Digital watermarking : applicability for developing trust in medical imaging workflows state of the art review

Medical images can be intentionally or unintentionally manipulated both within the secure medical system environment and outside, as images are viewed, extracted and transmitted. Many organisations have invested heavily in Picture Archiving and Communication Systems (PACS), which are intended to facilitate data security. However, it is common for images, and records, to be extracted from these for a wide range of accepted practices, such as external second opinion, transmission to another care provider, patient data request, etc. Therefore, confirming trust within medical imaging workflows has become essential. Digital watermarking has been recognised as a promising approach for ensuring the authenticity and integrity of medical images. Authenticity refers to the ability to identify the information origin and prove that the data relates to the right patient. Integrity means the capacity to ensure that the information has not been altered without authorisation. This paper presents a survey of medical images watermarking and offers an evident scene for concerned researchers by analysing the robustness and limitations of various existing approaches. This includes studying the security levels of medical images within PACS system, clarifying the requirements of medical images watermarking and defining the purposes of watermarking approaches when applied to medical images.


Introduction and Motivation
Through the exponential development of modern technologies in the areas of communication and computer networks, the conventional diagnosis has mostly migrated to a technology enabled e-diagnosis. Most Hospital Information Systems (HIS) and medical imaging systems generate and store medical images in different modalities such as X-ray, Ultrasound, Magnetic Resonance Imaging (MRI) and Computerised Tomography (CT). These images are usually managed within a digital workflow based on the Digital Imaging and Communications in Medicine (DICOM) standard [1].

Introduction
In healthcare systems, a hierarchical scheme can be considered as a pyramid with hospitals at the base and the general Picture Archiving and Communication Systems (PACS) at its top.
Images are taken in a hospital and are immediately saved in the PACS. Within few minutes, these images are transferred to an upper PACS, which collects data coming from hospitals belonging to the same division. These files stay in this system for some hours, typically staying for the night, during which time their integrity is not maintained accurately. Then, these files are transmitted to the hierarchically higher PACS until they reach the top-PACS. In the top-PACS, the data are eternally saved and collected in tapes, physical drives or optical supports with associated hash signature, to become ready for the diagnostic workflow operations.
Furthermore, the data are encrypted utilising the secret key of the PACS manager. This operation is called consolidation [2].
For security purposes, the authorised archive is managed off-line, while available data are kept on the top-PACS discs. In most situations, it is difficult to foretell the security issues for each intermediate system, and the data could be altered intentionally or unintentionally: this is the first serious case. Moreover; the data are not directly consolidated when reaching the top-PACS but after approximately 24/36 hours. During this time, PACS professionals, which have access to both the metadata as well as the image's pixels due to the structure of DICOM images, are permitted to edit the files as needed for adjusting potential flaws in patients' data. This matter indicates to the second significant case which allows the malicious PACS manipulation to modify the images before the consolidation process. Hospital's system can retrieve the images from the top-PACS when requested by the physicians. In the case of expected claims, such as regular medical reports, files are pre-fetched in the hospital's PACS, e.g. through night-time or transmitted as soon as possible. The separation between the legal archive (secured data) and the available data (used by clinicians) points out the last crucial case of PACS scenario. If the medical images have been modified in the top-PACS discs, there will be no possibility to automatically discover the manipulation because the authorised archive is saved off-line and the data are not quickly accessible. Definitely, it will be possible to discover the alterations that have been applied to the data in PACS discs, but it might be too late for patients' safety [2].
Furthermore, transmitting medical images between hospitals, located at various locations and different administrative organisations has become a common practice for many reasons, such as diagnosis, treatment, distance learning, training purposes, teleconferences between clinicians and medical consultation between physicians and radiologists [3]. Malicious alterations on the medical images are feasible for getting counterfeit health insurance demands by some insurance company or for hiding medical situations for gaining personal advantages [4]. For instance, Fig. 1. shows a liver disease of a patient which is altered by changing the position of the infected region of the liver by using available software (e.g. Adobe Photoshop) [5]. Many other cases of manipulation can be applied, but the issue is how they can be detected?
Actually, by merely seeing the images, detecting such reasonable manipulations that include entirely forged abnormalities would be impossible.

Motivation for Medical Image Watermarking
Security requirements of medical information are mostly derived from legislative rules and strong ethics of the security policy, that professionals and concerned patients must follow [6].
This requires three mandatory features: confidentiality, reliability and availability.
Confidentiality indicates that only the authorised people, in the normally scheduled situations, (a) Original image (b) Manipulated image have access to the data. Reliability may be decomposed into two aspects: i) Integrity which verifies that the information has not been changed, and, ii) Authentication which ensures that the data belongs to the right patient and is delivered from the verified source. Availability defines the capability of the authorised users to utilise the information system in the normally scheduled situations of access and practice [7].
Confidentiality of the image data can be accomplished by applying many techniques such as encryption, access control and firewall. Integrity can be fulfilled by encrypting the images when sharing them over the network. Authentication needs measures being implemented to discover whether confidentiality and/or the integrity of the data has been breached [8].
Two techniques are commonly employed to ensure integrity and authenticity within the data; metadata and digital watermarking [4,9]. In medical imaging, the metadata refers to the data stored along with the image [9]. The common approach of metadata inclusion is Part 15 of the DICOM standard, where the digital signature data is placed in its header [1]. The metadata has also been employed to offer confidentiality, using the data of DICOM header to encrypt the images [10]. Existing metadata techniques do not provide a robust link between the medical image and its metadata. It is, therefore, almost easy to decay the metadata rendering the image unreliable. This shortcoming can be fixed with digital watermarking [9]. Digital watermarking is a technique that hides data known as a watermark into the digital object such that the concealed watermark can then be detected/extracted to make a confirmation about the object [11]. Image watermarking is one of the earliest techniques to improve integrity and authenticity of the digital data. In recent times, authentication is one of the main watermarking requirements in medical applications [12].

Digital Watermarking Requirements
The essential requirements for designing a general watermarking scheme can be described as follows [13]:

 Fidelity
It is the most important feature in the watermarking system which defines the similarity between both the original and watermarked images. The watermark should remain invisible to human perception although the incidence of slight distortions in the host image [14].

 Robustness
This requirement signifies the ability of the watermarking scheme to resistant to different image processing attacks. These attacks aim to frustrate the watermark from fulfilling its intended purpose. The wide class of existing attacks can be categorized into four groups: removal, geometric, protocol and cryptographic attacks [15,16]. Watermarking algorithms cannot survive with all types of attacks. Some of the algorithms are strong against several attacks.
However, they fail to comply with other stronger operations. Furthermore, not all applications require robust watermark, but in some applications, it is needed to be fragile [17].

 Data Payload (Capacity)
This property refers to the number of bits that can be concealed without affecting the image quality. This factor defines how many bits can be embedded as a watermark so that it can be efficiently discovered through the extraction process. The embedding capacity depends on the required application. Several watermarking applications have various capacity requirements [18].

 Security
The capability of resisting the intentional attacks. A watermarking scheme is supposed to be secure if the unauthorised user cannot extract the watermark without having full information about the algorithm that has been used to embed the watermark. The security factor is crucial to the watermarking system, and only the authorised person can extract the watermark [19].

 Computational Complexity
This feature is defined as the amount of time required for embedding and extraction processes.
For instance, the real-time application requires both fast and efficient algorithms. On the other hand, more computational complexity is needed for high-security applications [20].

 Perceptibility
This concept indicates the amount of degradation that occurs on a watermarked image when embedding the data. This feature should be as little as possible in the invisible watermarking schemes [13].
Watermarking capacity is determined by the other two significant features of the watermarking system, which are imperceptibility and robustness. The relationship between the properties of the watermarking scheme is shown in Fig. 2. Obviously, a high capacity can be achieved by sacrificing either robustness or imperceptibility or both. Therefore, a suitable trade-off might be found depending on the application [17].

Fig. 2:
The properties of the watermarking system, trade-off triangle between the three essential features: robustness, capacity and imperceptibility.
In addition to the previously mentioned requirements, some other special features are desired for medical imaging watermarking. These requirements are imperceptibility, reversibility and reliability. It is evident that developing new watermarking approaches to fulfil these requirements remains a significant and relevant research area [13].

 Imperceptibility
Usually referred to as invisibility or fidelity, it describes the greatest requirement of watermarking schemes. It states that the original and watermarked images should be perceptually similar [20] and might be achieved by reducing either robustness, capacity or both [19]. The standard two statistical benchmarks for estimating the perceptual level of invisibility between the original and watermarked images are Peak Signal to Noise Ratio (PSNR) and Structural Similarity (SSIM) index [13].

 Reversibility
In medical fields, if an image is changed during the workflow process a collapse in trust is formed, regarding the validity of the images, with the hazard that any slight difference could lead to misdiagnosis with possible life-threatening, or legal, implications. Consequently, the necessity to strictly retrieve the original data from the watermarked image is high [21].
Reversible or lossless watermarking methods satisfy this requirement in that they guarantee Robustness Capacity Imperceptibility extraction of the watermark along with exactly reconstructing the unmodified original image [22]. However, a watermarked image is not distortion-free, especially in reversible techniques, but the modified image is employed as a cover for carrying out the watermark, not for diagnostic purposes and the recovered image is used for diagnosis, intervention planning, etc. [23].

 Reliability
This may be decomposed into two parts [24]:  Integrity: The capability of proving that the data has not been changed without authorisation.
 Authentication: The ability to identify information origin and confirming that the data refers to the right patient.
This paper offers a review of digital watermarking schemes and compares some recent works in watermarking medical imaging to define some research issues for the future. The rest of the paper is organised as follows. Section 2 illustrates the basic principles of digital watermarking. Section 3 reviews the recently published approaches in the field of medical imaging watermarking and highlights the limitations of some of these algorithms. In section 4, evaluation benchmarks of watermarking algorithms were demonstrated. Finally, discussion and conclusions drawn from this research will be stated in sections 2.

Digital Watermarking
Digital watermarking is the hiding of information (the watermark) within the digital data, such that the embedded watermark can be identified or extracted later to produce a confirmation of the validity of the data [11].

Principal Components of a Watermarking System
The basic model of the digital watermarking scheme consists of three components [6,14] as shown in Fig. 3:

 Watermark Generation
This function creates a suitable watermark according to the desired applications. In simple applications, the embedded data can be a text or another image. In the developed applications, the watermark may have particular properties based on the desired objectives. For example, in medical applications, the watermark may need the patient information or image features to confirm the integrity and authenticity of the watermarked data.

 Watermark Hiding
The hiding process is done at the source end. In this step, the watermark is inserted into the original data by applying a certain algorithm and a secret key to generate the watermarked data.

 Watermark Extracting
The extraction process is done by reversing the implemented hiding algorithm and use the secret key and/or the original data to detect/extract the embedded watermark.

Digital Watermarking Classifications
Digital watermarking schemes can be classified into many groups in various ways (Fig. 4), such as document type, embedding domain, perceptibility and reversibility [13]. Based on the embedding techniques, watermarking systems can be categorised into spatial and transform domain [25]. On the other hand, the watermarking methods can be divided according to human perception into visible, invisible and dual watermarking techniques. Popular examples of visible watermarks are the sealing and logos, which are placed on the images, videos and TV channels corners for content protection and ownership verification. Moreover, invisible watermarks are hidden in such a way that they cannot be seen, but they can be removed by utilising the exact algorithm. Invisible watermarking schemes are suitable for many purposes like authentication, integrity control and ownership verification of digital files. In some application, visible and invisible watermarks can be applied together. This technique is called the dual watermarking, and in this situation, the invisible watermark is assumed as a backup for the visible one [26]. Invisible watermarking approaches can be further divided, based on their robustness, into four categories: robust, fragile, semi-fragile and hybrid techniques [13]. The robust system, which is typically used for copyright protection, copy control, fingerprinting and broadcast monitoring, should be able to survive against a wide range of attacks, while the fragile watermarking methods are intolerable to the smallest modifications. This technique is designed with a goal to verify the authentication and integrity of multimedia contents. The semi-fragile method is intermediate in robustness, in such that it is robust against authorised operations and fragile with unauthorised operations. This watermarking method is also used for authentication and integrity purposes [27]. Finally, the hybrid approach is a combination of fragile and robust methods to achieve the authenticity, integrity and ownership protection simultaneously [13].
In addition to the previous classifications, the reversible watermarking also called invertible or lossless watermarking is another significant feature of watermarking techniques. Compared to the traditional watermarking systems, reversible algorithms can restore both the embedded watermark and the original data exactly. This feature is a crucial requirement for many fields such as medical, military and law-enforcement applications [22].

Digital Watermarking Techniques
Current watermark embedding techniques can be divided into two main groups. The following are a brief explanation of the properties of each group.

Spatial Domain Techniques
In these methods, the watermark is inserted into the cover image by directly modifying the pixel values of the original image. These algorithms are simple, fast and offer high embedding capacity [25]. Also, a small watermark can be hidden several times. This advantage provides additional robustness against any attack because of the possibility of removing all watermarks is very low. Spatial domain techniques may have some benefits, but their main drawback is that they cannot survive against many operations like adding noise and lossy compression methods. Moreover, when discovering the utilised watermarking method, the hidden watermark can easily be altered by an unauthorised user [28].

Least Significant Bit
Least Significant Bit (LSB) method represents one of the earliest and simplest spatial domain techniques. It can be applied to any form of the watermarking. In this technique, the LSB of the cover image is replaced with the watermark. The watermark bits are encoded in a sequence which serves as the key. This sequence should be known to retrieve the embedded bits. As shown in Fig. 5, the decimal pixels value of the original image is first converted to binary.
Then, the rightmost bits of each pixel are substituted by the watermark bits. Lastly, the changed binary pixels are returned to its original decimal values [29].

Local Binary Pattern
Local Binary Pattern (LBP) is a different method of spatial domain techniques. Firstly, the original image is segmented into non-overlapping square blocks. Secondly, the local pixel differences between the central pixel and its adjacent pixels in each block are calculated. Then, these pixels are utilised for embedding the watermark bits according to the rules mentioned in [30]. LBP based methods are robust against luminance variation and contrast adjustment, but fragile with other operations like blurring and filtering. In other words, this technique is suitable for semi-fragile watermarking applications [13]. LBP operator, originally designed for effective texture analysis, object/pattern recognition and crowd estimation [31].

Histogram Modification
Another watermarking technique in the spatial domain category is the histogram modification which benefits from the global features of the host image for embedding the watermark [32].
This scheme hides the watermark by shifting the maximum and zero points (or minimum if no zero points exist) of the histogram. This method can be executed easily, but the hiding capacity is restricted by the number of maximum points that appear [33].

Transform Domain Techniques
Transformation techniques are applied to the original image before encoding the watermark to provide more robustness against various image processing attacks compared to the spatial domain techniques. These methods generate the transform domain coefficients. The watermarked data can be achieved by changing these coefficients [25].

Discrete Cosine Transform
DCT is one of the greatest attractive methods implemented to transform the data from the spatial domain to transform domain. It is a linear transform, which maps an n-dimensional vector to a set of n-coefficients. DCT is robust to JPEG compression because JPEG standard is based on DCT technique. However, DCT lacks resistance to strong geometric attacks like scaling, cropping, translation, rotation, etc. [18].
By applying this technique, the image will be segmented into three frequency groups: low (FL), middle (FM) and high (FH). Most of the energy is focused in the low-frequency region, while high-frequency part contains the least amount of energy. The mathematical equations of forward and inverse transform of 2D-DCT are shown in Eq. 1 and Eq. 2, respectively [34].
Where m and n define the block size, f(x, y) represents the spatial domain pixel value, C (u, v) is the DC coefficient and ( ), ( ) can be calculated in Eq. 3: The DC coefficients are used for hiding the watermark to prevent changing the significant part of the image because they contain middle sub-band coefficients of the DCT. All other coefficients are titled the AC coefficients [13].

Discrete Wavelet Transform
DWT is a vigorous mathematical tool that has been utilised in various applications. It provides a proper spatial localisation and has multi-resolution characteristics, which are similar to the theoretical models of the human visual system. This method is robust against median and lowpass filtering. However, it is not strong to geometric attacks [18]. DWT separates the image hierarchically into four sub-bands: LL, HL, LH and HH as shown in Fig. 6, where L=low and H=high. The LL sub-band includes an approximation of the image, while the other three subbands covers the missing details. Moreover, the LL sub-band resulted from any stage can also be decomposed continuously to gain another level until reaching the required number of levels based on the application [35]. In digital watermarking systems, lower decomposition levels of the image, which contain a lower amount of energy, are more suitable to modifications. This energy is calculated by Eq. 4 [13]: Where k is the level of the decomposition, Nk and Mk are the dimensions of the sub-band, and Ik indicates the coefficients of the corresponding sub-band.

Discrete Fourier Transform
DFT denotes the most popular technique to convert the images from the spatial domain to transform domain [36]. It offers more robustness against geometric attacks. DFT decomposes an image in sine and cosine form. Therefore, watermark embedding can be implemented in two ways: direct hiding and the template based hiding [37]. Where: F(u,v) is the DFT coefficient, u=0,1,2,…,M−1, and v=0,1,2,…,N−1, R(u,v) and I (u,v) are the real and imaginary parts of DFT, respectively.
The polar of the DFT [13] can also be explained by Eq. 7: Where |F(u,v)| and ϕ(u,v) represent amplitude and phase components respectively, which can be calculated by Eq. 8 and Eq. 9: The watermark can be embedded in the amplitude part, which contains little information about the image, to reduce the visual distortion [36]. Table 1 provides a comparison between the spatial and transform domains techniques regarding the embedding domain, robustness, imperceptibility, capacity, complexity and processing time.

State of the Art
In this section, a list of significant published work in the area of medical images watermarking will be reviewed. This survey aims to highlight the advantages and limitations of recently published techniques concerning the medical images integrity and authenticity and Electronic Patient Record (EPR) data hiding. It is also aimed to provide a path for future researchers to address the limitations of existing watermarking techniques.

Schools of Thought in Medical Image Watermarking
There are three kinds of medical images watermarking approaches; classical methods, a Region of Interest (ROI) and Region of Non Interest (RONI) watermarking approaches and reversible watermarking techniques. Whatever algorithm is used, the computational complexity should not cause a delay in the clinician's time [38]. The following subsections discuss the existing digital watermarking methods applied to medical images. A comparison of these techniques regarding the robustness, capacity, imperceptibility and objective is also illustrated in Table 3.

Classical Methods while Minimising the Distortion
In conventional watermarking methods, the watermark is embedded in the whole cover image by replacing some details like LSBs or losing some details when using lossy image compression methods [38]. When implementing a digital watermarking scheme for a medical image, the images must not be perceptually changed because no radiologist will agree to use the degraded image for taking a decision, no matter how small the alteration is. Hence, the watermarking algorithm must be reversible [2]. The irreversible watermarking approaches remain subjected to an admission by radiologists while the original images stay usually preferred for investigation purposes [39].

Region of Interest and Region of Non-Interest Watermarking Methods
Coatrieux, et al. [40] assumed that medical images can be divided into two regions ROI and RONI. ROI section includes the informative region which is used for diagnostic purposes and must be stored without any distortion. However, RONI usually represents the black background of the image, but occasionally it can contain grey level parts of slight interest [41]. In ROI watermarking, spatial or transform domain techniques is utilised for hiding the watermark. The encoded watermark may be robust or fragile based on the purpose and the application in hand. 18  authentication applications offer a comprehensive framework, the authentication feature maintains the integrity of the image, while the advantage of reversibility protects the quality [21]. The reversible watermarking technique can be deemed as a special case of digital watermarking [21]. Fig. 7 demonstrates the simple reversible watermarking scheme. A patented work on reversible watermarking was introduced by Honsinger, et al. [44]. They embedded the digital signature of the image into the original image to verify its authenticity by implementing a spatial additive watermark method joint with modulo additions 256. Macq [45] suggested an expansion to the patchwork algorithm to design a robust reversible watermarking technique. Both approaches proposed by Honsinger, et al. [44] and Macq [45]  The following subsections present a review of reversible watermarking methods by classifying them into four groups: compression based, histogram modification based, quantization based and expansion based techniques.

Compression Based Technique
In the case of reversible watermarking, additional information is required to be encoded along with the watermark to recover the original unmodified image. As a result, the length of the watermark is much more than the traditional methods. A simple technique to improve the capacity will be by compressing a part of the host image [21,47].  [50], with a genetic algorithm to improve the embedding capacity. In the first step, the image is converted into transform domain by applying integer wavelet transform. Then, the transformed image is segmented into blocks, and the threshold value is calculated for each block. Compounding process is executed for each block has a value larger than a particular threshold. The genetic algorithm has the ability to select the optimal/near-optimal threshold, which organises the compounding operation and the efficient payload. The weakness of the proposed scheme is the time consuming for the training phase. Also, the genetic algorithm must be applied to each cover image.

Histogram Modification Based Technique
Comparing to other approaches of reversible watermarking which are not strong against image processing and distortions, histogram modification has been introduced to overcome the robustness issues. In these methods, the embedding target is replaced by the histogram bin to enhance the robustness of the reversible algorithm [47]. In general, most embedding methods in this type are block-based, and therefore they have the strength to resist some operations. The hiding capacity level in this approach is low, but the robustness is the main benefit of this scheme [53].
In the scheme presented by De Vleeschouwer, et al. [54], the original image is separated into blocks of neighbouring pixels. Then, each block is divided into two regions, and consistent histograms are computed. In their approach, circular interpolation is utilised to shift the histogram bins according to the watermark bit. A high distortion may happen when highest and lowest bits are shifted to the other side. Therefore, the authors enhanced their scheme by using the bijective transformations [46]. The massive distortion produced by the change of the maximum and the minimum bit is controlled by permitting at most two shifts. Another histogram based techniques were developed by [32,55] by only embedding the data in the peak bin pixels. However, these approaches require additional overhead to retrieve the watermark and reconstruct the original image, but they provided a reasonable watermarked image quality.
In order to raise the hiding capacity, Lin, et al. [56] offered a multilevel reversible method using the histogram of difference image for hiding the data. The difference image is produced by utilising the difference between two neighbouring pixels. The image is partitioned into nonoverlapping (4x4) blocks, and then a variance matrix of size (3x4) is created for every block.
For data hiding, histogram shifting is applied to each difference block. Although this approach has a high capacity due to implementing a multi-level embedding method, it suffers from the massive amount of side-information like saving the peak value for all blocks. Tsai, et al. [57] proposed a high capacity scheme by employing a residue image. This remainder indicates a difference between an original pixel and every other pixel in the non-overlapping block rather than the difference between neighbouring pixels. Though, since they need a highest and zero points for each block for obtaining the reversibility feature, that information should be involved to message bits and therefore reducing the hiding capacity of the scheme.
Khan and Malik [58] reported a new high capacity reversible watermarking method which exploits the idea of down sampling for improving the implementation. Down sampling offers two sub-sampled forms, the reference and the data hiding to produce area for embedding by utilising histogram shifting. Moreover, to obtain a blind scheme, the location map was compressed and embedded in the watermarked image. The proposed system provided an excellent imperceptibility versus capacity trade-off and can detect tamper attacks.

Quantization Based Technique
Though quantization based watermarking approaches are, in general, robust, reversible quantization based watermarking methods are typically fragile in nature [21]. In Cheung and Wu [59] system, a Sequential Quantization Strategy (SQS) has been suggested to make the variation of a pixel value dependent on the other pixels. Therefore, a balance between security enhancements can be achieved for authenticity and integrity verification. The combination between proposed SQS and the reversible watermarking mechanism has increased the opportunity of detecting the illegal modifications. Saberian, et al. [

Expansion Based Technique
The concept of DE was first introduced in 2003 [63]. It offered a new way to the reversible watermarking techniques. The proposed scheme embeds one bit of watermark data into the LSB of the difference value of two pixels. The selected pairs can either be any two neighbouring (horizontal or vertical) pixels or any two pixels selected in a pre-defined pattern.
The weakness of this approach is the reduction of the hiding capacity because of the unexpected but required location map. Alattar [64] extended the previous scheme by hiding two bits into the differences of a triple of pixels. The proposed algorithm used spatial and spectral triplets of pixels to conceal a pair of bits to raise the embedding capacity. A spatial triplet denotes any three pixels chosen from the corresponding spectral, or colour part. On the other hand, the spectral triplet can be any three pixels values picked from various spectral components.
Soon after the DE has been suggested, Alattar [65] developed a novel reversible watermarking using DE of quads of colour images. This method embeds three bits in the DE of a group of four pixels. The simplest method of selecting the quads is to suppose every 2x2 adjacent pixels are a quad. The maximum hiding capacity of the proposed system is considered to be 0.75 bpp.
However, in practice, the capacity is estimated to be lower because some quads may not be usable due to overflow/underflow problems. For example, the difference may be (more than 255 or less than 0) for 8-bits depth grayscale images. Alattar [66]  According to Khan, et al. [21], the simple difference between histogram shifting and location map approaches is the degradation produced in the hiding process. In the case of using location map, only watermarked pixels are changed, and then the deformation only happens in these pixels. While, in histogram shifting technique, pixels that are not employed for watermarking are also suffering from deformation due to the using of shifting operation.
Most watermarking systems based on DE techniques are pixel-wise or block based where the damage of data does not impact the next one. However, destroying the location map causes a mismatching to all later pixels. So, these schemes are also fragile under attacks, and they are suitable for authenticity and integrity applications. Also, not all pixels can be used for carrying the watermark bits because of the overflow/underflow problems. Therefore, a threshold to avoid these problems is needed [47].

Purposes of Medical Image Watermarking
Navas and Sasikumar [69] have divided medical images watermarking methods into two groups: authentication and integrity control, and embedding the EPR data. Al-Qershi and Khoo [70] classified medical images watermarking schemes based on the purposes of the application into three classes: authentication (containing tamper detection and restoration), EPR hiding and systems that merge both authentication and EPR hiding to verify the information source and detect the manipulations. In the following subsections, each group will be explained and discussed. A summary of these approaches is also illustrated in Table 3.

Authentication Schemes
There are several approaches for preserving the authentication of the medical images. One method is based on hiding the EPR data to prove that the information relates to the right patient. 25   can be verified by comparing between the recomputed DS/MAC and the hidden one [38]. The priority order of authentication and integrity watermarking systems is imperceptibility, robustness and capacity [69].
Several watermarking approaches were proposed to maintain the authenticity and integrity of medical images. Blind reversible watermarking systems established on integer-to-integer wavelet transform technique were introduced by [2,71]. In these systems, the image is segmented into blocks, and the watermark is inserted into each block by LSB-substitution or bit-shifting technique. The original image can be precisely retrieved at the extraction side since the required information for realising the reversibility such as location map of changeable and unchangeable LSB is also embedded in the image.
Memon, et al. [43] introduced a blind fragile watermarking to ensure the content authentication of CT images. The watermark information, which consists of patient data, hospital logo and authentication code, is embedded in RONI to preserve ROI information and confirm the integrity control. Automatic segmentation technique has been applied instead of drawing a square [82] or ellipse [83] for splitting the ROI and RONI.
Tan, et al. [39] proposed a dual layer reversible watermarking approach to confirm the integrity and authenticity of DICOM images. Firstly, the images were decomposed into 2x2 nonoverlapping blocks. Then, one pixel from each block is selected as an estimator, and the other pixels are used for concealing three bits (one bit each). In the first layer, metadata, authentication information and position of the estimator is embedded. In the second layer,

EPR Data Hiding Schemes
In order to avoid the detachment between image and patients data as well as to decrease the required storage space, the EPR such as patient name, ID, age, sex, demographic information and diagnosis result can be embedded into the patient image [24]. Hence, the capacity represents a significant requirement. So, the priority order of EPR data embedding is imperceptibility, capacity and robustness [69].
Several watermarking approaches were reported for the aim of EPR data hiding. Mostafa, et al. [72] presented a blind watermarking method for medical image organisation.

Authentication and EPR Data Hiding Schemes
Al-Qershi and Khoo [70] presented a mixture watermarking system to verify ROI

Evaluation Benchmarks of Watermarking Algorithms
In the digital watermarking scheme, it is necessary to preserve the quality of the images. So, for evaluating both the watermarked image and the watermark itself, two sets of metrics are required; the first set is to measure the quality of the images, while the second set is to evaluate the accuracy of the extracted watermark. Performance comparison of the different approaches that have been discussed in this research regarding these benchmarks is also demonstrated in Table 3 4

.1. Imperceptibility Assessment of Watermarked Image
There are several metrics used to estimate the distortion of watermarked images. Mean Square Error (MSE), PSNR and SSIM index are the most popular metrics utilised for this purpose.
The PSNR and MSE metrics measure the error sensitivity variations between the unmodified and modified images while the SSIM metric draws more concern to the structures of these images [88]. In all of the following equations, N×M is the images dimension, and I, Iw represent the original and the watermarked images, respectively.

Mean Square Error
MSE between the original image and the watermarked image is measured by the Eq. 10 [13]:

Peak Signal to Noise Ratio
PSNR is usually utilised to estimate the quality of the original and the watermarked image. A higher PSNR value indicates that both images are more similar to each other [89]. This metric is determined in decibels (dB) as Eq. 11: ( , ) = 10 * 10 2 (11) Where: MAXI represents the largest fluctuation of the input image.

Structural Similarity Index
SSIM evaluates the image quality by measuring the demographic changes between the two images. SSIM can be calculated using Eq. 12 and takes a value from ( −1 to 1) where the value of (1) refers that the compared images being the same [88].

Robustness Evaluation of Extracted Watermark
The following metrics can be applied to measure the reliability and readability of the extracted watermark in the case of logo or binary sequence watermark. In all of the following equations, W and W' denotes the embedded and extracted watermark, respectively.

Correlation Coefficient
The Correlation Coefficient (CRC) uses to analyse the corresponding between the original and extracted watermark. CRC value ranges from 0 to 1 and can be calculated by Eq. 13 [90].

Similarity Measure
Similarity Measure (SIM) also called Similarity Coefficient (SC) can be utilised to gauge the similarity between the concealed and extracted watermarks [90] and can be calculated using Eq. 14:

Bit Error Rate
Bit Error Rate (BER) metric is described as the ratio between binary patterns that are decoded wrongly and length of the binary sequence. So, the lower is the BER, the better is the efficiency of the embedding scheme [89]. It is defined by Eq. 15: Where DB is the amount of incorrectly decoded bits and NB is the whole number of bits of the watermark.

Accuracy Ratio (AR)
Accuracy Ratio (AR) also can be used for evaluating the matching between the hidden and extracted watermark. It represents the relation between correct bits and original watermark bits.

= (16)
Where CB represents the number of correct bits, and NB is the whole number of bits of the original watermark. 34

Discussion and Conclusions
The necessity of protecting medical images and other patients' data is not only for confidentiality purposes but also to prevent manipulations that might happen by authorised and unauthorised users while using these images. Therefore, there is a need to use a technique for ensuring trust in digital medical workflows. Digital watermarking has been recognised as a favourable approach for ensuring data integrity and authenticity in medical environments. In this paper, we have presented a comprehensive review of medical image watermarking schemes and discussed various issues related to each approach.
Many techniques have been proposed in the literature for watermarking the medical images utilising both spatial and transform domains. These techniques hide the watermark in the whole image or in the images' ROI and RONI by implementing reversible and irreversible methods.
In comparison to the transform domain techniques, which are suitable for ownership verification applications, techniques based on the spatial domain are less complex and provide higher capacity and visual quality. However, the spatial domain methods are fragile and cannot survive against many operations making them appropriate for integrity and authentication applications. Also, it is noticed that transform domain schemes based on DCT and DFT are rarely used for medical image watermarking and the majority of the studies prefer the techniques based on DWT due to it is offering an accurate matching of the human visual system.
RONI watermarking systems embed watermarks in regions that are insignificant in medical diagnosis, but they have several drawbacks such as they can be only applied if a RONI exists, the size of the watermark depends on the RONI size and also the ROI may not be protected against malicious attacks. So, applying these methods depends on the image characteristics.
Medical requirements are extremely strict with the quality of medical images and do not allow non-clinical based modification in any way. The irreversible watermarking methods remain subject to acceptance by the radiologists while the original images stay typically favoured for diagnosis purposes. So, the watermarking algorithms applied to medical images should have the ability to retrieve the original non-modified image. Reversible watermarking assures recovering the original image precisely after extracting the embedded watermark successfully.
Consequently, the hiding capacity and the number of potential methods that can be performed on medical images have been restricted significantly because of this feature.
In order to apply watermarking to medical information systems, it is fundamental to choose an appropriate and reliable approach. The performance of all watermarking schemes, which have been reviewed in this paper, had been assessed only in terms of perceptibility by utilising physical metrics. PSNR and SSIM benchmarks are the most widely used physical image quality metrics, but they do not take into account all characteristics that are clinically relevant in getting an accurate medical diagnosis [91]. Therefore, this study recommends relating these metrics to the visual/clinical assessment approaches to improve their validity and applicability. This needs expert images' readers to visually evaluate the differences between the original and watermarked images through an objective question set. Also, it is recommended that further work is required for testing the watermarking system regarding image quality in a fully operational PACS where the medical images are archived and retrieved.