
Part of Architecture pattern for connected medical devices - Imaging Pillar

Patterns for imaging diagnostic components



1. Clinical application services

These are applications used to provide various functions in the imaging diagnostics data flow and include:

Electronic patient record (EPR) – These are systems used by patient care teams in recording information during patient treatment in hospitals.

Radiology information system (RIS) – RIS is a networked software system for managing medical imagery and associated data. A RIS is especially useful for tracking radiology imaging orders and billing information, and is often used in conjunction with picture archiving and communication systems (PACS) and vendor neutral archives (VNAs) to manage image archives, record-keeping and billing.

Healthcare information system (HIS) – A hospital-wide system that overlaps with the RIS; in the imaging workflow it is mainly used to record patient information and establish the patient's identity. It is deployed mainly at hospital level.

Segmentation options for clinical application services

EPR, HIS or other ordering systems should be placed in logical network groups and subnets with appropriate access control policies to ensure only authorised traffic is permitted to/from the systems hosting these applications.

Databases connected to clinical applications should be segmented in a dedicated logical group/subnet (zone).

Application-layer segmentation (for example, restricting which application identities or service accounts may call each interface) can be implemented in addition to network segmentation, to isolate these applications from less critical applications.

Systems hosting the RIS application should be isolated in their dedicated logical network group and subnet with appropriate access control policies to ensure ingress/egress communication is restricted to authorised traffic.


2. Modalities (imaging diagnostic devices)

Diagnostic imaging, also called medical imaging, can be defined as the use of electromagnetic radiation and certain other technologies to produce images of internal structures of the body to:

  • show structures inside the body in detail
  • screen for possible health conditions before symptoms appear
  • diagnose the likely cause of existing symptoms
  • monitor health conditions that have been diagnosed, or the effects of treatment for them

Imaging diagnostic devices, also known as modalities, use different technologies to achieve these objectives. Table 5 below shows the categories of radiological image acquisition devices deployed within the NHS, using the modality codes defined by Digital Imaging and Communications in Medicine (DICOM).

DICOM code | Modality category | Basic function | Imaging mechanism | Sample diagnoses | Imaging device example
CR/DR | Computed radiography / digital radiography | CR is an indirect form of digital imaging that uses a cassette system to capture data during the patient examination; DR captures the image digitally without a cassette. | Ionising radiation | Bone fractures; arthritis; osteoporosis | X-ray machines
CT | Computed tomography | CT scans use a series of X-rays to create cross-sections of the inside of the body, including bones, blood vessels and soft tissues. | Ionising radiation | Injuries from trauma; bone fractures; tumours and cancers | CT scanners
MR | Magnetic resonance | MRI uses magnetic fields and radio waves to create detailed images of organs and tissues in the body. | Magnetic fields and radio waves | Aneurysms | MRI scanners
NM | Nuclear medicine | NM uses injected radioactive substances (called tracers) and a scanning machine to show how tissues and organs are functioning. | Radiotracers | Multiple sclerosis (MS); stroke | Positron emission tomography (PET) scanners
US | Ultrasound | Ultrasound uses high-frequency sound waves to produce images of organs and structures within the body. | Sound waves | Guided biopsies; breast lumps | Ultrasound scanners

Table 5: Sample modalities by categories

Segmentation options for modalities

As identified in Network segmentation - An introduction for health and care organisations, medical imaging devices may run embedded operating systems or firmware whose patch release cycles lag behind those of current commercial off-the-shelf operating systems, so the network controls around a modality must not assume that the device itself is fully patched.

You should segment modalities connected to your clinical network in logical network groups and subnets (zone) behind a router/firewall supported by appropriate network access control policies. This is to restrict communication to authorised traffic only as defined in your security policy.

The logical grouping of connected medical devices (CMDs) should be done in compliance with your business continuity plan, to ensure that a successful compromise of one segment does not automatically lead to a lack of service from a particular type of imaging CMDs within the organisation in its entirety.

You should isolate modalities in dedicated logical network groups and subnets (zones) that each contain a mix of modalities, so that no segment consists of only one type of imaging CMD.

Where a manufacturer has mandated a dedicated firewall in front of its modality, that firewall should be deployed in the same logical group as the modality and configured as the modality's default gateway.

Table 6 below gives an example of asset communication information for a Siemens CT scanner, describing the assets the CT scanner regularly communicates with, the protocols and ports used, and which side initiates the connection.

Target | Communications protocol/standard | Communications port | Direction
RIS | DICOM | TCP 104 | Bidirectional
RIS | Secure DICOM (DICOM over TLS) | TCP 2762 | Bidirectional
PACS | DICOM | TCP 104 | Unidirectional
PACS | Secure DICOM (DICOM over TLS) | TCP 2762 | Bidirectional
Time server | NTP | UDP 123 | Unidirectional (scanner -> time server)
Domain controller | LDAP | TCP 389 (UDP 389 only for CLDAP DC-locator pings) | Unidirectional (scanner -> DC)
Domain controller | LDAPS | TCP 636 | Unidirectional (scanner -> DC)
Teamplay receiver | Shares/SMB | TCP 445 | Bidirectional
Teamplay receiver | RDP | TCP 3389 | Bidirectional
Smart remote server (SRS) | RDP | TCP 3389 | Bidirectional
Admin workstation | HTTPS | TCP 443 | Unidirectional

Table 6: Sample CT scanner communications information

DICOM on TCP 104 and LDAP on TCP 389 are cleartext protocols: the association header (including the application entity titles), the patient identifiers in worklist queries and the directory lookups are visible to anyone on the network path. Where the modality and its peers support them, prefer Secure DICOM (DICOM over TLS, TCP 2762) and LDAPS (TCP 636), and open the cleartext ports only to the specific peers that still require them.
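As an added example (not part of this guidance or of any vendor's documentation), the following Python turns Table 6 into a default-deny, zone-to-zone policy of the kind the segmentation options above call for: each row becomes one or two permitted connection initiations, return traffic rides on connection state, anything not listed is dropped, and the same policy object is rendered as an nftables ruleset. The zone names, subnet addresses, the assumption that the admin workstation initiates the HTTPS connection, and the nftables table and chain names are all assumptions; the same structure applies to the clinical application zones in section 1.

```python
"""Added example: Table 6 as a default-deny inter-zone policy (not NHS or vendor code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed zones, one VLAN/subnet each. Addresses are constructed for illustration.
ZONES = {
    "modality-ct": ip_network("10.20.1.0/24"),
    "ris":         ip_network("10.30.1.0/24"),
    "pacs":        ip_network("10.40.1.0/24"),
    "infra":       ip_network("10.50.1.0/24"),   # NTP server and domain controllers
    "vendor-rms":  ip_network("10.60.1.0/24"),   # teamplay receiver / smart remote server
    "admin":       ip_network("10.70.1.0/24"),
}


@dataclass(frozen=True)
class Rule:
    initiator: str   # zone that opens the connection
    responder: str   # zone that listens
    proto: str       # "tcp" or "udp"
    port: int        # destination port on the responder
    comment: str


def _pair(a, b, proto, port, comment, bidirectional):
    """One Rule per side that may initiate; 'bidirectional' in Table 6 means both may."""
    rules = [Rule(a, b, proto, port, comment)]
    if bidirectional:
        rules.append(Rule(b, a, proto, port, comment))
    return rules


# Table 6, row by row. Direction = who may open the connection.
POLICY = [
    *_pair("modality-ct", "ris",        "tcp", 104,  "DICOM",                  True),
    *_pair("modality-ct", "ris",        "tcp", 2762, "Secure DICOM",           True),
    *_pair("modality-ct", "pacs",       "tcp", 104,  "DICOM",                  False),
    *_pair("modality-ct", "pacs",       "tcp", 2762, "Secure DICOM",           True),
    *_pair("modality-ct", "infra",      "udp", 123,  "NTP",                    False),
    *_pair("modality-ct", "infra",      "tcp", 389,  "LDAP",                   False),
    *_pair("modality-ct", "infra",      "tcp", 636,  "LDAPS",                  False),
    *_pair("modality-ct", "vendor-rms", "tcp", 445,  "SMB to teamplay receiver", True),
    *_pair("modality-ct", "vendor-rms", "tcp", 3389, "RDP",                    True),
    # Assumption: the admin workstation opens the HTTPS session to the scanner.
    *_pair("admin",       "modality-ct", "tcp", 443, "HTTPS admin",            False),
]


def zone_of(addr):
    """Map an address to its zone, or None if it belongs to no defined zone."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None


def is_permitted(src, dst, proto, dport):
    """Decide whether a NEW connection src -> dst on proto/dport may be opened.
    Default deny: unknown zones, unlisted ports and the wrong initiator are all refused."""
    s, d = zone_of(src), zone_of(dst)
    if s is None or d is None:
        return False
    return any(r.initiator == s and r.responder == d and r.proto == proto and r.port == dport
               for r in POLICY)


def render_nft(table="cmd", chain="forward"):
    """Render POLICY as an nftables forward chain with a drop policy."""
    lines = [
        f"table inet {table} {{",
        f"  chain {chain} {{",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for r in POLICY:
        lines.append(f"    ip saddr {ZONES[r.initiator]} ip daddr {ZONES[r.responder]} "
                     f"{r.proto} dport {r.port} ct state new accept comment \"{r.comment}\"")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_nft())
    print("PACS -> scanner on 104 allowed?", is_permitted("10.40.1.5", "10.20.1.10", "tcp", 104))
```

Because direction is modelled as "who initiates", the PACS cannot open a cleartext DICOM association back to the scanner even though the scanner may open one to the PACS; reviewing a vendor's "bidirectional" entries against this distinction is usually where over-permissive rules are found.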


3. Imaging storage and archiving components

Acquisition gateways – Depending on the facility's workflow, most modalities send to a quality assurance workstation, sometimes called a PACS gateway. The quality assurance workstation is a checkpoint to ensure that images are of diagnostic quality and that the other important attributes of a study are correct. If the study information is correct, the images are passed to the archive for storage.

PACS – The picture archiving and communication system is used for archiving and distribution of images and reports. The data is sent to the PACS server mainly from the HIS, the RIS and from the acquisition gateway computers.

PACS will support:

  • the HL7 interface that allows clinical systems to interact with the PACS in sharing personal confidential data
  • the DICOM interface, which represents a communications and medical imaging standard by which medical imaging modalities interoperate with PACS
  • the web server interface, which allows clinicians to retrieve medical images from the PACS through a standard web browser over HTTP (which should be HTTPS in any current deployment)
  • a relational database server to manage metadata about the medical images or PACS administration data
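The DICOM interface above is the one a modality uses when it opens an association to the PACS on TCP 104 or 2762. As an added example, not from this page or any PACS product, the following Python builds and parses the DICOM A-ASSOCIATE-RQ PDU header and applies an allow-list of (calling AE title, source address, permitted SOP classes). Allow-listing by AE title is the application-layer counterpart of the network segmentation described on this page; the page itself does not describe it. On TCP 104 this header is cleartext, so a gateway can read it inline; on TCP 2762 the same check runs after TLS termination. The AE titles, addresses and allow-list entries are constructed for illustration; the UIDs are the standard DICOM values.

```python
"""Added example: parse A-ASSOCIATE-RQ and gate associations by AE title (not NHS or vendor code)."""
import struct

APP_CONTEXT_UID = "1.2.840.10008.3.1.1.1"     # DICOM Application Context Name
VERIFICATION_SOP = "1.2.840.10008.1.1"        # Verification SOP Class (C-ECHO)
CT_IMAGE_STORAGE = "1.2.840.10008.5.1.4.1.1.2"  # CT Image Storage SOP Class
IMPLICIT_VR_LE = "1.2.840.10008.1.2"          # Implicit VR Little Endian transfer syntax


def _item(item_type, payload):
    # Item/sub-item header: type (1 byte), reserved (1), length (2, big endian)
    return struct.pack(">BBH", item_type, 0, len(payload)) + payload


def _uid(uid):
    b = uid.encode("ascii")
    return b + b"\x00" * (len(b) % 2)   # UIDs are padded to even length with NUL


def build_associate_rq(called_ae, calling_ae, abstract_syntax=VERIFICATION_SOP):
    """Build a minimal A-ASSOCIATE-RQ with one presentation context (PS3.8 section 9.3.2)."""
    if len(called_ae) > 16 or len(calling_ae) > 16:
        raise ValueError("AE titles are at most 16 characters")
    # Presentation context: id (1), 3 reserved bytes, abstract syntax (0x30), transfer syntax (0x40)
    pc = (struct.pack(">BBBB", 1, 0, 0, 0)
          + _item(0x30, _uid(abstract_syntax)) + _item(0x40, _uid(IMPLICIT_VR_LE)))
    user_info = _item(0x50, _item(0x51, struct.pack(">I", 16384)))  # Maximum Length sub-item
    body = (struct.pack(">HH", 1, 0)                 # protocol version 1, reserved
            + called_ae.ljust(16).encode("ascii")   # AE titles are space padded to 16 bytes
            + calling_ae.ljust(16).encode("ascii")
            + b"\x00" * 32                           # reserved
            + _item(0x10, _uid(APP_CONTEXT_UID))
            + _item(0x20, pc) + user_info)
    return struct.pack(">BBI", 0x01, 0, len(body)) + body   # PDU type 0x01, reserved, length


def parse_associate_rq(pdu):
    """Return (called_ae, calling_ae, [abstract syntax UIDs]); raise ValueError if malformed."""
    if len(pdu) < 74 or pdu[0] != 0x01:
        raise ValueError("not an A-ASSOCIATE-RQ PDU")
    (length,) = struct.unpack(">I", pdu[2:6])
    if length != len(pdu) - 6:
        raise ValueError("PDU length mismatch")
    called = pdu[10:26].decode("ascii").rstrip()
    calling = pdu[26:42].decode("ascii").rstrip()
    sops, off = [], 74                                  # variable items start after the fixed fields
    while off + 4 <= len(pdu):
        itype, _, ilen = struct.unpack(">BBH", pdu[off:off + 4])
        payload = pdu[off + 4:off + 4 + ilen]
        if len(payload) != ilen:
            raise ValueError("truncated item")
        if itype == 0x20:                               # presentation context: scan its sub-items
            sub = 4                                     # skip id + 3 reserved bytes
            while sub + 4 <= len(payload):
                stype, _, slen = struct.unpack(">BBH", payload[sub:sub + 4])
                if stype == 0x30:
                    sops.append(payload[sub + 4:sub + 4 + slen].rstrip(b"\x00").decode("ascii"))
                sub += 4 + slen
        off += 4 + ilen
    return called, calling, sops


# Constructed allow-list: which calling AE may associate from which address, and for which SOP classes.
LOCAL_AE = "PACS_MAIN"
ALLOW = {
    ("CT_ROOM1", "10.20.1.10"): {VERIFICATION_SOP, CT_IMAGE_STORAGE},
}


def gate(pdu, src_ip):
    """Accept only well-formed requests addressed to us from an allow-listed (AE, address) pair
    whose proposed abstract syntaxes are all permitted for that pair."""
    try:
        called, calling, sops = parse_associate_rq(pdu)
    except ValueError:
        return "reject"
    if called != LOCAL_AE or not sops:
        return "reject"
    allowed = ALLOW.get((calling, src_ip))
    if allowed is None or not set(sops) <= allowed:
        return "reject"
    return "accept"


if __name__ == "__main__":
    rq = build_associate_rq("PACS_MAIN", "CT_ROOM1", CT_IMAGE_STORAGE)
    print(parse_associate_rq(rq), gate(rq, "10.20.1.10"), gate(rq, "10.20.1.99"))
```

Keying the allow-list on both the AE title and the source address matters: the AE title is a 16-character cleartext string that any host in the modality zone can present, so on its own it only identifies the peer, it does not authenticate it. The network segmentation limits which addresses can reach port 104 at all; the gate then limits what each permitted address may ask for.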

PACS components – The PACS server (controller), the heart and engine of PACS, has two main components: storage media (database) and archive system. The central storage device (archive) stores images and in some cases reports, measurements and other information that resides with the images for any period as stipulated in health regulatory standards.

PACS storage – Storage systems may be configured and attached to the PACS server in various ways, either as direct-attached storage (DAS), network-attached storage (NAS), or via a storage area network (SAN).

Vendor Neutral Archives (VNA) – VNAs are image archiving repositories that store medical images and associated data in a standard format behind a standard interface, enabling health and care organisations to consolidate, standardise and archive images from different PACS into a single, accessible and interoperable repository. Images stored on a VNA can therefore be accessed by any authorised system or organisation regardless of which proprietary PACS created them.

Segmentation options

System actors that interact with the PACS and VNA consist of: 

  • modalities
  • PAS (patient administration system), RIS and HIS
  • EPRs
  • acquisition gateways

PACS and VNAs are rich sources of patient data: image data, demographic data, DICOM metadata, and functional data such as the image enhancements or manipulations performed by the radiologist. They have become targets for cyber attackers, which is why we recommend the following segmentation patterns.

On-premises PACS

Isolate the PACS components, namely the archive system and database, in a dedicated logical network group and network segment (for example VLAN and dedicated subnet) governed by appropriate access control policies.

Where you have multiple PACS, for example radiology, oncology, cardiology and ophthalmology, each instance should be deployed in its own dedicated logical network group and subnet governed by appropriate access control policies and not in one logical group/segment. This is to prevent a total loss of availability to all your organisation’s patient imaging diagnostics information in the event of a compromise of a logical segment via a malicious cyber-attack (ransomware for example).

Isolate VNAs in dedicated logical network group and subnet (VLAN and dedicated subnet for example) governed by applicable access control policies.

Where applicable, acquisition or PACS gateways should be segmented from the PACS logical group/s and network segment/s.

Cloud-based PACS

Cloud-based PACS is similar to standard PACS, but its storage and features are hosted on cloud-based servers. Health and care organisations now use cloud-based PACS either as the primary imaging repository or to store and back up medical imaging data to a secure off-site location, which mitigates the impact of a ransomware attack on the on-premises estate. A cloud PACS enables authorised personnel to access medical imaging data from anywhere with an internet connection using any approved device (a smartphone, for example).

We recommend that you follow these segmentation patterns:

  1. Where applicable, acquisition or PACS gateways should be segmented from the PACS logical group/s and network segment/s.
  2. Preferably, cloud-based vendor PACS solutions should be deployed in a private cloud.
  3. In the event that the PACS solution is deployed in the public cloud, each cloud-based PACS instance should be deployed in dedicated virtual networks or private subnets with the relevant network access control lists (NACLs) implemented to govern access to the PACS ecosystem.
  4. Cloud-based VNAs should be deployed in dedicated virtual networks accompanied by applicable network access control lists and segmented from the equivalent PACS.
  5. Cloud-based PACS storage repositories (infrastructure as a service (IaaS), platform as a service (PaaS)) should be fully segmented from the application layer.
  6. Communications from on-premises systems to the cloud-based PACS should be over secure protocols, such as an IPsec VPN, to provide an encrypted tunnel over the wide-area network (WAN).
  7. Intra-cloud communications, such as between the PACS application layer and its storage layer, should be over secure protocols (for example TLS).
  8. Communications between the PACS and VNAs should be over secure protocols.

4. Imaging diagnostics visualisation, analytics and reporting components

Healthcare personnel require access to diagnostic images stored in PACS for various reasons, including viewing, analysing, interpreting, editing and generating reports.

This includes:

  • clinicians
  • radiographers
  • radiologists
  • PACS administrators
  • teleradiology specialists
  • information technology (IT) or healthcare technology management (HTM) experts

They achieve this by connecting to PACS via workstations referred to as 'viewers'. This is discussed below:

PACS workstations – These are workstations that have PACS application software installed and connect to a PACS server, enabling radiologists and other specialists to:

  • retrieve, display, and interpret medical images
  • perform minor image-manipulation techniques to optimise the image being viewed
  • capture the image interpretation report

DICOM Viewer – DICOM Viewer software installed on PACS workstations or other devices opens and displays DICOM files. It has many useful features like zooming, brightness and contrast adjustment, image comparison and visualising data in 3D. In some cases, such tools can provide advanced functionality like data anonymisation that is critical to enable scientific research. Cloud-based DICOM viewers are accessed through web browsers and allow clinicians to view medical images and to manipulate, share, and compare images depending on the features of the viewer.

Web clients – Typically used across hospitals by clinicians to view images and reports on PACS and enable GPs to view images remotely.

External workstations – These are remote computers used by authorised external users (such as teleradiology specialists, medical imaging specialists and IT/HTM specialists) to view images and feedback.

Image exchange portal (IEP) – The IEP is a web-based application that enables health and care professionals to securely transfer patient images between hospital trusts in urgent situations (for example trauma cases). More recently, IEPs are being made accessible to patients so that they can access their own diagnostic images remotely.

Segmentation options

Clinical workstations should be segregated from the non-clinical production network.

PACS workstations, DICOM viewers and web clients should be isolated in dedicated logical network groups and subnets/zones with appropriate access controls policies implemented to permit only authorised traffic to the PACS/VNA applications.

Connectivity from external workstations to PACS/VNAs should only be permitted via VDI sessions or equivalent remote access servers.

IEP gateways should be isolated in a demilitarised zone (DMZ), firewalled with appropriate access control policies to govern ingress/egress web connectivity.


Additional security controls

As stated in Network segmentation - An introduction for health and care organisations, whilst network segmentation is a very important tool in network security design, it must be supported by additional security controls to assure the security posture of any organisation’s network.

See guidance on protecting connected medical devices for recommendations on additional security controls. These apply to all categories of imaging diagnostics components.


Last edited: 1 November 2023 12:17 pm