Document Encryption

From IHE Wiki

Document Encryption (DEN) encrypts individual documents and portable media content.


The Document Encryption (DEN) profile provides a means to encrypt health documents independent of any particular transport, healthcare application, or document type, thereby supporting end-to-end confidentiality in heterogeneous or unanticipated workflows. It enables access to documents to be targeted to specific recipients. It addresses the need to protect documents from certain intermediaries in the document exchange path and provides confidentiality to transports that do not have a confidentiality mechanism. The Document Encryption profile allows for multiple alternatives for identity and key management, which makes it suitable for a rich set of healthcare environments.

Specifically, the Document Encryption (DEN) supplement addresses encryption mechanisms to support confidentiality in two ways:

  • The Document Encryption profile provides a means to encrypt any kind of document in a transport-independent way. Its approach enables access to documents to be targeted to specific recipients.
  • The IHE XDM Media Encryption option enables the encryption of the whole XDM media content for use with the various media types (i.e., USB-memory, CD-ROM).


The Document Encryption (DEN) profile enables the protection of confidentiality of documents. This enables organizations to comply with applicable policies, ranging from regulatory and organizational policies to privacy or consent policies. It may also contribute to compliance with, e.g., "Meaningful Use" requirements in the United States.

Document Encryption addresses encryption for a number of situations not (well) supported by other IHE profiles. Specifically, the Document Encryption profile provides encryption independent of data exchange method, can protect arbitrary data (documents), and can provide end-to-end confidentiality between arbitrary end-points, in particular where intermediaries or unanticipated workflows are involved. Similarly, the XDM Media Encryption option provides encryption of XDM media content (content and metadata) on physical media.

The profile furthermore provides the benefit of multiple methods of identity and key management. This makes it suitable for a rich set of healthcare environments and allows it to be easily integrated in environments that have pre-existing key management infrastructure in place.


Document Encryption (DEN) encrypts documents using the Cryptographic Message Syntax (CMS) standard.

For key management it supports PKI, shared symmetric key and password methods.

The profile uses strong cryptography. Algorithms include AES, SHA1, SHA256, PBKDF2, HMAC, and RSA.
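The three key management methods listed above each appear as a different RecipientInfo choice inside a CMS message. The following is an added example, not code from the DEN supplement or the IHE wiki: it walks the DER structure of a message and reports which method protects each recipient. It assumes the message uses the EnvelopedData content type of RFC 5652; the function names and the sample bytes are constructed for illustration.

```python
# Added example (assumes the message is CMS EnvelopedData, RFC 5652).
ENVELOPED_DATA = bytes.fromhex("2a864886f70d010703")  # OID 1.2.840.113549.1.7.3
METHODS = {  # RecipientInfo CHOICE tag (RFC 5652, section 6.2) -> key management
    0x30: "PKI (key transport)",   # ktri, e.g. RSA
    0xA1: "PKI (key agreement)",   # kari
    0xA2: "shared symmetric key",  # kekri
    0xA3: "password",              # pwri, RFC 3211
}

def read_tlv(buf, pos, end, want=None):
    """Parse one DER TLV inside buf[pos:end]; return (tag, value_start, value_end)."""
    if pos + 2 > end:
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if want is not None and tag != want:
        raise ValueError(f"expected tag {want:#x}, got {tag:#x}")
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > end:
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > end:
        raise ValueError("TLV value overruns its container")
    return tag, pos, pos + length

def recipient_methods(der):
    """List the key management method of every RecipientInfo in the message."""
    _, s, e = read_tlv(der, 0, len(der), 0x30)   # ContentInfo
    _, oid_s, oid_e = read_tlv(der, s, e, 0x06)  # contentType
    if der[oid_s:oid_e] != ENVELOPED_DATA:
        raise ValueError("not CMS EnvelopedData")
    _, s, e = read_tlv(der, oid_e, e, 0xA0)      # [0] EXPLICIT content
    _, s, e = read_tlv(der, s, e, 0x30)          # EnvelopedData
    _, _, pos = read_tlv(der, s, e, 0x02)        # version
    tag, rs, rend = read_tlv(der, pos, e)
    if tag == 0xA0:                              # optional originatorInfo
        tag, rs, rend = read_tlv(der, rend, e)
    if tag != 0x31:
        raise ValueError("recipientInfos SET not found")
    methods = []
    while rs < rend:
        tag, _, rs = read_tlv(der, rs, rend)
        methods.append(METHODS.get(tag, f"other ({tag:#x})"))
    return methods

# Constructed skeleton (not decryptable): one ktri and one pwri recipient.
SAMPLE = bytes.fromhex(
    "3020" "06092a864886f70d010703" "a013" "3011" "020103"  # headers, OID, version 3
    "310a" "3003020100" "a303020100" "3000")  # SET {ktri, pwri}, empty content info
```

Calling `recipient_methods(SAMPLE)` returns one entry per recipient, which lets a receiving system decide whether it needs a private key, a pre-shared key, or a password before attempting decryption.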

The Document Encryption (DEN) profile offers guidance on use in combination with XDR/XDM/XDS, including guidance on the use for XDS Metadata.

Systems Affected

Document Encryption (DEN) may be used in many different system setups: health record systems, hospital information systems, radiology information systems, PACS, etc.

Actors & Transactions: The Document Encryption (DEN) profile uses the Content Profile template. This template uses default actor and transaction names as depicted in the figure below.

[Figure: DEN content profile actors]

The figure below illustrates the use of Document Encryption (DEN) through an example process flow.

[Figure: DEN example process flow]


Profile Status: Trial Implementation

Documents: Document Encryption supplement

Underlying Standards:

  • Cryptographic Message Syntax (CMS), RFC 5652, September 2009
  • Password-based Encryption for CMS, RFC 3211, December 2001
  • Cryptographic Message Syntax (CMS) Algorithms, RFC 3370, August 2002
  • Use of the Advanced Encryption Standard (AES) Encryption Algorithm in Cryptographic Message Syntax (CMS), RFC 3565, July 2003
  • Multipurpose Internet Mail Extensions (MIME) Part One: Format of Internet Message Bodies, RFC 2045, November 1996
  • Communicating Presentation Information in Internet Messages: The Content-Disposition Header Field, RFC 2183, August 1997

See Also

Document Sharing



Related Profiles

Document Encryption (DEN) has no strict dependencies on other IHE profiles.

Consumer Information

No information is available at this point in time besides the profile and the Wiki pages listed above.

Implementer Information

Document_Encryption_-_Implementation_Notes_and_Examples provides more information towards implementation and testing of the Document Encryption (DEN) profile.

Reference Articles

This profile has not yet been referenced externally.


Current: IT Infrastructure Technical Framework.