message requirements. It extends the [RFC 3881] schema.
The following is the content of the audit schema:
datatypes xsd = "http://www.w3.org/2001/XMLSchema-datatypes" # This defines the coded value type. The comment shows a pattern that can be used to further # constrain the token to limit it to the format of an OID. Not all schema software # implementations support the pattern option for tokens. other-csd-attributes = (attribute codeSystemName { token } | # OID pattern="[0-2]((\.0)|(\.[1-9][0-9]*))*" attribute codeSystemName { token }), # This makes clear that codeSystemName is # either an OID or String attribute displayName { token }?, attribute originalText { token } # Note: this also corresponds to DICOM "Code Meaning" CodedValueType = attribute csd-code { token }, other-csd-attributes # Define the event identification, used later EventIdentificationContents = element EventID { CodedValueType }, element EventTypeCode { CodedValueType }*, # Note: DICOM/IHE defines and uses this # differently than RFC-3881 attribute EventActionCode { # Optional action code "C" | ## Create "R" | ## Read "U" | ## Update "D" | ## Delete "E" ## Execute }?, attribute EventDateTime { xsd:dateTime }, attribute EventOutcomeIndicator { "0" | ## Nominal Success (use if status otherwise unknown or ambiguous) "4" | ## Minor failure (per reporting application definition) "8" | ## Serious failure (per reporting application definition) "12" ## Major failure, (reporting application now unavailable) }, element EventOutcomeDescription { text }? # Define AuditSourceIdentification, used later AuditSourceIdentificationContents = attribute AuditEnterpriseSiteID { token }?, attribute AuditSourceID { token }, element AuditSourceTypeCode { AuditSourceTypeCodeContent }* # Define AuditSourceTypeCodeContent so that an isolated single digit # value is acceptable, or a token with other csd attributes so that # any controlled terminology can also be used. AuditSourceTypeCodeContent = attribute csd-code { "1" | ## End-user display device, diagnostic device "2" | ## Data acquisition device or instrument "3" | ## Web Server process or thread "4" | ## Application Server process or thread "5" | ## Database Server process or thread "6" | ## Security server, e.g., a domain controller "7" | ## ISO level 1-3 network component "8" | ## ISO level 4-6 operating software "9" | ## other token }, ## other values are allowed if a codeSystemName is present other-csd-attributes? ## If these are present, they define the meaning of code # Define ActiveParticipantType, used later ActiveParticipantContents = element RoleIDCode { CodedValueType }*, element MediaIdentifier { element MediaType { CodedValueType } }?, attribute UserID { text }, attribute AlternativeUserID { text }?, attribute UserName { text }?, attribute UserIsRequestor { xsd:boolean }, attribute NetworkAccessPointID { token }?, attribute NetworkAccessPointTypeCode { "1" | ## Machine Name, including DNS name "2" | ## IP Address "3" | ## Telephone Number "4" | ## Email address "5" }? ## URI (user directory, HTTP-PUT, ftp, etc.) # The BinaryValuePair is used in ParticipantObject descriptions to capture parameters. # All values (even those that are normally plain text) are encoded as xsd:base64Binary. # This is to preserve details of encoding (e.g., nulls) and to protect against text # contents that contain XML fragments. These are known attack points against applications, # so security logs can be expected to need to capture them without modification by the # audit encoding process. ValuePair = # clarify the name attribute type { token }, attribute value { xsd:base64Binary } # used to encode potentially binary, malformed XML text, etc. # Define ParticipantObjectIdentification, used later # Participant Object Description, used later DICOMObjectDescriptionContents = element MPPS { attribute UID { token } # OID pattern="[0-2]((\.0)|(\.[1-9][0-9]*))*" }*, element Accession { attribute Number { token } }*, element SOPClass { # SOP class for one study element Instance { attribute UID { token } # OID pattern="[0-2]((\.0)|(\.[1-9][0-9]*))*" }*, attribute UID { token }?, # OID pattern="[0-2]((\.0)|(\.[1-9][0-9]*))*" attribute NumberOfInstances { xsd:integer } }*, element ParticipantObjectContainsStudy { element StudyIDs { attribute UID { token } }* }?, element Encrypted { xsd:boolean }?, element Anonymized { xsd:boolean }? ParticipantObjectIdentificationContents = element ParticipantObjectIDTypeCode { CodedValueType }, (element ParticipantObjectName { token } | # either a name or element ParticipantObjectQuery { xsd:base64Binary }), # a query ID field, element ParticipantObjectDetail { ValuePair }*, # optional details, these can be extensive # and large element ParticipantObjectDescription { DICOMObjectDescriptionContents }*, attribute ParticipantObjectID { token }, # mandatory ID attribute ParticipantObjectTypeCode { # optional type "1" | ## Person "2" | ## System object "3" | ## Organization "4" ## Other }?, attribute ParticipantObjectTypeCodeRole { ## optional role "1" | ## Patient "2" | ## Location "3" | ## Report "4" | ## Resource "5" | ## Master File "6" | ## User "7" | ## List "8" | ## Doctor "9" | ## Subscriber "10" | ## Guarantor "11" | ## Security User Entity "12" | ## Security User Group "13" | ## Security Resource "14" | ## Security Granularity Definition "15" | ## Provider "16" | ## Data Destination "17" | ## Data Archive "18" | ## Schedule "19" | ## Customer "20" | ## Job "21" | ## Job Stream "22" | ## Table "23" | ## Routing Criteria "24" | ## Query "25" | ## Data Source "26" ## Processing Element }?, attribute ParticipantObjectDataLifeCycle { # optional life cycle stage "1" | ## Origination, Creation "2" | ## Import/ Copy "3" | ## Amendment "4" | ## Verification "5" | ## Translation "6" | ## Access/Use "7" | ## De-identification "8" | ## Aggregation, summarization, derivation "9" | ## Report "10" | ## Export "11" | ## Disclosure "12" | ## Receipt of Disclosure "13" | ## Archiving "14" | ## Logical deletion "15" }?, ## Permanent erasure, physical destruction attribute ParticipantObjectSensitivity { token }? # The basic message message = element AuditMessage { (element EventIdentification { EventIdentificationContents }, # The event must be identified element ActiveParticipant { ActiveParticipantContents }+, # It has one or more active # participants element AuditSourceIdentification { # It is reported by one source AuditSourceIdentificationContents }, element ParticipantObjectIdentification { # It may have other objects involved ParticipantObjectIdentificationContents }*) } # And finally the magic statement that message is the root of everything. start = message
The following value sets are defined in the audit schema above. These are not coded terminology. They are values whose meaning depends upon their use at the proper location within the message.
The Audit Source Type Code values specify the type of source where an event originated. Codes from coded terminologies and implementation defined codes can also be used for the AuditSourceTypeCode.
The Participant Object Type Code Role is an attribute of the ParticipantObjectIdentification, and is not extensible. This attribute may be omitted or one of the following values assigned. Coded terminologies are not supported.
The Participant Object Data Life Cycle is an attribute of the ParticipantObjectIdentification, and is not extensible. This attribute may be omitted or one of the following values assigned. Coded terminologies are not supported.
The following table lists the primary fields from the message schema specified in A.5.1, with additional instructions, conventions, and restrictions on how DICOM applications shall fill in the field values. The field names are leaf elements and attributes that are in the DICOM Audit Message Schema (see Section A.5.1). Note that these fields may be enclosed in other XML elements, as specified by the schema.
This schema, codes, and content were originally derived from [RFC 3881]. [RFC 3881] is not being maintained or updated by the IETF, and has gradually diverged from the DICOM schema and codes. Other documents exist that refer to [RFC 3881] as the underlying standard. [RFC 3881] does not include corrections and additions to the audit schema made in DICOM since 2004.
In subsequent tables the following notation Is used for optionality:
Table A.5.2-1. General Message Format
The identifier for the family of event. E.g., "User Authentication". |
||||
Indicator for type of action performed during the event that generated the audit. |
||||
Universal coordinated time (UTC), i.e., a date/time specification that is unambiguous as to local time zones. |
The time at which the audited event occurred.See Section A.5.2.5 |
|||
When a particular event has some aspects that succeeded and some that failed, then one message shall be generated for successful actions and one message for the failed actions (i.e., not a single message with mixed results). |
||||
The specific type(s) within the family applicable to the event, e.g., "User Login". |
||||
Unique identifier for the user actively participating in the event. |
See Section A.5.2.1. |
|||
See Section A.5.2.2. |
||||
See Section A.5.2.3. |
||||
Indicator that the user is or is not the requestor, or initiator, for the event being audited. |
Used to identify which of the participants initiated the transaction being audited. If the audit source cannot determine which of the participants is the requestor, then the field shall be present with the value FALSE in all participants. The system shall not identify multiple participants as UserIsRequestor. If there are several known requestors, the reporting system shall pick only one as UserIsRequestor. |
|||
Specification of the role(s) the user plays when performing the event, as assigned in role-based access control security. |
||||
See Section A.5.2.4. |
||||
An identifier for the network access point of the user device This could be a device id, IP address, or some other identifier associated with a device. |
||||
Logical source location within the healthcare enterprise network, e.g., a hospital or other provider location within a multi-entity provider group. |
Serves to further qualify the Audit Source ID, since Audit Source ID is not required to be globally unique. |
|||
The identification of the system that detected the auditable event and created this audit message. Although often the audit source is one of the participants, it could also be an external system that is monitoring the activities of the participants (e.g., an add-on audit-generating device). |
||||
See Section A.5.1.2.1. E.g., an acquisition device might use "2" (data acquisition device), a PACS/RIS system might use "4 "(application server process). |
||||
Code for the participant object type being audited. This value is distinct from the user's role or any user relationship to the participant object. |
||||
Code representing the functional application role of Participant Object being audited. |
See Section A.5.1.2.2. |
|||
Identifier for the data life-cycle stage for the participant object. This can be used to provide an audit trail for data, over time, as it passes through the system. |
See Section A.5.1.2.3. |
|||
Describes the identifier that is contained in Participant Object ID. |
See Section A.5.1.2.4 and CID 404 “Audit Participant Object ID Type Code” |
|||
Denotes policy-defined sensitivity for the Participant Object ID such as VIP, HIV status, mental health status, or similar topics. |
||||
An instance-specific descriptor of the Participant Object ID audited, such as a person's name. |
||||
Implementation-defined data about specific details of the object accessed or used. |
This element is a Type-value pair. The "type" attribute is an implementation-defined text string. The "value" attribute is base 64 encoded data. The value is suitable for conveying binary data. |
|||
The UIDs of SOP classes referred to in this participant object. Required if ParticipantObjectIDTypeCode is (110180, DCM, "Study Instance UID") and any of the optional fields (AccessionNumber, ContainsMPPS, NumberOfInstances, ContainsSOPInstances,Encrypted,Anonymized) are present in this Participant Object. May be present if ParticipantObjectIDTypeCode is (110180, DCM, "Study Instance UID") even though none of the optional fields are present. |
||||
An Accession Number(s) associated with this participant object. |
||||
An MPPS Instance UID(s) associated with this participant object. |
||||
The number of SOP Instances referred to by this participant object. |
||||
A single value of True or False indicating whether or not the data was encrypted. |
||||
A single value of True or False indicating whether or not all patient identifying information was removed from the data |
||||
A Study Instance UID, which may be used when the ParticipantObjectIDTypeCode is not (110180, DCM, "Study Instance UID"). |
If the participant is a person, then the User ID shall be the identifier used for that person on this particular system, in the form of loginName@domain-name.
If the participant is an identifiable process, the UserID selected shall be one of the identifiers used in the internal system logs. For example, the User ID may be the process ID as used within the local operating system in the local system logs. If the participant is a node, then User ID may be the node name assigned by the system administrator. Other participants such as threads, relocatable processes, web service end-points, web server dispatchable threads, etc. will have an appropriate identifier. The implementation shall document in the conformance statement the identifiers used, see Section A.6. The purpose of this requirement is to allow matching of the audit log identifiers with internal system logs on the reporting systems. .
When importing or exporting data, e.g., by means of media, the UserID field is used both to identify people and to identify the media itself. When the Role ID Code is EV(110154, DCM, "Destination Media") or EV(110155, DCM, "Source Media"), the UserID may be:
a URI (the preferred form) identifying the source or destination,
a description of the media type (e.g., DVD) together with a description of its identifying label, as a free text field,
a description of the media type (e.g., paper, film) together with a description of the location of the media creator (i.e., the printer).
The UserID field for Media needs to be highly flexible given the large variety of media and transports that might be used.
If the participant is a person, then Alternative User ID shall be the identifier used for that person within an enterprise for authentication purposes, for example, a Kerberos Username (user@realm). If the participant is a DICOM application, then Alternative User ID shall be one or more of the AE Titles that participated in the event. Multiple AE titles shall be encoded as:
When importing or exporting data, e.g., by means of media, the Alternative UserID field is used either to identify people or to identify the media itself. When the Role ID Code is (110154, DCM, "Destination Media") or (110155, DCM, "Source Media"), the Alternative UserID may be any machine readable identifications on the media, such as media serial number, volume label, or DICOMDIR SOP Instance UID.
A human readable identification of the participant. If the participant is a person, the person's name shall be used. If the participant is a process, then the process name shall be used.
The NetworkAccessPointTypeCode and NetworkAccessPointID can be ambiguous for systems that have multiple physical network connections. For these multi-homed nodes a single DNS name or IP address shall be selected and used when reporting audit events. DICOM does not require the use of a specific method for selecting the network connection to be used for identification, but it must be the same for all of the audit messages generated for events on that node.
The EventDateTime is the date and time that the event being reported took place. Some events have a significant duration. In these cases, a date and time shall be chosen by a method that is consistent and appropriate for the event being reported.
The EventDateTime shall include the time zone information.
Creators of audit messages may support leap-seconds, but are not required to. Recipients of audit messages shall be able to process messages with leap-second information.
The ParticipantObjectTypeCodeRole identifies the role that the object played in the event that is being reported. Most events involve multiple participating objects. ParticipantObjectTypeCodeRole identifies which object took which role in the event. It also covers agents, multi-purpose entities, and multi-role entities. For the purpose of the event one primary role is chosen.
Table A.5.2.6-1. ParticipantObjectTypeCodeRole
The following subsections define message specializations for use by implementations that claim conformance to the DICOM Audit Trail Profile. Any field (i.e., XML element and associated attributes) not specifically mentioned in the following tables shall follow the conventions specified in Section A.5.1 and Section A.5.2.
An implementation claiming conformance to this Profile that reports an activity covered by one of the audit messages defined by this Profile shall use the message format defined in this Profile. However, a system claiming conformance to this Profile is not required to send a message each time the activity reported by that audit message occurs. It is expected that the triggering of audit messages would be configurable on an individual basis, to be able to balance network load versus the severity of threats, in accordance with local security policies.
It is a system design issue outside the scope of DICOM as to what entity actually sends an audit event and when. For example, a Query message could be generated by the entity where the query originated, by the entity that eventually would respond to the query, or by a monitoring entity not directly involved with the query, but that generates audit messages based on monitored network traffic.
To report events that are similar to the events described here, these definitions can be used as the basis for extending the schema.
In the subsequent tables, the information entity column indicates the relationship between real world entities and the information elements encoded into the message.
This audit message describes the event of an Application Entity starting or stopping. This is closely related to the more general case of any kind of application startup or shutdown, and may be suitable for those purposes also.
Table A.5.3.1-1. Application Activity Message
This message describes the event of a person or process reading a log of audit trail information.
For example, an implementation that maintains a local cache of audit information that has not been transferred to a central collection point might generate this message if its local cache were accessed by a user.
Table A.5.3.2-1. Audit Log Used Message
Persons and or processes that started the Application (1..2) |
The person or process accessing the audit trail. If both are known, then two active participants shall be included (both the person and the process). |
||
See Section A.5.2 |
|||
See Section A.5.2 |
|||
See Section A.5.2 |
|||
See Section A.5.2 |
|||
See Section A.5.2 |
|||
See Section A.5.2 |
|||
See Section A.5.2 |
This message describes the event of a system beginning to transfer a set of DICOM instances from one node to another node within control of the system's security domain. This message may only include information about a single patient.
A separate Instances Transferred message is defined for transfer completion, allowing comparison of what was intended to be sent and what was actually sent.
Table A.5.3.3-1. Audit Message for Begin Transferring DICOM Instances
This message describes the event of exporting data from a system, meaning that the data is leaving control of the system's security domain. Examples of exporting include printing to paper, recording on film, conversion to another format for storage in an EHR, writing to removable media, or sending via e-mail. Multiple patients may be described in one event message.
Table A.5.3.4-1. Audit Message for Data Export
The identity of the remote user or process receiving the data |
|||
The identity of the local user or process exporting the data. If both are known, then two active participants shall be included (both the person and the process). |
|||
See Section A.5.2.1 |
|||
See Section A.5.2.2 |
|||
Required if being exported to other than physical media, e.g., to a network destination rather than to film, paper or CD. May be present otherwise. |
|||
Required if Net Access Point Type Code is present. May be present otherwise. |
|||
Values selected from DCID 405 “Media Type Code” |
|||
See Table A.5.2-1 |
|||
This message describes the event of importing data into an organization, implying that the data now entering the system was not under the control of the security domain of this organization. Transfer by media within an organization is often considered a data transfer rather than a data import event. An example of importing is creating new local instances from data on removable media. Multiple patients may be described in one event message.
A single user (either local or remote) shall be identified as the requestor, i.e., UserIsRequestor with a value of TRUE. This accommodates both push and pull transfer models for media.
Table A.5.3.5-1. Audit Message for Data Import
The identity of the local user or process importing the data. |
|||
See Section A.5.3.5 |
|||
See Section A.5.2.1 |
|||
See Section A.5.2.2 |
|||
Values selected from DCID 405 “Media Type Code” |
|||
See Section A.5.2.1 |
|||
See Section A.5.2.2 |
|||
See Section A.5.3.5 |
|||
See Table A.5.2-1 |
|||
This message describes the event of DICOM SOP Instances being viewed, utilized, updated, or deleted. This message shall only include information about a single patient and can be used to summarize all activity for several studies for that patient. This message records the studies to which the instances belong, not the individual instances.
If all instances within a study are deleted, then the EV(110105, DCM, "DICOM Study Deleted") event shall be used, see Section A.5.3.8.
Table A.5.3.6-1. Audit Message for DICOM Instances Accessed
See Table A.5.2-1 |
|||
This message describes the event of the completion of transferring DICOM SOP Instances between two Application Entities. This message may only include information about a single patient.
This message may have been preceded by a Begin Transferring Instances message. The Begin Transferring Instances message conveys the intent to store SOP Instances, while the Instances Transferred message records the completion of the transfer. Any disagreement between the two messages might indicate a potential security breach.
Table A.5.3.7-1. Audit Message for DICOM Instances Transferred
C = (create) if the receiver did not hold copies of the instances transferred R = (read) if the receiver already holds copies of the SOP Instances transferred, and has determined that no changes are needed to the copies held. U = (update) if the receiver is altering its held copies to reconcile differences between the held copies and the received copies. If the Audit Source is either not the receiver, or otherwise does not know whether or not the instances previously were held by the receiving node, then use "R" = (Read). |
|||
Other participants that are known, especially third parties that are the requestor (0..N) |
|||
See Table A.5.2-1 |
|||
This message describes the event of deletion of one or more studies and all associated SOP Instances in a single action. This message shall only include information about a single patient.
This message describes the event of a system, such as a mobile device, intentionally entering or leaving the network.
The machine should attempt to send this message prior to detaching. If this is not possible, it should retain the message in a local buffer so that it can be sent later. The mobile machine can then capture audit messages in a local buffer while it is outside the secure domain. When it is reconnected to the secure domain, it can send the detach message (if buffered), followed by the buffered messages, followed by a mobile machine message for rejoining the secure domain. The timestamps on these messages is the time that the event was noticed to have occurred, not the time that the message is sent.
This message describes the event of a Query being issued or received. The message does not record the response to the query, but merely records the fact that a query was issued. For example, this would report queries using the DICOM SOP Classes:
The response to a query may result in one or more Instances Transferred or Instances Accessed messages, depending on what events transpire after the query. If there were security-related failures, such as access violations, when processing a query, those failures should show up in other audit messages, such as a Security Alert message.
Non-DICOM queries may also be captured by this message. The Participant Object ID Type Code, the Participant Object ID, and the Query fields may have values related to such non-DICOM queries.
Table A.5.3.10-1. Audit Message for Query
Other Participants that are known, especially third parties that requested the query (0..N) |
|||
If the ParticipantObjectIDTypeCode is (110181, DCM, "SOP Class UID"), then this field shall hold the UID of the SOP Class being queried |
|||
If the ParticipantObjectIDTypeCode is (110181, DCM, "SOP Class UID"), then this field shall hold the Dataset of the DICOM query, xs:base64Binary encoded. Otherwise, it shall be the query in the format of the protocol used. |
|||
Required if the ParticipantObjectIDTypeCode is (110181, DCM, "SOP Class UID") A ParticipantObjectDetail element with the XML attribute "TransferSyntax" shall be present. The value of the Transfer Syntax attribute shall be the UID of the transfer syntax of the query. The element contents shall be xs:base64Binary encoding. The Transfer Syntax shall be a DICOM Transfer Syntax. |
|||
See Table A.5.2-1 |
|||
This message describes any event for which a node needs to report a security alert, e.g., a node authentication failure when establishing a secure communications channel.
The Node Authentication event can be used to report both successes and failures. If reporting of success is done, this could generate a very large number of audit messages, since every authenticated DICOM association, HL7 transaction, and HTML connection should result in a successful node authentication. It is expected that in most situations only the failures will be reported.
Table A.5.3.11-1. Audit Message for Security Alert
Success implies an informative alert. The other failure values imply warning codes that indicate the severity of the alert. A Minor or Serious failure indicates that mitigation efforts were effective in maintaining system security. A Major failure indicates that mitigation efforts may not have been effective, and that the security system may have been compromised. |
|||
Values selected from DCID 403 “Security Alert Type Code”. |
|||
For a ParticipantObjectIDTypeCode of 12 = URI, then this value shall be the URI of the file or other resource that is the subject of the alert. For a ParticipantObjectIDTypeCode of (110182, DCM, "Node ID") then the value shall include the identity of the node that is the subject of the alert either in the form of node_name@domain_name or as an IP address. Otherwise, the value shall be an identifier of the type specified by ParticipantObjectIDTypeCode of the subject of the alert. |
|||
An element with the Attribute "type" equal to "Alert Description" shall be present with a free text description of the nature of the alert as the value |
|||
See Table A.5.2-1 |
|||
This message describes the event that a user has attempted to log on or log off. This report can be made regardless of whether the attempt was successful or not. No Participant Objects are needed for this message.
The user usually has UserIsRequestor TRUE, but in the case of a logout timer, the Node might be the UserIsRequestor.
This message describes the event of an order being created, modified, accessed, or deleted. This message may only include information about a single patient.
An order record typically is managed by a non-DICOM system. However, DICOM applications often manipulate order records, and thus may be obligated by site security policies to record such events in the audit logs.
Table A.5.3.13-1. Audit Message for Order Record
This message describes the event of a patient record being created, modified, accessed, or deleted.
There are several types of patient records managed by both DICOM and non-DICOM system. DICOM applications often manipulate patient records managed by a variety of systems, and thus may be obligated by site security policies to record such events in the audit logs. This audit event can be used to record the access or manipulation of patient records where specific DICOM SOP Instances are not involved.
Table A.5.3.14-1. Audit Message for Patient Record
This message describes the event of a procedure record being created, accessed, modified, accessed, or deleted. This message may only include information about a single patient.
DICOM applications often manipulate procedure records, e.g. with MPPS update. Modality Worklist query events are described by the Query event message.
The same accession number may appear with several order numbers. The Study participant fields or the entire message may be repeated to capture such many to many relationships.
Table A.5.3.15-1. Audit Message for Procedure Record
This profile defines the transmission of audit trail messages. [RFC 5425] provides the mechanisms for reliable transport, buffering, acknowledgement, authentication, identification, and encryption. [RFC 5424] states that the TLS used MUST be TLS version 1.2. For this DICOM profile TLS MUST be used, and version 1.2 or later is RECOMMENDED.
The words MUST and RECOMMENDED are used in accordance with the IETF specification for normative requirements.
Any implementation that claims conformance to this profile shall also conform to the Audit Trail Message Format Profile. XML audit trail messages created using the format defined in Audit Trail Message Format Profile shall be transmitted to a collection point using the syslog over TLS mechanism, defined in [RFC 5425]. Systems that comply with this profile shall support message sizes of at least 32768 octets.
Audit messages for other purposes may also be transferred on the same syslog connection. These messages might not conform to the Audit Trail Message Format.
[RFC 5425] specifies mandatory support for 2KB messages, strongly recommends support for at least 8KB, and does not restrict the maximum size.
When a received message is longer than the receiving application supports, the message might be discarded or truncated. The sending application will not be notified.
The XML audit trail message shall be inserted into the MSG portion of the SYSLOG-MSG element of the syslog message as defined in [RFC 5424]. The XML audit message may contain Unicode characters that are encoded using the UTF-8 encoding rules.
UTF-8 avoids utilizing the control characters that are reserved by the syslog protocol, but a system that is not prepared for UTF-8 may not be able to display these messages correctly.
The PRI field shall be set using the facility value of 10 (security/authorization messages). Most messages should have the severity value of 5 (normal but significant), although applications may choose other values if that is appropriate to the more detailed information in the audit message. This means that for most audit messages the PRI field will contain the value "<85>".
The MSGID field in the HEADER of the SYSLOG-MSG shall be set. The value "DICOM+RFC3881" may be used for messages that comply with this profile.
The MSG field of the SYSLOG-MSG shall be present and shall be an XML structure following the DICOM Audit Message Schema (see Section A.5.1).
The syslog message shall be created and transmitted as described in [RFC 5424].
Any implementation that claims conformance to this Security Profile shall describe in its conformance statement:
any configuration parameters relevant to [RFC 5424] and [RFC 5425].
Any implementation schema or message element extensions for the audit messages.
This profile defines the transmission of audit trail messages. [RFC 5426] provides the mechanisms for rapid transport of audit messages. It is the standardized successor to the informative standard [RFC 3164], which is widely used in a variety of settings.
The syslog port number shall be configurable, with the port number (514) as the default.
The underlying UDP transport might not accept messages longer than the MTU size minus the UDP header length. This may result in longer syslog messages being truncated. When these messages are truncated the resulting XML may be incorrect. Because of this potential for truncated messages and other security concerns, the transmission of syslog messages over TLS may be preferred (see Section A.6).
The PRI field shall be set using the facility value of 10 (security/authorization messages). Most messages should have the severity value of 5 (normal but significant), although applications may choose values of 4 (warning condition) if that is appropriate to the more detailed information in the audit message. This means that for most audit messages the PRI field will contain the value "<85>". Audit repositories shall be prepared to deal appropriately with any incoming PRI value.
The MSGID field in the HEADER of the SYSLOG-MSG shall be set. The value "DICOM+RFC3881" may be used for messages that comply with this profile.
The MSG field of the SYSLOG-MSG shall be present and shall be an XML structure following the DICOM Audit Message Schema (see Section A.5.1).
The syslog message shall be created and transmitted as described in [RFC 5424].
Any implementation that claims conformance to this Security Profile shall describe in its conformance statement:
any configuration parameters relevant to [RFC 5424] and [RFC 5426].
Any implementation schema or message element extensions for the audit messages.
Retired. See PS3.3-2018a.
Retired. See PS3.3-2018a.
Retired. See PS3.3-2018a.
An implementation that supports the Basic User Identity Association profile shall accept the User Identity association negotiation sub-item, for User-Identity-Type of 1 or 2. It need not verify the passcode. If a positive response is requested, the implementation shall respond with the association response sub-item.
The user identity from the Primary-field shall be used within the implementation as the user identification. Such uses include recording user identification in audit messages.
Table B.4-1. Minimum Mechanisms for DICOM Association Negotiation Features - Basic User Identity Association Profile
An implementation that supports the User Identity plus Passcode Association Profile shall send/accept the User Identity association negotiation sub-item, for User-Identity-Type of 2. If a positive response is requested, the association acceptor implementation shall respond with the association response sub-item. The passcode information shall be made available to internal or external authentication systems. The user identity shall be authenticated by means of the passcode and the authentication system. If the authentication fails, the association shall be rejected.
The user identity from the Primary-field shall be used within the implementation as the user identification. Such uses include recording user identification in audit messages.
Table B.5-1. User Identity Plus Passcode Association Profile - Minimum Mechanisms for DICOM Association Negotiation Features
An implementation that supports the Kerberos Identity Negotiation Association Profile shall send/accept the User Identity association negotiation sub-item, for User-Identity-Type of 3. If a positive response is requested, the association acceptor implementation shall respond with the association response sub-item containing a Kerberos server ticket. The Kerberos server ticket information shall be made available to internal or external Kerberos authentication systems. The user identity shall be authenticated by means of the Kerberos authentication system. If the authentication fails, the association shall be rejected.
The user identity from the Primary-field shall be used within the implementation as the user identification. Such uses include recording user identification in audit messages.
Table B.6-1. Kerberos Identity Negotiation Association Profile - Minimum Mechanisms for DICOM Association Negotiation Features
An implementation that supports the Generic SAML Assertion Identity Negotiation Association Profile shall send/accept the User Identity association negotiation sub-item, for User-Identity-Type of 4. If a positive response is requested, the association acceptor implementation shall respond with the association response sub-item containing a SAML response. The SAML Assertion information shall be made available to internal or external authentication systems. The user identity shall be authenticated by means of an authentication system that employs SAML Assertions. If the authentication fails, the association shall be rejected.
The user identity from the Primary-field shall be used within the implementation as the user identification. Such uses include recording user identification in audit messages.
Table B.7-1. Generic SAML Assertion Identity Negotiation Association Profile - Minimum Mechanisms for DICOM Association Negotiation Features
When a DICOM File Set is sent over Email transport in compliance with this profile the following rules shall be followed:
The entire email (body, File Set attachment, and any other attachments) shall be encrypted using AES, in accordance with [RFC 3851] and [RFC 3853].
The email body and attachments may be compressed in accordance with [RFC 3851].
The email shall be digitally signed by the sender. The signing may be applied before or after encryption. This digital signature shall be interpreted to mean that the sender is attesting to his authorization to disclose the information in this email to the recipient.
The email signature is present to provide minimum sender information and to confirm the integrity of the email transmission (body contents, attachment, etc.). The email signature is separate from other signatures that may be present in DICOM reports and objects contained in the File set attached to the email. Those signatures are defined in terms of clinical uses. Any clinical content attestations shall be encoded as digital signatures in the DICOM SOP instances, not as the email signature. The email may be composed by someone who cannot make clinical attestations. Through the use of the email signature, the composer attests that he or she is authorized to transmit the data to the recipient.
This profile is separate from the underlying use of ZIP File or other File Set packaging over email.
Where private information is being conveyed, most country regulations require the use of encryption or equivalent protections. This Profile meets the most common requirements of regulations, but there may be additional local requirements. Additional requirements may include mandatory statements in the email body and prohibitions on contents of the email body to protect patient privacy.
Retired. See PS3.3-2022d.
Retired. See PS3.3-2022d.
Retired. See PS3.3-2022d.
An implementation that supports the BCP 195 RFC 8996, 9325 TLS Secure Transport Connection Profile shall utilize the framework and negotiation mechanism specified by the Transport Layer Security protocol. It shall comply with [BCP 195] which includes [RFC 8996], and [RFC 9325]. In the context of this profile, “client” refers to the entity initiating the TLS connection and “server” refers to the entity that is responding to that TLS connection initiation request. This may differ from the role that the entity might play in any DICOM transactions over the TLS connection.
A device may support multiple TLS profiles. DICOM does not specify how such devices are configured in the field or how different TLS profile-related rules are specified. The site will determine what configuration is appropriate.
The DICOM profiles for TLS describe the capabilities of a product. Product configuration may permit selection of a particular profile and/or additional negotiation rules. The specific cipher suite used is negotiated by the TLS implementation based on these rules.
Servers and clients shall support TLS 1.2 and may support TLS 1.3. Clients shall attempt to negotiate TLS 1.3 if it is supported. Servers shall prefer TLS 1.3 if offered by the client.
In cases where an application protocol allows implementations or deployments a choice between strict TLS configuration and dynamic upgrade from unencrypted to TLS-protected traffic (such as STARTTLS), clients and servers shall prefer strict TLS configuration.
Application protocols typically provide a way for the server to offer TLS during an initial protocol exchange, and sometimes also provide a way for the server to advertise suppor