Protecting patient privacy against unauthorized release of medical images in a group communication environment

Mingyan Li a, Radha Poovendran a,*, Sreeram Narayanan b,1

a Department of Electrical Engineering, University of Washington, Seattle, WA 98195, USA
b Department of Radiation Oncology, University of Washington, Seattle, WA 98195, USA

Received 9 November 2004; accepted 8 February 2005

Computerized Medical Imaging and Graphics 29 (2005) 367–383. www.elsevier.com/locate/compmedimag. 0895-6111/$ - see front matter © 2005 Elsevier Ltd. All rights reserved. doi:10.1016/j.compmedimag.2005.02.003

* Corresponding author. Address: Department of Electrical Engineering, Paul Allen Center, AE 100R, Campus Box 352500, University of Washington, Seattle, WA 98195, USA. Tel.: +1 206 221 6512; fax: +1 206 543 3842. E-mail address: radha@ee.washington.edu (R. Poovendran).
1 The project was completed when he was a PhD student in the Department of Electrical Engineering at the University of Washington.

Abstract

In this paper, we identify and study an important patient privacy protection problem related to medical images. Following the Health Insurance Portability and Accountability Act (HIPAA) mandate on privacy protection of patients’ medical records, efforts have been devoted to guaranteeing the confidentiality of data and medical images during storage and during transmission over an untrustworthy channel. However, to our knowledge, there has not been any effort towards protecting against unauthorized release of images by an authorized recipient. In this paper, we study the problem of tracing illegally distributed medical images in a group communication environment and identify a set of design requirements that must be met. We propose a fingerprint model suitable for many-to-many multicast that is computationally efficient and scalable in user storage and key update communication. Simulation results also show that our scheme is highly robust to typical medical image processing and collusion attacks, while yielding high quality watermarked images.

Keywords: Medical image security; Watermarking; Multicast; Fingerprinting; Privacy protection; DICOM; HIPAA

1. Introduction

Privacy protection of medical images has always been an important issue in the management of patients’ medical records. As part of the Health Insurance Portability and Accountability Act (HIPAA), a set of standards for privacy protection of health data issued by the federal government took effect on April 14, 2003 [1]. HIPAA mandates that hospitals, medical professionals, and other health providers ensure the ‘confidentiality and integrity of individually identifiable health information, past, present or future’. As digital technology pervades our society, a vast number of medical images now exist in electronic format for easy storage, maintenance, and retrieval. Ubiquitous wired and wireless networks make it possible to access and share data among medical personnel, promoting high quality care for patients. However, the convenience of data access and distribution poses a great threat to the privacy of patients’ information. Constant efforts are being made to provide security solutions [2–5] to ensure that (i) medical images in transit cannot be read by unauthorized parties (confidentiality), (ii) images are not modified during transmission (integrity), and (iii) images delivered to the claimed receivers have in fact originated from the correct sources (authentication). The continuously updated Digital Imaging and Communication in Medicine (DICOM) standards provide guidelines to ensure authentication, integrity and confidentiality of medical images [2].

Security measures in DICOM [2] and the research on medical image security [3–5] focus on secure storage and secure transmission, that is, on protection before reception. However, after reception it is possible for a recipient to distribute a patient’s data to unauthorized parties, thereby violating the patient’s privacy. To the best of our knowledge, no one has yet addressed the problem of guaranteeing a patient’s privacy after the data has been accessed by an authorized recipient. Hence the HIPAA standards have not been fully addressed. We intend to fill the gap between the HIPAA mandate