GDCMANON(1)                    DICOM Manipulation.                   GDCMANON(1)

NAME
       gdcmanon - Tool to anonymize a DICOM file.

SYNOPSIS
       gdcmanon [options] file-in file-out
       gdcmanon [options] dir-in dir-out

DESCRIPTION
       The gdcmanon tool is an implementation of PS 3.15 / E.1 / Basic
       Application Level Confidentiality Profile (implementation of E.1.1
       De-identify & E.1.2 Re-identify).

       This tool is split into two very different operating modes:

       • An implementation of PS 3.15, see the -e and -d flags

       • A dumb mode, see --dumb

       Dumb mode and PS 3.15 do not work well together; you should really only
       use one type of anonymization. In case of doubt, avoid using --dumb.

       In order to use the PS 3.15 implementation (-d & -e flags), you'll need
       a certificate to do de-identification operations, and the associated
       private key to do the re-identification operation. If you are only
       doing a one-shot anonymization and do not need to properly re-identify
       the DICOM file, you can safely discard the private key and only keep
       the certificate. See the OpenSSL section below for an example of how to
       generate the private key/certificate pair.

       gdcmanon will exit early if OpenSSL was not configured/built properly
       into the library (see GDCM_USE_SYSTEM_OPENSSL in cmake).

PARAMETERS
       file-in   DICOM input filename

       file-out  DICOM output filename

       or

       dir-in    DICOM input directory

       dir-out   DICOM output directory

OPTIONS
       You need to specify exactly one operating mode from the following
       list:

   Required parameters
       -e --de-identify      De-identify DICOM (default)
       -d --re-identify      Re-identify DICOM
          --dumb             Dumb mode anonymizer

       Warning: when operating in dumb mode, you also need to specify an
       operation to perform, such as removing or emptying a tag; see the dumb
       mode options below.

   Specific options
       -i --input            DICOM filename / directory
       -o --output           DICOM filename / directory
       -r --recursive        Recursively process (sub-)directories.
          --continue         Do not stop when a file found is not DICOM.
          --root-uid         Root UID.
          --resources-path   Resources path.
       -k --key              Path to RSA Private Key.
       -c --certificate      Path to Certificate.

   Encryption options
          --des              DES.
          --des3             Triple DES.
          --aes128           AES 128.
          --aes192           AES 192.
          --aes256           AES 256.

   Dumb mode options
          --empty   %d,%d      DICOM tag(s) to empty
          --remove  %d,%d      DICOM tag(s) to remove
          --replace %d,%d,%s   DICOM tag(s) to replace

   General options
       -h --help
              print this help text and exit

       -v --version
              print version information and exit

       -V --verbose
              verbose mode (warning+error).

       -W --warning
              warning mode, print warning information

       -E --error
              error mode, print error information

       -D --debug
              debug mode, print debug information

   Environment variables
       GDCM_ROOT_UID         Root UID
       GDCM_RESOURCES_PATH   Path pointing to resources files (Part3.xml, ...)

USAGE
   De-identification (anonymization, encrypt)
       The only thing required for this operation is a certificate file (in
       PEM format).

       $ gdcmanon --certificate certificate.pem -e original.dcm original_anonymized.dcm

       You can use the --asn1 option of gdcmdump to dump the generated DataSet
       as an ASN.1 structure (see gdcmdump(1) for an example).

   Re-identification (de-anonymization, decrypt)
       The only thing required for this operation is a private key (in PEM
       format). The private key used for the re-identification process must
       be the actual private key that was used to generate the certificate
       file (certificate.pem) used during the de-identification step.

       $ gdcmanon --key privatekey.pem -d original_anonymized.dcm original_copy.dcm

       You can then check that original.dcm and original_copy.dcm are
       identical.

   Multiple files caveat
       It is very important to understand the following section when
       anonymizing more than a single file. When anonymizing multiple DICOM
       files, you are required to use the directory input. You cannot call
       the gdcmanon command line tool multiple times, because the tool keeps
       its table of conversions only in memory for the duration of the
       process, so that each time a particular value is found it always gets
       replaced by the same de-identified value (think: consistent Series
       Instance UID).

   Dumb mode
       This functionality is not described in the DICOM standard. Users are
       advised that improper use of this mode is not recommended: important
       tags can be emptied/removed/replaced, resulting in an illegal/invalid
       DICOM file. Only use it when you know what you are doing. If you delete
       a Type 1 attribute, chances are that your DICOM file will not be
       accepted by most third-party DICOM viewers. Unfortunately this is often
       the mode implemented in popular DICOM viewers; always prefer what the
       DICOM standard describes, and avoid the dumb mode.

       The following example shows how to use dumb mode to achieve 5
       operations at the same time:

       • Empty the tag (0010,0010) Patient's Name,

       • Empty the tag (0010,0020) Patient ID,

       • Remove the tag (0010,0040) Patient's Sex

       • Remove the tag (0010,1010) Patient's Age

       • Replace the tag (0010,1030) Patient's Weight with the value '10'

       You are required to check which DICOM attributes are Type 1 and Type 1C
       before trying to 'Empty' or 'Remove' a particular DICOM attribute. For
       the same reason, you are required to check what the valid values are
       before a replace operation.

       $ gdcmanon --dumb --empty 10,10 --empty 10,20 --remove 10,40 --remove 10,1010 --replace 10,1030,10 012345.002.050.dcm out.dcm

       Multiple operations in --dumb mode can take place; just reuse the
       output of the previous operation as input. Always use gdcmdump on the
       input and output files to check what was actually achieved. You can use
       a diff program to check only what changed (see gdcmdiff(1) for an
       example).

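       As an added example (not part of this man page and not code from GDCM
       or gdcmanon), the following Python models two behaviours described in
       the sections above: the --empty/--remove/--replace operations of dumb
       mode, including the Type 1 check the text tells you to perform by hand,
       and the per-run table of conversions from the "Multiple files caveat",
       which keeps a Series Instance UID consistent only when every file is
       processed in one invocation. The explicit-VR little-endian
       encoder/decoder, the two-slice series, the UIDs and the two-entry Type 1
       list are all constructed for the demo; the codec covers only short-form
       VRs and is not GDCM's parser.

```python
import secrets
import struct

# Constructed subset of attributes that are Type 1 in every composite IOD
# (SOP Class UID, SOP Instance UID); a real check must consult PS 3.3 for
# the IOD at hand, this list is only a demo placeholder.
TYPE1_ALWAYS = {(0x0008, 0x0016), (0x0008, 0x0018)}


def encode(elements):
    """Serialise [(group, elem, vr, value), ...] as explicit VR little endian
    (short-form VRs with a 2-byte length only; a demo subset of DICOM)."""
    out = bytearray()
    for group, elem, vr, value in elements:
        data = value.encode("ascii")
        if len(data) % 2:  # values are padded to even length
            data += b"\x00" if vr == "UI" else b" "
        out += struct.pack("<HH", group, elem)
        out += vr.encode("ascii") + struct.pack("<H", len(data)) + data
    return bytes(out)


def decode(buf):
    """Inverse of encode(); returns [(group, elem, vr, value), ...]."""
    elements, pos = [], 0
    while pos < len(buf):
        group, elem = struct.unpack_from("<HH", buf, pos)
        vr = buf[pos + 4:pos + 6].decode("ascii")
        (length,) = struct.unpack_from("<H", buf, pos + 6)
        value = buf[pos + 8:pos + 8 + length].decode("ascii").rstrip(" \x00")
        elements.append((group, elem, vr, value))
        pos += 8 + length
    return elements


def parse_tag(spec):
    """'10,1010' -> (0x0010, 0x1010): group and element are given in hex."""
    group, elem = spec.split(",")
    return int(group, 16), int(elem, 16)


def dumb_anonymize(buf, empty=(), remove=(), replace=()):
    """Apply --empty / --remove / --replace specs to one dataset.
    Refuses to empty or remove a tag from the Type 1 list, the check the
    man page tells you to do by hand before using dumb mode."""
    empty_tags = {parse_tag(s) for s in empty}
    remove_tags = {parse_tag(s) for s in remove}
    replacements = {}
    for spec in replace:  # --replace takes group,element,value
        group, elem, value = spec.split(",", 2)
        replacements[(int(group, 16), int(elem, 16))] = value
    forbidden = (empty_tags | remove_tags) & TYPE1_ALWAYS
    if forbidden:
        raise ValueError("refusing to empty/remove Type 1 attribute(s): %s" % sorted(forbidden))
    out = []
    for group, elem, vr, value in decode(buf):
        tag = (group, elem)
        if tag in remove_tags:
            continue  # --remove drops the element entirely
        if tag in empty_tags:
            value = ""  # --empty keeps the element with zero length
        elif tag in replacements:
            value = replacements[tag]
        out.append((group, elem, vr, value))
    return encode(out)


class UidTable:
    """The in-memory table of conversions that exists only for one run:
    a fresh run gets a fresh random run component, so the same original UID
    maps to a different replacement in a second invocation."""

    def __init__(self, root_uid):
        self.prefix = "%s.%d" % (root_uid, int.from_bytes(secrets.token_bytes(4), "big"))
        self.table = {}

    def convert(self, uid):
        if uid not in self.table:
            self.table[uid] = "%s.%d" % (self.prefix, len(self.table) + 1)
        return self.table[uid]


def deidentify_series_uid(buf, uid_table):
    """Replace Series Instance UID (0020,000E) through the run's uid_table."""
    return encode([(g, e, vr, uid_table.convert(v) if (g, e) == (0x0020, 0x000E) else v)
                   for g, e, vr, v in decode(buf)])


def value_of(buf, group, elem):
    """Value of a tag, '' when emptied, None when the element is absent."""
    for g, e, _vr, v in decode(buf):
        if (g, e) == (group, elem):
            return v
    return None


# Constructed two-slice series; the UIDs are demo values, not real ones.
SERIES_UID = "1.2.826.0.1.3680043.2.1125.1.999"
ROOT_UID = "1.2.826.0.1.3680043.2.1125.2"  # what --root-uid would supply
SLICE_1 = encode([(0x0008, 0x0018, "UI", "1.2.3.1"), (0x0010, 0x0010, "PN", "DOE^JANE"),
                  (0x0010, 0x0020, "LO", "12345"), (0x0010, 0x0040, "CS", "F"),
                  (0x0010, 0x1010, "AS", "042Y"), (0x0010, 0x1030, "DS", "65"),
                  (0x0020, 0x000E, "UI", SERIES_UID)])
SLICE_2 = encode([(0x0008, 0x0018, "UI", "1.2.3.2"), (0x0010, 0x0010, "PN", "DOE^JANE"),
                  (0x0020, 0x000E, "UI", SERIES_UID)])


def series_uids_one_run(files):
    """Directory mode: one table for every file, so the series stays consistent."""
    table = UidTable(ROOT_UID)
    return [value_of(deidentify_series_uid(f, table), 0x0020, 0x000E) for f in files]


def series_uids_separate_runs(files):
    """One gdcmanon call per file: each call starts with an empty table."""
    return [value_of(deidentify_series_uid(f, UidTable(ROOT_UID)), 0x0020, 0x000E) for f in files]
```

       Running dumb_anonymize with the five specs of the command above leaves
       Patient's Name and Patient ID present but zero-length, drops Patient's
       Sex and Patient's Age, and sets Patient's Weight to "10"; asking it to
       remove SOP Instance UID is rejected. series_uids_one_run gives both
       slices the same replacement Series Instance UID, while
       series_uids_separate_runs gives them two different ones, which is the
       inconsistency the directory input exists to avoid.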
   Irreversible Anonymization
       In some very rare cases, one would want to anonymize using the PS 3.15
       mode so as to benefit from the automatic conversion of all content that
       could contain Patient related information.

       In the end all Patient related information has been removed and has
       been secretly stored (encrypted) in the (0400,0500) DICOM attribute.
       However, to make sure that no one ever tries to break that protection
       using a brute-force algorithm, one would want to remove this DICOM
       attribute completely. This will make the DICOM file:

       • Completely free of any Patient related information (as per the PS
         3.15 specification)

       • Free of any means for someone to brute-force the file to find out
         the identity of the Patient

       In this case one could simply, as a first step, execute the reversible
       anonymizer:

       $ gdcmanon -c certificate.pem input.dcm anonymized_reversible.dcm

       and then completely remove the DICOM attributes containing the secretly
       encrypted Patient related information:

       $ gdcmanon --dumb --remove 400,500 --remove 12,62 --remove 12,63 anonymized_reversible.dcm anonymized_irreversible.dcm

OPENSSL
       On most systems you have access to OpenSSL to generate the Private
       Key/Certificate pair.

   Generating a Private Key
       Command line to generate an RSA key (512 bit)

       $ openssl genrsa -out CA_key.pem

       Command line to generate an RSA key (2048 bit)

       $ openssl genrsa -out CA_key.pem 2048

       Command line to generate an RSA key (2048 bit) with a passphrase

       $ openssl genrsa -des3 -out CA_key.pem 2048

   Generating a Certificate
       From your previously generated Private Key, you can now generate a
       certificate in PEM format (DER format is currently not supported).

       $ openssl req -new -key CA_key.pem -x509 -days 365 -out CA_cert.cer

DICOM STANDARD
       Web page of the DICOM Standard:

       http://dicom.nema.org/

       The DICOM Standard at the time of releasing gdcmanon is:

       ftp://medical.nema.org/medical/dicom/2008/

       Direct link to PS 3.15-2008:

       ftp://medical.nema.org/medical/dicom/2008/08_15pu.pdf

WARNING
       Certain attributes may still contain Protected Health Information
       (PHI) after an anonymization step. This is typically the case for
       Patient's Address (0010,1040). The reason is that this particular
       attribute is not supposed to be in the composite IODs in the first
       place. DICOM Supp 142 includes it (however gdcmanon does not implement
       it).

SEE ALSO
       gdcmconv(1), gdcmdump(1), gdcmdiff(1), openssl(1), dumpasn1(1)

AUTHORS
       Mathieu Malaterre
              Main developer

COPYRIGHT
       Copyright © 2006, 2011 Mathieu Malaterre

GDCM 3.0.8                        01/26/2021                        GDCMANON(1)