Three-Dimensional Image Security

Imaging plays a crucial role in clinical trials to test new drugs or devices because images provide a unique and fast diagnosis with visual observance and quantitative assessments.

(PHOTOGRAPHY: COMSTOCK, EYEWIRE ILLUSTRATION: JENNIFER FOLEY)

Image exams (trial data) generated in the field sites are generally sent to a trial center for archiving and further distributed to the expert sites for reviewing.^1-4 As the image data is transferred across public networks, such as the Internet, image security issues arise. A solution has been developed that provides the means for assuring image integrity and authenticity. In addition, issues relating to this solution are discussed when deploying this new technology within trial sites.

In general, image security includes privacy, authenticity, and integrity.⁵ Privacy refers to who can access the image data. Authenticity refers to whether the image data is actually from the original field site. Integrity refers to whether the image has been altered or destroyed by unauthorized persons.

Current IT solutions

Current IT solutions include utilizing SSL (secure socket layer)⁶ or VPN (virtual private network)⁷ for assuring image authenticity and integrity during image transmission. A typical SSL or VPN process in the image data transmission is as follows:

1. Authentication between two sites—in the case of a clinical trial, an example would be a field site and the trial center.

2. Exchange a session key that locks and unlocks the data during transmission between two sites.

3. The sender site (the field site) splits an image into multiple small data packages.

4. The sender site creates a digital signature of the first data package and attaches the digital signature to the first package for integrity assurance. The signature attached data package is then encrypted (locked) using the session key and sent to the receiver site.

5. The receiver site decrypts (unlocks) the received data package and extracts and verifies the digital signature from the package. If the verification of the digital signature fails, the entire transmission is dropped. If the verification succeeds, steps 4 and 5 are repeated for other data packages until the entire image is received.

Limitations of current IT solutions

These IT solutions may work for most two-dimensional trial image exams like an X-ray image. However, they can be inefficient for three-dimensional (3-D) trial image exams that acquire a large number of images, such as a multidetector CT exam.

For example, a 3-D volume CT image exam may contain hundreds or even thousands of images. Using SSL/VPN technologies for assuring the integrity and authenticity of the 3-D image exam requires creating at least hundreds or thousands of digital signatures. The creation of the digital signatures alone will take more than several minutes, not to mention the long delay for image transmission over the Internet caused by the overall SSL/VPN process. For clinical trials that span nationwide or globally, this can result in an unacceptable delay in image transmission over the limited Wide Area Network bandwidth.

In addition to the inefficiencies described above, these solutions (SSL/VPN) are ineffective in detecting any deletion or replacement of single images within a 3-D image exam during transmission. For instance, if a CT trial image exam includes 300 images and one image is replaced by another, current IT solutions are unable to detect the change because they only focus on the integrity of the individual image and have no knowledge of the entire 3-D image exam. Since 3-D image exams in clinical trials are reviewed in their entirety, it is crucial to assure the integrity and authenticity of the entire image exam for the objectivity of the trial outcomes.

New technology: The LDSE method

We have developed a new technology specifically for assuring the 3-D image integrity and authenticity: LDSE (lossless digital signature embedding).⁸ Although digital signature embedding techniques have been around for quite some time, the application of this method to medical images is entirely new.

Unlike other methods, LDSE permanently embeds the digital signature of a 3-D image exam into the image pixels of every image in the exam. However, the images are fully restored once the digital signature is extracted and no image data is ever lost, hence the term "lossless." In addition, the embedded digital signature travels with the exam and can be extracted to verify the integrity and authenticity of the image exam at any point of the exam's life span.

Features of the LDSE method:

• One single digital signature is created for all the images of a 3-D image exam. This digital signature can detect the change of any single pixel of the image and the change in order of the images of an entire 3-D image exam. Therefore, the integrity of the 3-D image exam is assured.

• The digital signature can only be created by the owner of the 3-D image exam; in the case of a clinical trial, this would be the field site. By verifying the digital signature, the trial center can ensure that the image exam originated from a pre-approved field site.

• The embedding of the digital signature is a fully reversible process so that the entire original 3-D image exam can be restored at anytime. This is a key feature since the original image exam is always required for clinical review.

An LDSE scenario

The following is a use-case scenario that shows how this new technology can be utilized for a clinical trial that contains medical imaging data. First, assuming a CT trial image exam is generated in a field site and needs to be sent to a trial center for archiving, Figure 1 shows how to use this LDSE method to assure the integrity and authenticity of the 3-D image exam during transmission.

Figure 1. LDSE software allows the trial center to verify the authenticity of the 3-D image sent by the field site.

• At the field site:

—Install the LDSE software in the computer where the field site is going to send images to the trial center.

—Once the LDSE software is set up, it will automatically take a 3-D image exam and create a single digital signature for all the images of a particular trial exam.

—The digital signature is then automatically embedded into pixels of every image within that trial image study.

—The signature embedded 3-D image exam is sent to the trial center for archiving.

• At the trial center:

—The same LDSE software is installed in the computer where the trial center receives the images.

—Once a signature embedded image exam is received, the embedded digital signature is automatically extracted and the original exam is automatically restored by the LDSE software.

—The extracted digital signature is automatically verified with the restored exam by the LDSE software. If the verification is successful, the restored exam is guaranteed to be the same as the original image exam. Therefore, the integrity and authenticity of the 3-D image exam is assured.

This same use-case scenario can be applied to image transmission between a trial center and an expert site.

LDSE vs DICOM TLS in image transmission

Experiments using LDSE for image transmission over public networks have been performed and the overall time of image transmission and the LDSE process has been obtained and tabulated. To compare the performance of LDSE with current IT solutions, the image transmission using DICOM TLS (Transport Layer Security) was also performed and the time measured and tabulated. Table 1 lists the time performance of LDSE and DICOM TLS for three types of image sets tested.

Table 1. Time performance* of LDSE vs DICOM TLS in image transmission.

The experimental results show that image transmission speed with DICOM TLS is about two times slower than the transmission speed without any security technology, while it is only about one and a half times slower using LDSE. This becomes a significant improvement when the number of images in an image set increases and the transmission time of the image set becomes long (e.g., a 30-second improvement is achieved by transmission using LDSE over DICOM TLS).

The results demonstrated that the LDSE method is more efficient than the current IT security technology for assuring the integrity and authenticity of 3-D image exams transferred over public networks.

Results and experiences

The LDSE method has been tested and evaluated within a clinical trial testbed set up at the Image Processing and Informatics (IPI) Laboratory. The clinical trial testbed is a prototype information system specifically developed for managing and storing clinical trial image exams using grid computing technology.^9-11 In addition to security issues, another challenge facing trial centers involved in imaging-based trials is how to transfer large amounts of images quickly from field sites to trial center and how to manage the image data effectively.

With the ever-increasing amount of trial images being generated every day, it becomes extremely difficult to manage and store all these images. The clinical trial testbed developed at IPI based on grid computing technology aims to tackle this issue by providing a scalable and user-transparent storage system to the clinical trial centers. Together with this new technology for security of 3-D image exams, these solutions provide imaging-based trials with a robust, scalable, and secure distribution and storage management system for trial image studies.

The following issues should be considered when deploying this security technology for assuring the integrity and authenticity of clinical trial image exams:

• The security technology should not interrupt current workflow or change any current setup. For instance, a security technology should not cause a change in the image format that could result in additional work to reconvert the image exams back to their original format. Any change means additional training and support and may cause unexpected problems to the clinical trials. The LDSE technology is compliant with the clinical trial imaging standard of DICOM (digital imaging and communications in medicine).¹² The LDSE software can be seamlessly integrated to the current clinical trial setup without any additional changes to the workflow.

• The security technology should be simple and foolproof—it should require minimum user interaction and can recover itself from most software failures. This is extremely important because most trial staff are not IT experts and should not have to deal with the security software at any time. The LDSE technology is implemented running in the background automatically and requires no user management after it is installed within a computer.

Summary

With HIPAA¹³ regulations currently being enforced, data security issues have become an inevitable and critical concern for every clinical trial site. Images, especially 3-D images, are one of the most difficult data to protect from malicious alteration or destruction. In this article, a new security technology has been presented for assuring integrity and authenticity of 3-D clinical trial image exams based on the limitations of current IT solutions. This new technology could bring a robust, powerful, and easy-to-use security solution for clinical trials that utilize 3-D image studies.

References

1. C.L. Meinert, Clinical Trials: Design, Conduct, and Analysis (Oxford University Press, Oxford, 1986).

2. S. Piantadosi, Clinical Trials: A Methodologic Perspective (John Wiley & Sons, New York, 1997).

3. S.C. Chow and J.P. Liu, Design and Analysis of Clinical Trials: Concepts and Methodologies (John Wiley & Sons, New York, 2004).

4. M.F. McNitt-Gray, S.G. Aramato, L.P. Clarke, G. McLennan, C.R. Meyer, and D.F. Yankelevitz, "The Lung Imaging Database Consortium: Creating a Resource for the Image Processing Research Community," Radiology, 225 (2002), 739–748.

5. Information Processing Systems, Open Systems Interconnection, Basic Reference Model–Part 2: Security Architecture, ISO 7498, 2, 1989.

6. Secure Socket Layer (SSL), http://wp.netscape.com/eng/ssl3/draft302.txt.

7. Virtual Private Network (VPN), http://en.wikipedia.org/wiki/VPN.

8. Z. Zhou, "Lossless Digital Signature Embedding for Medical Image Integrity Assurance," PhD Dissertation, University of Southern California, Los Angeles, CA, August 2005.

9. Z. Zhou, M. Gutierrez, J. Documet, L. Chan, H.K. Huang, B. Liu, "The Role of a Data Grid in Worldwide Imaging-Based Clinical Trials, High Speed Network, 16, 21-33 (2007).

10. Z. Zhou and B.J. Liu, "HIPAA Compliant Architecture for Workflow Auditing of Medical Imaging Systems," Computerized Medical Imaging and Graphics, 29, 235–241 (2005).

11. B.J. Liu, Z. Zhou, J. Documet, "Utilizing Data Grid Architecture for the Backup and Recovery of Clinical Image Data," Computerized Medical Imaging and Graphics, 29, 95–102 (2005).

12. Digital Imaging and Communications in Medicine (DICOM) 2007, http://medical.nema.org/dicom/2007.

13. HIPAA, http://www.hhs.gov/ocr/hipaa/.

Zheng Zhou* is with the Image Processing & Informatics Laboratory, Radiology, at the University of Southern California, 4676 Admiralty Way, Suite 601, Marina del Rey, CA 90503, email: zhengzho@gmail.comBrent Liu is the associate director of the Image Processing & Informatics Laboratory and assistant professor of radiology at the University of Southern California. H.K. Huang is the director of the Image Processing & Informatics Laboratory and professor of radiology at the University of Southern California.

*To whom all correspondence should be addressed.