Some DICOM deidentification toolkits pose privacy risk

2013 07 09 12 27 04 471 Dutch Flag 200

If you're using free DICOM toolkit software to deidentify patient personal health information (PHI) on images for clinical research purposes, a little caution may be in order. A team of Dutch researchers recently found very few of the toolkits they tested performed well using default settings.

In a study published online on 3 June in European Radiology, a group from the University Medical Center Groningen reported that only five of the 10 noncommercial DICOM toolkits they tested were able to successfully handle all deidentification tasks. Of these, four required detailed customization to achieve 100% success.

"Free DICOM toolkits should, therefore, be used with extreme care when deidentifying sensitive data since they have a high risk of disclosing personal health information, especially when using the default configuration," wrote the team led by Dr. Kadek Aryanto. "Four out of 10 tools are not recommended to be used in deidentifying DICOM data since they could cause serious threats to patient privacy."

Pseudonymization

For clinical analysis, processing research purposes, patient information stored in DICOM image headers is typically deidentified via a process of pseudonymization, which involves replacing identifying fields with one or more artificial identifiers. These identifiers could then later be used to track the real identity of the patient should it be needed to inform them of additional findings, according to the researchers.

To determine the effectiveness of noncommercial DICOM toolkits for removing patient PHI from the DICOM header, the Dutch researchers tested 10 toolkits: Conquest DICOM software, RSNA CTP, DICOM Library, DICOMworks, DVTK DICOM anonymizer, GDCM, K-Pacs, PixelMed DICOMCleaner, TudorDICOM, and Yakami DICOM tools. Each of these toolkits was assessed for their ability to deidentify 50 elements of a dummy DICOM file header.

After the toolkits first performed these tasks via their default settings, the researchers then defined customized settings in order to obtain the toolkits' best possible configuration for performing deidentification. These customized settings were then applied to again perform the deidentification tasks. During each of these two scenarios, the researchers examined any unchanged image header elements to determine if any identifying patient information remained.

Deidentification success rates under toolkit default settings:

  • DICOM Library: 100%
  • RSNA CTP: 98%
  • PixelMed DICOMCleaner: 64%
  • TudorDICOM: 62%
  • GDCM: 48%
  • DVTK DICOM anonymizer: 44%
  • Conquest DICOM: 26%
  • DICOMworks:18%
  • K-PACS: 10%
  • Yakami DICOM tools: 10%

"Only two out of 10 toolkits were able to give a success rate above 90% using the default setting, with all remaining tools performing at less than 65%, of which four even achieved success rates of 26% or less," the authors wrote.

Customization often helps

Fortunately, customization made a big difference in the performance of several toolkits. Using customized settings, the performance of RSNA CTP increased to 100%, while PixelMed DICOMCleaner (98%), TudorDICOM (100%), GDCM (100%), and Yakami DICOM tools (100%) saw big jumps. However, customization didn't help much with DVTK DICOM anonymizer, which only improved its success rate slightly from 44% to 48%, according to the group.

"Only five out of 10 selected free DICOMtoolkits could deidentify all of the defined DICOM elements properly with a 100% success rate," the authors wrote. "Four of them could only achieve this after improvement using advance settings with user controlled deidentification protocols."

The researchers noted that "in case optimal security is required, RSNA CTP is recommended for its high level of customization to perform deidentification to exactly meet the regulatory requirements."

Page 1 of 1264
Next Page