lunar (1) gdcmanon.1.gz

Provided by: libgdcm-tools_3.0.21-1_amd64 bug

NAME

       gdcmanon - Tool to anonymize a DICOM file.

SYNOPSIS

           gdcmanon [options] file-in file-out
           gdcmanon [options] dir-in  dir-out

DESCRIPTION

       The gdcmanon tool is an implementation of PS 3.15 / E.1 / Basic Application Level
       Confidentiality Profile (Implementation of E.1.1 De-identify & E.1.2 Re-identify)

       This tool is split into two very different operating mode:

       •   An implementation of PS 3.15, see -e and -d flags

       •   A dumb mode, see –dumb

       Dumb mode and PS 3.15 do not work well together, you should really only use one type of
       anonymization. In case of doubt, avoid using –dumb.

       In order to use the PS 3.15 implementation (-d & -e flag), you'll need a certificate to do
       de-identification operations, and the associated private key to do the re-identification
       operation. If you are only doing a one-shot anonymization and do not need to properly
       re-identify the DICOM file, you can safely discard the private key and only keep the
       certificate. See OpenSSL refsection below for an example on how to generate the private
       key/certificate pair.

       gdcmanon will exit early if OpenSSL was not configured/build properly into the library
       (see GDCM_USE_SYSTEM_OPENSSL in cmake).

PARAMETERS

           file-in   DICOM input filename

           file-out  DICOM output filename

       or

           file-in   DICOM input directory

           file-out  DICOM output directory

OPTIONS

       You need to specify at least one operating mode, from the following list (and only one):

   Required parameters
             -e --de-identify            De-identify DICOM (default)
             -d --re-identify            Re-identify DICOM
                --dumb                   Dumb mode anonymizer

       Warning when operating in dumb mode, you need to also specify an operation to do, such as
       'remove' or 'empty' a tag, see below the dumb mode options.

   specific options
             -i --input                  DICOM filename / directory
             -o --output                 DICOM filename / directory
             -r --recursive              recursively process (sub-)directories.
                --continue               Do not stop when file found is not DICOM.
                --root-uid               Root UID.
                --resources-path         Resources path.
             -k --key                    Path to RSA Private Key.
             -c --certificate            Path to Certificate.
             -p --password               Encryption passphrase.

   Crypto library options
                --crypto=
                      openssl            OpenSSL (default on non-Windows systems).
                      capi               Microsoft CryptoAPI (default on Windows systems).
                      openssl-p7         Old OpenSSL implementation.

   encryption options
                --des            DES.
                --des3           Triple DES.
                --aes128         AES 128.
                --aes192         AES 192.
                --aes256         AES 256.

   dumb mode options
                --empty   %d,%d           DICOM tag(s) to empty
                          %d,%d,%s        DICOM private tag(s) to empty
                --clear   %d,%d           DICOM tag(s) to clear
                          %d,%d,%s        DICOM private tag(s) to clear
                --remove  %d,%d           DICOM tag(s) to remove
                          %d,%d,%s        DICOM private tag(s) to remove
                --replace %d,%d=%s        DICOM tag(s) to replace
                          %d,%d,%s=%s     DICOM private tag(s) to replace

   general options
             -h   --help
                    print this help text and exit

             -v   --version
                    print version information and exit

             -V   --verbose
                    verbose mode (warning+error).

             -W   --warning
                    warning mode, print warning information

             -E   --error
                    error mode, print error information

             -D   --debug
                    debug mode, print debug information

   environment variable
             GDCM_ROOT_UID Root UID
             GDCM_RESOURCES_PATH path pointing to resources files (Part3.xml, ...)

TYPICAL USAGE

   De-identification (anonymization, encrypt)
       The only thing required for this operation is a certificate file (in PEM format).

           $ gdcmanon --certificate certificate.pem -e original.dcm original_anonymized.dcm

       You can use –asn1 option from gdcmdump to dump the generated DataSet as ASN1 structure
       (see gdcmdump(1) for example).

   Re-identification (de-anonymization,decrypt)
       The only thing required for this operation is a private key (in PEM format). It is
       required that the private key used for the re-identification process, was the actual
       private key used to generate the certificate file (certificate.pem) used during the
       de-identification step.

           $ gdcmanon --key privatekey.pem -d original_anonymized.dcm original_copy.dcm

       You can then check that original.dcm and original_copy.dcm are identical.

   Multiple files caveat
       It is very important to understand the following refsection, when anonymizing more than
       one single file. When anonymizing multiple DICOM files, you are required to use the
       directory input. You cannot call multiple time the gdcmanon command line tool. Indeed the
       tool stores in memory during the process only a hash table of conversion so that each time
       a particular value is found it get always replaced by the same de-identified value (think:
       consistent Series Instance UID).

   Dumb mode
       This functionality is not described in the DICOM standard. Users are advised that improper
       use of that mode is not recommended, meaning that important tag can be
       emptied/removed/replaced resulting in illegal/invalid DICOM file. Only use when you know
       what you are doing. If you delete a Type 1 attribute, chance is that your DICOM file will
       be not accepted in most DICOM third party viewer. Unfortunately this is often this mode
       that is implemented in popular DICOM Viewer, always prefer what the DICOM standard
       describes, and avoid the dumb mode.

       The following example shows how to use dumb mode and achieve 5 operations at the same
       time:

       •   Empty the tag (0010,0010) Patient's Name,

       •   Clear the tag (0010,0020) Patient ID,

       •   Remove the tag (0010,0040) Patient's Sex

       •   Remove the tag (0010,1010) Patient's Age

       •   Replace the tag (0010,1030) Patient's Weight with the value '10'

       You are required to check which DICOM attribute is Type 1 and Type 1C, before trying to
       'Empty','Clear' or 'Remove' a particular DICOM attribute. For the same reason, you are
       required to check what are valid value in a replace operation.

           $ gdcmanon --dumb --empty 10,10 --clear 10,20 --remove 10,40 --remove 10,1010 --replace 10,1030,10 012345.002.050.dcm out.dcm

       In the following example a private tag (0029,20,SIEMENS MEDCOM HEADER) is cleared out
       (made empty only when present):

           $ gdcmanon --dumb --clear "0029,20,SIEMENS MEDCOM HEADER" input.dcm output.dcm

       Multiple operation of –dumb mode can take place, just reuse the output of the previous
       operation. Always use gdcmdump on the input and output file to check what was actually
       achieved. You can use a diff program to check only what changed (see gdcmdiff(1) for
       example).

       Irreversible Anonymization
           In some very rare cases, one would want to anonymize using the PS 3.15 mode so as to
           take benefit of the automatic conversion of all content that could contain Patient
           related information.

           In the end all Patient related information has been removed and has been secretly
           stored in the 0400,0500 DICOM attribute. However to make sure that no-one ever try to
           break that security using brute-force algorithm, one want want to remove completely
           this DICOM attribute. This will make the DICOM:

           •   Completely free of any Patient related information (as per PS 3.15 specification)

           •   Remove any mean of people to brute force attack the file to find out the identity
               of the Patient

           In this case one could simply do, as a first step execute the reversible anonymizer:

               $ gdcmanon -c certificate.pem input.dcm anonymized_reversible.dcm

           and now completely remove the DICOM attribute containing the secretly encrypted
           Patient related information:

               $ gdcmanon --dumb --remove 400,500 --remove 12,62 --remove 12,63 anonymized_reversible.dcm anonymized_irreversible.dcm

OPENSSL

       On most system you can have access to OpenSSL to generate the Private Key/Certificate
       pair.

   Generating a Private Key
       Command line to generate a rsa key (512bit)

           $ openssl genrsa -out CA_key.pem

       Command line to generate a rsa key (2048bit)

           $ openssl genrsa -out CA_key.pem 2048

       Command line to generate a rsa key (2048bit) + passphrase

           $ openssl genrsa -des3 -out CA_key.pem 2048

   Generating a Certificate
       From your previously generated Private Key, you can now generate a certificate in PEM (DER
       format is currently not supported).

           $ openssl req -new -key CA_key.pem -x509 -days 365 -out CA_cert.cer

DICOM STANDARD:

       Page to the DICOM Standard:

       http://dicom.nema.org/

       The DICOM Standard at the time of releasing gdcmanon is:

       ftp://medical.nema.org/medical/dicom/2008/

       Direct link to PS 3.15-2008:

       ftp://medical.nema.org/medical/dicom/2008/08_15pu.pdf

WARNINGS

       Certain attributes may still contains Protected Health Information (PHI) after an
       anonymization step. This is typically the case for Patient's Address (0010,1040). The
       reason is that this particular attribute is not supposed to be in the composite IODs in
       the first place. DICOM Supp 142 includes it (however gdcmanon does not implement it).

SEE ALSO

       gdcmconv(1), gdcmdump(1), gdcmdiff(1), openssl(1), dumpasn1(1)

AUTHOR

       Mathieu Malaterre
           Main developer

       Copyright © 2006, 2011 Mathieu Malaterre