Enabling local authentication services on IBM Storwize V7000 Unified for GE Healthcare imaging applications


Maximizing benefits of implementing robust clinical and IT security policies

Prashant Avashia
IBM Systems and Technology Group ISV Enablement
August 2014

Copyright IBM Corporation, 2014

Table of contents
- Abstract
- Introduction: GE Healthcare imaging applications
- Introduction: IBM Storwize V7000 Unified systems
- Storwize V7000 Unified: Configurations, tests, and results
- GE Healthcare and IBM solution delivery recommendations
  - Healthcare data privacy and security considerations
  - File systems layout: Best practice recommendations
  - IBM solution sizing recommendations for a range of annual studies
- Solution benefits
- Summary
- Acknowledgments
- Appendixes: Use case scenarios
  - Appendix A: Coexistence of Active Directory and local authentication services in enterprise
  - Appendix B: Radiology practice emergency room services
  - Appendix C: Radiology services with clustered failover
  - Appendix D: Hospital with several functional imaging modalities
  - Appendix E: Imaging for multiple specialties in a hospital network
- Glossary
- Resources
- About the author
- Trademarks and special notices

Abstract

Clinical practices worldwide are using high-resolution mobile devices, advanced digital imaging technologies, secure cloud-based clinical processes, and intelligent clinical informatics solutions to deliver better quality healthcare on smaller financial budgets, with improved collaborative workflow efficiencies and reduced time to diagnosis. IBM has now partnered with GE Healthcare, a subsidiary of General Electric (GE), to combine GE Healthcare enterprise imaging applications with IBM storage into a proven and scalable solution. This solution offers a standards-based, secure, and robust architecture to optimize clinician and radiologist productivity, reduce imaging turnaround, enhance patient satisfaction, and interoperate with existing departmental and enterprise systems.

This paper describes the architecture for deploying GE Healthcare enterprise imaging applications with the IBM Storwize V7000 Unified systems when configured with local security authentication capabilities. As tested, this robust, secure, and scalable solution is recommended for any medical imaging environment that processes from 20,000 to over two million studies per year. The unified capabilities of the IBM Storwize V7000 Unified system also demonstrate a special use case scenario of coexistence and interoperability when two different enterprise security services, configured with different authentication capabilities, exist in the same enterprise domain.

This paper provides easy-to-follow recommendations, installation steps, tuning adjustments, and use cases to ensure an efficient installation of the joint solution with good performance.

Introduction: GE Healthcare imaging applications

GE Healthcare has long experience implementing imaging data repositories in various heterogeneous environments. GE Healthcare Centricity Enterprise Archive is an imaging repository for the Centricity Clinical Archive solution.

Figure 1: Conceptual architecture: GE Healthcare Centricity Clinical Archive solution

As demonstrated in Figure 1, the Centricity Clinical Archive solution includes the following product components:
- Centricity Enterprise Archive: A multi-specialty (multi-ology), multi-site clinical content repository that enables consolidation of IT infrastructure for archiving and managing unstructured medical content (images, reports, documents, and so on) using the industry standards Digital Imaging and Communication in Medicine (DICOM) and Integrating the Healthcare Enterprise - Cross Enterprise Document Sharing (IHE-XDS). Refer to the Glossary section in this paper for more details. It is also referred to as Enterprise Archive and includes the following features:
  - Dynamic and static tag morphing capabilities as part of the repository, to manipulate the content of DICOM tags in a study during archiving or retrieval.
  - Image lifecycle management, which helps to easily create, modify, and implement rules that govern the management of imaging studies across the enterprise.
- Universal Viewer zero footprint (ZFP): A zero footprint clinician viewer for anywhere, anytime access to patient images and documents.
- IHE-XDS registry from Caradigm: Stores the catalog of patient critical information.
- Enterprise Master Patient Index (EMPI) from NextGate: Links patient records across network boundaries.
- Centricity Clinical Gateway: Provides the messaging interface engine that combines workflow systems such as Hospital Information Systems (HIS) and Radiology Information System (RIS) to update the information repository and keep information consistent across systems.
- Device interface engine from PACSGEAR PacsSCAN: Connects non-standard devices and systems to store data in the repository in a standard format.

The Centricity Clinical Archive offers a powerful multiology, vendor-neutral solution that:
- Helps lower cost by unifying imaging and clinical IT infrastructure: Centricity Clinical Archive's information repository helps remove redundant departmental archives and helps lower the IT infrastructure footprint. Native DICOM tag morphing helps to overcome the limitations, inconsistencies, and variances in the implementation of the DICOM standard across multi-vendor picture archiving and communication systems (PACS) to improve standards-based sharing of images and workflows across the enterprise.
- Helps foster informed decision making: Centricity Clinical Archive enables access to a more comprehensive patient health record within the electronic medical record (EMR). This critical access helps care providers make more informed decisions. Its dynamic tag morphing capabilities help CIOs overcome limitations and variances across multi-vendor PACS systems and seamlessly present enterprise-wide imaging studies within the preferred reading environment, helping radiologists make fast, more informed decisions.
- Helps improve productivity: With ubiquitous access to a patient's clinical information and a highly intuitive web viewer that makes it easier to search and access relevant information, care providers are able to increase productivity.

- Helps reduce unnecessary examination and patient transfers: Centricity Clinical Archive helps enable access to historical clinical information across the network (including radiology examinations and reports). This full access helps physicians make more informed decisions before requesting additional imaging procedures and patient transfers.

Introduction: IBM Storwize V7000 Unified systems

This section introduces and highlights the storage components of the joint medical archive solution, the IBM Storwize V7000 Unified systems.

The Storwize V7000 Unified system provides the ability to combine both block and file storage into a single system. By consolidating block and file capabilities in a single system, multiple management points can be eliminated and storage capacity can be shared across both types of access, helping to improve overall storage utilization, with a single, easy-to-use management interface. The Storwize V7000 Unified system builds on the functions and high-performance design of the Storwize V7000 system and integrates proven IBM software capabilities to deliver new levels of efficiency.

The IBM Storwize V7000 Unified system supports the following types of security authentication methods:
- Microsoft Active Directory (AD) server
- Services for UNIX (SFU)
- Subsystem for UNIX-based Application (SUA)
- Network Information Service (NIS)
- Samba primary domain controller (PDC)
- Lightweight Directory Access Protocol (LDAP) with secure communication using Secure Socket Layer (SSL)
- LDAP with Transport Layer Security (TLS)
- LDAP and Kerberos
- Local authentication services

The Storwize V7000 Unified system provides the following software capabilities:
- Massive scalability:
  - It supports billions of files in a single file system.
  - It supports up to 64 file systems per platform.
- Flexibility:
  - It allows access to data in a single global namespace, allowing all users a single, logical view of files through a single drive letter, such as Z.
  - It provides efficient distribution of files, images, and application updates and fixes to multiple locations quickly and cost effectively.
  - It also provides multiple storage tiers for flexible and efficient management of millions of files.
- Supports industry standard protocols: Common Internet File System (CIFS), Network File System (NFS), File Transfer Protocol (FTP), Hypertext Transfer Protocol Secure (HTTPS), and Secure Copy Protocol (SCP).
- Performance: It uses two dual-port (all ports active) 10 gigabit Ethernet (GbE) interface cards offering high bandwidth and additional connectivity in each Storwize V7000 Unified interface node to simultaneously manage multiple data streams and functions (for example, backup, replication, and antivirus).
- IBM Real-time Compression: The Storwize V7000 Unified system supports integrated IBM Real-time Compression, enabling storage of up to five times as much active primary data in the same physical space for extraordinary levels of efficiency. By significantly reducing storage requirements, you can keep up to five times more information online, use the improved efficiency to reduce storage costs, or achieve a combination of greater capacity and reduced cost.
- Solid-state drive (SSD): SSD supports applications that demand high disk speed, quick access to data, and requirements for tiered storage environments.
- Thin provisioning: It supports business applications that need to grow dynamically, while consuming only the space actually used.
- Data protection: File system and fileset-level snapshots (up to 256 snapshots per file system) provide a way to partition the namespace into smaller, more manageable units.
- Management: Command-line interface (CLI) and browser-based, simple, intuitive, and state-of-the-art administrative graphical user interface (GUI) provides icon-based navigation and informative graphics that streamline storage tasks and display real-time capacity, performance, and system health.
- Antivirus: Integrates with McAfee and Symantec AntiVirus, enabling users to secure data from malware and use the most commonly deployed independent software vendor (ISV) antivirus applications.
- IBM Active Cloud Engine: IBM Active Cloud Engine creates a common namespace access to globally distributed files, quickly and cost-effectively. The scalability is not limited to a single data center. As a cloud feature, it allows multiple sites to participate in fast information exchange, while still owning their own data. The files can reside in any data center, and can be accessible from anywhere.
- Operational savings and total cost of ownership (TCO): It consolidates multiple individual filers and their management, thereby avoiding problems associated with administering an array of disparate network-attached storage (NAS) systems. It automates file placement by transparently moving files to another internal or external storage pool, optimizes storage resources, and offers significant time and cost savings in administering petabytes of files. It helps conserve floor space (up to a petabyte of data in less than a square meter), is highly scalable, helps reduce capital expenditure, and enhances operational efficiency; its advanced architecture virtualizes and consolidates file space into a single, enterprise-wide file system, which can translate into reduced TCO.

Storwize V7000 Unified: Configurations, tests, and results

Configurations and tests

Through this configuration and test, an IBM Storwize V7000 Unified system was successfully enabled with the GE Healthcare Centricity Enterprise Archive application (version ) through local authentication and security capabilities with Microsoft Windows 2008 clients. The required file systems residing on the Storwize V7000 Unified system were made available to the applications as CIFS shares over the network, as shown in Figure 2.

Figure 2: NAS (CIFS) attached Storwize V7000 Unified configuration with Centricity Enterprise Archive

In this test, the shares were exported from the Storwize V7000 Unified system using CIFS protocols. In terms of network security, local authentication security services were configured in the network.

Test results

- Centricity Enterprise Archive can successfully export and import medical images from and to the Storwize V7000 Unified system.
- Centricity Enterprise Archive can successfully write, read, and archive images from and to the Storwize V7000 Unified system.
- It was also noted that, with the required security permissions, a user can easily move image files back and forth between their local workstation and the Storwize V7000 Unified system's exported share, with Windows copy services.
- As tested, the joint solution specified conservatively handles 20,000 to over 2,000,000 radiological studies per year, and this solution is easily scalable to sustain even larger annual image volumes.

- Centricity Enterprise Archive can be scaled in an extendable and modular way from a stand-alone workstation to an enterprise scenario. Centricity Enterprise Archive offers multiple solutions ranging from dedicated to shared storage, from a single to a multiple archive, from a small to an enterprise PACS.

GE Healthcare and IBM solution delivery recommendations

To ensure a smooth installation of the complete clinical imaging application solution using GE Healthcare Centricity Enterprise Archive, this section offers the following recommendations, security guidelines, and best practices:
- Healthcare data privacy and security considerations
- File systems layout: Best practice recommendations
- IBM solution sizing recommendation for a range of annual studies with GE Healthcare's Centricity Enterprise Archive applications

Healthcare data privacy and security considerations

Recent security lapses have led to an increased level of policy requirements to be met from a regulatory compliance, public disclosure of data loss, and legal discovery point of view. The following link provides a most recent list of data breaches in healthcare provider organizations, affecting 500 or more individuals, as required by section 13402(e)(4) of the Health Information Technology for Economic and Clinical Health (HITECH) Act:

Even a decade after publication of the Health Insurance Portability and Accountability Act (HIPAA) security rule, this link demonstrates that too many security breaches occur in the healthcare industry due to avoidable events that are frequently tied to lack of security expertise, human ignorance, and minimally skilled resources to implement security controls. Lost data and data devices with unencrypted patient information are the biggest sources of security breaches, together with careless enterprise security policies, unencrypted and easy passwords, ad hoc firewall rules, open access to unencrypted data stores, and other similar lapses.

Robust security needs to be enforced in a healthcare organization as a regulatory clinical policy rather than an information technology policy. To minimize the risk of data loss, a healthcare organization needs to use a regulatory compliance policy to secure all of its data and devices (notebooks, mobile devices, browsers, tapes, databases, and so on, and not just a few storage systems). It is equally important to enforce the same security policy at the same access level consistently, across many applications.

It is important to avoid the following kinds of security vulnerabilities:
- It is not sufficient to just look at a post-mortem of a broken application, system, or device after a security breach or after data loss.
- Many large organizations might have extensive security policies; however, root passwords are commonly shared among their administrators. This defeats the objective of any established security policy in any organization.

- The word "Passw0rd" is clearly documented in Wikipedia, and is visible to all on the Internet (just google it!).
- It is common knowledge that if someone sets up a server node on the open side of their organization's firewall, it gets hacked within 24 hours.
- At the clinical application level, strict data measures must be in place to distinctly differentiate between a real patient's name and a fictitious record of the same name, which is used to train new medical professionals (for example, is the name John Test a real patient or a fictional test record in the database?).

While these are interesting real-life examples, it is extremely important to establish and maintain a robust clinical security policy that prevents data loss in the healthcare organization. From a risk management and a quality management perspective, four specific security vulnerability elements need to be firmly rooted in place in each healthcare organization:
- A detailed view of security vulnerabilities related to certain server, application, and browser settings, to help better understand how to effectively mitigate threats.
- Recommended countermeasures to address such vulnerabilities, and the technical data required to implement and assess the state of each countermeasure as implemented.
- A product-specific security document that provides detailed instructions and recommendations to help strengthen the security of the servers, tools, applications, workstations, devices, media, and browsers in the client's healthcare organization.
- Methodologies in place to address individual lapses or human ignorance during the administration of applications, systems, servers, files, devices, storage systems, and so on.

File systems layout: Best practice recommendations

IBM Storwize V7000 Unified systems fulfill the following requirements of electronic archiving systems.
- Long-term storage (LTS) of the images
- Access to short-term storage (STS) with storage area network (SAN) and CIFS protocols
- Access to LTS with CIFS protocols
- Quick access to all archived images (independent of the time of archiving)
- Database supported image management, based on metadata
- Long-term readability of the images by compliance with the DICOM standard
- Support of DICOM migration procedures
- Message exchange with other information systems

For defining best practice recommendations, a distinction is made between online storage (short-term storage) and archive storage (long-term storage), as follows:
- STS: New images sent from the modality to Centricity Enterprise Archive are registered in the database libraries and stored in the STS (refer to the Glossary section of this paper). The STS has a limited storage capacity, but allows direct access to the images (for example, during image post processing and reporting). Images can be archived for approximately 3 to 12 months.
- LTS: Images are copied manually or automatically from the STS to the LTS archives based on specific rules and policies (refer to the Glossary section of this paper). This step is the actual archiving. The LTS provides a very large storage capacity. Images can be archived there for many years.

For improved performance in a normal and typical production environment, lay out the file systems for Centricity Enterprise Archive as per the following guidelines and recommendations:
- The IBM Storwize V7000 Unified system supports STS and LTS archiving through simultaneous use of SAN and NAS capabilities.
- Create the IBM General Parallel File System (IBM GPFS) on the Storwize V7000 Unified system by using the cluster method of creating the block allocation maps (to achieve a uniform disk performance across all storage capacities).
- Create the GPFS on Storwize V7000 Unified by using the logfileplacement value as striped (to stripe the log file of the file system across all metadata disks).
- Use the block size of 256 KB for both STS and long-term storage.
- As a best practice, run all Windows servers with dual 10 GbE bonded network channel connections, with maximum transmission unit (MTU) =

IBM solution sizing recommendations for a range of annual studies

Table 1 highlights typical storage sizing information for Centricity Enterprise Archive. As summarized in this table, a typical study might use about 100 MB of storage irrespective of the modality. If the requirements are slightly larger or smaller, they can be easily adjusted accordingly. If a radiology department processes a large number of images annually, then the estimated storage for 1 year, 3 years, and 5 years is extrapolated linearly across the row.

Table 1: Typical storage sizing matrix for GE Healthcare Centricity Enterprise Archive
[Table 1 columns: Estimated MB per study; Annual studies (estimated); Estimated storage requirements in TB for 1 year, 3 years, and 5 years; Recommended storage system (one IBM Storwize V7000 Unified system, or two IBM Storwize V7000 Unified systems)]

Assumptions:
- Decimal values have been rounded to the nearest integer value.
- Storage values are computed using marketing terabytes (TB), and not engineering TBs.
  - 1 marketing terabyte (TB) = 1000 marketing gigabytes (not 1024 GB)
  - 1 marketing gigabyte (GB) = 1000 marketing megabytes (not 1024 MB)

- Storage numbers are based on raw storage computations. Redundant Array of Independent Disks (RAID) protection is not assumed in these computations. Depending on the requirement of a specific RAID protection, these estimates need to be increased or adjusted appropriately. (Some clients might prefer RAID-5 and some clients might prefer RAID-6.)
- IBM Storwize V7000 system specifications are available at: ibm.com/systems/storage/disk/storwize_v7000/specifications.html
- Irrespective of the modality, it is estimated that each new study results in an average of 100 MB of new images and data per study.
- Extrapolation: For example, if a radiology group does only United States (US) studies, but processes 100,000 annual estimated studies, then extrapolate the estimated numbers by using the following computations:
  - Storage (1 year) = 100,000 x (MB per study) = 10 TB
  - Storage (3 years) = 100,000 x (MB per study) = 30 TB
  - Storage (5 years) = 100,000 x (MB per study) = 50 TB
- For very large sites, it is recommended to segregate the application components (shifting the web server off to handle client load separately from archive and routing back-end processing) to improve efficiencies.
- From the storage perspective, one Storwize V7000 Unified system is recommended for each 1000 TB of total storage (approximate, and raw computations or estimations).

While Table 1 provides approximate estimates, it offers a good starting point for further discussions on fine-tuning the requirements of a specific client situation or opportunity.

Solution benefits

Healthcare clients running GE Healthcare Centricity Enterprise Archive imaging applications can avail the following benefits:
- Simplify administration by consolidating STS and LTS into a single system.
- Achieve improved performance by delivering multithreaded I/O through different interface node IP addresses of the Storwize V7000 Unified system, simultaneously.
- Reduce latencies in I/O traffic by using the self load-balancing capabilities of Storwize V7000 Unified interface nodes.
- Include built-in capabilities that support antivirus protection with McAfee, Symantec, Legato, and other IBM ISV partners.
- Storwize V7000 Unified systems easily support data migration, data archiving, data prefetching, and data compression, with built-in features that are already included in Centricity Enterprise Archive software applications.

Based on these benefits, the IBM Storwize V7000 Unified storage systems offer flexible and scalable choices to easily support different use cases for a healthcare environment. These use cases are documented in the appendixes of this paper.
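The sizing extrapolation from the section "IBM solution sizing recommendations for a range of annual studies", written out as an added example (it is not part of the original paper or of any IBM or GE Healthcare tool). It uses the paper's 100 MB per study, decimal ("marketing") terabytes, and one system per 1000 TB of raw storage; the RAID array widths and all function names are assumptions of this example.

```python
"""Archive capacity sizing using the paper's stated assumptions."""
import math
from fractions import Fraction

MB_PER_TB = 1000 * 1000   # paper: 1 TB = 1000 GB, 1 GB = 1000 MB (decimal units)
TB_PER_SYSTEM = 1000      # paper: one Storwize V7000 Unified per 1000 TB raw
BYTES_PER_TIB = 2 ** 40   # binary unit that many operating systems report


def raid_raw_factor(data_disks, parity_disks):
    """Raw capacity needed per unit of usable capacity in one RAID array.

    The paper mentions RAID-5 and RAID-6 but gives no array widths, so the
    geometry (for example 8 data + 2 parity) is an assumption of the caller.
    """
    if data_disks < 1 or parity_disks < 0:
        raise ValueError("need at least one data disk and no negative parity")
    return Fraction(data_disks + parity_disks, data_disks)


def size_archive(annual_studies, mb_per_study=100, years=(1, 3, 5),
                 data_disks=1, parity_disks=0):
    """Return one sizing row per retention period.

    With the default geometry (no parity) the result matches the paper's
    raw, unprotected figures.
    """
    if annual_studies < 0 or mb_per_study <= 0:
        raise ValueError("study count and study size must be positive")
    factor = raid_raw_factor(data_disks, parity_disks)
    rows = []
    for period in years:
        usable_mb = Fraction(annual_studies) * Fraction(mb_per_study) * period
        raw_tb = usable_mb * factor / MB_PER_TB
        rows.append({
            "years": period,
            "usable_tb": float(usable_mb / MB_PER_TB),
            "raw_tb": float(raw_tb),
            # Same capacity expressed in binary tebibytes, to compare with
            # what a host reports for the mounted file system.
            "raw_tib": float(raw_tb * 10 ** 12 / BYTES_PER_TIB),
            "systems": max(1, math.ceil(raw_tb / TB_PER_SYSTEM)),
        })
    return rows


if __name__ == "__main__":
    # The paper's own extrapolation case: 100,000 studies per year.
    for row in size_archive(100_000):
        print(row)
    # Upper end of the tested range with an assumed RAID-6 8+2 layout.
    for row in size_archive(2_000_000, data_disks=8, parity_disks=2):
        print(row)
```
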

Summary

This paper describes the architecture for deploying GE Healthcare's Centricity Enterprise Archive with IBM Storwize V7000 Unified systems when configured with local authentication capabilities. As tested, this robust, secure, and scalable solution is well suited for any medical environment that processes from 20,000 to over 2 million studies per year. The unified capabilities of the IBM Storwize V7000 Unified system also demonstrate a special use case of coexistence and interoperability between two different security services configured with different authentication capabilities, existing in the same enterprise domain.

Acknowledgments

Special thanks to the GE Healthcare product management teams in the US for loaning the software and licenses that enabled the IBM test team to successfully create an operational test environment and run tests to document real-life results. Many thanks to the IBM client executives, IBM Systems and Technology Group members, and other associates worldwide, who contributed their recommendations during the test run and review process and enabled successful completion and validation, so that Centricity Enterprise Archive software applications can run successfully over SAN and NAS environments facilitated by IBM Storwize V7000 Unified systems.

Appendixes: Use case scenarios

This section outlines various use cases using different solutions built with IBM Storwize V7000 and IBM Storwize V7000 Unified systems. These use cases outline different imaging capabilities as evidenced typically by a small radiologist office, a large radiology department in a single hospital, or a large RIS system that consists of multiple radiology departments situated in a hospital network. These validated solutions have been successfully tested to work optimally with GE Healthcare Centricity Enterprise Archive imaging applications in all healthcare client environments.

Appendix A: Coexistence of Active Directory and local authentication services in enterprise

Use case scenario

The unified capabilities of the Storwize V7000 Unified system demonstrate a special use case scenario of coexistence and interoperability between two different enterprise security services configured with different authentication capabilities, existing in the same enterprise domain. The two different security services are AD and local authentication services. Refer to Figure 3.

Figure 3: Coexistence of AD and local authentication services

Front-end authentication with AD services

1. Specialist logs into the enterprise network.
2. Specialist credentials are validated by the AD server (or cluster).
3. In the enterprise network, the Centricity Enterprise Archive web server resides on the Windows 2008 x64-based system (or a cluster).

4. The Centricity Enterprise Archive web client is the specialist console. The Centricity Enterprise Archive imaging web server (mentioned in step 3) communicates with the Centricity Enterprise Archive web client and stores short-term storage data on a database (SQL) on a Storwize V7000 system through an 8 GB Fiber Channel SAN interface.

Back-end authentication with local authentication services

1. IBM Storwize V7000 Unified (file services only) is configured with local authentication and long-term storage.
2. The Centricity Enterprise Archive application authenticates with local authentication on Storwize V7000 Unified with only two users, NASRW and NASRO.
3. The Centricity Enterprise Archive application moves data from short-term storage to long-term storage on Storwize V7000 Unified.
4. The Centricity Enterprise Archive has the authentication credentials from AD and local authentication services.
5. The specialist only accesses the Centricity Enterprise Archive web client. The credentials of the specialist are not stored on Storwize V7000 Unified.
6. The specialist has no direct access to the Centricity Enterprise Archive application instance or Storwize V7000 Unified (file services).

The AD authentication in the enterprise (is not equal to) local authentication on the Storwize V7000 Unified (file), but both security services coexist in the same enterprise.

Appendix B: Radiology practice emergency room services

Use case scenario

There are two modalities, Computed Radiography (CR) and Computed Tomography (CT), generating about 5 GB of image data per day. Approximately 20,000 examinations are performed annually. Refer to Figure 4.

Figure 4: Single radiology practice emergency room services

System configuration

This is a central system configuration with one shared database. A few client workstations for image viewing are set up within the healthcare enterprise. Some of these client workstations are local to the network. A select (finite) number of remote client workstations are set up as web clients, and could be external to the firewall, enabled with validated security access credentials. The central server maintains the image database, and also acts as a web server for authenticated remote clients. Additionally, the following solution details are outlined:
- Single shared image database
- Local and remote clients
- STS and long-term storage on IBM Storwize V7000
- STS can be 300 GB 15K rpm serial-attached SCSI (SAS) disks
- LTS can be 4 TB 7.2K rpm nearline SAS disks
- Storwize V7000 can be SAN-attached or direct-attached to the Centricity Enterprise Archive server.

Workflow

- New images of all modalities are sent to one server.
- The workstation clients are not assigned to a certain modality.

Appendix C: Radiology services with clustered failover

Use case scenario

There are five modalities generating about 20 GB of image data per day. Approximately 100,000 examinations are performed annually. Refer to Figure 5.

Figure 5: Radiology solutions with a clustered failover and with external public Internet access through the firewall

System configuration

- A pair of clustered services for Centricity Enterprise Archive
- Local and remote clients
- Services hosted on a pair of virtual machines (VMs) with VMware high availability (HA) and Distributed Resource Scheduler (DRS) (VMware vSphere and VMware DRS)
- Both servers (or VMs) access a single shared or common image database
- A separate server acts as a web server or a jump server for remote clients
- STS is SAN storage on Storwize V7000 Unified
- Archive is NAS storage on Storwize V7000 Unified
- STS and long-term storage reside on IBM Storwize V7000 Unified
- STS can be 300 GB 15K rpm SAS disks
- LTS can be 4 TB 7.2K rpm nearline SAS disks

Workflow

- New images of all modalities are sent to the server cluster
- IBM Storwize V7000 Unified serves as NAS storage and is used as the archive
- All reporting and viewing users access the central database

Appendix D: Hospital with several functional imaging modalities

Use case scenario

Consider a single hospital with several functional imaging modalities used for exploratory, diagnostic, and interventional imaging options. These state-of-the-art modalities generate about 50 GB of image data per day. As many as 250,000 or more examinations are performed every year. Refer to Figure 6.

Figure 6: An illustration of a large radiology department supporting many state-of-the-art modalities for exploratory, diagnostic, and interventional imaging options

System configuration

- To process a large number of examinations quickly, a server farm is installed.
- Multiple modalities are connected to each Centricity Enterprise Archive application server.
- If a server fails, the modalities can send data to another live server.
- Local and remote clients access the stored images directly through the Centricity Enterprise Archive servers or through the web servers.
- The NAS storage archive is configured as two Storwize V7000 Unified systems, paired together with IBM Active Cloud Engine. The first Storwize V7000 Unified acts as STS and the second system acts as LTS.
- STS can be 300 GB 15K rpm SAS disks.
- LTS can be 4 TB 7.2K rpm nearline SAS disks.
- Storwize V7000 Unified systems are NAS-attached systems.

Workflow
- Each modality transmits its images to one connected application server. There, the images are stored locally. At the same time, the metadata that is required for access to these images is stored on the central server.
- Each connected client and web client can load all images that are stored centrally in the server farm.
- The central server controls access to all the images.
- Two Storwize V7000 Unified systems are connected through Active Cloud Engine. They access the image archives on these two systems through the CIFS mount points.

Appendix E: Imaging for multiple specialties in a hospital network

Use case scenario
Consider a large hospital network with RIS services spanning many different buildings of the medical institution. Multiple Centricity Enterprise Archive systems in different specialty departments can form a shared multi-PACS system. As many as 1,000,000 or more examinations are performed every year. Combined with an institution-wide RIS, this configuration provides a solution that can cover the entire radiology workflow in large hospitals with different specialty departments, as shown in Figure 7.

Figure 7: Imaging for multiple specialties in a hospital network

System configuration
- Institution-wide RIS services span multiple buildings of a hospital.
- The RIS covers the entire radiology workflow with different specialty departments.
- Each building has a separate PACS system.
- Each PACS system consists of a separate server farm and storage archive.
- The RIS controls patient data for both PACS systems.
- Different medical specialties are set up in different hospital buildings.

Workflow
- Orders for new radiological examinations are registered in the RIS. This information is transmitted to the modalities as a DICOM worklist.
- After the examination, the images are transmitted to the Centricity Enterprise Archive servers and reported to physicians at web client workstations.
- The images are archived in the appropriate departmental PACS and the reports are stored in a central RIS.
- Physicians can access the images of the other department over DICOM query spanning. Query spanning means that patient images can be queried and retrieved from several DICOM nodes in one step using DICOM Query/Retrieve. In this way, a local query can be extended to be a global query.
- By means of suitable rules, the images are also prefetched during low-load periods and stored in the PACS of the local department. Subsequently, the data can be quickly accessed.

Glossary

CR: Computed Radiography System for Imaging.

CT: Computed Tomography System for Imaging. CT was earlier called computerized axial tomography. It is a radiographic technique that produces an image of a detailed cross section of tissue. CT uses a narrowly collimated beam of x-rays that rotates in a full arc around the patient to image the body in cross-sectional slices. An array of detectors, positioned at several angles, records those x-rays that pass through the body. The image is created by a computer that uses multiple attenuation readings taken around the periphery of the body part. The computer calculates tissue absorption and produces a representation of the tissues that demonstrates the densities of the various structures. Tumor masses, infarctions, bone displacement, and accumulations of fluid can be detected. For cardiologic examination, ultrafast CT is electrocardiogram-triggered and this allows visualization of cardiac function and blood flow.

Digital Imaging and Communication in Medicine (DICOM): A worldwide standard for exchanging patient images and data. It enables the exchange of images and data between heterogeneous information systems and various imaging and image producing and processing devices (modalities).

Enterprise master patient index (EMPI): An index that enables the merging of different medical record numbers (MRN) into a single patient.

Electronic Medical Record (EMR): The digital form of the patient record containing all clinical and part of the administrative information of a patient (such as name, stay in hospital, diagnosis, treatments, and so on).

HIPAA: The Health Insurance Portability and Accountability Act of 1996 was enacted by the United States Congress and signed by President Bill Clinton in 1996. It has been known as the Kennedy-Kassebaum Act or Kassebaum-Kennedy Act after two of its leading sponsors.

HIS: Hospital information system is a comprehensive, integrated information system designed to manage all the aspects of a hospital operation, such as medical, administrative, financial, legal and the corresponding service processing.

Integrating the Healthcare Enterprise (IHE): An initiative by users and companies to achieve maximum interoperability of the digital information systems used in health services. The basis for this is the integration of the profiles that are based on the working procedures actually followed in radiology. You can find further information about IHE at:

Joint Photographic Experts Group (JPEG): A standardization group for the coding and compression of gray scale and color images. JPEG is a graphics format that enables up to 20-fold compression of individual images. The names of files in the JPEG format usually have the extension .jpg.

JPEG 2000: A wavelet-based image compression standard. It was created by the JPEG committee in the year 2000 with the intention of superseding their original discrete cosine transform-based JPEG standard. Compared to JPEG, there is an increase in compression performance of JPEG 2000. The main advantage offered by JPEG 2000 is the significant flexibility of the code stream. The code stream of a JPEG 2000 compressed image is scalable in nature. It can be decoded in a number of ways. For example, by truncating the code stream at any point, you can obtain a representation of the image at a lower resolution.
Lightweight Directory Access Protocol (LDAP): An application protocol for querying and modifying directory services running over TCP/IP.

Long-term storage (LTS): A storage medium for long-term storage or archiving of images. Tape archives and jukeboxes are frequently used for this.

Metadata: Data about the data. In DICOM, each image is marked with properties, or attributes, such as patient name, study date, and so on. These attributes constitute the metadata.

Megapixel (MP): Abbreviation for the resolution of monitors. Additionally,
1.3 MP = pixels
2.0 MP = pixels
3.0 MP = pixels
5.0 MP = pixels

Medical Record Number (MRN): An index number for patient identification that is assigned by a HIS or RIS.

National Electrical Manufacturers Association (NEMA): An industry consortium, which in 1983 began a collaboration with the American College of Radiology (ACR) to develop the imaging standard now known as DICOM.

Picture archiving and communication system (PACS): A system consisting of several components for digital storage, distribution, and display of images.

Radiology information system (RIS): A system for the radiology department, which takes care of patient administration, documentation, acknowledgment of services, and writing the reports (for example, syngo workflow).

Solid-state drive (SSD): In systems and applications, refers to an electronic memory storage.

Short-term storage (STS): Based on storage technologies and connections that allow fast access to image data. Typically, a RAID system that is connected directly to the server is used as a short-term storage.

VNA: A Vendor Neutral Archive (VNA) is a medical imaging technology in which images and documents (and potentially any file of clinical relevance) are stored (archived) in a standard format with a standard interface, such that they can be accessed in a vendor-neutral manner by other systems.

XDS: XDS stands for cross-enterprise document sharing. Healthcare organizations can use XDS for sharing non-image data with each other. Examples of non-image data include radiology reports, lab reports, primary care physician's diagnoses and emergency-room care records.

Resources

The following websites provide useful references to supplement the information contained in this paper:
- GE Healthcare portal: www3.gehealthcare.com/en/products/categories/healthcare_it/medical_imaging_informatics_-_ris-pacs-cvis/centricity_pacs
- IBM Systems on PartnerWorld: ibm.com/partnerworld/systems
- IBM Redbooks: ibm.com/redbooks
- IBM Publications Center
- IBM Storwize 7000 Unified Information Center: pic.dhe.ibm.com/infocenter/storwize/unified_ic/index.jsp
- IBM Storwize V7000 Introduction and Implementation Guide [SG247938]: ibm.com/redbooks/redpieces/abstracts/sg html?open

About the author

Prashant Avashia is a software engineer in IBM Systems and Technology Group ISV. With more than 20 years of experience in storage infrastructure technologies, he has successfully architected, engineered, and implemented enterprise infrastructure solutions for key global clients in healthcare, financial, and software industries. You can reach Prashant Avashia at pavashia@us.ibm.com.

Trademarks and special notices

Copyright IBM Corporation

References in this document to IBM products or services do not imply that IBM intends to make them available in every country.

IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

Intel, Intel Inside (logos), MMX, and Pentium are trademarks of Intel Corporation in the United States, other countries, or both.

GE and Centricity are trademarks of General Electric Company.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Other company, product, or service names may be trademarks or service marks of others.

Information is provided "AS IS" without warranty of any kind.

All customer examples described are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics may vary by customer.

Information concerning non-IBM products was obtained from a supplier of these products, published announcement material, or other publicly available sources and does not constitute an endorsement of such products by IBM. Sources for non-IBM list prices and performance numbers are taken from publicly available information, including vendor announcements and vendor worldwide homepages. IBM has not tested these products and cannot confirm the accuracy of performance, capability, or any other claims related to non-IBM products. Questions on the capability of non-IBM products should be addressed to the supplier of those products.

All statements regarding IBM future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only. Contact your local IBM office or IBM authorized reseller for the full text of the specific Statement of Direction.

Some information addresses anticipated future capabilities. Such information is not intended as a definitive statement of a commitment to specific levels of performance, function or delivery schedules with respect to any future products. Such commitments are only made in IBM product announcements. The information is presented here to communicate IBM's current investment and development activities as a good faith effort to help with our customers' future planning.

Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve throughput or performance improvements equivalent to the ratios stated here.

Photographs shown are of engineering prototypes. Changes may be incorporated in production models.

Any references in this information to non-IBM websites are provided for convenience only and do not in any manner serve as an endorsement of those websites. The materials at those websites are not part of the materials for this IBM product and use of those websites is at your own risk.