A Cloud-ready Architecture for Shared Medical Imaging Repository
Background and Objective: Current usage paradigms for medical imaging resources call for vendor-neutral archives, accessible through standard interfaces, with multi-repository support. Regional repositories shared by distinct institutions, teleradiology as a service in the Cloud, and teaching and research archives are illustrative examples of this new reality. However, traditional production environments have a server archive instance per functional domain where every registered client application has access to all studies. This paper proposes an innovative ownership concept and access control mechanisms that provide a multi-repository environment and integrate well with standard protocols.
Methods: A secure accounting mechanism for medical imaging repositories was designed and instantiated as an extension of a well-known open-source archive. A new Web services layer was implemented to provide a vendor-neutral solution compliant with modern DICOM-Web protocols for storage, search and retrieval of medical imaging data.
Results: The concept validation was done through the integration of the proposed architecture in an open-source solution. A quantitative assessment was performed to evaluate the impact of the mechanism on the usual DICOM Web operations.
Conclusions: This article proposes a secure accounting architecture able to easily convert a standard medical imaging archive server into a multi-repository solution. The proposal validation was done through a set of tests that demonstrated its robustness and usage feasibility in a production environment. The proposed system offers new services, fundamental in a new era of Cloud-based operations, with acceptable temporal costs.
💡 Research Summary
The paper addresses the emerging need for vendor‑neutral, cloud‑ready medical imaging repositories that can serve multiple institutions, research projects, and tele‑radiology services. Traditional Picture Archiving and Communication Systems (PACS) typically operate a single archive instance per functional domain, granting every registered client unrestricted access to all studies. This model is increasingly inadequate as hospitals split into departments, share regional archives, or outsource storage to the cloud.
To overcome these limitations, the authors propose a novel ownership and access‑control framework built on top of the DICOM‑Web standards (WADO‑RS, QIDO‑RS, STOW‑RS). The core of the solution is a role‑based access control (RBAC) model that defines five hierarchical entities: Organization, Facility, User, Resource, and Permission. Each user belongs to a facility within an organization; facilities produce, store, or distribute resources such as imaging equipment, DICOM objects, or reports. Permissions are attached to resources via metadata, enabling fine‑grained control over who can store, query, or retrieve specific data.
Implementation leverages Dicoogle, a popular open‑source PACS with a modular plugin architecture and a Software Development Kit (SDK). Two main plugins were developed: (1) a Security Service that intercepts HTTP/HTTPS requests, validates JWT‑based tokens, and checks the resource’s ownership metadata before allowing the operation; (2) an RBAC Manager that provides a web‑based administration console and REST API for creating users, groups, roles, and assigning permissions dynamically. These plugins integrate seamlessly with DICOM‑Web services, preserving existing clinical workflows while adding authentication, authorization, and audit capabilities.
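The request check described above (validate the token, map the DICOM-Web call to an operation, then compare the caller with the resource's ownership metadata) can be sketched as follows. This is an added example, not code from the paper or from Dicoogle's plugins: the role names, secret, study UIDs, facility IDs and every function name are assumptions, the token is a hand-rolled HS256 JWT so the block runs with the standard library only, and routing is simplified to study-level paths.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-key"  # assumption: HS256 secret shared with the token issuer
ROLE_OPS = {"technologist": {"store", "query"}, "radiologist": {"query", "retrieve"}}  # assumed roles
OWNERSHIP = {"1.2.3.100": "fac-a1", "1.2.3.200": "fac-b1"}  # constructed: study UID -> owning facility

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=")

def _sign(signing_input):
    return _b64(hmac.new(SECRET, signing_input, hashlib.sha256).digest())

def issue_token(claims, alg="HS256"):
    head = _b64(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    return b".".join([head, body, _sign(head + b"." + body)]).decode()

def verify_token(token, now=None):
    """Return the claims, or None. The algorithm is pinned to HS256; the header's alg is not trusted."""
    try:
        head, body, sig = token.encode().split(b".")
        header, claims = (json.loads(base64.urlsafe_b64decode(p + b"=" * (-len(p) % 4)))
                          for p in (head, body))
        alg, exp = header["alg"], claims["exp"]
    except (ValueError, KeyError, TypeError):
        return None
    if alg != "HS256" or not hmac.compare_digest(sig, _sign(head + b"." + body)):
        return None
    return claims if exp > (time.time() if now is None else now) else None

def classify(method, path):
    """Map a DICOM-Web request to (operation, study UID or None); study-level routes only."""
    parts = [p for p in path.split("?")[0].split("/") if p]
    if parts[:1] != ["studies"]:
        return None, None
    if method == "POST":
        return "store", None  # STOW-RS
    if method == "GET":  # QIDO-RS search vs. WADO-RS retrieve of one study
        return ("query", None) if len(parts) == 1 else ("retrieve", parts[1])
    return None, None

def authorize(token, method, path, now=None):
    claims, (op, uid) = verify_token(token, now), classify(method, path)
    if claims is None or op not in ROLE_OPS.get(claims.get("role"), ()):
        return False  # default deny
    # Study-level access must match the ownership metadata; unknown studies are denied.
    return uid is None or (uid in OWNERSHIP and OWNERSHIP[uid] == claims.get("facility"))

def visible_studies(claims):
    return sorted(u for u, f in OWNERSHIP.items() if f == claims.get("facility"))  # QIDO-RS scope
```

An allowed QIDO-RS search still has to be scoped: `visible_studies` shows the filter that keeps one facility's query from listing another facility's studies.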
The authors validated the concept by integrating the plugins into a Dicoogle instance and conducting functional tests that confirmed correct enforcement of multi‑repository isolation. A quantitative performance assessment measured the impact on typical DICOM‑Web operations. The added security layer increased average response times by only 5–12 % compared with the baseline Dicoogle, a trade‑off deemed acceptable for cloud‑based multi‑tenant deployments. Audit logs and policy‑change histories were also recorded to satisfy regulatory compliance and traceability requirements.
Discussion highlights that the proposed architecture fills a gap left by commercial PACS solutions, which often lack granular access control for DICOM Query/Retrieve services. By providing a vendor‑neutral, open‑source, and cloud‑compatible solution, the work enables hospitals to maintain on‑premises control while exploiting the scalability and cost benefits of cloud storage. Future work is suggested in the direction of Attribute‑Based Access Control (ABAC) for even more flexible policies, automated policy generation, and large‑scale multi‑cloud scalability testing.
In conclusion, the paper presents a practical, secure, and standards‑compliant method to transform a conventional medical imaging archive into a multi‑repository, cloud‑ready platform. The solution’s robustness, modest performance overhead, and ease of integration make it a valuable reference for institutions seeking to modernize their imaging infrastructure while preserving patient privacy and meeting regulatory demands.