Securely expose Orthanc over the internet for C-STORE requests from authorized modalities only

Hello everyone,

I’m working on a project where I need to expose an Orthanc DICOM server over the internet, but I want to strictly allow only C-STORE requests from pre-authorized modalities.

My main goals are:

  1. Restrict C-STORE access: Only specific DICOM modalities should be allowed to send studies.
  2. Track the origin of each study: I need to reliably know which modality sent each study, so I can link it later in a database for billing and tracking purposes.

Initially, I considered using AETs to authorize the modalities. However, since AETs can be easily spoofed or changed by the sender, I realized this is not a secure solution by itself.

Several external laboratories will be connecting to the Orthanc server, each with their own modality. Therefore, I need a secure mechanism to authenticate and identify each one individually.

Any suggestions, best practices, or example configurations are highly appreciated!

Thanks in advance!

Hello

Securely exposing DICOM requires DICOM TLS or a VPN/secure tunnel. The former is described in the Orthanc Book.

Regarding the filtering, if you don’t mind deleting the instances that have been stored by unauthorized entities, you could start from something like this sample, but instead of using the remote AET, you could use the RemoteIP (see the list of core metadata).

This thread could also be of interest to you.

Another option is to perform the filtering on the Lua side, where it can prevent the DICOM instance from being stored altogether. At that stage, you cannot use metadata (they don’t exist yet), but the Lua callback supplies origin information:

Hope this helps! Let us know how it goes…
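The Lua-side filtering mentioned in the reply above, as an added worked example that is not part of the original thread and not code from the Orthanc project. It assumes the Orthanc Lua hooks `ReceivedInstanceFilter(dicom, origin, info)` (return `true` to keep an incoming instance, `false` to discard it before it is written) and `OnStoredInstance(instanceId, tags, metadata, origin)`, and that for instances received over DICOM the `origin` table carries `RequestOrigin = "DicomProtocol"` plus `RemoteAet`, `CalledAet` and `RemoteIp`, all filled in by Orthanc from the association rather than from sender-controlled DICOM tags; check these names against the Orthanc Book for your version. The laboratory names and IP addresses are made up. Note what this does and does not give you: matching on the (AET, source IP) pair defeats a plain AET spoof, but it is still only an identification step; the actual authentication comes from DICOM TLS with client certificates required (the `DicomTlsEnabled`, `DicomTlsCertificate`, `DicomTlsPrivateKey`, `DicomTlsTrustedCertificates` and `DicomTlsRemoteCertificateRequired` options, again to be confirmed in the Orthanc Book) or from a VPN, because the Lua callback does not see the peer certificate and a source IP is only trustworthy inside a tunnel you control.

```lua
-- Added example (not from the original thread or the Orthanc project):
-- an Orthanc Lua filter that admits C-STORE'd instances only from an
-- allowlist of (AET, source IP) pairs and records which laboratory each
-- stored instance came from.
--
-- Assumptions (verify against the Orthanc Book for your version):
--  * ReceivedInstanceFilter(dicom, origin, info) runs before anything is
--    written; return true to keep the instance, false to discard it.
--  * For DICOM-received instances, origin.RequestOrigin is "DicomProtocol"
--    and origin.RemoteAet / origin.CalledAet / origin.RemoteIp are set by
--    Orthanc from the association, not from the sender's DICOM tags.
--  * Laboratory names and addresses below are constructed for the example.

-- One entry per authorised laboratory: the AET it announces and the
-- address it connects from (for instance its VPN tunnel endpoint).
ALLOWED_SOURCES = {
  { lab = "lab-north", aet = "LABNORTH", ip = "10.8.0.11" },
  { lab = "lab-south", aet = "LABSOUTH", ip = "10.8.0.12" },
}

-- Returns the laboratory identifier for an origin table, or nil when the
-- request did not come over DICOM from an allowlisted (AET, IP) pair.
-- Requiring both values means a spoofed AET alone is not enough: the
-- association must also arrive from that laboratory's address.
function LookupLab(origin)
  if origin == nil or origin.RequestOrigin ~= "DicomProtocol" then
    return nil
  end
  for _, src in ipairs(ALLOWED_SOURCES) do
    if src.aet == origin.RemoteAet and src.ip == origin.RemoteIp then
      return src.lab
    end
  end
  return nil
end

-- Orthanc hook: reject unknown DICOM senders before the instance is stored.
-- Instances that arrive by other routes (e.g. an authenticated REST upload
-- by an administrator) are not C-STORE requests and are left alone.
function ReceivedInstanceFilter(dicom, origin, info)
  if origin.RequestOrigin ~= "DicomProtocol" then
    return true
  end
  local lab = LookupLab(origin)
  if lab == nil then
    print("Rejected C-STORE from AET=" .. tostring(origin.RemoteAet)
          .. " IP=" .. tostring(origin.RemoteIp)
          .. " CalledAET=" .. tostring(origin.CalledAet))
    return false
  end
  return true
end

-- Orthanc hook: once stored, link the instance to its laboratory. Here the
-- mapping is only logged; a deployment would push it to the billing
-- database, e.g. with Orthanc's HttpPost() to an internal service.
function OnStoredInstance(instanceId, tags, metadata, origin)
  local lab = LookupLab(origin)
  if lab ~= nil then
    print("Instance " .. instanceId .. " received from " .. lab
          .. " (study " .. tostring(tags.StudyInstanceUID) .. ")")
  end
end

-- Self-check with constructed origin tables. It runs only outside Orthanc
-- (the RestApiGet global exists only inside the Orthanc Lua sandbox), so
-- the file can be exercised with a plain `lua` interpreter before deployment.
if RestApiGet == nil then
  local genuine = { RequestOrigin = "DicomProtocol",
                    RemoteAet = "LABNORTH", CalledAet = "ORTHANC",
                    RemoteIp = "10.8.0.11" }
  local spoofed = { RequestOrigin = "DicomProtocol",
                    RemoteAet = "LABNORTH", CalledAet = "ORTHANC",
                    RemoteIp = "203.0.113.9" }   -- right AET, wrong source
  local rest    = { RequestOrigin = "RestApi", Username = "alice" }

  assert(LookupLab(genuine) == "lab-north")
  assert(LookupLab(spoofed) == nil)
  assert(LookupLab(rest) == nil)
  assert(ReceivedInstanceFilter({}, genuine, {}) == true)
  assert(ReceivedInstanceFilter({}, spoofed, {}) == false)
  assert(ReceivedInstanceFilter({}, rest, {}) == true)  -- not a C-STORE
  print("self-check passed")
end
```

Load the script through the `LuaScripts` list in the Orthanc configuration. The per-laboratory identifier returned by `LookupLab` is what you would persist for billing; keep the allowlist in step with the client certificates you trust for DICOM TLS, so that the set of modalities that can open an association and the set you can name agree.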