MINUTES

Meeting: Working Group 14 (Security) of the DICOM Standards Committee
Place of Meeting: Kyoto, Japan
Date: Monday, April 2, 2001

Members Present
David Clunie          Comview Corporation
David Gobuty          Eastman Kodak
Wolfgang Leetz        Siemens AG
Eric Martin           Marconi Medical Systems
Isao Ohbayashi        JIRA
Charles Parisot       GE Medical Systems
Hidenori Shinoda      Toshiba
Dwight Simon          Merge Technologies
Lawrence Tarbox       Siemens Medical Systems
Hitoshi Yoshimura     Konica Medical Imaging, Inc.

Members Absent
Kees Smedema          Philips Medical Systems

Others Present
Emmanuel Cardonnier   ETIAM
Joel Chabriais        Societe Francaise de Radiologie
David Heaney          ALI Technologies
Minoru Hosoba         Shimadzu
Kiyonari Inamura      JIRA
Alan Rowberg          American College of Radiology

Presiding Officer: Lawrence Tarbox, Chairman

WG 14 (Security) of the DICOM Standards Committee April 2, 2001

1. Approval of Previous Minutes

The minutes of the WG 14 meeting held on December 1, 2000 in Chicago were approved as presented.

2. Supplement 31 (Security Enhancements One) and Supplement 41 (Security Enhancements Two)

Members reviewed experiences and lessons learned during the demonstrations on secure transport and on digital signatures on structured reports that were held at RSNA and ECR. Members also took account of previously received “public comments” and feedback from Working Group 6. Topics that were discussed include:

- How Structured Reports should refer to signed objects,
- How Structured Reports should refer to objects that have not been signed,
- Incompatibilities between the Japanese and European implementations.

Members decided that the first two topics should be handled in a new work item, instead of being incorporated into Supplement 41.
Based upon these discussions, members agreed to the following strategy:

- The ECR demo participants will investigate what caused the incompatibilities, and propose resolutions;
- Lawrence Tarbox will prepare a new draft of Supplement 41 that incorporates the results of these discussions plus the results of investigations into the incompatibilities, and circulate it to members of the working group;
- The ECR demo participants will be asked to make appropriate revisions in their demonstration code using the revised supplement and try again to exchange objects in order to check interoperability;
- Members will hold a telephone conference call to determine whether they agree that the document is, indeed, ready for consideration by WG-06 with the goal of sending it out for letter ballot.

3. Supplement 51 (Media Security)

Members reviewed public comments that had been received. Considerable attention was focused on whether there was any need for providing DICOMSEC as a file ID and, more importantly, how to manage encrypted media when one can’t read the encrypted files. Members agreed to eliminate DICOMSEC as a file ID, and merely encrypt DICOMDIR, as suggested in the open items list at the beginning of the supplement. This will significantly shorten the supplement.

Additionally, members agreed to ask Marco Eichelberg to make the necessary changes, circulate for review by members of the group, and, if approved, forward to Working Group Six for its review with the goal of sending the document to the DICOM Standards Committee for ballot. The group would like Mr. Eichelberg to add some text to the Foreword that will explain why CMS was chosen and the constraints that this choice imposes.

4. Supplement 55 (Attribute Level Confidentiality)

Members participated in a line-by-line review of proposed revisions to Supplement 55.
The editor will be asked to change the document in compliance with the recommendations of the group. It will then be circulated to members for a final review. Upon agreement of all parties, it can be submitted to WG 6 with the goal of requesting public comments.

5. Japanese Laws on Digital Signatures and Electronic Storage of Clinical Records

No additional information was available on this topic.

6. White Paper on Security Structure

Eric Martin presented a partially completed document called “Sample Integration Profiles with Enhanced Security” (dated March 21, 2001). He prepared this paper as a tutorial/introduction to security procedures and nomenclature. While the technical experts on this working group may not need the “training” provided by this document, it could be very helpful to standards writers who want to show how to provide secure IHE profiles. The remainder of the paper began identifying mechanisms that could be used to add security to IHE profiles.

Much additional work (by the entire group) will be required to develop a comprehensive paper on how one might treat security in IHE. The goal is not to create a complete profile for IHE but, instead, to create a handful of examples of how such a secure profile might look in order to identify and manage potential holes. Any holes detected could lead to the consideration of new work items to fill those holes.

7. New Business

Members requested that the secretary ask NEMA to develop a listserv for the group’s use.

8. Agenda for Next Meeting

For the purpose of advancing Supplements 41, 51 and 55, members saw no need to plan any face-to-face meetings prior to the November 2001 RSNA meeting in Chicago. However, one or two teleconferences will be scheduled to review revised versions of the three supplements. April 26 (8 AM on the east coast) was identified as a likely option for such a conference call.

Two face-to-face meetings were set for May 18, 2001 at NEMA and June 25 in Berlin.
These meetings will be used to explore what steps must be taken in order to provide for security in IHE.

9. Adjournment

The meeting was adjourned at 6:15 PM.

Submitted by
Howard E. Clark
Secretary WG-14 DICOM Standards Committee
April 11, 2001

Reviewed by Legal Counsel

WG-14 Min 10402