Computer Network Security for the Radiology Enterprise

Special Review
John Eng, MD
Index terms:
Computers
Digital imaging and communications
in medicine (DICOM)
Internet
Intranet
Picture archiving and communication
system (PACS)
Teleradiology
Published online: July 19, 2001
10.1148/radiol.2202001609
Radiology 2001; 220:303–309
Abbreviations:
DICOM = Digital Imaging and Communications in Medicine
HCFA = Health Care Financing Administration
HIPAA = Health Insurance Portability and Accountability Act
PACS = picture archiving and communication system
VPN = virtual private network
1 From the Russell H. Morgan Department of Radiology and Radiological Science, Johns Hopkins University School of Medicine, 600 N Wolfe St, Central Radiology Viewing Area, Rm 117, Baltimore, MD 21287. Received June 5, 2000; revision requested July 10; revision received November 6; accepted November 20. Address correspondence to the author (e-mail: [email protected]).
© RSNA, 2001
As computer networks become an integral part of the radiology practice, it is
appropriate to raise concerns regarding their security. The purpose of this article is
to present an overview of computer network security risks and preventive strategies
as they pertain to the radiology enterprise. A number of technologies are available
that provide strong deterrence against attacks on networks and networked computer systems in the radiology enterprise. While effective, these technologies must
be supplemented with vigilant user and system management.
Computer networks are becoming an integral part of many radiology practices, being a
critical component in strategies for growth of radiology practices to an enterprise level and
in enhancing their workflow efficiency. The shareability, standardization, and geographic
independence provided by computer networks have made them a highly successful
method for transmitting data among medical image acquisition modalities, image display
workstations, and other computer equipment. However, these favorable characteristics are
also responsible for substantial security risks.
While computer network security is a complex, often arcane subject, a basic understanding
of security threats is helpful in making appropriate strategic decisions about allocating resources to deal with the problem. The purpose of this review is to provide a basic understanding of the security concepts and risks that arise when computers are connected to networks,
and special attention is paid to radiology applications. An attempt is made to avoid advanced
technical details that are thoroughly presented in numerous books (1,2) and articles (3). As in
other aspects of computer networking, the subject of security is rapidly evolving. One of the
most valuable sources of up-to-date advisories, reports, and technical tips is the CERT Coordination Center (4), a major Internet security clearinghouse funded by the U.S. government.
Computer network security can be divided into two major categories. One category
concerns the protection of computer systems against access by unauthorized users. For
convenience, in the following discussion this category will be referred to as access security.
The second category concerns the protection of data transmission against electronic
eavesdropping, content alteration, and faking of the identity of the sender. This category
will be referred to as data security. While it can be correctly argued that access security
involves computer systems and not necessarily computer networks, access security deserves to be included in any discussion of network security, because the network is a
common source of breaches of access security.
This review will not address some important topics in computer security that are not
directly related to networks, particularly the protection against accidental risks such as
computer hardware failure, electric outages, air conditioning failure, fire, and natural
disasters. However, these concerns must be addressed in any location in which data are
stored, despite the exclusion of these topics from the present discussion.
The discussion of access security will be divided into two major categories of networked
computing environments from which security threats originate: the internal institution
network, often called the intranet, and the external public Internet. Attention will be given
to how these environments relate to radiology practice. Data security will be discussed in
the context of teleradiology, a common network application in radiology. Some general
recommendations will be offered.
It will be apparent that user and system management is critical in many, if not all,
security strategies, despite the relatively unassuming connotation of these terms. User
management refers to the continuous active monitoring of users who are allowed to access
the computer system and to the control of privileges assigned to these users. System
management refers to the active ongoing maintenance of the computer and network
systems. Competent user and system
management requires the devotion of
tangible human and capital resources.
INTERNAL THREATS TO THE
ACCESS SECURITY OF A
COMPUTER NETWORK
Address Spoofing
The Digital Imaging and Communications in Medicine (DICOM) standard (5)
is the one most commonly implemented
in medical imaging equipment. However, it is a standard for only data communication; therefore, access security at
the user level is beyond the scope of
DICOM. When one DICOM device connects to another, there is no requirement
for positive user identification such as
password confirmation. Most DICOM devices provide an informal measure of access security by only allowing connections from certain DICOM devices from a
predetermined list of network addresses.
It is sometimes possible, however, for a
computer to be configured in such a way
as to impersonate the network address of
another. This practice is called address
spoofing, and it is difficult to detect.
The simplest method of address spoofing is physically unplugging a computer
from the network and substituting another
computer from which an attack can be
mounted. Ordinary physical security (eg,
locked doors, security guards) is an important method of guarding against this type
of address spoofing. However, more sophisticated methods of address spoofing
do not require physical disconnection of
the impersonated computer.
In some networks, such as those in
which the dynamic host configuration
protocol (known as DHCP) is used, the
network address of each device is assigned whenever needed, and it is not
fixed. Therefore, reliance on network addresses as a way to identify authorized
connections may not be feasible in some
networks. The security supplement (6) recently adopted into the DICOM standard
includes provisions for access security between two DICOM devices that do not
rely on network address identification.
However, as mentioned previously, these
provisions do not extend to the user
level.
Sniffing
To communicate with one another
within an institution, computers are
commonly connected together with networks that are based on the Ethernet
standard. It is important to realize that
Ethernet is a shared network technology
composed of network segments in which
every computer is connected to essentially the same wire. Any data traveling
along a segment of an Ethernet network
are potentially readable by any computer
connected to that segment (Fig 1). This
sharing is used so that one wire can serve
many computers, and it is a major reason
for the popularity and cost-effectiveness
of Ethernet. This sharing is also responsible for unintentional security risks.
With ordinary operation, each computer on an Ethernet network segment allows entry only of data addressed to it. For some computers, however, programs are available that place the network interface in so-called promiscuous mode, so that the computer accepts all data traveling on the Ethernet network segment, regardless of the intended destination. This practice is called "sniffing." Since connections between computers are usually not encrypted, sniffing can be used to intercept sensitive information, such as patient identification information contained in a DICOM header. Since data transmitted over an Ethernet network often cross several network segments between the source and destination, sniffing is not limited to data traveling between computers on the same segment: a sniffer on any segment along the path sees the data.
While fundamentally a problem of
data security, sniffing profoundly affects
access security. It is a particularly insidious problem because it can be used to
gain unauthorized access to other computers on the network. When a user logs
in to any computer over the network, a
user name and password is typically required. Because user names and passwords are usually not encrypted when
they are transmitted over a network, they
are vulnerable to discovery through sniffing. Software for sniffing passwords is
readily available. Armed with these passwords, an attacker could have access to
private information that is stored in patient information systems, billing computers, medical image acquisition equipment, and so on. Because the attacker
knows the actual user names and passwords, detection of unauthorized use of
the compromised systems can be nearly
impossible. In the case of radiology
equipment, the problem can even extend
beyond the boundaries of the compromised institution, because some vendors
are known to use the same user name and
password at all installations.
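To make concrete what a sniffer on a shared segment actually sees, the following added example (it is not code from the original article) constructs a small DICOM data set in explicit VR little endian encoding, the form in which it would cross the wire during an unencrypted image transfer, and walks the raw bytes to recover the patient name, ID, and birth date. The byte string, the patient values, and the helper names are constructed for illustration; the tag numbers and the encoding rules are those of the DICOM standard.

```python
import struct

# Transfer syntax assumed: explicit VR little endian, the encoding most modalities
# and PACS archives negotiate. VRs in this set carry a 2-byte reserved field and a
# 4-byte length; every other VR carries a 2-byte length.
LONG_VRS = {b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN"}

def _element(group, element, vr, value):
    """Encode one data element (constructed helper used only to build the sample)."""
    if len(value) % 2:                       # DICOM pads values to even length
        value += b"\x00" if vr in LONG_VRS else b" "
    if vr in LONG_VRS:
        return struct.pack("<HH2sHI", group, element, vr, 0, len(value)) + value
    return struct.pack("<HH2sH", group, element, vr, len(value)) + value

def build_sample():
    """Constructed sample data set (fictitious patient), as it would cross the wire."""
    return b"".join([
        _element(0x0008, 0x0060, b"CS", b"CT"),            # Modality
        _element(0x0010, 0x0010, b"PN", b"DOE^JANE"),      # PatientName
        _element(0x0010, 0x0020, b"LO", b"MRN0012345"),    # PatientID
        _element(0x0010, 0x0030, b"DA", b"19600101"),      # PatientBirthDate
        _element(0x7FE0, 0x0010, b"OW", bytes(64)),        # PixelData stand-in
    ])

def parse_elements(data):
    """Yield (group, element, vr, value) from a captured explicit VR little endian stream.
    Handles defined-length elements only (no undefined-length sequences)."""
    pos = 0
    while pos + 8 <= len(data):
        group, element, vr = struct.unpack_from("<HH2s", data, pos)
        pos += 6
        if vr in LONG_VRS:
            (length,) = struct.unpack_from("<xxI", data, pos)   # skip 2 reserved bytes
            pos += 6
        else:
            (length,) = struct.unpack_from("<H", data, pos)
            pos += 2
        yield group, element, vr, data[pos:pos + length]
        pos += length

def extract_patient_identity(data):
    """What a sniffer learns from an unencrypted DICOM transfer: group 0010 in clear text."""
    names = {0x0010: "PatientName", 0x0020: "PatientID", 0x0030: "PatientBirthDate"}
    found = {}
    for group, element, vr, value in parse_elements(data):
        if group == 0x0010 and element in names:
            found[names[element]] = value.decode("ascii").rstrip(" \x00")
    return found

if __name__ == "__main__":
    print(extract_patient_identity(build_sample()))
```

An attacker does not even need the parser: because the values are plain ASCII, a simple search for printable strings in the captured bytes exposes the same identifiers. Only encryption of the connection (the DICOM security supplement or a VPN, discussed later) changes what the sniffer sees.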
Preventive measures against sniffing ensure that each computer on the network is only exposed to data that are meant for it. This is most effectively accomplished by implementing a switch-controlled Ethernet network, in which each computer is connected to the network by means of a switch (Fig 2). In a switch-controlled network, the switches send each computer only data destined for that computer. Each computer on a switch-controlled network is effectively on its own segment. The major barriers to implementing a switch-controlled network, equipment cost and complexity of installation, are steadily decreasing. The installation of Ethernet switches also improves network performance by simplifying the network and reducing the frequency of data collisions that would otherwise occur with an Ethernet not controlled by switches.

Figure 1. Drawing of computer devices connected to a hypothetical Ethernet during normal operation. Data addressed to different computer devices are represented by three different symbols. Because of the shared architecture of Ethernet networks, each computer is exposed to all data being carried on the network, regardless of the intended destination of the data. In normal operation, each computer is responsible for filtering out data not addressed to it.
Figure 2. Drawing of a switch-controlled Ethernet. Data addressed to different computer devices are represented by three different symbols. The switches on this network forward data to a connected computer only if data are addressed to that computer. Unlike an Ethernet not controlled by switches, a computer on a switch-controlled Ethernet ordinarily cannot read data not addressed to it.

Figure 3. Drawing of an internal network connected to the Internet through a service provider. As data travel over the Internet, data may pass through the routing computers of many Internet service providers, each a potential target for attack.
In lieu of a switch-controlled network,
rigorous system management is necessary to prevent unauthorized use of network computers for sniffing. Policies and
practices of system management include
active monitoring of all networked computers for suspicious activity that might
indicate operation of a sniffing program,
forcing users to change passwords periodically and allowing administrator-level
(root) computer accounts to be accessed
only from the computer console and not
over the network. The latter measure ensures that the passwords associated with
omnipotent administrator accounts do
not travel over the network and therefore
cannot be discovered with sniffing.
Password encryption is another method for preventing breaches in access security that result from the sniffing of passwords. With this method, the passwords of users logging in over the network are made unreadable through encryption before being transmitted over the network. Unfortunately, standards for password encryption have not been universally adopted.
Many important procedures for protecting confidential information, from
passwords to patient information, do not
rely on sophisticated technology. The
placement of workstations in nonpublic
locations, timed log off, and forced password changes are examples of simple
procedures that help to prevent unauthorized viewing of confidential information. The ultimate form of password
changing is the one-time password system, in which the user is given a small
electronic device that generates an unpredictable series of numeric passwords,
each only valid for a limited time, perhaps 60 seconds (7). Another way to protect passwords is to eliminate them by
implementing a biometric identification
system. In such a system, access is based
on a physical feature or repeatable action
such as fingerprint pattern, retinal scan,
or voiceprint.
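The one-time password token described above (7) generates a numeric code that is valid only for a short window. The following added example, which is not code from the original article, implements the now standardized form of that idea, an HMAC-based one-time password (RFC 4226) driven by the clock (RFC 6238) with the article's 60-second window, together with the verifier's side: a sniffed code is accepted once, then rejected on replay within its window and rejected again once the window has passed. The secret is the test-vector secret from RFC 4226 (constructed input, not a real credential); class and function names are this example's own.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # validity window used in the text
DIGITS = 6

def hotp(secret: bytes, counter: int) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the counter,
    dynamically truncated to a 6-digit decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)

def totp(secret: bytes, now: float, step: int = STEP_SECONDS) -> str:
    """Time-based variant (RFC 6238): the counter is the number of elapsed steps,
    which is what the hand-held token computes from its own clock."""
    return hotp(secret, int(now // step))

class TokenVerifier:
    """Server side. Accepts the current window and, to tolerate clock drift, the
    previous one; remembers the last accepted counter so that a code captured by a
    sniffer cannot be replayed even while its window is still open."""

    def __init__(self, secret: bytes, step: int = STEP_SECONDS, drift_windows: int = 1):
        self.secret = secret
        self.step = step
        self.drift = drift_windows
        self.last_counter = -1

    def verify(self, code: str, now: float) -> bool:
        current = int(now // self.step)
        for counter in range(current, current - self.drift - 1, -1):
            if counter <= self.last_counter:
                break                       # already used or older: reject (replay)
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False

# RFC 4226 test-vector secret (constructed input for the demonstration).
SECRET = b"12345678901234567890"

def demo():
    """Token and server at t=30 s (window 0) and t=70 s (window 1)."""
    server = TokenVerifier(SECRET)
    sniffed = totp(SECRET, 30)
    return {
        "first_use": server.verify(sniffed, 30),      # True: fresh code accepted
        "replay_same_window": server.verify(sniffed, 45),  # False: counter already used
        "replay_next_window": server.verify(sniffed, 70),  # False: window has passed
        "next_code": server.verify(totp(SECRET, 70), 70),  # True: token moved on
    }
```

Even with one-time passwords, the rest of the session still travels in clear text unless the connection itself is encrypted; the token closes the password-sniffing hole only.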
Broadcast Data and Storm
It is important to note that a switch-controlled network places no restrictions on the flow of broadcast data, which are data intentionally sent to every computer on the network. For example, networks often rely on broadcast data to identify all computers on the network and to monitor the status of every computer. An attacker might use broadcast data to determine the presence of systems that contain certain vulnerabilities, or an attacker might initiate a broadcast storm by sending out large amounts of meaningless broadcast data to overload and disable the network. A broadcast storm is an example of compromise of availability, a security issue distinct from that of either access security or data security.
EXTERNAL THREATS TO THE
ACCESS SECURITY OF A
COMPUTER NETWORK
A radiology network may be connected
through an Internet service provider (Fig
3) for access to the many useful information resources on the Internet, such as
MEDLINE. Internet connectivity is also
useful in reverse: Productivity is enhanced with access to the radiology network from home for electronic report
sign off, teleradiology, and so on. With
the convenience of Internet accessibility,
however, the risk of attack increases dramatically because attacks against the radiology network can then be mounted
from literally any computer worldwide
that has Internet access.
Because computers on an institutional
network are often configured to allow
connections that originate only from
within the same network, it is relatively
difficult for an external attacker to engage directly in sniffing, spoofing, or
other malicious activity. Therefore, a
common method of breaking into a computer network is first to break into a computer within the targeted network. Once
compromised by an external attacker, the
computer can serve as an electronic disguise, giving the attacker privileges ordinarily reserved for computers within the
institution. With these privileges, an external attacker can use any of the methods described in the previous section,
thereby becoming an internal threat.
As with internal threats, prevention
of external threats begins with sound
user and system management. Attackers may access inactive user accounts
relatively unnoticed; therefore, these accounts should be deleted when their
rightful users are no longer present. Since
operating system flaws are commonly exploited by external attackers, system software on all computer systems should be
kept current. In picture archiving and
communication system (PACS) networks,
user management and appropriate software maintenance may be difficult because of the proprietary nature of many
of the applications and computer systems used by PACS vendors. In an environment in which user and system management is difficult, the problem of
security from external threats is usually
solved by means of implementing a network firewall (8).
A firewall is a computer device that has
two network connections: one to the internal network and one to the Internet
(Fig 4). For a firewall to be effective, no
other computer on the internal network
can be allowed to have a direct Internet
connection. The internal network is then
configured so that all data going to and
coming from the Internet passes through
the firewall. The firewall computer monitors all data traffic and is usually configured to allow only certain types of Internet traffic to pass through the firewall.
For example, a firewall may be configured
to allow only Web pages and e-mail to
pass. Remote logins and file transfers to
computers inside the firewall, which
might be used in network computer attacks, are usually not allowed to pass directly through the firewall.
While firewalls provide a substantial amount of security to an internal network that contains computers at risk, it is important to recognize the threats firewalls cannot prevent. Firewalls cannot prevent attacks mounted from computers within the firewall. All of the previously discussed internal threats are unaffected. If a firewall allows unrestricted connections from a trusted remote institution, then the local internal network is immediately vulnerable to any and all weaknesses of the network of the remote institution. A password sniffing program on the remote network would then be effective, even if the local network were impervious to sniffing.

Figure 4. Drawing depicts an internal network protected with a firewall. One symbol represents data from an attacker; three other symbols represent legitimate data. The firewall examines all data going to and coming from the Internet. Potentially harmful data are not allowed to pass. For example, data may be filtered if data originate from an unknown source or if the contents appear suspicious.
A computer network may allow users
access by means of a direct modem connection. This is typically accomplished
by means of setting up a number of modems connected to a server, which is
connected to the internal network. This
modem pool effectively bypasses the security provided by a firewall. If an external attacker were to compromise the modem pool security and gain access to the
network, the attacker would gain network
access that is unrestricted by the firewall.
Prevention of such potential holes in the
firewall requires an institutional security
policy and the means to enforce it.
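The firewall policy described in this section ("allow only Web pages and e-mail to pass; do not pass remote logins") and the caveat about trusting a remote institution can both be shown with a small packet-filter evaluator. The following is an added example and not code from the original article or from any firewall product: it applies an ordered rule list with first-match semantics and a default deny, then evaluates a few constructed packets. The addresses are from documentation ranges, and the rule and packet types are this example's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str      # source IP address
    dst: str      # destination IP address
    proto: str    # "tcp" or "udp"
    dport: int    # destination port

@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str = "0.0.0.0/0"       # source network (CIDR); default matches any source
    dst: str = "0.0.0.0/0"       # destination network (CIDR)
    proto: str = "any"
    dport: Optional[int] = None  # None matches any port

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and self.dport in (None, p.dport))

def evaluate(rules, packet: Packet) -> str:
    """First matching rule wins; traffic that no rule explicitly allows is denied."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return "deny"

# Constructed addresses (documentation ranges, not real institutions).
INTERNAL = "10.20.0.0/16"
WEB_SERVER = "10.20.1.10"
MAIL_SERVER = "10.20.1.11"
REMOTE_INSTITUTION = "192.0.2.0/24"

# Policy from the text: only Web pages (HTTP) and e-mail (SMTP) may enter from the Internet.
INBOUND_RULES = [
    Rule("allow", dst=WEB_SERVER, proto="tcp", dport=80),
    Rule("allow", dst=MAIL_SERVER, proto="tcp", dport=25),
]

# Same policy, plus unrestricted connections from a trusted remote institution.
TRUSTING_RULES = [Rule("allow", src=REMOTE_INSTITUTION, dst=INTERNAL)] + INBOUND_RULES

def demo():
    internet_host = "198.51.100.7"
    web_request = Packet(internet_host, WEB_SERVER, "tcp", 80)
    telnet_probe = Packet(internet_host, "10.20.5.40", "tcp", 23)     # remote login to a workstation
    telnet_from_remote = Packet("192.0.2.25", "10.20.5.40", "tcp", 23)  # same login, from the trusted site
    return {
        "internet_web": evaluate(INBOUND_RULES, web_request),
        "internet_telnet": evaluate(INBOUND_RULES, telnet_probe),
        "remote_telnet_strict": evaluate(INBOUND_RULES, telnet_from_remote),
        "remote_telnet_trusting": evaluate(TRUSTING_RULES, telnet_from_remote),
    }
```

The last case is the point of the caveat: once a host at the trusted institution is compromised, the trusting rule admits exactly the remote-login traffic that the strict policy rejects from the open Internet. A modem pool behind the firewall bypasses these rules entirely, because its traffic never reaches the filter.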
DATA SECURITY RISKS OF
TELERADIOLOGY
Teleradiology applications are often
limited by the speed of the data connection between the remote and main sites.
While dedicated high-speed data links
are available and offer a high degree of
security, their expense cannot be justified
for most teleradiology operations, which
typically involve a relatively modest volume of radiology images. The development of economical high-speed data
links, such as cable modems and digital
subscriber lines (known as DSL), has created the attractive possibility of using the
Internet instead of expensive dedicated
data links as the method of data communication. Network security issues associated with teleradiology also apply to
more complex enterprises, such as the
electronic exchange of patient information in health care organizations with
multiple inpatient and outpatient sites
that are distributed to many locations.
As medical images travel along the Internet, whether in a Web-based or other
format, the data pass through many routing computers. The computers of Internet service providers are a common target for attacks because of the potential
wealth of information carried by these
services. If any of these computers were
to be compromised, any sensitive data
passing through them, such as passwords
and account numbers, would be vulnerable to discovery by sniffing. The DICOM
data stream, in particular, contains patient identification information in plain
text, so DICOM communication over the
Internet poses a risk to patient privacy.
Since data security over the Internet cannot be guaranteed, data encryption is necessary for preventing the interception of sensitive data such as identifiable patient information. In its fundamental form, data encryption is the use of established cryptographic algorithms to mathematically transform the data, prior to transmission, into a form that is unreadable without a secret key. In conventional (symmetric) cryptography, this key is a long sequence of numbers known only to the sender and receiver, and the same key is used both to encrypt and to decrypt. Symmetric cryptography is severely hampered by the requirement for prior exchange of the secret key between the sender and receiver, a process that is potentially inconvenient and not secure. To circumvent this problem, most current network-based encryption systems implement some form of public key cryptography (9), a system in which each recipient holds a private key known only to that recipient and not to the sender. The sender uses a different key, paired to the first, to encrypt the data prior to transmission. This second key is known as the public key because it can be distributed publicly without compromising the cryptographic security of the system.

Public key cryptography works because the public key can be used only to encrypt data and not to decrypt it; decryption can be accomplished only with the private key. Furthermore, the private key cannot feasibly be derived from the public key, and the public key works only with its paired private key. With this arrangement, anyone can send encrypted messages to a particular recipient without knowing any private keys. In practice, because public key operations are slow, the public key is usually used to deliver a freshly generated symmetric session key, and that session key encrypts the bulk of the data.
Data encryption was recently adopted
as a supplement to the DICOM standard
(6), but conformance is voluntary, and it
is likely that uniform implementation by
vendors is years away. This supplement
to DICOM supports data privacy through
encryption, as well as access security at
the machine level; but as mentioned previously, access security at the user level is
beyond the scope of DICOM.
In addition to privacy, another important aspect of data security is data integrity, the assurance that the data have not been altered without authorization. Public key cryptography can be adapted to ensure data integrity with the implementation of digital signatures (9). In this adaptation, the roles of the keys are reversed: the signer computes a short cryptographic digest (hash) of the data and transforms it with the signer's private key to produce the signature, and anyone wishing to verify the signature recovers the digest with the signer's public key and compares it with a digest freshly computed from the received data. The two will match only if the signature was produced with the real signer's private key and the data have not been altered since signing. DICOM protocols for the cryptographic protection of data integrity are being developed (10), but their adoption and implementation by vendors is also years away.
Standards for data encryption are
widely used in Web-based Internet commerce, and they are currently being used
by some vendors of teleradiology systems. Other vendors incorporate built-in
proprietary encryption. A better solution
would be to provide encryption to all
network applications, regardless of their
support of a Web interface or DICOM.
The most generalizable encryption solutions fall under the term virtual private network (VPN) (11). In a VPN, data encryption over the Internet is used to virtually extend the internal network to a remote location. Data encryption and decryption can be performed in software on the two computers being connected over the Internet, by means of a tunneling protocol, or they can be performed by special network routing hardware (a VPN gateway) at each end of the Internet connection. A VPN implemented by using special routers is preferable because it adds data security to any network application on any computer operating system without requiring a special configuration or software installation on each computer, as software tunneling does. The main drawback of VPN routers is the required expertise and expense of installing special hardware at each end of the Internet connection. Currently, the implementation of VPN hardware is far from universal. Also, installation of VPN hardware is probably not economically justifiable if the remote site is an individual user's home or office.
In addition to Internet service providers, the communication link itself can be
a source of data security concerns. Digital
subscriber lines and even the ordinary
telephone modem rely on the telephone
company’s relatively secure switch-controlled technology. By contrast, cable
modems are usually connected to a
shared neighborhood cable and behave
like a shared Ethernet network segment
not controlled by a switch, with potentially all of the associated internal and
external security threats already discussed. Data encryption is particularly
important in such an environment, and
caution should be exercised even with
casual unencrypted use. For example,
software is currently available from the
Internet to show the Web pages being
browsed by literally everyone in a cable
modem neighborhood network segment.
GROWING NEED FOR SECURITY
Maintenance of patient privacy is an integral component of the traditional doctor-patient relationship, and this concept
is being formally extended to the Internet in several ways. In 1998, the Health
Care Financing Administration (HCFA)
issued an Internet security policy (12)
that required both access security and
data security to be used in transmitting
any data related to HCFA (eg, Medicare
and Medicaid billing information) over
the Internet. In 1996, Congress passed
the Health Insurance Portability and Accountability Act (HIPAA), which contains
provisions for both insurance reform and
administrative simplification. One part
of the provisions for administrative simplification is broad security requirements
for any health care organization electronically maintaining or transmitting individually identifiable health information.
As required by HIPAA, the U.S. Department of Health and Human Services (13)
has proposed rules to meet these security
requirements. As of this writing, the proposed security standards have not been
finalized. HIPAA standards are generally
required to be implemented within 2
years after the associated rules have been
finalized.
The proposed HIPAA security standards are organized into four sections:
administrative procedures, physical safeguards, technical services and mechanisms, and electronic signature. Each section describes a set of functional, rather
than technical, requirements to allow
flexibility in compliance and prevent
binding health care organizations to a
particular technology that may rapidly
become outdated. For example, transmission of data over a network is required to implement protection of data
integrity and privacy, but the methods
are purposely unspecified. The Appendix summarizes the technical section of
the proposed security standard (13) as
an example of its scope and detail. The
section about administrative procedures
focuses on planning and documentation
of procedures, such as disaster recovery,
user management, security risk analysis, system maintenance and testing,
and user education. Electronic signatures are not required by the security
standards, but functional requirements
are put forth if electronic signatures are
implemented.
As computers become simpler to install
and configure, it is sometimes easy to
forget factors determined during installation and configuration that affect the security of a computer and the network to
which it is connected. For example, the
end user of a workstation based on a
Unix-type operating system often knows
enough about Unix to set up the workstation but not enough to configure and
maintain the system to account for the
many well-known security flaws in default configurations of Unix-type operating systems. In the typical laboratory setting, the busy end user is under pressure
to begin productive work with the workstation and has insufficient time and experience to configure the system for secure operation. In the PACS setting, a
busy administrator may be under similar
time pressures. In these situations, it is
important to recognize that reasonable
attention to security issues requires the
prospective commitment of tangible resources in addition to those spent on routine installation and maintenance. The
relative ease of installation and maintenance of modern computers should not
obviate the need for access to personnel
with specialized knowledge and experience in security matters.
DISCUSSION AND
RECOMMENDATIONS
From this overview, it is evident that a
radiology network is potentially open to
a wide range of attacks, perhaps more so
than the average computer network. Attack methods such as password sniffing
are particularly dangerous because the
compromise of just one computer can
result in an avalanche of easy access to
many other computers on the same network. Furthermore, it is impossible to design a network that is completely immune to attack. Because computers and
networks are extremely complex systems developed by humans, who are
fallible, there will always be an error or
oversight that an attacker will discover
and exploit.
Not mentioned in this review are additional malicious activities that cannot be fully prevented by technologic means alone. For example, a denial of service attack involves overwhelming a network or computer with a flood of apparently legitimate connection requests, typically from unknown or forged sources. Each request must be examined and either serviced or rejected, so the sheer number of repeated requests may eventually exhaust the capacity of the network or computer, causing it to slow down, shut down, or crash. This type of attack can result in widespread slowdown of the Internet and major Web sites such as Yahoo, eBay, and Amazon.com (14,15).
Electronic mail viruses, such as the
“ILOVEYOU” virus (16), have also resulted in widespread system problems.
Typifying the general behavior of computer viruses, e-mail viruses disguise
their malicious components in an apparently legitimate electronic mail message. Fundamentally, both the denial of
service attack and the electronic mail
virus cannot be prevented without
eliminating essential functions of networks and computers, which include servicing all connection requests and electronic mail.
However, it is appropriate to conclude with some optimistic remarks. The technologies described herein are sufficient to
increase the level of security well above
that found in the average computer network, which results in a strong relative
deterrent against attack. Implementation
of switch-controlled networks virtually
eliminates the problem of internal sniffing and should be considered in any new
network installation, since the incremental cost is becoming small. A network in
which sniffing is impossible will be much
less desirable to a potential attacker. A
firewall strategy is a necessity for most
PACS networks because of the difficulty
in managing proprietary DICOM equipment. Because of their connection to external networks, firewalls are vulnerable
to attack, but they can be disconnected
from the external network if an attack
occurs, leaving internal network operation intact.
It cannot be overemphasized that a
policy and practice of vigilant system
management and monitoring for suspicious activity is arguably the most important and effective security measure for a
computer network. It is the only measure
that minimizes the risk of future attacks
by yet unknown methods, as well as by
those methods that are without effective
preventive measures, such as denial of
service attacks and electronic mail viruses. User and system management are
essential components of security strategies in all areas discussed herein and require appropriate allocation of equipment and human resources.
APPENDIX

This Appendix contains a summary of the technical security requirements of the proposed HIPAA security rule and was compiled and paraphrased from reference 13.

I. Access Control Requirements (to restrict access to only privileged entities)
   A. Procedure for emergency access
   B. At least one of the following access control methods
      1. Context-based access: based on time of day or user location, for example
      2. Role-based access: based on each user's assignment to one or more predefined roles, each associated with specific privileges
      3. User-based access: based on specific identity of user
   C. Encryption (optional)

II. Audit Control Requirements (to record system activity): unspecified

III. Authorization Control Requirements (information is disclosed only to those with need to know and is based on at least one of the following)
   A. Role-based access
   B. User-based access

IV. Data Authentication Requirements (protection against unauthorized alteration or destruction): unspecified

V. Entity Authentication Requirements (to verify identity of users)
   A. Automatic log off
   B. Unique user identification: each user is assigned a unique name and/or number
   C. At least one of the following authentication methods
      1. Biometric system: identification is based on a physical feature or repeatable action by an individual, such as hand geometry, retinal scan, iris scan, facial characteristics, fingerprint pattern, handwritten signature, or voice print
      2. Password system
      3. Personal identification number (PIN)
      4. Telephone callback: system that calls the user back at a predetermined telephone number to establish a requested connection
      5. Token: identification is based on user's possession of a device, such as a key card

VI. Communication Control Requirements
   A. Integrity controls: ensure validity of information
   B. Message authentication: ensures data received match data sent
   C. At least one of the following communication control methods
      1. Access controls: protection against reception and interpretation by parties other than intended recipient
      2. Encryption

VII. Networking Control Requirements
   A. Alarm: senses abnormal system conditions and provides a signal
   B. Audit trail: collects data to facilitate an audit
   C. Entity authentication: corroboration that an entity is the one claimed
   D. Event reporting: network message indicating irregularities or monitoring of network operation
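The access control, audit control, and emergency-access items of the Appendix above, worked through as an added example that is not part of the article: a small Python policy check combining context-based (time of day, user location), role-based, and user-based access with an audit trail of every decision. The users, roles, station names, and the staffed-hours rule are constructed assumptions.

```python
"""Added example, not code from the article: a minimal access-control
decision modelling the options summarized in Appendix items I and II:
context-based (time of day, user location), role-based and user-based
access, an emergency-access procedure, and an audit trail of every
decision. Users, roles, stations and the hours rule are constructed."""
from dataclasses import dataclass
from datetime import time

# Role-based access: each role carries a fixed set of privileges.
ROLE_PRIVILEGES = {"radiologist": {"view_images", "sign_report"},
                   "technologist": {"view_images", "acquire_images"}}
# User-based access: "direct" privileges are granted to a specific identity.
USERS = {"rad01": {"roles": {"radiologist"}},
         "tech01": {"roles": {"technologist"}},
         "admin01": {"roles": set(), "direct": {"manage_config"}}}
# Context-based rules (assumed policy): reports are signed only during
# staffed hours, and acquisition happens only from a modality console.
STAFFED_HOURS = (time(7, 0), time(19, 0))
MODALITY_STATIONS = {"ct-1", "mr-1"}
AUDIT_LOG = []  # Audit control (Appendix II): one record per decision

@dataclass
class Request:
    user: str
    privilege: str
    station: str
    at: time
    emergency: bool = False

def _record(req: Request, granted: bool, reason: str) -> bool:
    AUDIT_LOG.append((req.user, req.privilege, req.station,
                      req.at.isoformat(), granted, reason))
    return granted

def authorize(req: Request) -> bool:
    user = USERS.get(req.user)
    if user is None:
        return _record(req, False, "unknown user")
    if req.emergency:  # Appendix I.A: granted, but flagged for audit review
        return _record(req, True, "EMERGENCY access")
    held = set(user.get("direct", ())).union(
        *(ROLE_PRIVILEGES[r] for r in user["roles"]))
    if req.privilege not in held:
        return _record(req, False, "privilege not held")
    if req.privilege == "sign_report" and not (
            STAFFED_HOURS[0] <= req.at < STAFFED_HOURS[1]):
        return _record(req, False, "outside staffed hours")
    if req.privilege == "acquire_images" and req.station not in MODALITY_STATIONS:
        return _record(req, False, "not a modality station")
    return _record(req, True, "granted")
```

Every denial and every emergency grant lands in AUDIT_LOG with its reason, which is the material a reviewer would inspect when monitoring for suspicious activity as the article recommends.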
References

1. Atkins D, Buis P, Hare C, et al. Internet security. 2nd ed. Indianapolis, Ind: New Riders, 1997.
2. Garfinkel S, Spafford G. Practical UNIX and Internet security. 2nd ed. Sebastopol, Calif: O'Reilly and Associates, 1996.
3. Langer S, Stewart B. Aspects of computer security: a primer. J Digit Imaging 1999; 12:114–131.
4. CERT Coordination Center. Available at: www.cert.org. Accessed May 22, 2001.
5. National Electrical Manufacturers Association. Digital Imaging and Communications in Medicine. Document PS 3. Rosslyn, Va: National Electrical Manufacturers Association, 1999.
6. DICOM Standards Committee. Digital Imaging and Communications in Medicine: security enhancements one. Document PS 3, supplement 31. Rosslyn, Va: National Electrical Manufacturers Association, 2000.
7. RSA SecurID. Available at: www.rsasecurity.com/products/securid. Accessed May 22, 2001.
8. Zwicky ED, Cooper S, Chapman DB. Building Internet firewalls. 2nd ed. Sebastopol, Calif: O'Reilly and Associates, 2000.
9. Zimmermann PR. Cryptography for the Internet. Sci Am 1998; 279(4):110–115.
10. DICOM Standards Committee. Digital Imaging and Communications in Medicine: security enhancements two: digital signatures. Document PS 3, supplement 41. Rosslyn, Va: National Electrical Manufacturers Association, 2000.
11. Scott C, Wolfe P, Erwin M. Virtual private networks. 2nd ed. Sebastopol, Calif: O'Reilly and Associates, 1998.
12. Health Care Financing Administration. Internet security policy. Available at: www.hcfa.gov/security/isecplcy.htm. Accessed May 22, 2001.
13. United States Department of Health and Human Services, Office of the Secretary. Security and electronic signature standards. Federal Register 1998; 63:43242–43280.
14. Levy S, Stone B. Hunting the hackers. Newsweek 2000; Feb 21:38–44.
15. Fithen KT. Internet denial of service attacks and the federal response. Available at: www.cert.org/congressional_testimony/Fithen_testimony_Feb29.html. Accessed May 22, 2001.
16. CERT Coordination Center. Love letter worm. Available at: www.cert.org/advisories/CA-2000-04.html. Accessed May 22, 2001.