Privacy Issues in Medical Image Analysis
Prachi Natu, Shachi Natu and Upasana Agrawal
Introduction
Medical images are an integral part of healthcare data and play a vital role in the medical diagnosis of a patient. The development of new medical imaging systems has resulted in the generation of huge amounts of medical image data. Maintaining the privacy and confidentiality of a patient’s healthcare data, whether electronic health records (EHR) or medical images, is of great importance.
Privacy is a fundamental human right. In the simplest words, privacy is having control over who knows what about us. As Ruth Gavison says, there are three elements in privacy: secrecy, anonymity and solitude. In the medical field, privacy is both a legal and an ethical matter. Patients have the right to decide who can access their health information and to what extent. When it comes to data in healthcare, medical image data have their own significance. Medical image data are acquired for different purposes, such as diagnosis, therapy planning, intraoperative navigation, post-operative monitoring and biomedical research. Privacy is of the utmost importance because patients reveal their personal data to the doctor. The privacy of a patient’s healthcare data is necessary to maintain the trust between patient and doctor. A patient’s trust in a doctor helps the doctor to collect more accurate data. More accurate data in turn result in an accurate diagnosis and precise conclusion by the doctor. Hence a doctor needs to access all of the patient’s data and know the full history related to it.
This is easier to understand with the help of a case study reported by Mark Warner [1].
Every day, huge numbers of medical images are available on the Internet and anyone can download them. Nearly half of all the unprotected images, which include X-rays, ultrasounds and CT scans, belong to patients in the United States. However, despite warnings from security specialists making hospitals and doctors’ offices aware of the issue, many have ignored these alerts and continued to expose their patients’ private health information. One patient, whose data were exposed after a visit to an emergency room in Florida a year ago, described her exposed clinical information as “scary” and “awkward.” Another patient with a chronic disease had regular scans at an emergency clinic in California over a period of 30 years. “It appears to deteriorate each day,” said Dirk Schrader, who led the research at Germany-based security firm Greenbone Networks, which has been monitoring the number of exposed servers for as long as a year.
Even for patients with only one or a handful of medical images, the private information can be used to build a picture of an individual’s health, including diseases and injuries. In an effort to secure the servers, Greenbone contacted more than a hundred organizations a month ago about their exposed servers.
Instead, he claimed that it was pure negligence: doctors’ offices had failed to properly configure and secure their servers. Lucia Savage, a former senior security official at the US Department of Health and Human Services, said that in the healthcare industry especially, in those organizations that lack the resources, more effort must be made to improve the security of medical images. Personal information in these data needs to be secured from unauthorized access. Penalties can be imposed if the laws are not followed. One Tennessee-based medical imaging company was fined over $3 million last year for exposing the images of over 300,000 patients.
Deven McGraw, who was the top protection official in the Health and Human Services’ enforcement arm, the Office of Civil Rights, said that if security help were more readily available to small organizations, the government could focus its enforcement efforts on providers that wilfully ignore their security obligations. McGraw stated that government enforcement is important, as are guidance and support for lower-resourced providers and easy-to-deploy solutions that are built into the technology, as it may be very difficult for an individual agency to enforce it. Schrader mentioned that there is a lot to improve, but he and his team would do their best to improve the systems holding unprotected data globally.
This brief summary of facts is sufficient to show the severity of not protecting patients’ privacy.
The purpose of this chapter is to introduce briefly the techniques used to maintain the privacy of medical images. Section 4.2 describes a common medical image storage format, Digital Imaging and Communications in Medicine (DICOM), followed by the storage and transmission of such images in Section 4.3. Threats to the privacy of medical images are discussed in Section 4.4. Section 4.5 focuses on privacy protection methods for medical images, which fall into two major categories: encryption-based methods and image anonymization. Cryptography is one way of protecting the personal data in medical images. It secures the information such that only the intended user can read it, without it being stolen or altered by a third party. It uses an encryption key to lock or hide the important data, which in this case are the patient’s information. On the receiving side, a decryption key is used by the receiving party to unlock this hidden information. Since no other person or entity has this decryption key, the patient’s personal information is sent securely without any intervention by an unauthorized user. Anonymization is another way to achieve the privacy of patients’ data. In anonymization, annotated personal data written onto the image are removed from the image, provided that they do not contain any information about the anatomy of organs or the specifics of the disease. Further, this chapter discusses in detail the security of DICOM images in Section 4.6 and vulnerabilities and protections in DICOM images in Section 4.7.
Digital Imaging and Communications in Medicine (DICOM) Image Format
Medical images collected via different modalities are stored as DICOM images, which is a worldwide accepted format. It is used for the storage, exchange and display of medical images [2].
DICOM serves many purposes. Physicians can make faster diagnoses using DICOM. DICOM images are sent through a network, and assistance in diagnosis can be obtained from experts located in geographically distant areas. This helps patients get effective treatment.
DICOM images consist of a header and an image dataset in a single file. The header holds the patient’s demographics or protected health information (PHI), the image dimensions and the acquisition parameters. These data may or may not be visible on screen while viewing the image, but they can always be extracted from the header. A DICOM viewer is required to view these images together with their details.
Figure 4.1 shows sample DICOM images with different modalities for different organs.
The patient’s privacy allows the sharing of protected health information (PHI) only with those who need it.
The following is some information called PHI which can violate the privacy of a patient [3]:
1. Name
2. Geographic locators
3. Dates (e.g., birth date, admission and discharge date, date of death and any other kind of date that can reveal the age of the patient)
4. Contact numbers
5. E-mail addresses
6. IP addresses
7. Any kind of licence numbers
8. Biometric identifiers
9. Photo
10. Any unique identifier

FIGURE 4.1 Sample DICOM images with different modalities.
But if these medical images are to be used for research purposes or as a learning resource, then the PHI of the patient should not be included in the image, thus ensuring the privacy of the patient.
Ethical and privacy aspects of using medical images are described in the context of the VISCERAL project [4]. This project was aimed at organ segmentation, landmark detection, lesion detection and similar-case retrieval. A huge medical image dataset was the primary requirement of the project. These data were collected from three different data providers, who play an important role in the anonymization of data. Ethical, legal and privacy aspects need to be handled by the data provider. To anonymize the data, patients’ personal information such as birth date, name, ID, institution name, examination number and study date was removed from the DICOM header. Any text embedded in the image and the serial numbers of implants were also removed from the images. Whole-body CT scans were defaced by partly blurring the faces. Before actual use of the data, a local/national medical ethics committee (MEC) reviews the data. Once the committee approves it, the data may be used for research purposes.
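As an added example (not code from this chapter or from the VISCERAL project), the following Python parses a DICOM header of the kind described in Section 4.2, encoded as an explicit-VR little-endian element stream, and blanks the header tags that the VISCERAL description says were removed, while passing the pixel data through unchanged. The tag numbers are assumed from the DICOM data dictionary, and the sample header is constructed here rather than taken from any real study.

```python
import struct

# Header tags the VISCERAL description says were removed (tag numbers assumed
# from the DICOM data dictionary). Text burned into the pixels is not covered
# by header scrubbing and needs separate image-level processing.
PHI_TAGS = {
    (0x0008, 0x0020): "StudyDate",
    (0x0010, 0x0010): "PatientName",
    (0x0010, 0x0020): "PatientID",
    (0x0010, 0x0030): "PatientBirthDate",
}
# VRs whose explicit-VR encoding uses 2 reserved bytes and a 4-byte length.
LONG_VRS = {b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN"}

def encode_element(group, element, vr, value):
    """Encode one explicit-VR little-endian element; DICOM requires even lengths."""
    if len(value) % 2:
        value += b"\x00" if vr in LONG_VRS else b" "
    if vr in LONG_VRS:
        return struct.pack("<HH2sxxI", group, element, vr, len(value)) + value
    return struct.pack("<HH2sH", group, element, vr, len(value)) + value

def parse_elements(data):
    """Yield (group, element, vr, value) from an explicit-VR little-endian stream."""
    pos = 0
    while pos < len(data):
        group, element, vr = struct.unpack_from("<HH2s", data, pos)
        if vr in LONG_VRS:
            (length,) = struct.unpack_from("<I", data, pos + 8)
            pos += 12
        else:
            (length,) = struct.unpack_from("<H", data, pos + 6)
            pos += 8
        yield group, element, vr, data[pos:pos + length]
        pos += length

def deidentify(data, replacement=b"ANONYMIZED"):
    """Return (scrubbed_bytes, names_of_removed_tags); pixel data is untouched."""
    out, removed = bytearray(), []
    for group, element, vr, value in parse_elements(data):
        if (group, element) in PHI_TAGS:
            removed.append(PHI_TAGS[(group, element)])
            value = b"" if vr == b"DA" else replacement  # dates blanked, text replaced
        out += encode_element(group, element, vr, value)
    return bytes(out), removed

# Constructed sample header (not a real patient): PHI elements, a non-PHI
# Modality element and a tiny OW pixel-data element.
SAMPLE = b"".join([
    encode_element(0x0008, 0x0020, b"DA", b"20200115"),
    encode_element(0x0008, 0x0060, b"CS", b"CT"),
    encode_element(0x0010, 0x0010, b"PN", b"DOE^JANE"),
    encode_element(0x0010, 0x0020, b"LO", b"MRN-12345"),
    encode_element(0x0010, 0x0030, b"DA", b"19700101"),
    encode_element(0x7FE0, 0x0010, b"OW", bytes(range(16))),
])
```

Calling `deidentify(SAMPLE)` returns the scrubbed byte stream together with the names of the tags it blanked, so a pipeline can log what was removed without logging the removed values themselves.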
Storage and Transmission of Medical Images
The digitization of medical images has transformed healthcare and medical research. New technologies, smart phones and social media provide instant access to patients and their data by healthcare providers and research collaborators. Advanced storage and transfer capabilities have made it feasible to store medical images along with electronic records, but as the demand for capturing and storing images increases, so does the need for privacy measures. Healthcare professionals are heavily using social media like Facebook, Twitter and Instagram to transmit pathological images. The use of social media opens doors for researchers by allowing them easy access to such images. At the same time, however, it raises the challenges of protecting the privacy of patients’ personal information hidden in such medical images. The use of smartphones in order to produce and store medical images on social media also has risks like insecure data storage, tampering with the privacy of patients and the failure of the physician or institution to obtain the patient’s consent [5].
A blockchain-based approach has been proposed for retrieving medical images [6]. The inherent characteristics of blockchain technology are decentralization, anonymity and data consistency. These characteristics facilitate the secure sharing of data via cryptographic transactions. The authors of this paper identify and address two challenges. The first challenge is to share and retrieve large medical images through the storage-constrained blocks of a blockchain, and the second is to protect the privacy of a medical image while retrieving and analysing it. To overcome the first challenge, selected features of the image are used in place of the full image. To overcome the second challenge, a customized transaction structure is designed. Mingyan Lia et al. emphasize the problem of the illegal release of medical images by authorized users in group communication networks and set out design requirements that must be met to avoid this. A computationally feasible and scalable fingerprint model has been suggested by the authors [7].
This is achieved with the help of watermarking, i.e., the authorized user who leaked the image is traced from the watermark hidden inside the leaked image. Embedding such a watermark in medical images imposes requirements such as high image fidelity and robustness to frequency-selective operations.