1. Introduction
This guide describes an architecture to receive and store DICOM images in AWS. It runs Orthanc, a free and open-source, lightweight DICOM server, to provide an encrypted DICOMWeb transport for medical images over the internet. The image files are stored as objects in an Amazon S3 bucket, available for further processing. The metadata of each DICOM image is stored in a NoSQL database for fast querying of any attribute of the images.
This architecture comprises the following:

- Orthanc runs as a resilient, scalable containerized service on Amazon Elastic Container Service.
- The Orthanc Docker image provided by Osimis is used to provide an up-to-date Orthanc release with all plugins configurable through environment variables. No state is stored in the containerized application, so the tasks making up the Orthanc service may be started and terminated without any configuration.
- All Orthanc configuration options and secrets are securely stored in AWS Systems Manager Parameter Store.
- An AWS Application Load Balancer provides an HTTPS front-end for the Orthanc service.
- AWS Certificate Manager provides SSL/TLS certificates for the HTTPS transport.
- Amazon RDS is used to store the index of the DICOM images received and stored by the Orthanc application in a PostgreSQL database.
- An Amazon S3 bucket stores the received DICOM images. S3 buckets are highly durable and have no effective size limit, so a single bucket is sufficient to store any quantity of images. The DICOM image objects are guaranteed to have unique names, so no storage hierarchy is required within the bucket.
- Each DICOM image object that arrives in the S3 bucket triggers a notification event, which is sent to an Amazon Simple Queue Service (SQS) queue.
- An AWS Lambda Python function consumes the messages from the SQS queue. The function reads the header of the DICOM image S3 object corresponding to each message and parses the header of this object into a JSON document using the PyDicom library.
- The DICOM header metadata is written to a DynamoDB table, using the object’s S3 key as the key value. From DynamoDB the data may be analyzed using a number of AWS analytics services.
- Encryption is employed in transit during internet transport, and in communication between the Orthanc application and the PostgreSQL database and S3 bucket.
- Encryption of data at rest is employed in the S3 bucket and in the RDS and DynamoDB databases.
- All user access to the solution is through the HTTPS endpoint of the Application Load Balancer. AWS resources in the user’s VPC (ECS service, RDS database) are deployed in private subnets without inbound internet access. Outbound internet access for these components is through NAT Gateways in public subnets.
- All the services used are HIPAA eligible. With additional configuration, it may be possible for this solution to be used as part of a HIPAA compliant workflow.
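The SQS-to-DynamoDB step described above, as an added example rather than the guide's own Lambda code. It assumes an environment variable METADATA_TABLE naming the DynamoDB table, that the S3 event notification arrives wrapped in the SQS message body, and that boto3 and pydicom are available in the Lambda runtime (both are imported lazily so the two pure helpers run without them). It reads only the DICOM header (stop_before_pixels), decodes the URL-encoded S3 key that notifications carry, skips the s3:TestEvent message S3 sends on setup, and converts floats to Decimal as DynamoDB requires.

```python
"""Added example (not the guide's code): SQS-triggered Lambda that stores the
header of each new DICOM object in DynamoDB, keyed by the S3 object key.
Assumes env var METADATA_TABLE and an S3 event notification delivered via SQS."""
import io
import json
import os
from decimal import Decimal
from urllib.parse import unquote_plus


def s3_objects_from_sqs_record(record):
    """Yield (bucket, key) pairs from one SQS record whose body is an S3 event.
    S3 URL-encodes keys in notifications, so they are decoded here. Bodies
    without Records (e.g. the s3:TestEvent sent on setup) yield nothing."""
    body = json.loads(record["body"])
    for evt in body.get("Records", []):
        if not evt.get("eventName", "").startswith("ObjectCreated"):
            continue
        yield evt["s3"]["bucket"]["name"], unquote_plus(evt["s3"]["object"]["key"])


def header_json_to_item(s3_key, header):
    """Flatten the DICOM JSON model (tag -> {vr, Value}) produced by pydicom's
    Dataset.to_json_dict() into a DynamoDB item. Empty attributes and binary
    VRs (bulk data) are dropped; floats become Decimal for DynamoDB."""
    item = {"s3_key": s3_key}
    for tag, attr in header.items():
        values = attr.get("Value")
        if not values or attr.get("vr") in ("OB", "OW", "UN"):
            continue
        vals = [Decimal(str(v)) if isinstance(v, float) else v for v in values]
        item[tag] = vals[0] if len(vals) == 1 else vals
    return item


def handler(event, context):
    """Lambda entry point: one SQS batch in, one DynamoDB item per new object."""
    import boto3  # lazy import: keeps the helpers above testable offline
    import pydicom
    table = boto3.resource("dynamodb").Table(os.environ["METADATA_TABLE"])
    s3 = boto3.client("s3")
    for record in event["Records"]:
        for bucket, key in s3_objects_from_sqs_record(record):
            obj = s3.get_object(Bucket=bucket, Key=key)
            # dcmread needs a seekable stream; stop_before_pixels skips the
            # pixel data so only the header is parsed.
            ds = pydicom.dcmread(io.BytesIO(obj["Body"].read()),
                                 stop_before_pixels=True)
            table.put_item(Item=header_json_to_item(key, ds.to_json_dict()))
```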
Architecture Diagram