Hello,
Thank you for your positive feedback and for your interest in Orthanc.
First problem
I have my local Orthanc PACS server and I would like to use the server outside my office. Of course I can set a public IP address, port forwarding, DMZ etc. But what about security?! Is there any method to authenticate the connection with, for example, the iOS Orthanc client iPaxera? I can’t find any information about this…
Of course I can create a VPN tunnel between the device and the server, but I am thinking about a simple solution…
The first important thing to understand is that, practically speaking, the DICOM network protocol is an intra-hospital protocol. Although it could be generalized to extra-hospital scenarios, this was not the path chosen by history: Encryption at the DICOM network level is only sparsely implemented and used (though TLS support is in theory available). In practice, almost all hospitals block the DICOM protocol at their firewalls, and deploy PACS servers inside dedicated subnets to prevent any leaking of medical data to the Internet.
Nowadays, exchanging data to the outside of hospitals is done through protocols that are inherently Internet-ready, widespread and that can be robustly encrypted. Such protocols are essentially VPN, SSH and HTTPS.
Secondly, you must be aware of the fact that the two primary objectives of the Orthanc project are to (a) provide a good, high-level, open implementation of the DICOM standard, and (b) wrap this standard into Web-friendly primitives (REST, JSON, PNG, JPEG…). Orthanc is developed following a SOA (Service-Oriented Architecture) approach of medical imaging. This means that Orthanc must be thought of as a service focused on DICOM, and that is part of a more general workflow. As such, security must be implemented by adding other services next to Orthanc.
As a consequence, concretely speaking, you have two possibilities to implement security over Orthanc:
- Use VPN or SSH to get remote access to your hospital. The disadvantage is the need to set up point-to-point connections inside your hospital (which might be costly, or even forbidden by your network administrators).
- Use HTTPS (i.e. secured HTTP, as used by almost all the banks over the Internet). In this setup, you would install an Orthanc inside the DMZ of your hospital, and make it remotely accessible through reverse HTTP proxying of Apache/nginx/IIS/… The content of Orthanc could subsequently be accessed either with our Web viewers, the REST API of Orthanc, or the DICOMweb support. Instructions to set up HTTPS are available in the Orthanc Book: https://orthanc.chu.ulg.ac.be/book/faq/https.html
Second problem
3 doctors work in my office. Each doctor has different patients. The patient wants only his doctor to have access to his DICOMs. Is it possible to create something like a sub-library? Restrictions? ACL?
I think the following FAQ entry in the Orthanc Book should answer your question:
https://orthanc.chu.ulg.ac.be/book/faq/authentication.html
This is basically the same answer as above: Because Orthanc is conceived as a SOA component, it does not include full ACL support, as it is focused on DICOM. Orthanc does however contain primitives that allow you to implement this authentication as a part of your workflow.
As Orthanc is very lightweight, sub-libraries can be implemented by deploying one separate instance of an Orthanc server for each doctor. As an alternative, you could hire a Web developer to implement permissions at the patient level on top of the REST API of Orthanc, which is discussed in the following FAQ:
https://orthanc.chu.ulg.ac.be/book/faq/improving-interface.html
HTH,
Sébastien-
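
Added example (not part of the original message and not Orthanc's own code): a sketch of the patient-level permission check that a small service in front of the Orthanc REST API could apply, as suggested for the second problem. It assumes the `ParentSeries`, `ParentStudy` and `ParentPatient` fields of Orthanc's JSON answers; `ACL`, `FAKE_ORTHANC`, `owning_patient` and `is_allowed` are hypothetical names, and the sample data is constructed.

```python
import re

# Constructed sample ACL: the Orthanc patient IDs each doctor may read.
ACL = {"dr_a": {"patient-1"}, "dr_b": {"patient-2"}}

# Constructed stand-in for Orthanc's JSON answers; a real proxy would GET
# the same paths from the Orthanc REST API over HTTP.
FAKE_ORTHANC = {
    "/instances/inst-1": {"ParentSeries": "series-1"},
    "/series/series-1": {"ParentStudy": "study-1"},
    "/studies/study-1": {"ParentPatient": "patient-1"},
    "/patients/patient-1": {},
    "/studies/study-2": {"ParentPatient": "patient-2"},
    "/patients/patient-2": {},
}

# For each level: the JSON field naming the parent, and the parent's level.
PARENT = {"instances": ("ParentSeries", "series"),
          "series": ("ParentStudy", "studies"),
          "studies": ("ParentPatient", "patients")}

# One resource plus an optional sub-path; no dots, so "../" never matches.
RESOURCE = re.compile(
    r"/(patients|studies|series|instances)/([A-Za-z0-9-]+)(/[A-Za-z0-9_/-]*)?")


def owning_patient(path, fetch):
    """Walk instance -> series -> study -> patient; None if unresolvable."""
    match = RESOURCE.fullmatch(path)
    if not match:
        return None
    level, ident = match.group(1), match.group(2)
    while level != "patients":
        info = fetch(f"/{level}/{ident}")
        field, parent_level = PARENT[level]
        ident = (info or {}).get(field)
        if not ident:
            return None
        level = parent_level
    return ident if fetch(f"/patients/{ident}") is not None else None


def is_allowed(doctor, method, path, fetch=FAKE_ORTHANC.get):
    """Default deny: read-only, single resources, the doctor's patients only."""
    if method != "GET":
        return False
    patient = owning_patient(path, fetch)
    return patient is not None and patient in ACL.get(doctor, set())
```

Listing endpoints such as `/patients` are denied outright here because their answers would name other doctors' patients; a real service would filter those lists instead.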