1GDCMANON(1) DICOM Manipulation. GDCMANON(1)
2
6 gdcmanon - Tool to anonymize a DICOM file.
7
9 gdcmanon [options] file-in file-out
10 gdcmanon [options] dir-in dir-out
11
13 The gdcmanon tool is an implementation of PS 3.15 / E.1 / Basic
14 Application Level Confidentiality Profile (Implementation of E.1.1
15 De-identify & E.1.2 Re-identify)
16 This tool is split into two very different operating mode:
18 • An implementation of PS 3.15, see -e and -d flags
20 • A dumb mode, see –dumb
22 Dumb mode and PS 3.15 do not work well together, you should really only
24 use one type of anonymization. In case of doubt, avoid using –dumb.
25 In order to use the PS 3.15 implementation (-d & -e flag), you'll need
27 a certificate to do de-identification operations, and the associated
28 private key to do the re-identification operation. If you are only
29 doing a one-shot anonymization and do not need to properly re-identify
30 the DICOM file, you can safely discard the private key and only keep
31 the certificate. See OpenSSL refsection below for an example on how to
32 generate the private key/certificate pair.
33 gdcmanon will exit early if OpenSSL was not configured/build properly
35 into the library (see GDCM_USE_SYSTEM_OPENSSL in cmake).
36
38 file-in DICOM input filename
39 file-out DICOM output filename
41 or
43 file-in DICOM input directory
45 file-out DICOM output directory
47
49 You need to specify at least one operating mode, from the following
50 list (and only one):
51 Required parameters
53 -e --de-identify De-identify DICOM (default)
54 -d --re-identify Re-identify DICOM
55 --dumb Dumb mode anonymizer
56 Warning when operating in dumb mode, you need to also specify an
58 operation to do, such as 'remove' or 'empty' a tag, see below the dumb
59 mode options.
60 specific options
62 -i --input DICOM filename / directory
63 -o --output DICOM filename / directory
64 -r --recursive recursively process (sub-)directories.
65 --continue Do not stop when file found is not DICOM.
66 --root-uid Root UID.
67 --resources-path Resources path.
68 -k --key Path to RSA Private Key.
69 -c --certificate Path to Certificate.
70 -p --password Encryption passphrase.
71 Crypto library options
73 --crypto=
74 openssl OpenSSL (default on non-Windows systems).
75 capi Microsoft CryptoAPI (default on Windows systems).
76 openssl-p7 Old OpenSSL implementation.
77 encryption options
79 --des DES.
80 --des3 Triple DES.
81 --aes128 AES 128.
82 --aes192 AES 192.
83 --aes256 AES 256.
84 dumb mode options
86 --empty %d,%d DICOM tag(s) to empty
87 %d,%d,%s DICOM private tag(s) to empty
88 --clear %d,%d DICOM tag(s) to clear
89 %d,%d,%s DICOM private tag(s) to clear
90 --remove %d,%d DICOM tag(s) to remove
91 %d,%d,%s DICOM private tag(s) to remove
92 --replace %d,%d=%s DICOM tag(s) to replace
93 %d,%d,%s=%s DICOM private tag(s) to replace
94 general options
96 -h --help
97 print this help text and exit
98 -v --version
100 print version information and exit
101 -V --verbose
103 verbose mode (warning+error).
104 -W --warning
106 warning mode, print warning information
107 -E --error
109 error mode, print error information
110 -D --debug
112 debug mode, print debug information
113 environment variable
115 GDCM_ROOT_UID Root UID
116 GDCM_RESOURCES_PATH path pointing to resources files (Part3.xml, ...)
117
119 De-identification (anonymization, encrypt)
120 The only thing required for this operation is a certificate file (in
121 PEM format).
122 $ gdcmanon --certificate certificate.pem -e original.dcm original_anonymized.dcm
124 You can use –asn1 option from gdcmdump to dump the generated DataSet as
126 ASN1 structure (see gdcmdump(1) for example).
127 Re-identification (de-anonymization,decrypt)
129 The only thing required for this operation is a private key (in PEM
130 format). It is required that the private key used for the
131 re-identification process, was the actual private key used to generate
132 the certificate file (certificate.pem) used during the
133 de-identification step.
134 $ gdcmanon --key privatekey.pem -d original_anonymized.dcm original_copy.dcm
136 You can then check that original.dcm and original_copy.dcm are
138 identical.
139 Multiple files caveat
141 It is very important to understand the following refsection, when
142 anonymizing more than one single file. When anonymizing multiple DICOM
143 files, you are required to use the directory input. You cannot call
144 multiple time the gdcmanon command line tool. Indeed the tool stores in
145 memory during the process only a hash table of conversion so that each
146 time a particular value is found it get always replaced by the same
147 de-identified value (think: consistent Series Instance UID).
148 Dumb mode
150 This functionality is not described in the DICOM standard. Users are
151 advised that improper use of that mode is not recommended, meaning that
152 important tag can be emptied/removed/replaced resulting in
153 illegal/invalid DICOM file. Only use when you know what you are doing.
154 If you delete a Type 1 attribute, chance is that your DICOM file will
155 be not accepted in most DICOM third party viewer. Unfortunately this is
156 often this mode that is implemented in popular DICOM Viewer, always
157 prefer what the DICOM standard describes, and avoid the dumb mode.
158 The following example shows how to use dumb mode and achieve 5
160 operations at the same time:
161 • Empty the tag (0010,0010) Patient's Name,
163 • Clear the tag (0010,0020) Patient ID,
165 • Remove the tag (0010,0040) Patient's Sex
167 • Remove the tag (0010,1010) Patient's Age
169 • Replace the tag (0010,1030) Patient's Weight with the value '10'
171 You are required to check which DICOM attribute is Type 1 and Type 1C,
173 before trying to 'Empty','Clear' or 'Remove' a particular DICOM
174 attribute. For the same reason, you are required to check what are
175 valid value in a replace operation.
176 $ gdcmanon --dumb --empty 10,10 --clear 10,20 --remove 10,40 --remove 10,1010 --replace 10,1030,10 012345.002.050.dcm out.dcm
178 In the following example a private tag (0029,20,SIEMENS MEDCOM HEADER)
180 is cleared out (made empty only when present):
181 $ gdcmanon --dumb --clear "0029,20,SIEMENS MEDCOM HEADER" input.dcm output.dcm
183 Multiple operation of –dumb mode can take place, just reuse the output
185 of the previous operation. Always use gdcmdump on the input and output
186 file to check what was actually achieved. You can use a diff program to
187 check only what changed (see gdcmdiff(1) for example).
188 Irreversible Anonymization
190 In some very rare cases, one would want to anonymize using the PS
191 3.15 mode so as to take benefit of the automatic conversion of all
192 content that could contain Patient related information.
193 In the end all Patient related information has been removed and has
195 been secretly stored in the 0400,0500 DICOM attribute. However to
196 make sure that no-one ever try to break that security using
197 brute-force algorithm, one want want to remove completely this
198 DICOM attribute. This will make the DICOM:
199 • Completely free of any Patient related information (as per PS
201 3.15 specification)
202 • Remove any mean of people to brute force attack the file to
204 find out the identity of the Patient
205 In this case one could simply do, as a first step execute the
207 reversible anonymizer:
208 $ gdcmanon -c certificate.pem input.dcm anonymized_reversible.dcm
210 and now completely remove the DICOM attribute containing the
212 secretly encrypted Patient related information:
213 $ gdcmanon --dumb --remove 400,500 --remove 12,62 --remove 12,63 anonymized_reversible.dcm anonymized_irreversible.dcm
215
217 On most system you can have access to OpenSSL to generate the Private
218 Key/Certificate pair.
219 Generating a Private Key
221 Command line to generate a rsa key (512bit)
222 $ openssl genrsa -out CA_key.pem
224 Command line to generate a rsa key (2048bit)
226 $ openssl genrsa -out CA_key.pem 2048
228 Command line to generate a rsa key (2048bit) + passphrase
230 $ openssl genrsa -des3 -out CA_key.pem 2048
232 Generating a Certificate
234 From your previously generated Private Key, you can now generate a
235 certificate in PEM (DER format is currently not supported).
236 $ openssl req -new -key CA_key.pem -x509 -days 365 -out CA_cert.cer
238
240 Page to the DICOM Standard:
241 http://dicom.nema.org/
243 The DICOM Standard at the time of releasing gdcmanon is:
245 ftp://medical.nema.org/medical/dicom/2008/
247 Direct link to PS 3.15-2008:
249 ftp://medical.nema.org/medical/dicom/2008/08_15pu.pdf
251
253 Certain attributes may still contains Protected Health Information
254 (PHI) after an anonymization step. This is typically the case for
255 Patient's Address (0010,1040). The reason is that this particular
256 attribute is not supposed to be in the composite IODs in the first
257 place. DICOM Supp 142 includes it (however gdcmanon does not implement
258 it).
259
261 gdcmconv(1), gdcmdump(1), gdcmdiff(1), openssl(1), dumpasn1(1)
262
264 Mathieu Malaterre
265 Main developer
266
268 Copyright © 2006, 2011 Mathieu Malaterre
269GDCM 3.0.22 08/07/2023 GDCMANON(1)