How to Connect an Imaging Modality to a PACS Server over the Internet

Abdulazeez Alao

For this article, I will use MRI as the imaging modality type and Orthanc as the PACS server.

Traditionally, DICOM servers and imaging modalities are connected within the confines of a local network, ensuring swift and secure data transfer.

However, the increasing need for remote diagnostics, telemedicine, and centralized data storage has created a demand for accessing these systems over the internet. Whether you're a healthcare provider looking to streamline your imaging workflows or an IT professional tasked with setting up a remote imaging infrastructure, understanding how to connect an imaging modality to Orthanc over the internet is essential. This matters because the radiologist who will report the images may not be near the imaging center (for example, many radiologists report images from their homes or offices via the internet).

In this article, I will walk you through the step-by-step process of configuring your Orthanc DICOM server for remote access. I will try to cover everything from network setup and security considerations to practical use cases and troubleshooting tips. By the end of this blog, you'll be equipped with the knowledge to establish a secure and efficient remote connection between your imaging modalities and the Orthanc DICOM server, ensuring your medical imaging data is always within reach, no matter where you are.

Network Configuration

To connect an imaging modality to Orthanc over the internet, you need to ensure proper network configuration. This involves setting up a public IP address, configuring port forwarding, and adjusting firewall rules. Let's break down each step:

Public IP Address

The first requirement is ensuring that the server running Orthanc is accessible over the internet. This can be achieved by assigning a public IP address to the server or using a domain name that points to it.

  • Public IP Address: Obtain a static public IP address from your Internet Service Provider (ISP). This address is unique and allows devices outside your local network to connect to your Orthanc server.

  • Domain Name: Alternatively, you can use a domain name (e.g., orthanc.mydomain.com) that points to your public IP address. This is often more convenient as it’s easier to remember and can be managed via DNS settings.

Port Forwarding

If your Orthanc server is behind a router or firewall, you will need to configure port forwarding. This process directs incoming internet traffic on a specific port to the correct internal IP address of your Orthanc server.

  1. Access Router Settings: Log into your router’s configuration interface. This is typically done via a web browser using the router’s local IP address (e.g., 192.168.1.1).

  2. Find Port Forwarding Settings: Locate the port forwarding section, which may be under settings like "Advanced" or "NAT" (Network Address Translation).

  3. Configure Port Forwarding Rule:

    • Service Name: Give the rule a descriptive name (e.g., OrthancDICOM).

    • External Port: Set the external port to 104 (default for DICOM) or another port if Orthanc is configured differently.

    • Internal IP Address: Enter the local IP address of the server running Orthanc.

    • Internal Port: Set the internal port to match the port Orthanc is listening on (e.g., 104).

    • Protocol: Choose TCP as the protocol.

For example, if your Orthanc server's internal IP address is 192.168.1.100 and it listens on port 104, your port forwarding rule might look like this:

Service Name: OrthancDICOM
External Port: 104
Internal IP Address: 192.168.1.100
Internal Port: 104
Protocol: TCP

Firewall Rules

To ensure that the connection is successful, you need to configure the firewall rules on both the Orthanc server and any intermediate firewalls to allow traffic on the designated ports.

  1. Server Firewall:

    • On the server running Orthanc, configure the firewall to allow inbound traffic on the port Orthanc uses (e.g., port 104).

    • For example, on a Linux server using ufw, you can allow traffic on port 104 with the command:

        sudo ufw allow 104/tcp
      
  2. Network Firewall:

    • If there are any firewalls between the Orthanc server and the internet, configure them to allow traffic on the same port.

By configuring your network with a public IP address or domain name, setting up port forwarding, and adjusting firewall rules, you make your Orthanc DICOM server reachable by an imaging modality over the internet. This setup lets remote devices communicate with the Orthanc server from anywhere in the world. Because the forwarded DICOM port is then open to the internet, the access control, TLS/SSL and VPN measures covered in the following sections are what keep that access secure.

Orthanc Configuration for External Access.

Connecting an imaging modality to an Orthanc DICOM server over the internet involves careful configuration of the Orthanc server to ensure it is accessible, secure, and capable of handling external requests. This section provides detailed steps on modifying the Orthanc configuration file (orthanc.json), examples of setting up DICOM modalities and SCP, and instructions for setting up access control.

Modifying the Orthanc Configuration File

The Orthanc configuration file, orthanc.json, is where you define the server's behavior, including network settings, DICOM modalities, and security options. Here’s how to configure it for external access:

  1. Locate the Configuration File: The orthanc.json file is typically found in the Orthanc installation directory. On Linux, it might be in /etc/orthanc, and on Windows, in the Orthanc installation folder.

  2. Open the File for Editing: Use a text editor to open the orthanc.json file. For example, on Linux, you might use:

     sudo nano /etc/orthanc/orthanc.json
    
  3. Configure Network Settings: Ensure that Orthanc listens on the correct IP address and port. If you want Orthanc to be accessible on all network interfaces, use 0.0.0.0:

     {
       "DicomAet": "ORTHANC",
       "DicomPort": 104,
       "HttpPort": 8042,
       "DicomAssociationTimeout": 30,
       "DicomScuTimeout": 30,
       "DicomScpTimeout": 30,
       "RemoteAccessAllowed": true
     }
    
  4. Example Configuration for DicomModalities: Define the modalities (imaging devices) that will connect to Orthanc. Each modality requires an AE Title, IP address, and port:

     {
       "DicomModalities": {
         "Modality1": [ "MODALITY1_AETITLE", "modality1.ip.address", 104 ],
         "Modality2": [ "MODALITY2_AETITLE", "modality2.ip.address", 105 ]
       }
     }
    
  5. Example Configuration for DicomScp: Configure Orthanc to act as a DICOM Service Class Provider (SCP) to receive images from modalities:

     {
       "DicomScp": {
         "AETitle": "ORTHANC",
         "Port": 104,
         "Enable": true,
         "DenyAllUsers": false
       }
     }
    

Setting Up Access Control

To secure your Orthanc server, it’s crucial to set up user accounts and permissions. This ensures that only authorized users can access the server and its data.

  1. Enable Authentication: Add the following section to your orthanc.json file to enable basic authentication:

     {
       "AuthenticationEnabled": true,
       "RegisteredUsers": {
         "admin": "admin_password",
         "user": "user_password"
       }
     }
    
  2. Define User Roles: Set permissions for different user roles. For example, you can define roles for administrators and regular users:

     {
       "UserRole": {
         "admin": "Administrator",
         "user": "ReadOnly"
       }
     }
    
  3. Enable HTTPS: For secure communication, enable HTTPS by providing the path to a PEM file that contains both your SSL certificate and its private key (Orthanc reads both from the file named in SslCertificate):

     {
       "SslEnabled": true,
       "SslCertificate": "/path/to/certificate.pem"
     }
    
  4. Restrict API Access: If you use the REST API, restrict access to specific users or IP addresses:

     {
       "RestApi": {
         "Enabled": true,
         "AllowUnauthenticated": false,
         "RestrictedUsers": {
           "ReadOnly": [ "user" ]
         }
       }
     }
    
  5. Set Up IP Filtering: Limit access to the Orthanc server to specific IP addresses if needed:

     {
       "AllowedSources": [
         "192.168.1.0/24",
         "10.0.0.0/8"
       ]
     }
    

Final Configuration Example

Here’s a complete example of a configured orthanc.json file:

{
  "DicomAet": "ORTHANC",
  "DicomPort": 104,
  "HttpPort": 8042,
  "DicomAssociationTimeout": 30,
  "DicomScuTimeout": 30,
  "DicomScpTimeout": 30,
  "RemoteAccessAllowed": true,
  "DicomModalities": {
    "Modality1": [ "MODALITY1_AETITLE", "modality1.ip.address", 104 ]
  },
  "DicomScp": {
    "AETitle": "ORTHANC",
    "Port": 104,
    "Enable": true,
    "DenyAllUsers": false
  },
  "AuthenticationEnabled": true,
  "RegisteredUsers": {
    "admin": "admin_password",
    "user": "user_password"
  },
  "UserRole": {
    "admin": "Administrator",
    "user": "ReadOnly"
  },
  "SslEnabled": true,
  "SslCertificate": "/path/to/certificate.pem",
  "RestApi": {
    "Enabled": true,
    "AllowUnauthenticated": false,
    "RestrictedUsers": {
      "ReadOnly": [ "user" ]
    }
  },
  "AllowedSources": [
    "192.168.1.0/24",
    "10.0.0.0/8"
  ]
}

By following these detailed steps to configure orthanc.json, setting up access control, and securing your server, you can ensure that your Orthanc DICOM server is accessible, functional, and secure for external connections. This setup is crucial for enabling remote diagnostics, telemedicine, and centralized data storage while maintaining data integrity and security.
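The settings that decide how exposed an internet-facing Orthanc really is can be checked mechanically before the port is opened. The following is an added example, not part of the original article or of Orthanc: a small auditor for an orthanc.json dictionary. The options AuthenticationEnabled, DicomTlsEnabled, DicomCheckCalledAet, DicomAlwaysAllowStore and DicomCheckModalityHost and the defaults used are assumptions taken from Orthanc's stock Configuration.json; the finding IDs, the AE title MRI1, the address and both sample configurations are constructed.

```python
"""Audit an orthanc.json dictionary before exposing the server to the internet."""

# Defaults assumed from Orthanc's stock Configuration.json, not from this article.
DEFAULTS = {
    "RemoteAccessAllowed": False,
    "AuthenticationEnabled": False,
    "RegisteredUsers": {},
    "SslEnabled": False,
    "DicomTlsEnabled": False,
    "DicomCheckCalledAet": False,
    "DicomAlwaysAllowStore": True,
    "DicomCheckModalityHost": False,
}


def weak_password(user, password):
    """Flag short values, obvious placeholders and passwords equal to the user name."""
    lowered = password.lower()
    return len(password) < 12 or "password" in lowered or lowered == user.lower()


def audit(config):
    """Return (finding_id, message) tuples; the IDs are labels made up for this example."""
    cfg = {**DEFAULTS, **config}
    findings = []

    if cfg["RemoteAccessAllowed"]:
        if cfg["AuthenticationEnabled"] is not True:
            findings.append(("HTTP-AUTH", "AuthenticationEnabled is not explicitly true"))
        elif not cfg["RegisteredUsers"]:
            findings.append(("HTTP-NO-USERS", "authentication is on but no user is registered"))
        if not cfg["SslEnabled"]:
            findings.append(("HTTP-TLS", "web interface and REST API are served over plain HTTP"))

    weak = sorted(u for u, p in cfg["RegisteredUsers"].items() if weak_password(u, p))
    if weak:
        findings.append(("HTTP-WEAK-PW", "weak or placeholder password for: " + ", ".join(weak)))

    if not cfg["DicomTlsEnabled"]:
        findings.append(("DICOM-TLS", "DICOM port carries images and patient data unencrypted"))
    if not cfg["DicomCheckCalledAet"]:
        findings.append(("DICOM-CALLED-AET", "associations are accepted whatever AE title is called"))
    if cfg["DicomAlwaysAllowStore"]:
        findings.append(("DICOM-OPEN-STORE", "C-STORE is accepted from peers not in DicomModalities"))
    if not cfg["DicomCheckModalityHost"]:
        findings.append(("DICOM-HOST-CHECK", "peer IP address is not matched against DicomModalities"))
    return findings


def finding_ids(config):
    """Return only the finding IDs, in the order they were raised."""
    return [fid for fid, _ in audit(config)]


# Constructed sample: an exposed server with placeholder credentials.
EXPOSED = {
    "DicomAet": "ORTHANC", "DicomPort": 104, "HttpPort": 8042,
    "RemoteAccessAllowed": True, "SslEnabled": True,
    "RegisteredUsers": {"admin": "admin_password", "user": "user_password"},
    "DicomModalities": {"Modality1": ["MRI1", "203.0.113.10", 104]},
}

# Constructed sample: the same server with the gaps closed (passwords are dummies).
HARDENED = {
    **EXPOSED,
    "AuthenticationEnabled": True,
    "RegisteredUsers": {"admin": "Vt7#qLm2!xRz9wKd", "user": "pN4$hGs8@bYc6eUj"},
    "DicomTlsEnabled": True,
    "DicomCheckCalledAet": True,
    "DicomAlwaysAllowStore": False,
    "DicomCheckModalityHost": True,
}

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(name)
        for fid, msg in audit(cfg):
            print(f"  [{fid}] {msg}")
```

To audit a real file, load it with json.load and pass the resulting dictionary to audit(); Orthanc accepts comments in its configuration, so strip them first if the file has any.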

Security Considerations for Connecting Orthanc DICOM Over the Internet.

When connecting an imaging modality to an Orthanc DICOM server over the internet, ensuring the security of transmitted data is paramount. One of the most effective ways to secure communication is by using TLS/SSL encryption. This section provides a comprehensive guide on enabling TLS/SSL in Orthanc, generating SSL certificates, and updating the Orthanc configuration to use these certificates.

Using TLS/SSL for Encryption

TLS (Transport Layer Security) and its predecessor SSL (Secure Sockets Layer) are cryptographic protocols designed to provide secure communication over a computer network. Enabling TLS/SSL on your Orthanc server encrypts the data transmitted between the imaging modality and the server, protecting it from interception and tampering.

Generating SSL Certificates

To enable TLS/SSL, you need SSL certificates. You can either obtain certificates from a trusted Certificate Authority (CA) or generate self-signed certificates. Here, we’ll cover both methods.

Method 1: Obtaining Certificates from a CA
  1. Purchase or Obtain Free Certificates: Purchase an SSL certificate from a trusted CA (e.g., DigiCert, Comodo) or obtain a free certificate from Let’s Encrypt.

  2. Generate a Certificate Signing Request (CSR): Use OpenSSL to generate a CSR, which you’ll submit to the CA.

     openssl req -new -newkey rsa:2048 -nodes -keyout orthanc.key -out orthanc.csr
    

    Follow the prompts to enter information about your organization and domain.

  3. Submit the CSR to the CA: The CA will use your CSR to generate an SSL certificate for your domain.

  4. Download the Certificate: Once the CA has verified your information, they will provide you with the SSL certificate files.

Method 2: Generating Self-Signed Certificates
  1. Generate a Self-Signed Certificate: Use OpenSSL to generate a self-signed certificate.

     openssl req -x509 -newkey rsa:2048 -nodes -keyout orthanc.key -out orthanc.crt -days 365
    

    Follow the prompts to enter information about your organization and domain.

Updating the Orthanc Configuration to Use SSL Certificates

Once you have your SSL certificates, you need to configure Orthanc to use them.

  1. Place the Certificates on Your Server: Copy the certificate and key files to a secure directory on your server. Orthanc's HTTP server reads the certificate and the private key from a single PEM file, so append the contents of the key file to the certificate file that SslCertificate will point to. For example:

    • /etc/orthanc/certs/orthanc.crt

    • /etc/orthanc/certs/orthanc.key

  2. Modify the Orthanc Configuration File: Open the orthanc.json file and update it to enable SSL and point to your certificate file. A SslMinimumProtocolVersion of 4 limits the server to TLS 1.2 and newer.

     {
       "HttpServerEnabled": true,
       "HttpPort": 8042,
       "SslEnabled": true,
       "SslCertificate": "/etc/orthanc/certs/orthanc.crt",
       "SslMinimumProtocolVersion": 4
     }
    
  3. Restart the Orthanc Server: Apply the changes by restarting the Orthanc server.

     sudo service orthanc restart
    
  4. Verify the Configuration: Access Orthanc through your web browser using https:// and ensure there are no security warnings. For example:

     https://your-domain.com:8042
    

Best Practices for SSL/TLS Configuration

  1. Use Strong Encryption: Ensure that your SSL/TLS configuration uses strong encryption algorithms. Set the SslCiphersAccepted option in orthanc.json to include only secure ciphers.

  2. Regularly Update Certificates: Keep your SSL certificates up to date and renew them before they expire.

  3. Secure Your Private Keys: Ensure that the private key file, and any PEM file that contains the key, is stored securely with appropriate permissions. Only the Orthanc process should have access to these files.

     chmod 600 /etc/orthanc/certs/orthanc.key /etc/orthanc/certs/orthanc.crt
    

By enabling TLS/SSL encryption, generating SSL certificates, and updating the Orthanc configuration, you ensure that your DICOM data is securely transmitted over the internet. This protects sensitive medical information from unauthorized access and maintains compliance with data protection regulations. Implementing these security measures is crucial for maintaining the integrity and confidentiality of medical imaging data in a remote access setup.

Setting Up a VPN for Secure Communication with Orthanc.

In the realm of medical imaging, the security and confidentiality of patient data are paramount. While TLS/SSL encryption provides robust security for data in transit, setting up a Virtual Private Network (VPN) adds an extra layer of protection by creating a secure, encrypted tunnel for all traffic between your devices and the Orthanc server. This guide outlines the steps for setting up a VPN, compares the pros and cons of using a VPN versus TLS/SSL, and discusses best practices for access control and authentication.

Setting Up a VPN

A VPN can be set up using various software solutions. One popular choice is OpenVPN, an open-source VPN solution. Here’s how to set it up:

Step-by-Step Instructions for OpenVPN
  1. Install OpenVPN:

    • On a Linux server, you can install OpenVPN using the package manager:

        sudo apt-get update
        sudo apt-get install openvpn
      
  2. Generate Keys and Certificates:

    • Use the Easy-RSA package to set up a public key infrastructure (PKI) and generate the necessary keys and certificates.

        sudo apt-get install easy-rsa
        make-cadir ~/openvpn-ca
        cd ~/openvpn-ca
        source vars
        ./clean-all
        ./build-ca
        ./build-key-server server
        ./build-dh
        ./build-key client1
        ./build-key client2
      
  3. Configure the OpenVPN Server:

    • Create a server configuration file, typically located at /etc/openvpn/server.conf:

        port 1194
        proto udp
        dev tun
        ca ca.crt
        cert server.crt
        key server.key
        dh dh2048.pem
        server 10.8.0.0 255.255.255.0
        ifconfig-pool-persist ipp.txt
        push "redirect-gateway def1 bypass-dhcp"
        push "dhcp-option DNS 8.8.8.8"
        push "dhcp-option DNS 8.8.4.4"
        keepalive 10 120
        cipher AES-256-CBC
        comp-lzo
        user nobody
        group nogroup
        persist-key
        persist-tun
        status openvpn-status.log
        log-append /var/log/openvpn.log
        verb 3
      
  4. Start the OpenVPN Server:

    • Start the OpenVPN service and enable it to start on boot:

        sudo systemctl start openvpn@server
        sudo systemctl enable openvpn@server
      
  5. Configure Client Devices:

    • Distribute the client configuration files and certificates to your client devices. Each client will use these files to connect to the VPN.
  6. Test the VPN Connection:

    • On a client device, use the OpenVPN client to connect to the server and verify that the connection is secure.

Pros and Cons of Using a VPN vs. TLS/SSL

Pros of Using a VPN:

  • Comprehensive Security: A VPN encrypts all traffic between the client and the server, not just DICOM data.

  • Network-Level Access: Provides access to the entire network, which can be beneficial for accessing other network resources in addition to Orthanc.

  • Bypass Geo-Restrictions: VPNs can help bypass geo-restrictions and censorship, allowing access from anywhere.

Cons of Using a VPN:

  • Complexity: Setting up and maintaining a VPN can be more complex than enabling TLS/SSL.

  • Performance Overhead: VPNs can introduce latency and reduce bandwidth due to the encryption overhead.

  • Single Point of Failure: If the VPN server goes down, all connected clients lose access.

Pros of Using TLS/SSL:

  • Simplicity: Easier to set up and manage compared to a VPN.

  • Performance: Generally has less performance overhead than a VPN.

  • Granular Control: Provides security specifically for the Orthanc server without impacting other network services.

Cons of Using TLS/SSL:

  • Limited Scope: Only secures traffic to the Orthanc server, not the entire network.

  • Requires Proper Configuration: Misconfigurations can lead to vulnerabilities.

Access Control and Authentication

To further secure your Orthanc server, implement access control and authentication mechanisms:

  1. Enable Basic Authentication:

    • Configure basic authentication in the orthanc.json file to restrict access:

        {
          "AuthenticationEnabled": true,
          "RegisteredUsers": {
            "admin": "admin_password",
            "user": "user_password"
          }
        }
      
  2. Use Strong Passwords:

    • Ensure that all user accounts have strong, unique passwords. Consider using a password manager to generate and store these passwords.
  3. Implement Role-Based Access Control (RBAC):

    • Assign roles to users and restrict access based on these roles. For example, administrators can have full access, while regular users have read-only access:

        {
          "UserRole": {
            "admin": "Administrator",
            "user": "ReadOnly"
          }
        }
      
  4. Enable HTTPS:

    • Ensure that all communication with the Orthanc server is encrypted using HTTPS. The file named in SslCertificate must be a PEM file that contains both the certificate and its private key:

        {
          "SslEnabled": true,
          "SslCertificate": "/path/to/certificate.pem"
        }
      
  5. Restrict IP Access:

    • Limit access to the Orthanc server by IP address to ensure only trusted devices can connect:

        {
          "AllowedSources": [
            "192.168.1.0/24",
            "10.0.0.0/8"
          ]
        }
      
  6. Monitor Access Logs:

    • Regularly review access logs to detect and respond to unauthorized access attempts.

Conclusion

Setting up a VPN and implementing robust access control measures are critical steps in securing your Orthanc DICOM server when accessed over the internet. By using a VPN, you ensure that all traffic is encrypted and secure, while TLS/SSL provides an additional layer of security for specific services. Together, these measures help protect sensitive medical data, ensuring compliance with privacy regulations and maintaining the integrity of your medical imaging infrastructure.

Testing the Connection to Orthanc DICOM Server.

After configuring your Orthanc DICOM server for remote access, it is crucial to test the connection to ensure that the setup works correctly and that images can be sent and received without issues. This section provides a comprehensive guide on using DICOM tools for testing, sending test images, verifying the receipt and storage of images, and troubleshooting common issues.

Using DICOM Tools for Testing

One of the most reliable tools for testing DICOM connections is dcm4che, an open-source suite of applications and utilities for working with DICOM files and networks. Here’s how to use it:

  1. Install dcm4che:

    • Download the dcm4che toolkit from the official website (http://www.dcm4che.org/) and follow the installation instructions for your operating system.
  2. Verify DICOM Connectivity:

    • Use the dcm4che tools to test the connectivity between your imaging modality and the Orthanc server. The dcmsnd command sends DICOM files, while dcmrcv listens for incoming DICOM files.

    • Example command to verify connectivity:

        dcmecho AETitle@orthanc_ip:104
      

      Replace AETitle, orthanc_ip, and 104 with your Orthanc AE Title, IP address, and port.

Sending Test Images from the Modality to Orthanc

Once you have verified the connectivity, the next step is to send test images from the imaging modality to the Orthanc server.

  1. Configure the Modality:

    • Ensure that the imaging modality (CT, MRI, etc.) is configured to send DICOM images to the Orthanc server. You will need to specify the Orthanc server's AE Title, IP address, and port in the modality’s DICOM settings.
  2. Send Test Images:

    • Perform a test scan or use existing DICOM images on the modality to send to the Orthanc server. Initiate the transfer and ensure the modality indicates a successful send operation.
  3. Using dcm4che for Sending Test Images:

    • If you don’t have immediate access to an imaging modality, you can use dcm4che to send test images to Orthanc. Here’s an example command:

        dcmsnd AETitle@orthanc_ip:104 test_image.dcm
      

      Replace AETitle, orthanc_ip, 104, and test_image.dcm with appropriate values.

Verifying that Images are Received and Stored Correctly

To ensure that the test images are received and stored correctly on the Orthanc server, follow these steps:

  1. Access Orthanc Web Interface:

    • Open a web browser and navigate to the Orthanc web interface using the server’s IP address or domain name:

        https://orthanc_ip:8042
      
  2. Log In:

    • Log in with your Orthanc credentials (if authentication is enabled).
  3. Verify Received Images:

    • Navigate to the “Patients” or “Studies” section in the web interface. You should see the test images you sent listed there.

    • Click on the images to view details and ensure that the images have been received correctly without any corruption.

  4. Check the Logs:

    • Review the Orthanc logs for any errors or warnings that might indicate issues with the DICOM transfer.

Troubleshooting Common Issues: Common Problems and Solutions When Setting Up Remote Access to Orthanc DICOM Server

Setting up remote access to your Orthanc DICOM server can significantly enhance the flexibility and efficiency of your medical imaging operations. However, this process can also present several technical challenges. This guide covers common problems encountered during setup and provides practical solutions to ensure a smooth and secure connection.

Common Problems and Solutions

  1. Connection Timeouts

    Problem: When attempting to connect the imaging modality to the Orthanc server, you experience connection timeouts.

    Solution:

    • Network Accessibility: Ensure the Orthanc server is accessible over the internet. Verify that the server has a public IP address or is accessible via a domain name.

    • Port Forwarding: Check that port forwarding is correctly configured on your router or firewall. DICOM typically uses port 104, but this can be customized.

    • Firewall Rules: Ensure that any firewalls between the modality and the Orthanc server are configured to allow traffic on the necessary ports.

    sudo ufw allow 104/tcp

  2. Authentication Failures

    Problem: The imaging modality fails to authenticate with the Orthanc server.

    Solution:

    • Check Credentials: Verify that the correct username and password are being used. These credentials should match those specified in the RegisteredUsers section of orthanc.json.

    • Update Orthanc Configuration: Ensure the configuration file includes all necessary users and their roles.

    {
      "RegisteredUsers": {
        "admin": "admin_password",
        "user": "user_password"
      }
    }

  3. Incorrect AE Titles

    Problem: The modality cannot connect because of a mismatch in AE Titles.

    Solution:

    • Match AE Titles: Ensure that the AE Title configured on the imaging modality matches the AE Title specified in Orthanc’s configuration.

    • Case Sensitivity: AE Titles are case-sensitive. Double-check for any discrepancies in letter case.

    {
      "DicomModalities": {
        "Modality1": [ "MODALITY1_AETITLE", "modality1.ip.address", 104 ]
      }
    }

  4. Image Transfer Errors

    Problem: Images are not being transferred correctly, or the transfer is incomplete.

    Solution:

    • Check Log Files: Review the Orthanc server log files for any error messages that can provide insights into what might be going wrong.

    • Ensure Compatibility: Make sure that the DICOM images conform to the standards supported by Orthanc. Sometimes, proprietary or non-standard elements in the DICOM files can cause issues.

    tail -f /var/log/orthanc/orthanc.log

  5. Network Issues

    Problem: There are intermittent connectivity issues or unexplained network errors.

    Solution:

    • Network Diagnostics: Use network diagnostic tools to identify and resolve any underlying network issues. Tools like ping, traceroute, and netstat can be very helpful.

    ping orthanc_ip
    traceroute orthanc_ip
    netstat -an | grep 104

    • Bandwidth and Latency: Ensure that your network has sufficient bandwidth and low latency for transmitting DICOM images, which can be quite large.

  6. SSL/TLS Issues

    Problem: There are problems with establishing a secure connection using SSL/TLS.

    Solution:

    • Certificate Validity: Ensure that your SSL/TLS certificates are valid and properly installed on the server. The file named in SslCertificate must be a PEM file that contains both the certificate and its private key.

    • Trust Chain: If using self-signed certificates, make sure that the imaging modality trusts the root certificate. This often involves importing the root certificate into the modality’s trust store.

    {
      "SslEnabled": true,
      "SslCertificate": "/path/to/certificate.pem"
    }

  7. Data Integrity Issues

    Problem: The images received by Orthanc are corrupted or incomplete.

    Solution:

    • Check Disk Space: Ensure that the server has sufficient disk space to store incoming images.

    • Verify Network Stability: Unstable network connections can cause data corruption. Ensure that both the server and the modality have reliable network connections.

  8. Performance Issues

    Problem: The Orthanc server is slow to respond or processes images slowly.

    Solution:

    • Resource Allocation: Ensure that the server running Orthanc has adequate CPU and memory resources.

    • Optimize Configuration: Adjust Orthanc’s configuration to better handle high loads. This might include tweaking settings related to image processing and storage.
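For the "Incorrect AE Titles" case above, a packet capture of the failed association shows exactly which titles the modality sent and why the server refused it. The following added example (not from the original article, Orthanc or dcm4che) decodes the fixed header of an A-ASSOCIATE-RQ and an A-ASSOCIATE-RJ PDU as laid out in DICOM PS3.8; the sample bytes, the AE title MRI1 and the function names are constructed for illustration.

```python
"""Read AE titles and the rejection reason out of captured DICOM association PDUs."""
import struct

# A-ASSOCIATE-RJ codes (DICOM PS3.8, section 9.3); reasons are keyed by (source, reason).
RJ_RESULT = {1: "rejected-permanent", 2: "rejected-transient"}
RJ_REASON = {
    (1, 1): "no-reason-given",
    (1, 2): "application-context-name-not-supported",
    (1, 3): "calling-AE-title-not-recognized",
    (1, 7): "called-AE-title-not-recognized",
    (2, 1): "no-reason-given",
    (2, 2): "protocol-version-not-supported",
    (3, 1): "temporary-congestion",
    (3, 2): "local-limit-exceeded",
}


def pad_aet(aet):
    """Encode an AE title as it travels on the wire: 16 bytes, space padded."""
    raw = aet.encode("ascii")
    if not 1 <= len(raw) <= 16:
        raise ValueError(f"AE title {aet!r} must be 1 to 16 characters")
    return raw.ljust(16, b" ")


def parse_associate_rq(pdu):
    """Return the called and calling AE titles from an A-ASSOCIATE-RQ header."""
    if len(pdu) < 74 or pdu[0] != 0x01:
        raise ValueError("not an A-ASSOCIATE-RQ PDU")
    called, calling = struct.unpack_from(">16s16s", pdu, 10)
    return {
        "called": called.decode("ascii", "replace").strip(" "),
        "calling": calling.decode("ascii", "replace").strip(" "),
    }


def parse_associate_rj(pdu):
    """Return result, source and reason text from an A-ASSOCIATE-RJ PDU."""
    if len(pdu) < 10 or pdu[0] != 0x03:
        raise ValueError("not an A-ASSOCIATE-RJ PDU")
    result, source, reason = pdu[7], pdu[8], pdu[9]
    return {
        "result": RJ_RESULT.get(result, f"unknown({result})"),
        "source": source,
        "reason": RJ_REASON.get((source, reason), f"unknown({source},{reason})"),
    }


def diagnose(rq_pdu, rj_pdu, server_aet, modality_aets):
    """Explain a rejected association using the server-side AE title settings."""
    rq, rj = parse_associate_rq(rq_pdu), parse_associate_rj(rj_pdu)
    if rj["reason"] == "called-AE-title-not-recognized" and rq["called"] != server_aet:
        same_letters = rq["called"].lower() == server_aet.lower()
        kind = "only in letter case" if same_letters else "in content"
        return f"called AE title {rq['called']!r} differs from {server_aet!r} {kind}"
    if rj["reason"] == "calling-AE-title-not-recognized" and rq["calling"] not in modality_aets:
        known = ", ".join(sorted(modality_aets))
        return f"calling AE title {rq['calling']!r} is not one of: {known}"
    return f"{rj['result']}: {rj['reason']}"


def make_rq_header(called, calling):
    """Build the fixed 74-byte part of an A-ASSOCIATE-RQ (variable items omitted)."""
    body = struct.pack(">HH", 1, 0) + pad_aet(called) + pad_aet(calling) + bytes(32)
    return struct.pack(">BBI", 0x01, 0, len(body)) + body


# Constructed capture: the modality calls "orthanc", the server is named "ORTHANC".
SAMPLE_RQ = make_rq_header("orthanc", "MRI1")
SAMPLE_RJ = bytes([0x03, 0x00, 0, 0, 0, 4, 0x00, 0x01, 0x01, 0x07])

if __name__ == "__main__":
    print(parse_associate_rq(SAMPLE_RQ))
    print(parse_associate_rj(SAMPLE_RJ))
    print(diagnose(SAMPLE_RQ, SAMPLE_RJ, "ORTHANC", {"MRI1"}))
```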

Conclusion

Setting up remote access to an Orthanc DICOM server involves a range of technical considerations. By understanding common issues and their solutions, you can troubleshoot effectively and ensure a reliable, secure connection between your imaging modalities and the server. Proper configuration and regular monitoring are key to maintaining a robust medical imaging infrastructure that supports remote diagnostics and telemedicine initiatives.
