TLS for DICOM Connections?

Is there an option to connect to a PACS (Orthanc in my case) using DICOM TLS? I have Orthanc set up to use DICOM TLS, and that works fine between different Orthanc instances, but I would also like the capability to connect 3DSlicer and probably HOROS also to Orthanc. Orthanc has a self-signed certificate and key file currently, but I see no way to add the certificate file or a different one to the 3DSlicer configuration?

I don’t think anyone has worked with TLS and Slicer’s DICOM. It would probably be possible to expose dcmtk’s implementation via CTK and then Slicer. There would be some work required for that.

In my experience it’s more common to use DICOM only on trusted networks and rely on firewalls and / or VPNs.


@sscotti Are you required to use DICOM TLS inside the trusted hospital network? It may make sense, I just don’t see this happening in the hospitals that we have been working with. I don’t think this question has ever come up in Slicer Forum discussions either.

That said, as @pieper wrote above, DCMTK seems to support DICOM TLS. Since we already use OpenSSL in Slicer, it would be mainly GUI work to allow the user to specify the extra connection information and pass it to DCMTK. If you are interested in working on it, we can help you getting started and with answering any specific questions.

I am just the consultant, and you are right, inside the facility they usually do not use TLS. The use case is that Orthanc is in the Cloud, and there is a teleradiology component where readers wish to connect to the PACS remotely, using something like Radiant, Horos, Osirix, etc. The only Web-based certified viewer that is decent is MedDream and that is very expensive. Radiant is not certified, but pretty decent software, and OSIRIX I think is.

Basically looking for a way to provide readers some Desktop software that they can use as part of a reading workstation remotely. The end users for this are in Africa.

I am new to 3DSlicer, and it seems like it is mostly designed for developers and researchers, but it would be nice to have TLS.

I can connect all of those without TLS, and my Orthanc instances are using TLS among themselves, but there might be some trouble getting it to work with those viewers.

It is interesting that a DCMTK command like this:

echoscu -v 147.182.xxx.xx xxxx -ic --anonymous-tls +cf /Users/sscotti/Downloads/orthanc.crt

does work though. HOROS does not, and I am not sure if Radiant supports that either.

Otherwise, they might have to set up VPN, tunneling or something like that. They have an IP whitelist to restrict access also, but there would be no encryption. I presume that would be vulnerable to hackers in some ways. Thanks.

I’m interested in 3DSlicer because it apparently has some extensions for AI, MONAI, etc.?

I am surprised that no one ever asked about TLS before.

Thanks for the extra context. I would suggest avoiding traditional DICOM networking (DIMSE) in a cloud environment. TLS would only give you encryption of the network traffic, not real protection from hackers or other security issues. A VPN would be better, or you can tunnel with ssh. But still, my understanding is that DIMSE is not efficient over wide area networks.

You should look at DICOMweb as an alternative because you can use state of the art web security methods. For example Slicer’s DICOMweb extension can use a Google dicom store that authenticates with a Google account so you have finer grained access control. I haven’t used it, but I understand Orthanc supports DICOMweb, as does dcm4chee.

In terms of web viewers you may wish to look at OHIF.

You are correct that Slicer is not intended for clinical use as-is so be sure to follow local laws and institutional practices. But yes, MONAI is very promising for ML work and many clinicians use Slicer for their research studies.

I agree, TLS would not offer enough protection for accessing real patient data via public internet. IP whitelisting does not work for end users, because they use random dynamic IP addresses; and whitelisted IP addresses can be very easily spoofed, so anybody could send malicious requests that could compromise the server.

Web application for light workloads (quick image review from a phone or tablet anywhere) and VPN for more serious applications (download DICOM data from server and do local processing) seems to be the standard, and I think the same would apply for your use case, too.

By the way, we have lots of active collaborations and developments of modules and Slicer core features specifically for Africa. It would be nice if you could join one of our weekly meetings or maybe for a discussion at the upcoming Slicer Project Week to talk about what you need and what we are working on.

I guess it is because there are several essential requirements for network security, access control, authentication, etc. that are not addressed by TLS. Instead of setting up some custom solutions for remote access, such as proxy servers with authentication, etc. it is much easier to ask users to connect via a VPN. This means users already communicate through secure, encrypted connection and all users and applications are in the same trusted network. In this environment, TLS does not add a lot of value, while there are extra costs due to configuration complexity, software compatibility, and extra computation load. So, I can understand if hospital IT admins choose not to use it.

Thanks for the input. DICOMweb would be an option, but I’m not sure if the Radiant Viewer supports that. Orthanc does. I did test the Radiant Viewer with TLS disabled and the performance was pretty decent still with DIMSE. I am familiar with OHIF and I do use that sometimes, but the PDF support seems to have some issues. It does support SR types, and I think there is ongoing development for MONAI integration, etc. Orthanc’s Stone Viewer isn’t bad, but needs to be developed much more.

I’ll look into those meetings. I have one that I attend on Mondays via Zoom with some people in the US, Chris Hafey et al., along with about 6-12 others in Informatics / Radiology. That one is posted on GitHub.

Thanks.

Yes, I’m on that from time to time when I don’t have a conflict. That would be a good group to ask for advice on this topic.