DICOM Encryption and Anonymization

DICOM encryption is an important consideration for healthcare organizations. Full disk or partition encryption is one of the most effective ways to protect data at rest: because every file on the volume is encrypted, end users do not have to decide which files need protection and risk missing an important one. Dicom Systems offers DICOM encryption for both data at rest and data in motion.

The Importance of Encrypting DICOM Objects

Most DICOM objects contain images together with demographic and medical information about the patient, all of which must be kept confidential. Encryption is one method of keeping these data confidential, and it is only one part of the larger data security picture. Policymakers around the globe have recognized that healthcare institutions are part of a society's critical infrastructure and require protection, including protection from cyber threats. Many national and local regulations require healthcare providers to encrypt protected health information (PHI). Encryption is also a best practice for medical imaging data, since it almost always contains PHI.

Encryption and Anonymization of Medical Images at Dicom Systems

Dicom Systems offers full disk encryption. The Unifier platform natively supports LUKS (Linux Unified Key Setup), the standard for Linux disk encryption. LUKS bulk-encrypts partitions so that data is protected while the system is powered off or the volume is locked, for example when a drive is removed or a decommissioned server is lost. Once the system is running and the LUKS volume has been unlocked, the files on it are available to any user or process with valid credentials that would normally have access to the data; full disk encryption does not protect against a compromised running host.

Encrypting individual files while the system is running is possible, but impractical and resource-intensive: it requires a separate, hardened key server holding the encryption keys, and end users must continuously authenticate to access each encrypted file. Extending at-rest encryption so that data on a running system is also access-restricted is feasible, but it adds substantial overhead measured against the workflow expectations of clinicians and diagnosticians.
To protect files while the system is running, we recommend full disk encryption combined with other measures such as file-based encryption and access control. The Unifier's default LUKS configuration uses AES-128 as the cipher and SHA-256 as the hash for deriving the key from the passphrase.

Dicom Encryption Available Ciphers:

More information about encryption standards is available at NEMA Standards.

Dicom Encryption: Data in Motion

In addition to protecting data at rest, Dicom Systems offers encryption for all outgoing and incoming traffic. Secure DICOM communication follows DICOM Supplement 31 (Secure Transport Connection Profiles), which is based on the Transport Layer Security (TLS) protocol standard. Both parties to an exchange are authenticated during the TLS handshake by certificate verification, so the endpoints exchanging DICOM objects and HL7 messages (images, orders and diagnostic reports) are verified before any data is transferred. We support RSA keys of up to 4,096 bits. There is no additional cost to set this up, as all certificates can be managed within the Dicom Systems Unifier platform. Certificates can be created and managed by the client rather than generated on the Unifier server side, so the client retains full control over the certificates and keys that secure each connection end to end.
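The handshake described above hinges on two settings that are easy to get wrong in a DICOM deployment: the minimum TLS version, and whether the SCP actually demands the SCU's certificate (mutual authentication) rather than merely presenting its own. The script below is an added example using only Python's standard `ssl` module; it is not Dicom Systems code and does not describe how the Unifier is configured. It builds a hardened SCP (server) context and SCU (client) context, builds a typical unhardened SCP context for contrast, and audits each. The certificate and CA file paths are hypothetical parameters and are only loaded when supplied, so the audit runs offline; port 2762 is the IANA-registered `dicom-tls` port.

```python
"""Build and audit TLS contexts for DICOM over TLS (Supplement 31 / PS3.15 profiles).
Standard library only. Certificate paths are hypothetical and loaded only if given."""
import ssl

DICOM_TLS_PORT = 2762  # IANA-registered dicom-tls port

# Forward-secret AEAD suites only: no static-RSA key exchange, no CBC/SHA-1 legacy.
DICOM_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4:!3DES"


def _harden(ctx):
    """Settings common to both sides of a DICOM TLS association."""
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(DICOM_CIPHERS)
    # Disable TLS compression (CRIME) and client-initiated renegotiation where supported.
    ctx.options |= ssl.OP_NO_COMPRESSION | getattr(ssl, "OP_NO_RENEGOTIATION", 0)
    ctx.verify_mode = ssl.CERT_REQUIRED  # peer must present a certificate we can verify
    return ctx


def make_server_context(cert_chain=None, key=None, cafile=None):
    """SCP side: present our certificate and require the SCU's certificate."""
    ctx = _harden(ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER))
    if cafile:
        ctx.load_verify_locations(cafile)  # hypothetical path: CA that issued SCU certs
    if cert_chain and key:
        ctx.load_cert_chain(cert_chain, key)  # hypothetical paths: this SCP's cert and key
    return ctx


def make_client_context(cert_chain=None, key=None, cafile=None):
    """SCU side: verify the SCP's certificate and hostname, and present our own."""
    ctx = _harden(ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT))
    ctx.check_hostname = True  # SCP cert must match the host (or IP SAN) we dial
    if cafile:
        ctx.load_verify_locations(cafile)
    if cert_chain and key:
        ctx.load_cert_chain(cert_chain, key)
    return ctx


def make_legacy_server_context(cert_chain=None, key=None):
    """What an unhardened SCP often looks like: server cert only, any SCU accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_NONE  # no client certificate requested: one-way auth only
    if cert_chain and key:
        ctx.load_cert_chain(cert_chain, key)
    return ctx


def audit_context(ctx):
    """Return a list of findings against the DICOM TLS policy; empty means it passes."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("allows TLS versions below 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required (no mutual authentication)")
    legacy = [c["name"] for c in ctx.get_ciphers()
              if any(tag in c["name"] for tag in ("RC4", "DES", "MD5", "NULL"))]
    if legacy:
        findings.append(f"legacy cipher suites enabled: {legacy}")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression enabled (CRIME)")
    return findings


if __name__ == "__main__":
    for name, ctx in (("SCP", make_server_context()), ("SCU", make_client_context()),
                      ("legacy SCP", make_legacy_server_context())):
        print(name, audit_context(ctx) or "OK")
```

To use the hardened SCP context, wrap the listening socket on port 2762 with `ctx.wrap_socket(sock, server_side=True)` before handing it to the DICOM association layer; an SCU that cannot present a certificate signed by the configured CA is refused during the handshake, before any A-ASSOCIATE request is read. If the SCP is addressed by IP, put that IP in the certificate's subjectAltName rather than disabling `check_hostname` on the client.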

To learn more about the Unifier platform's encryption and anonymization features, or to discuss your enterprise imaging workflow needs, schedule a demo with our team.
