1GDCMANON(1) DICOM Manipulation. GDCMANON(1)
2
6 gdcmanon - Tool to anonymize a DICOM file.
7
9 gdcmanon [options] file-in file-out
10 gdcmanon [options] dir-in dir-out
11
13 The gdcmanon tool is an implementation of PS 3.15 / E.1 / Basic
14 Application Level Confidentiality Profile (Implementation of E.1.1
15 De-identify & E.1.2 Re-identify)
16 This tool is split into two very different operating mode:
18 • An implementation of PS 3.15, see -e and -d flags
20 • A dumb mode, see –dumb
22 Dumb mode and PS 3.15 do not work well together, you should really only
24 use one type of anonymization. In case of doubt, avoid using –dumb.
25 In order to use the PS 3.15 implementation (-d & -e flag), you'll need
27 a certificate to do de-identification operations, and the associated
28 private key to do the re-identification operation. If you are only
29 doing a one-shot anonymization and do not need to properly re-identify
30 the DICOM file, you can safely discard the private key and only keep
31 the certificate. See OpenSSL refsection below for an example on how to
32 generate the private key/certificate pair.
33 gdcmanon will exit early if OpenSSL was not configured/build properly
35 into the library (see GDCM_USE_SYSTEM_OPENSSL in cmake).
36
38 file-in DICOM input filename
39 file-out DICOM output filename
41 or
43 file-in DICOM input directory
45 file-out DICOM output directory
47
49 You need to specify at least one operating mode, from the following
50 list (and only one):
51 Required parameters
53 -e --de-identify De-identify DICOM (default)
54 -d --re-identify Re-identify DICOM
55 --dumb Dumb mode anonymizer
56 Warning when operating in dumb mode, you need to also specify an
58 operation to do, such as 'remove' or 'empty' a tag, see below the dumb
59 mode options.
60 specific options
62 -i --input DICOM filename / directory
63 -o --output DICOM filename / directory
64 -r --recursive recursively process (sub-)directories.
65 --continue Do not stop when file found is not DICOM.
66 --root-uid Root UID.
67 --resources-path Resources path.
68 -k --key Path to RSA Private Key.
69 -c --certificate Path to Certificate.
70 -p --password Encryption passphrase.
71 Crypto library options
73 --crypto=
74 openssl OpenSSL (default on non-Windows systems).
75 capi Microsoft CryptoAPI (default on Windows systems).
76 openssl-p7 Old OpenSSL implementation.
77 encryption options
79 --des DES.
80 --des3 Triple DES.
81 --aes128 AES 128.
82 --aes192 AES 192.
83 --aes256 AES 256.
84 dumb mode options
86 --empty %d,%d DICOM tag(s) to empty
87 --remove %d,%d DICOM tag(s) to remove
88 --replace %d,%d,%s DICOM tag(s) to replace
89 general options
91 -h --help
92 print this help text and exit
93 -v --version
95 print version information and exit
96 -V --verbose
98 verbose mode (warning+error).
99 -W --warning
101 warning mode, print warning information
102 -E --error
104 error mode, print error information
105 -D --debug
107 debug mode, print debug information
108 environment variable
110 GDCM_ROOT_UID Root UID
111 GDCM_RESOURCES_PATH path pointing to resources files (Part3.xml, ...)
112
114 De-identification (anonymization, encrypt)
115 The only thing required for this operation is a certificate file (in
116 PEM format).
117 $ gdcmanon --certificate certificate.pem -e original.dcm original_anonymized.dcm
119 You can use –asn1 option from gdcmdump to dump the generated DataSet as
121 ASN1 structure (see gdcmdump(1) for example).
122 Re-identification (de-anonymization,decrypt)
124 The only thing required for this operation is a private key (in PEM
125 format). It is required that the private key used for the
126 re-identification process, was the actual private key used to generate
127 the certificate file (certificate.pem) used during the
128 de-identification step.
129 $ gdcmanon --key privatekey.pem -d original_anonymized.dcm original_copy.dcm
131 You can then check that original.dcm and original_copy.dcm are
133 identical.
134 Multiple files caveat
136 It is very important to understand the following refsection, when
137 anonymizing more than one single file. When anonymizing multiple DICOM
138 files, you are required to use the directory input. You cannot call
139 multiple time the gdcmanon command line tool. Indeed the tool stores in
140 memory during the process only a hash table of conversion so that each
141 time a particular value is found it get always replaced by the same
142 de-identified value (think: consistent Series Instance UID).
143 Dumb mode
145 This functionality is not described in the DICOM standard. Users are
146 advised that improper use of that mode is not recommended, meaning that
147 important tag can be emptied/removed/replaced resulting in
148 illegal/invalid DICOM file. Only use when you know what you are doing.
149 If you delete a Type 1 attribute, chance is that your DICOM file will
150 be not accepted in most DICOM third party viewer. Unfortunately this is
151 often this mode that is implemented in popular DICOM Viewer, always
152 prefer what the DICOM standard describes, and avoid the dumb mode.
153 The following example shows how to use dumb mode and achieve 5
155 operations at the same time:
156 • Empty the tag (0010,0010) Patient's Name,
158 • Empty the tag (0010,0020) Patient ID,
160 • Remove the tag (0010,0040) Patient's Sex
162 • Remove the tag (0010,1010) Patient's Age
164 • Replace the tag (0010,1030) Patient's Weight with the value '10'
166 You are required to check which DICOM attribute is Type 1 and Type 1C,
168 before trying to 'Empty' or 'Remove' a particular DICOM attribute. For
169 the same reason, you are required to check what are valid value in a
170 replace operation.
171 $ gdcmanon --dumb --empty 10,10 --empty 10,20 --remove 10,40 --remove 10,1010 --replace 10,1030,10 012345.002.050.dcm out.dcm
173 Multiple operation of –dumb mode can take place, just reuse the output
175 of the previous operation. Always use gdcmdump on the input and output
176 file to check what was actually achieved. You can use a diff program to
177 check only what changed (see gdcmdiff(1) for example).
178 Irreversible Anonymization
180 In some very rare cases, one would want to anonymize using the PS
181 3.15 mode so as to take benefit of the automatic conversion of all
182 content that could contain Patient related information.
183 In the end all Patient related information has been removed and has
185 been secretly stored in the 0400,0500 DICOM attribute. However to
186 make sure that no-one ever try to break that security using
187 brute-force algorithm, one want want to remove completely this
188 DICOM attribute. This will make the DICOM:
189 • Completely free of any Patient related information (as per PS
191 3.15 specification)
192 • Remove any mean of people to brute force attack the file to
194 find out the identity of the Patient
195 In this case one could simply do, as a first step execute the
197 reversible anonymizer:
198 $ gdcmanon -c certificate.pem input.dcm anonymized_reversible.dcm
200 and now completely remove the DICOM attribute containing the
202 secretly encrypted Patient related information:
203 $ gdcmanon --dumb --remove 400,500 --remove 12,62 --remove 12,63 anonymized_reversible.dcm anonymized_irreversible.dcm
205
207 On most system you can have access to OpenSSL to generate the Private
208 Key/Certificate pair.
209 Generating a Private Key
211 Command line to generate a rsa key (512bit)
212 $ openssl genrsa -out CA_key.pem
214 Command line to generate a rsa key (2048bit)
216 $ openssl genrsa -out CA_key.pem 2048
218 Command line to generate a rsa key (2048bit) + passphrase
220 $ openssl genrsa -des3 -out CA_key.pem 2048
222 Generating a Certificate
224 From your previously generated Private Key, you can now generate a
225 certificate in PEM (DER format is currently not supported).
226 $ openssl req -new -key CA_key.pem -x509 -days 365 -out CA_cert.cer
228
230 Page to the DICOM Standard:
231 http://dicom.nema.org/
233 The DICOM Standard at the time of releasing gdcmanon is:
235 ftp://medical.nema.org/medical/dicom/2008/
237 Direct link to PS 3.15-2008:
239 ftp://medical.nema.org/medical/dicom/2008/08_15pu.pdf
241
243 Certain attributes may still contains Protected Health Information
244 (PHI) after an anonymization step. This is typically the case for
245 Patient's Address (0010,1040). The reason is that this particular
246 attribute is not supposed to be in the composite IODs in the first
247 place. DICOM Supp 142 includes it (however gdcmanon does not implement
248 it).
249
251 gdcmconv(1), gdcmdump(1), gdcmdiff(1), openssl(1), dumpasn1(1)
252
254 Mathieu Malaterre
255 Main developer
256
258 Copyright © 2006, 2011 Mathieu Malaterre
259GDCM 3.0.12 08/02/2022 GDCMANON(1)