eHealth Beyond the Horizon – Get IT There
S.K. Andersen et al. (Eds.)
IOS Press, 2008
© 2008 Organizing Committee of MIE 2008. All rights reserved.

Watermarking Medical Images with Anonymous Patient Identification to Verify Authenticity

Gouenou COATRIEUX (a), Catherine QUANTIN (b), Julien MONTAGNER (a), Maniane FASSA (b), François-André ALLAERT (c), Christian ROUX (a)
(a) Inserm U650, LaTIM; GET ENST Bretagne, Dpt. ITI
(b) Dpt. of Biostatistics & Medical Informatics, Inserm U866, CHU de Dijon
(c) Dpt. of Epidemiology and Biostatistics, McGill University, Montreal, Canada

Abstract: When dealing with medical image management, there is a need to ensure information authenticity and dependability. Being able to verify the information belongs to the correct patient and is issued from the right source is a major concern. Verification can help to reduce the risk of errors when identifying documents in daily practice or when sending a patient's Electronic Health Record. At the same time, patient privacy issues may appear during the verification process when the verifier accesses patient data without appropriate authorization. In this paper we discuss the combination of watermarking with different identifiers ranging from DICOM standard UID to an Anonymous European Patient Identifier in order to improve medical image protection in terms of authenticity and maintainability.

Keywords: Watermarking, Medical Imaging, Unique Patient Identifier, Authenticity, Maintainability.

Introduction

The evolution of medical information systems, supported by advances in information technology, enables information to be shared between distant health professionals and manipulated and managed more easily. However, at the same time, more attention should be paid to information protection. For example, though the control of access to information has become tighter, when access is given, it is still difficult to guarantee that the information concerning a particular patient remains gathered in one place.
When dealing with information protection, we must distinguish between security and dependability. Security can be defined in terms of confidentiality, availability, integrity and authenticity [1]. In this paper, our interest concerns first of all authenticity; that is, providing proof that the information belongs to the correct patient and is issued from the right source. As we will discuss later, authenticity requires the creation of a code to identify one document uniquely and to establish a link between one document and one patient. This authentication code needs to accompany the information it is associated with.

Dependability mostly concerns the computing system. It can be described as a composite of availability (of a service), reliability (continuity of service) and maintainability (ability to undergo modifications and repairs). In this paper, we will discuss how maintainability with regard to medical images can be achieved using authenticity mechanisms.

Recently, watermarking has been proposed for medical information protection. Even though most of the work on watermarking has concerned medical images in order to verify image integrity or improve confidentiality [2], watermarking also provides a new way to share data. Basically, watermarking is defined as the invisible embedding or insertion of a message in a host document, an image, for example. In that way, watermarking is similar to steganography, which means hidden (“stegano”) writing (“graphy”). However, contrary to steganography, with watermarking the hidden message is related to the host document and the presence of the message in the host is known to the users. As we will show later in this paper, watermarking makes it possible to introduce new security and management layers much closer to the host data: at the signal level.
To our knowledge, very few studies have been devoted to authenticity control of medical images. For this purpose, we discuss in this paper ways to combine watermarking with different authenticity codes ranging from the UID of DICOM [3] to the European Identification Number introduced by Quantin et al. in [4].

1. Watermarking in healthcare

In this section we recall the relevance of watermarking as a complementary security mechanism for medical data within medical information systems.

1.1. Embedding data in host image data

A general chain of watermarking is depicted in figure 1. At the embedding stage, the message (stego-message) is inserted by modifying the host document in an “imperceptible” way. Such a host can be a signal, an image, a video, a text or a database. “Imperceptible” means that the watermarked document can be used instead of the original document without interference.

Figure 1. A general chain of watermarking. (Diagram labels: stego-message (m), host document (I), embedder, watermarked document Iw, reader, secret key.)

Applied to an image, embedding consists in slightly modifying its pixel gray level values to insert the message. Two approaches are usually distinguished. A first set of methods, spread-spectrum-like methods, embeds one bit of the stego-message by adding a random sequence to some pixels of the image. This random sequence of gray values, which can be called a pattern, is derived from the secret watermarking key. For example, the key can be the seed of a pseudo-random sequence generator. As a consequence, each bit of the message corresponds to the modification of several pixels in the image. The insertion can be viewed as the addition of a signal, a watermark w, to the image I. The watermark w corresponds to the set of random sequences, or patterns, that encode the stego-message.
At the reception of the image, extraction of each bit of the message relies on the detection of each modulated random sequence in the watermarked image Iw through a correlation measurement. To improve the imperceptibility of the watermark, “psychovisual masking” is used to determine the maximum watermark amplitude that can be applied before the watermark becomes visible.

In the second type of method (such as Quantization Index Modulation [5]), an element from a dictionary is substituted for the original information. For example, one can substitute the least significant bits of the image with those of the stego-message. In this case, the dictionary creates the correspondence between the bits of the message and the parity of the gray levels (e.g. 255 → 1, 254 → 0, 253 → 1, …). One simply has to read the image and interpret the observed gray values using the dictionary to decode the message. For more details about watermarking, the reader may refer to [5].

1.2. Applications in healthcare

1.2.1. Methods for watermarking medical images

Because modifying gray levels of a medical image may interfere with its interpretation and consequently with the diagnosis, specific methods have been proposed. These methods are based on the same principles as the methods previously described. One class of methods is based on reversible or lossless watermarking schemes. Once the embedded message has been interpreted, the watermark can be completely removed from the image, thus enabling the original image to be retrieved. Figure 2(a-c) gives an illustration of such a method [6]. In another method, an unimportant area of the image, the black background, for example, is watermarked. Such an approach leaves the information of interest for the diagnosis intact.

Figure 2. Illustration of the reversible watermarking method [6] used in a Magnetic Resonance Image of the Head (256x256 pixels, encoded on 12 bits): (a) original image; (b) reversibly watermarked image; (c) difference signal, that is, the watermark w, whose amplitude equals +/-1 or 0.

1.2.2. Interest in medical imaging

In medical imaging, it has been shown that watermarking can improve data protection and content enrichment. The insertion of meta-data facilitates data management [7][8]. For example, the medical knowledge illustrated by the content of one image can be summarized in a “knowledge digest” and shared with the image attached to its pixel values [8]. For medical image protection most applications have been devoted to integrity control and confidentiality. Regarding confidentiality, it is often considered that embedding makes it more difficult for unauthorized persons to gain access to the information [9]. In fact, it is more difficult to gain access to the embedded message than to an ancillary message. Integrity control can be achieved in different manners [2]. One simple way is to embed a digital signature of the image in the image itself. The verification process will extract the embedded signature and compare it to the recomputed one. Any difference between the two signatures indicates a loss of image integrity. To our knowledge, few applications cover the issue of authenticity. However, watermarking could be of great help not only to verify authenticity but also to improve the maintainability of medical data (see section 3.1).

2. Watermarking for authenticity and maintainability of medical images

2.1. Authenticity and maintainability through watermarking

As defined, authenticity is based on proof that the information belongs to one patient and has been issued from the right source. This proof corresponds to an authenticity code (AC) associated with one image.
The authenticity of an image can be verified in different ways with watermarking. If the AC of one image is known a priori (for example stored in the header of the image file) one approach is to verify the AC validity. To achieve this, one can embed in the image the sequence of bits which corresponds to its AC. As illustrated in figure 3a, the verification process will extract the AC and compare it with the one contained in the header. One constraint to be considered here is that in order to exploit the watermarking method it must be possible to insert the binary representation of the AC in the image. An alternative to this scheme is illustrated in figure 3b where the AC is used to generate the watermark signal (a random sequence, see section 2.1) which is then added to the image. In this case, authenticity verification relies on the detection of the watermark in the watermarked image. If the AC is not known a priori, this alternative requires testing all possible AC values and retaining the AC which provides the greatest correlation measurement, which is much more complex than with the first approach.

Figure 3. Verifying the authenticity of an image: (a) the binary representation of the AC is embedded in the image; (b) a watermark derived from the AC is added to the image. (Diagram labels, protection stage: image I, authenticity code C, secret key, embedder or watermark generator, watermarked image Iw. Verification stage: (a) watermark reader, extracted authenticity code Ĉ, comparison with C, yes/no; (b) watermark generator, watermark detection, yes/no.)

As it becomes possible to retrieve the AC from the signal itself, watermarking can also be used to repair the link between one image, its origin and the patient it belongs to. This situation may occur after a change of the image file format, for example, when the original file header information is lost or altered.
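The figure 3b scheme as an added example (not code from the paper): the secret key and the AC seed a +/-1 pattern that is added to the image, verification is a correlation test, and an unknown AC is found by testing every candidate. The pattern construction, the strength alpha = 2, the alpha/2 threshold, the AC strings and the sample host are assumptions made for illustration.

```python
import hashlib
import random

def pattern(key: bytes, ac: str, n: int) -> list[int]:
    """Pseudo-random +/-1 sequence w, seeded from the secret key and the AC."""
    seed = int.from_bytes(hashlib.sha256(key + b"|" + ac.encode()).digest(), "big")
    rng = random.Random(seed)
    return [rng.choice((-1, 1)) for _ in range(n)]

def embed(pixels: list[int], key: bytes, ac: str, alpha: int = 2) -> list[int]:
    """Iw = I + alpha * w, clipped to the 12-bit gray-level range."""
    w = pattern(key, ac, len(pixels))
    return [min(4095, max(0, p + alpha * s)) for p, s in zip(pixels, w)]

def correlation(pixels: list[int], key: bytes, ac: str) -> float:
    """Correlate the mean-removed image with the pattern this AC would produce."""
    w = pattern(key, ac, len(pixels))
    mean = sum(pixels) / len(pixels)
    return sum((p - mean) * s for p, s in zip(pixels, w)) / len(pixels)

def verify(pixels: list[int], key: bytes, ac: str, alpha: int = 2) -> bool:
    """AC known a priori (e.g. from the header): is its watermark present?"""
    return correlation(pixels, key, ac) > alpha / 2

def identify(pixels: list[int], key: bytes, candidates: list[str]) -> str:
    """AC unknown: test every candidate and keep the greatest correlation."""
    return max(candidates, key=lambda ac: correlation(pixels, key, ac))

def sample_host(n: int = 128 * 128) -> list[int]:
    """Constructed low-contrast 12-bit region, so the host barely masks w."""
    rng = random.Random(2008)
    return [1000 + rng.randrange(41) for _ in range(n)]

if __name__ == "__main__":
    key = b"constructed-secret-key"
    # Constructed candidate ACs (hypothetical UID and identifier strings).
    acs = ["1.2.3.4.5.6.7.8.%d|anon-id-%d" % (i, i) for i in range(1, 4)]
    iw = embed(sample_host(), key, acs[1])
    print(verify(iw, key, acs[1]), verify(iw, key, acs[0]), identify(iw, key, acs))
```

The cost of `identify` grows linearly with the number of candidate ACs, which is the complexity penalty the text attributes to this alternative when the AC is not known a priori.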
Hence, the embedded message simply has to be extracted from the image in order to recover the image’s AC. In this way, it can help ensure system maintainability. However, the method should guarantee that the embedded AC can be retrieved exactly, which requires a watermark that is sufficiently robust to resist possible image alterations. The question of confidentiality arises when verifying that the information belongs to the correct patient. How can we ensure privacy? This question has to be considered when structuring the AC.

2.2. Codes for authenticity

For images, an authenticity code is the combination of image and patient identifiers.

2.2.1. DICOM image identifier codes

DICOM (Digital Imaging and Communications in Medicine) is the standard of reference for medical images. This standard is developed by the American College of Radiology and the National Electrical Manufacturers Association, in liaison with other standardization organizations such as the CEN TC251 in Europe and the ANSI in the USA. DICOM technically guarantees data confidentiality, authentication of data origin, data integrity and digital signature through its international standards [3]. DICOM makes use of Unique Identifiers (UIDs) to uniquely identify DICOM objects such as images. These UIDs are based on the OSI object identification as defined by the ISO 8824 standard. One UID, which can be defined privately, is constituted of two parts: <org.root>.<suffix>, each composed of a number of numeric components. The prefix <org.root> identifies an organization and is issued by a registration authority (e.g. USA ANSI). The <suffix> is defined by the organization itself, which has to guarantee uniqueness of the <suffix>. Consequently, and as stated by the standard, a UID only ensures uniqueness of one DICOM object. It cannot be parsed as it does not contain any semantics.
As it is, such a UID is useful in the unique identification of an image. However, the issuing organization must not include information about the patient in the suffix as this data could jeopardize privacy once the suffix structure is known.

2.2.2. Patient identifiers (Id)

Several methods for patient identification have been developed. For example, DICOM proposes a method which seems complete and exhaustive, reliable and accurate. This method is based on a “Patient Module” that contains patient-related data such as: Patient’s Name, Birth and Gender, Mother's Birth Name, Country and Region of Residence, Ethnic Group, Patient’s Religious Preference and so on. Concerns related to DICOM data confidentiality with regard to the sensitive nature of the data can be raised. For example, the French authority for personal data protection has forbidden the communication of information such as Patient's Ethnic Group and Patient's Religion. A solution would be to render such patient information anonymous. However, there is no guarantee that this solution would be authorized by French authorities. To overcome this issue, and given that today there is no international harmonisation context for patient identification [10], our view is to propose another patient identification method.

In Europe, patient identification methods vary from country to country. Most of the North European countries (Finland, Denmark, Luxembourg,…) use the national identity number for health purposes. In some countries, a specific national patient identification number is used, as in the United Kingdom, or planned, as in the Netherlands and Ireland. In southern European countries, patient identification is based on regional specific patient identifiers. France and Belgium are developing a project related to specific healthcare national patient identifiers rendering anonymous the social security number.
To guarantee interoperability of these different patient Ids, we suggest keeping the national health numbers and combining them with an anonymized “pivot” Id, such as a family-based identifier referring to family medical records [4]. A pivot Id ensures the link to the identifiers of other countries. To ensure anonymity, the identifier is calculated by applying a cryptographic hash function to a family-based identifier which is composed of nine key variables (last name, first name and date of birth of the patient, the patient’s mother and the patient’s father). The reader may refer to [10] for more details. This system has been validated by the French authority for personal data protection and patented (see international patent n° 11/683,003).

The efficiency and accuracy of the method we propose for authenticity verification of images relies on the incorporation of this anonymous patient identifier with the DICOM UID into an Authentication Code, and on the integration of the paired-up identifiers into the image with watermarking. Patient information confidentiality will be ensured because the identifier is truly anonymous. This new method may allow medical image managers to gather the data of the same patient everywhere, anytime without knowing the true identity of that patient. With regard to management, utilization and secure access, it is very difficult to gather scattered data of the same patient. Our method thus provides a solution to these issues, while ensuring privacy.

3. Conclusion

Access to or sharing of an isolated medical document requires that the document can be identified. Watermarking can be used to provide proof of the authenticity of medical images, that is to say that the medical information belongs to one patient and has been issued from the right source.
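The proposed method end to end, as an added example (not code from the paper or the patented system): an anonymous Id is computed from the nine key variables, paired with a DICOM UID into an AC, embedded by least-significant-bit substitution as in section 1.1, then extracted and compared with the header copy as in figure 3a. HMAC-SHA-256 stands in for the unspecified hash function so the Id cannot be recomputed from guessed names and dates without the key; the normalisation, the "UID|Id" layout, the length prefix, the keyed pixel order and all sample values are assumptions.

```python
import hashlib
import hmac
import random
import unicodedata

def anonymous_id(hash_key: bytes, key_variables: list[str]) -> str:
    """Anonymous patient Id from the nine key variables (keyed hash: assumption)."""
    if len(key_variables) != 9:
        raise ValueError("expected nine key variables")
    norm = [unicodedata.normalize("NFKD", v).encode("ascii", "ignore")
            .decode().upper().strip() for v in key_variables]
    return hmac.new(hash_key, "\x1f".join(norm).encode(), hashlib.sha256).hexdigest()

def authenticity_code(uid: str, anon_id: str) -> bytes:
    """AC = DICOM UID paired with the anonymous Id (layout is an assumption)."""
    return f"{uid}|{anon_id}".encode("ascii")

def positions(wm_key: bytes, n: int) -> list[int]:
    """Key-dependent pixel order, so only key holders can locate the bits."""
    order = list(range(n))
    seed = int.from_bytes(hashlib.sha256(wm_key).digest(), "big")
    random.Random(seed).shuffle(order)
    return order

def embed_ac(pixels: list[int], wm_key: bytes, ac: bytes) -> list[int]:
    """Substitute pixel LSBs with a 16-bit length prefix followed by the AC."""
    payload = len(ac).to_bytes(2, "big") + ac
    bits = [(byte >> s) & 1 for byte in payload for s in range(7, -1, -1)]
    if len(bits) > len(pixels):
        raise ValueError("AC does not fit in this image")
    out = list(pixels)
    for pos, bit in zip(positions(wm_key, len(pixels)), bits):
        out[pos] = (out[pos] & ~1) | bit
    return out

def extract_ac(pixels: list[int], wm_key: bytes) -> bytes:
    """Read the gray-level parities back in key order and decode the AC."""
    bits = [pixels[pos] & 1 for pos in positions(wm_key, len(pixels))]
    def read(start, nbytes):
        chunk = bits[start:start + 8 * nbytes]
        return bytes(sum(b << (7 - i) for i, b in enumerate(chunk[k:k + 8]))
                     for k in range(0, len(chunk), 8))
    return read(16, int.from_bytes(read(0, 2), "big"))

def verify(pixels: list[int], wm_key: bytes, header_ac: bytes) -> bool:
    """Figure 3a: compare the extracted AC with the one stored in the header."""
    return hmac.compare_digest(extract_ac(pixels, wm_key), header_ac)

# Constructed sample data (not from the paper).
UID = "1.2.3.4.5.6.7.8.9"
FAMILY = ["Dupont", "Élise", "1970-01-01",   # patient: last, first, birth date
          "Martin", "Anne", "1945-02-02",    # mother
          "Dupont", "Jean", "1943-03-03"]    # father
IMAGE = [(37 * i) % 4096 for i in range(64 * 64)]   # 12-bit gray levels

if __name__ == "__main__":
    ac = authenticity_code(UID, anonymous_id(b"constructed-hash-key", FAMILY))
    print(verify(embed_ac(IMAGE, b"constructed-wm-key", ac), b"constructed-wm-key", ac))
```

LSB substitution is fragile: recompression or gray-level rescaling destroys the embedded AC, so the link-repair use described in section 2.1 needs a more robust embedding than this one.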
The possibility of inserting a watermark in a document to identify the patient, without interfering with the document's usefulness, will be a real step forward if the paradox of cryptic patient identification can be solved (anonymous for unauthorized users and accessible and available for those who are authorized). The quality of authentication also depends on the codes used. The DICOM proposal appears to be one of the best methods for the identification of the image and its source, but the user has access to the identity of the patient. The sensitive nature of some patient information obliges us to develop alternative methods. Our proposal combines an anonymized pivot number identifier with national patient identifiers so as to guarantee privacy and interoperability. This method may also provide a solution to the problem of the identification of lost medical documents.

References

[1] G. Coatrieux, H. Maître, B. Sankur, Y. Rolland, R. Collorec, Relevance of watermarking in medical imaging, ITAB00, Arlington, USA, Nov. 2000.
[2] G. Coatrieux, L. Lecornu, B. Sankur, C. Roux, A review of Image watermarking applications in healthcare, EMBC06, New York, USA, Sept. 2006.
[3] Parts of the DICOM standard available at: http://medical.nema.org/
[4] C. Quantin, F.A. Allaert, B. Gouyon, O. Cohen, Proposal for the creation of a European healthcare identifier, MIE05, Geneva, Switzerland; Stud. Health Technol. Inform., 116:949–954, Aug. 2005.
[5] P. Moulin, R. Koetter, Data-hiding codes, Proc. of the IEEE, 93:2083–2126, 2005.
[6] G. Coatrieux, M. Lamard, W. Daccache, J. Puentes, C. Roux, A low distorsion and reversible watermark: application to angiographic images of the retina, EMBC05, Shanghai, China, Sept. 2005.
[7] S. Cheng, Q. Wu, K.R. Castleman, Non-ubiquitous digital watermarking for record indexing and integrity protection of medical images, ICIP05, Genoa, Italy, vol. 2, Sept. 2005.
[8] C. Le Guillou, G. Coatrieux, J.-M. Cauvin, L. Lecornu, C. Roux, Enhancing shared medical image functionalities with image knowledge digest and watermarking, ITAB06, Ioannina, Greece, Oct. 2006.
[9] R. Acharya, U.C. Niranjan, S.S. Iyengar, N. Kannathal, L.C. Min, Simultaneous storage of patient information with medical images in the frequency domain, Comput. Meth. Prog. Bio. 76:13–19, 2004.
[10] C. Quantin, O. Cohen, B. Riandey, F.-A. Allaert, Unique patient concept: a key choice for European epidemiology, Int. J. Med. Inform., 76:419–426, 2007.