PACS focus shifts from radiology to the enterprise

December 1, 2005

PACS already enjoys success in the healthcare marketplace and provides numerous benefits to institutions where it has been implemented. Now the focus is shifting from departmental to enterprise-wide systems. The enterprise is a different place, more intimidating than the safe confines of a radiology department. An enterprise network makes its way to many more locations; in some cases, to every location. Users are everywhere. Some have valid reasons to access imaging information, and others do not.


PACS is different from the typical enterprise-level system. Image data sets are extremely large, and users expect and demand rapid access. Unlike billing and e-mail systems, PACS is a clinical workhorse that is critical to patient care, and it must be consistently available and operational without fail. Thus, facilities that are implementing PACS for the first time as well as those that are expanding their existing PACS from a departmental to an enterprise-wide resource face numerous challenges.

Two main concepts should be taken into consideration when preparing to implement an enterprise-wide PACS or upgrade an existing PACS to enterprise-wide stature. The first is bandwidth, and the second is access.

Bandwidth, or the amount of data that a network can handle, is the first and most tangible aspect to consider. Servers now in use have built-in gigabit Ethernet adapters, and many vendors are using storage area networks, or SAN, devices for image and information storage. In order to support these devices, you should plan your network core and backbone to support at least gigabit-per-second throughput, with both fiber- and copper-based switching. Forward-thinking administrators are looking at higher bandwidth networks for the core and backbone, on the order of 10 Gb/sec.

The reasons for upgrading the network architecture are straightforward. As image information moves from a departmental environment to an enterprise, more users access the systems at the same time. More devices send and receive information, and more associated systems communicate with the PACS. These systems include the RIS, HIS, and, for true enterprise distribution, a portal or electronic medical record application.

DATA EXPLOSION

As imaging technology has progressed, and spatial and temporal resolutions have increased, much larger studies have resulted from the modalities in use at many facilities. Multislice CT scanners allow physicians and technologists to acquire a higher slice resolution through the volume of interest. This has resulted in more slices of CT data to transport to the PACS and to other workstation devices. It is not uncommon to see a 200 to 400-image data set, where five years ago 50 to 80 images were the norm. New systems are transferring data at 100 Mb/sec (100 BaseT) as opposed to the older 10 Mb/sec (10 BaseT) standard. Though higher throughput reduces the time spent waiting for a study to transfer, the increased data density yields real-time transfers in what amounts to the same time frame as before. The major difference is that there are a lot more data!

Other common examples of large data sets include MR imaging, PET/CT acquisitions, and x-ray angiography and fluoroscopic exams. Fluoroscopy and x-ray angiography result in video-type data sets, which commonly include 15 images per second, with a matrix of 512 x 512 to 1024 x 1024. For x-ray angiography, it is customary to have between six and 12 acquisitions yielding raw data sets from 900 to 1800 MB. Even with lossless compression, these data sets are still 400 to 800 MB. New technologies in angiography can yield higher temporal resolution, up to 30 frames per second, doubling the data load for each study. PET/CT-type acquisitions result in two data sets: the PET images and their attendant functional information, and the CT study for the anatomic localization. A whole-body scan requires transfer of a large number of slices for both studies. Multichannel MR systems also allow higher temporal and spatial resolution, yielding more information to transfer.

Transfer of this information is the key to enterprise PACS. No matter what architecture is used, doing a full read of each data set requires sending that entire data set to the reading workstation. There is no magic in Web-based approaches, even though many different schema allow presentation of only the relevant part of the image information through differential compression, selective image identification, or other options. But the reality is that all these data must be transferred to the radiologist to be viewed. This means that a lot of data must move quickly.

Keeping the network working at its peak to provide this data transfer in an efficient fashion requires tools to manage its different components. To maintain network integrity and functionality, it is necessary to benchmark the performance and to have an accurate map of the layout and components. These tools should include a network mapping application, some throughput monitor applications, and a "sniffer" that listens to the network traffic packets of information and can help to interpret where data are coming from and where they are destined, as well as the data packet composition. These tools are a starting point for a network maintenance toolbox.

Up to now, most networks in a departmental setting have been composed of the modalities, the archive system, and several workstations. These devices could, and in many instances do, all exist on one unmanaged switching device. When the PACS moves to the enterprise, these systems go on the hospital network with all the other systems in use at the hospital. PACS will undoubtedly be one of the largest data transfer agents in this environment, but it is by no means the only system on the network. You want your PACS to be a good network citizen. Virtual local area networks (VLANs) are a method of segmentation of your network to allow only traffic between radiology modalities and their archive and workstations.

ACCESS ISSUES

Most enterprise networks in the hospital environment are configured in a pattern of core switch and a series of distribution switches, ending in edge switches that provide connections to the desktop. In addition, routers direct traffic from one part of the hospital network to another, and firewalls stop or regulate traffic in and out of the network.

Most hospital enterprise networks also include interfaces to external networks, and this is where firewalls and routers provide security for the network. The core switch contains the brains of routing for the network and transmits the instructions for routing of packets to the intermediate and edge switches. These switches have programming and intelligence built into them to allow the determination of the best, most efficient routing of data packets through the system. They are also capable of providing different services to the devices connected to them, including security. When moving from department to enterprise, it is always preferable to use the enterprise infrastructure as the backbone.

Placing PACS on the enterprise network means that the security and other issues that are addressed for other computers must be addressed in a similar fashion for your PACS. No longer can you have a single login for radiologist or technologist. Users will most likely have to log into the computer system and then start up the applications they will use. This can include the HIS, RIS, EMR, and any other clinical data application and may entail multiple logins.

The single sign-on is a Holy Grail of network administration in the hospital environment. Though many products work with different applications, the single sign-on remains elusive. Some basics happen in almost every environment. Given the proliferation of Windows as an operating system in the healthcare environment, network login procedures can be used to assist in the single sign-on, given that the applications all provide the proper support. The hospital must support Windows network domains and the use of individual logins and passwords.

Once users are logged into the Windows domain, they can then start applications that will recognize them and allow them to operate as themselves through Windows Authentication or NT login management. Again, this assumes that the application supports authentication or login management. Other products will provide a lookup-type approach to caching of login/password pairs for different programs and will trigger the entry of these into the program upon startup.

Maintenance of the login/password files may become tedious and time-consuming, however, depending on the password aging procedures of an individual hospital. Under any circumstances, the current regulatory environment and good medical and data practices dictate that an accurate record of data access must be provided.

The entire concept of PACS is to provide imaging information where it is needed, and deciding how to distribute imaging data to referring physicians is essential. There are two general methods: putting workstations with PACS software throughout the hospital or publishing a Web site where the PACS Web server resides.

The first approach involves purchase of the appropriate hardware, configuration and maintenance, security (both physical and logical), and individual training of the users for that application. Security for direct workstations, those outside the physical hospital network, usually involves the use of a virtual private network.

The Web method is easier to implement but also involves some user training and adequate bandwidth, for both the end users and the hospital. In addition to a VPN, the Web method will allow other methods of secure access, such as reverse proxy (a server makes the connection back to the client) and Secure Sockets Layer (SSL). Most PACS today have a Web server and can be configured to support any or all of these methods. VPN is a secure method that makes the workstation part of the hospital network. This will allow direct access to servers.

The drawback to VPN access is that the computer becomes a node on the hospital network. If the computer is not adequately maintained for virus protection, this system can possibly infect the rest of the network. Reverse proxy involves the use of one or more computers to act as reverse gateways. Maintenance of these systems is a key drawback: if only one computer provides the reverse proxy, no access is available when it is disabled. This presents an obvious point of failure. Many implementations of reverse proxy involve multiple servers.

Most systems use SSL, which requires a login/password pair to access and allows for auditing of access to the system from both the user standpoint and the computer address of the access point. SSL does require that access to the secure port on the server be opened to the Internet, but the secure hypertext transfer protocol (HTTPS) provides for separation of the data from the access method.
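
The access audit described above, indexed by user and by the computer address of the access point, sketched as an added example that is not part of the original article or any vendor's code. It assumes the PACS Web server writes Common Log Format lines that include the authenticated user name; the sample lines, user names, addresses and /studies/ paths are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in Common Log Format; addresses come from the
# RFC 5737 documentation ranges, user names and /studies/ paths are made up.
SAMPLE_LOG = """\
203.0.113.10 - drlee [01/Dec/2005:08:02:11 -0600] "GET /studies/1001 HTTP/1.1" 200 5242880
203.0.113.10 - drlee [01/Dec/2005:08:05:40 -0600] "GET /studies/1002 HTTP/1.1" 200 7340032
198.51.100.7 - drlee [01/Dec/2005:08:06:02 -0600] "GET /studies/1001 HTTP/1.1" 200 5242880
198.51.100.7 - - [01/Dec/2005:08:07:15 -0600] "GET /studies/1003 HTTP/1.1" 401 512
192.0.2.44 - tech3 [01/Dec/2005:09:15:00 -0600] "GET /studies/1003 HTTP/1.1" 200 1048576
this line is malformed and must be counted, not silently dropped
"""

CLF = re.compile(
    r'^(?P<addr>\S+) \S+ (?P<user>\S+) \[(?P<when>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

def audit(log_text):
    """Build an access record indexed by user and by source address."""
    by_user = defaultdict(lambda: {"addresses": set(), "studies": set()})
    by_addr = defaultdict(lambda: {"users": set(), "denied": 0})
    unparsed = 0
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m:
            unparsed += 1          # keep a count so gaps in the record are visible
            continue
        addr, user, status = m["addr"], m["user"], int(m["status"])
        if status in (401, 403):   # refused requests are recorded per address
            by_addr[addr]["denied"] += 1
            continue
        if user == "-":            # no authenticated user to attribute the access to
            continue
        by_user[user]["addresses"].add(addr)
        by_user[user]["studies"].add(m["path"])
        by_addr[addr]["users"].add(user)
    return by_user, by_addr, unparsed

def multi_address_users(by_user):
    """Users seen from more than one address, for reviewer follow-up."""
    return sorted(u for u, rec in by_user.items() if len(rec["addresses"]) > 1)

if __name__ == "__main__":
    users, addrs, bad = audit(SAMPLE_LOG)
    print({u: sorted(r["studies"]) for u, r in users.items()})
    print("multiple addresses:", multi_address_users(users), "unparsed:", bad)
```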

Enterprise PACS implementation is a significant task. Careful consideration of the ability to move large amounts of data around efficiently and securely and the concepts of bandwidth and access, network maintenance, segmentation, login, and network security will provide a solid backbone upon which to build and maintain an enterprise PACS and associated systems.

Mr. Cohen is a consultant with Xtria LLC in Richardson, TX.

CLINICAL APPLICATIONS FOR SINGLE SIGN-ON

HIS/RIS (e.g., Meditech)

Pharmacy (e.g., Pyxis)

Dictation (e.g., Lanier)

Transport (e.g., Teletracking)

Radiology (e.g., PACS)

Mobile data (e.g., Mercury MD)

Document management (e.g., Valco)

Internet access

NT/PC services

Home health documentation

Applications that require managed logins within a hospital enterprise.