GDCMANON(1)                   DICOM Manipulation.                  GDCMANON(1)

NAME

       gdcmanon - Tool to anonymize a DICOM file.

SYNOPSIS

           gdcmanon [options] file-in file-out
           gdcmanon [options] dir-in  dir-out

DESCRIPTION

       The gdcmanon tool is an implementation of PS 3.15 / E.1 / Basic
       Application Level Confidentiality Profile (Implementation of E.1.1
       De-identify & E.1.2 Re-identify).

       This tool is split into two very different operating modes:

       •   An implementation of PS 3.15, see the -e and -d flags

       •   A dumb mode, see --dumb

       Dumb mode and PS 3.15 do not work well together; you should really only
       use one type of anonymization. In case of doubt, avoid using --dumb.

       In order to use the PS 3.15 implementation (-d & -e flags), you'll need
       a certificate to do de-identification operations, and the associated
       private key to do the re-identification operation. If you are only
       doing a one-shot anonymization and do not need to properly re-identify
       the DICOM file, you can safely discard the private key and only keep
       the certificate. See the OPENSSL section below for an example of how to
       generate the private key/certificate pair.

       gdcmanon will exit early if OpenSSL was not configured/built properly
       into the library (see GDCM_USE_SYSTEM_OPENSSL in cmake).

PARAMETERS

           file-in   DICOM input filename

           file-out  DICOM output filename

       or

           file-in   DICOM input directory

           file-out  DICOM output directory

OPTIONS

       You need to specify exactly one operating mode from the following
       list:

   Required parameters
             -e --de-identify            De-identify DICOM (default)
             -d --re-identify            Re-identify DICOM
                --dumb                   Dumb mode anonymizer

       Warning: when operating in dumb mode, you also need to specify an
       operation to perform, such as 'remove' or 'empty' a tag; see the dumb
       mode options below.

   specific options
             -i --input                  DICOM filename / directory
             -o --output                 DICOM filename / directory
             -r --recursive              recursively process (sub-)directories.
                --continue               Do not stop when file found is not DICOM.
                --root-uid               Root UID.
                --resources-path         Resources path.
             -k --key                    Path to RSA Private Key.
             -c --certificate            Path to Certificate.
             -p --password               Encryption passphrase.

   Crypto library options
                --crypto=
                      openssl            OpenSSL (default on non-Windows systems).
                      capi               Microsoft CryptoAPI (default on Windows systems).
                      openssl-p7         Old OpenSSL implementation.

   encryption options
                --des            DES.
                --des3           Triple DES.
                --aes128         AES 128.
                --aes192         AES 192.
                --aes256         AES 256.

   dumb mode options
                --empty   %d,%d           DICOM tag(s) to empty
                --remove  %d,%d           DICOM tag(s) to remove
                --replace %d,%d,%s        DICOM tag(s) to replace

   general options
             -h   --help
                    print this help text and exit

             -v   --version
                    print version information and exit

             -V   --verbose
                    verbose mode (warning+error).

             -W   --warning
                    warning mode, print warning information

             -E   --error
                    error mode, print error information

             -D   --debug
                    debug mode, print debug information

   environment variable
             GDCM_ROOT_UID Root UID
             GDCM_RESOURCES_PATH path pointing to resources files (Part3.xml, ...)


TYPICAL USAGE

   De-identification (anonymization, encrypt)
       The only thing required for this operation is a certificate file (in
       PEM format).

           $ gdcmanon --certificate certificate.pem -e original.dcm original_anonymized.dcm

       You can use the --asn1 option of gdcmdump to dump the generated DataSet
       as an ASN.1 structure (see gdcmdump(1) for an example).

   Re-identification (de-anonymization, decrypt)
       The only thing required for this operation is a private key (in PEM
       format). The private key used for the re-identification process must
       be the actual private key used to generate the certificate file
       (certificate.pem) used during the de-identification step.

           $ gdcmanon --key privatekey.pem -d original_anonymized.dcm original_copy.dcm

       You can then check that original.dcm and original_copy.dcm are
       identical.

   Multiple files caveat
       It is very important to understand the following section when
       anonymizing more than a single file. When anonymizing multiple DICOM
       files, you are required to use the directory input. You cannot call
       the gdcmanon command line tool multiple times: the tool keeps in memory,
       only for the duration of the process, a hash table of conversions so
       that each time a particular value is found it is always replaced by the
       same de-identified value (think: consistent Series Instance UID).

   Dumb mode
       This functionality is not described in the DICOM standard. Users are
       advised that improper use of this mode is not recommended, meaning that
       important tags can be emptied/removed/replaced, resulting in an
       illegal/invalid DICOM file. Only use it when you know what you are doing.
       If you delete a Type 1 attribute, chances are that your DICOM file will
       not be accepted by most third-party DICOM viewers. Unfortunately, this is
       often the mode that is implemented in popular DICOM viewers; always
       prefer what the DICOM standard describes, and avoid the dumb mode.

       The following example shows how to use dumb mode and achieve 5
       operations at the same time:

       •   Empty the tag (0010,0010) Patient's Name,

       •   Empty the tag (0010,0020) Patient ID,

       •   Remove the tag (0010,0040) Patient's Sex,

       •   Remove the tag (0010,1010) Patient's Age,

       •   Replace the tag (0010,1030) Patient's Weight with the value '10'.

       You are required to check which DICOM attributes are Type 1 and Type 1C
       before trying to 'Empty' or 'Remove' a particular DICOM attribute. For
       the same reason, you are required to check what the valid values are for
       a replace operation.

           $ gdcmanon --dumb --empty 10,10 --empty 10,20 --remove 10,40 --remove 10,1010 --replace 10,1030,10 012345.002.050.dcm out.dcm

       Multiple operations in --dumb mode can take place; just reuse the output
       of the previous operation. Always use gdcmdump on the input and output
       files to check what was actually achieved. You can use a diff program to
       check only what changed (see gdcmdiff(1) for an example).

       Irreversible Anonymization
           In some very rare cases, one would want to anonymize using the PS
           3.15 mode so as to benefit from the automatic conversion of all
           content that could contain Patient related information.

           In the end all Patient related information has been removed and has
           been secretly stored in the (0400,0500) DICOM attribute. However, to
           make sure that no one ever tries to break that security using a
           brute-force algorithm, one would want to remove this DICOM attribute
           completely. This will make the DICOM file:

           •   Completely free of any Patient related information (as per the
               PS 3.15 specification)

           •   Free of any means for anyone to brute-force attack the file to
               find out the identity of the Patient

           In this case one could simply, as a first step, execute the
           reversible anonymizer:

               $ gdcmanon -c certificate.pem input.dcm anonymized_reversible.dcm

           and then completely remove the DICOM attribute containing the
           secretly encrypted Patient related information:

               $ gdcmanon --dumb --remove 400,500 --remove 12,62 --remove 12,63 anonymized_reversible.dcm anonymized_irreversible.dcm

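       The dumb-mode operations and the two-step irreversible anonymization
       above, as an added POSIX shell example that is not part of the gdcmanon
       man page or the GDCM project. It assumes gdcmanon is on the PATH and
       uses the short hexadecimal group,element tag notation the page's own
       command lines use (10,1010 for (0010,1010), 400,500 for (0400,0500)).
       The function names, the small Type 1 deny-list (SOP Class UID and SOP
       Instance UID, which every composite image IOD requires) and the
       deletion of the intermediate reversible file are this example's own
       choices, not gdcmanon behaviour.

```shell
#!/bin/sh
# Added example, not part of the gdcmanon man page or the GDCM project.
# Helpers around gdcmanon's dumb mode: tag normalisation, a guard against
# emptying/removing attributes that must be present, and the two-step
# irreversible anonymization described in the man page.
set -eu

# Turn "(0010,1010)", "0010,1010" or "10,1010" into the short hexadecimal
# "group,element" form used on the man page's command lines (so
# "(0400,0500)" becomes "400,500"). Returns 1 unless both halves are
# one to four hex digits.
dicom_tag_arg() {
  t=$(printf '%s' "$1" | tr -d '() ' | tr 'A-F' 'a-f')
  case "$t" in *,*) ;; *) return 1 ;; esac
  g=${t%%,*}; e=${t#*,}
  case "$g$e" in *[!0-9a-f]*) return 1 ;; esac
  if [ ${#g} -lt 1 ] || [ ${#g} -gt 4 ] || [ ${#e} -lt 1 ] || [ ${#e} -gt 4 ]; then
    return 1
  fi
  printf '%x,%x' "0x$g" "0x$e"
}

# Attributes this example refuses to empty or remove: SOP Class UID and
# SOP Instance UID are Type 1 in every composite image IOD. This is a
# deliberately minimal, illustrative list; the man page asks you to check
# Type 1 / Type 1C status for your IOD before every empty/remove.
TYPE1_DENY="8,16 8,18"
is_type1() {
  for d in $TYPE1_DENY; do
    if [ "$1" = "$d" ]; then return 0; fi
  done
  return 1
}

# Validate one dumb-mode operation (empty|remove|replace) and print the
# corresponding gdcmanon arguments, e.g. "--replace 10,1030,10".
dumb_op() {
  op=$1
  tag=$(dicom_tag_arg "$2") || { echo "bad tag: $2" >&2; return 1; }
  case "$op" in
    empty|remove)
      if is_type1 "$tag"; then
        echo "refusing to $op Type 1 attribute ($tag)" >&2; return 1
      fi
      printf '%s %s' "--$op" "$tag" ;;
    replace)
      [ $# -ge 3 ] || { echo "replace needs a value" >&2; return 1; }
      printf '%s %s,%s' --replace "$tag" "$3" ;;
    *) echo "unknown operation: $op" >&2; return 1 ;;
  esac
}

# Irreversible anonymization as the man page describes it: reversible
# PS 3.15 de-identification first, then drop the Encrypted Attributes
# Sequence (0400,0500) together with Patient Identity Removed (0012,0062)
# and De-identification Method (0012,0063) in dumb mode. Deleting the
# intermediate file afterwards is this example's choice: it still carries
# the encrypted PHI.
irreversible_anonymize() {
  in=$1; cert=$2; out=$3
  tmp="$out.reversible.tmp"
  ops=""
  for t in 0400,0500 0012,0062 0012,0063; do
    o=$(dumb_op remove "$t") || return 1
    ops="$ops $o"
  done
  gdcmanon -c "$cert" "$in" "$tmp"
  gdcmanon --dumb $ops "$tmp" "$out"   # word splitting of $ops is intended
  rm -f "$tmp"
}

case $# in
  3) irreversible_anonymize "$1" "$2" "$3" ;;
  0) ;;   # no arguments: only define the functions (e.g. when sourced)
  *) echo "usage: $0 input.dcm certificate.pem output.dcm" >&2; exit 64 ;;
esac
```

       Run it as `sh anon.sh input.dcm certificate.pem anonymized_irreversible.dcm`,
       or source it and call dumb_op to build a single --empty/--remove/--replace
       argument that has already been checked against the deny-list. As the man
       page says, inspect the result with gdcmdump(1) before trusting it.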

OPENSSL

       On most systems you have access to OpenSSL to generate the Private
       Key/Certificate pair.

   Generating a Private Key
       Command line to generate an RSA key (512bit)

           $ openssl genrsa -out CA_key.pem

       Command line to generate an RSA key (2048bit)

           $ openssl genrsa -out CA_key.pem 2048

       Command line to generate an RSA key (2048bit) + passphrase

           $ openssl genrsa -des3 -out CA_key.pem 2048

   Generating a Certificate
       From your previously generated Private Key, you can now generate a
       certificate in PEM (DER format is currently not supported).

           $ openssl req -new -key CA_key.pem -x509 -days 365 -out CA_cert.cer

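       The de-identification/re-identification round trip from TYPICAL USAGE
       and the OpenSSL key and certificate generation above, combined into one
       added POSIX shell example that is not part of the gdcmanon man page or
       the GDCM project. It assumes gdcmanon, openssl and cmp are on the PATH;
       the function names, the self-signed certificate subject and the
       work-directory layout are this example's own. The 2048-bit size is
       passed to openssl genrsa explicitly, because the size the command uses
       when none is given has changed across OpenSSL releases.

```shell
#!/bin/sh
# Added example, not part of the gdcmanon man page or the GDCM project.
# Reversible PS 3.15 workflow: generate the key/certificate pair with
# OpenSSL, confirm the key really belongs to the certificate, de-identify,
# re-identify and compare the result with the original.
set -eu

# Generate a 2048-bit RSA private key and a self-signed certificate in
# PEM form. The key size is passed explicitly because the default that
# "openssl genrsa" applies without a size depends on the OpenSSL version.
make_key_pair() {
  key=$1; cert=$2
  openssl genrsa -out "$key" 2048 2>/dev/null
  openssl req -new -key "$key" -x509 -days 365 \
    -subj "/CN=gdcmanon-example" -out "$cert" 2>/dev/null
}

# Return 0 when the public key inside the certificate equals the public
# key derived from the private key. Re-identification with any other key
# cannot succeed, so this is worth checking before running gdcmanon -d.
# (For a passphrase-protected key, add -passin to the openssl pkey call.)
key_matches_cert() {
  key=$1; cert=$2
  from_key=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
  from_cert=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null) || return 1
  [ -n "$from_key" ] && [ "$from_key" = "$from_cert" ]
}

# De-identify one file; only the certificate is needed for this step.
deidentify() {
  gdcmanon --certificate "$3" -e "$1" "$2"
}

# De-identify a whole directory tree in one gdcmanon run, as the man page's
# "Multiple files caveat" requires so that UIDs are mapped consistently.
deidentify_tree() {
  gdcmanon --certificate "$3" -e -r --continue "$1" "$2"
}

# Round trip: de-identify, re-identify with the private key and compare
# the restored file byte for byte with the original.
round_trip() {
  in=$1; key=$2; cert=$3; workdir=$4
  key_matches_cert "$key" "$cert" || { echo "key does not match certificate" >&2; return 2; }
  deidentify "$in" "$workdir/anonymized.dcm" "$cert"
  gdcmanon --key "$key" -d "$workdir/anonymized.dcm" "$workdir/restored.dcm"
  cmp -s "$in" "$workdir/restored.dcm"
}

case $# in
  4) [ -f "$2" ] || make_key_pair "$2" "$3"
     round_trip "$1" "$2" "$3" "$4" && echo "round trip OK: $1" ;;
  0) ;;   # no arguments: only define the functions (e.g. when sourced)
  *) echo "usage: $0 input.dcm key.pem cert.pem workdir" >&2; exit 64 ;;
esac
```

       key_matches_cert compares the SubjectPublicKeyInfo that openssl pkey
       -pubout derives from the private key with the one openssl x509 -pubkey
       extracts from the certificate; if they differ, gdcmanon -d is being run
       with the wrong key and the re-identification will not yield the
       original. If cmp reports a difference only in the file meta header,
       compare the data sets with gdcmdiff(1) instead.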

DICOM STANDARD:

       Home page of the DICOM Standard:

       http://dicom.nema.org/

       The DICOM Standard at the time of releasing gdcmanon is:

       ftp://medical.nema.org/medical/dicom/2008/

       Direct link to PS 3.15-2008:

       ftp://medical.nema.org/medical/dicom/2008/08_15pu.pdf


WARNINGS

       Certain attributes may still contain Protected Health Information
       (PHI) after an anonymization step. This is typically the case for
       Patient's Address (0010,1040). The reason is that this particular
       attribute is not supposed to be in the composite IODs in the first
       place. DICOM Supp 142 includes it (however gdcmanon does not implement
       it).


SEE ALSO

       gdcmconv(1), gdcmdump(1), gdcmdiff(1), openssl(1), dumpasn1(1)


AUTHOR

       Mathieu Malaterre
           Main developer

       Copyright © 2006, 2011 Mathieu Malaterre



GDCM 3.0.12                       08/02/2022                       GDCMANON(1)