Security

User Access

User passwords and access can be configured to use an institutional LDAP server. Control and management of passwords are then governed at the institutional level. Access to individual functions in the teaching file (administrative, authoring, publishing and viewing functions) can be set at the server level.

When an LDAP server is not used, passwords are stored as a hash, so a lost or forgotten password cannot be recovered, even by the administrator. A new password must be created in this situation.

Internet Security

Most institutional teaching file systems are installed behind the institutional firewall, which prevents access to the system from the internet. However, the system can be accessed via an institutional virtual private network (VPN). It is recommended to install an SSL certificate on the server so that data are encrypted in transit, even when behind a firewall. The server is then accessed over HTTPS, resulting in a URL such as https://www.myRadPixServer.com.

Patient Information

Protection of patient information is essential and is required by law: in the United States by the HIPAA and HITECH laws, and in other countries by their respective laws.

When DICOM images containing patient information are received by the server, they undergo a series of actions, including DICOM header anonymization and pixel anonymization. The system may be configured to retain patient information so that users can later locate the cases. When a case is completed by adding text, annotations, etc., the system can be configured to remove the patient information.
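As an added illustration of the header-anonymization step described above (example code written for this page, not RadPix's own implementation), the following Python models a DICOM header as a dict of (group, element) tags and applies the remove, blank and pseudonymize actions, strips private tags, and separates the PHI record that a server configured to retain patient information would keep in its own store. The tag subset, the HMAC key and the sample header values are assumptions.

```python
import hashlib
import hmac

# Tags as (group, element); an illustrative subset of the DICOM Basic
# Confidentiality Profile (PS3.15 Annex E), not RadPix's own list.
PATIENT_NAME = (0x0010, 0x0010)
PATIENT_ID = (0x0010, 0x0020)
REMOVE_TAGS = {
    (0x0010, 0x0030),  # PatientBirthDate
    (0x0010, 0x1040),  # PatientAddress
    (0x0010, 0x2154),  # PatientTelephoneNumbers
    (0x0008, 0x0080),  # InstitutionName
    (0x0008, 0x0090),  # ReferringPhysicianName
}
BLANK_TAGS = {(0x0008, 0x0050)}  # AccessionNumber: Type 2, keep tag but empty


def pseudonym(patient_id, key):
    """Keyed hash: same patient -> same pseudonym, so staff can still relate cases,
    but the real MRN never appears in the header. Key lives in server config only."""
    return "ANON-" + hmac.new(key, patient_id.encode(), hashlib.sha256).hexdigest()[:16]


def anonymize_header(ds, key):
    """Return (de-identified header, PHI record). A server configured to retain
    patient information keeps the PHI record in its separate, access-logged
    store; only the header goes into the teaching file."""
    phi = {t: ds[t] for t in (PATIENT_NAME, PATIENT_ID, *REMOVE_TAGS) if t in ds}
    out = {}
    for tag, value in ds.items():
        if tag[0] % 2 == 1 or tag in REMOVE_TAGS:  # odd group = private tag
            continue
        if tag in BLANK_TAGS:
            out[tag] = ""
        elif tag == PATIENT_NAME:
            out[tag] = "ANONYMIZED"
        elif tag == PATIENT_ID:
            out[tag] = pseudonym(value, key)
        else:
            out[tag] = value
    out[(0x0012, 0x0062)] = "YES"  # PatientIdentityRemoved
    out[(0x0012, 0x0063)] = "Header de-identification (example)"  # DeidentificationMethod
    return out, phi


# Constructed sample header; the values are made up, not real patient data.
SAMPLE = {
    (0x0008, 0x0050): "ACC123456", (0x0008, 0x0060): "CT",
    (0x0008, 0x0080): "Example Hospital", (0x0008, 0x0090): "Doe^Jane",
    (0x0010, 0x0010): "Smith^John", (0x0010, 0x0020): "MRN0001",
    (0x0010, 0x0030): "19700101", (0x0029, 0x1010): b"vendor private blob",
}
```

Header cleaning alone leaves any text burned into the image pixels untouched, which is why the separate pixel anonymization step mentioned above is still required.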

It is up to the RadPix Teaching File server administrator and users to follow all local laws.

When patient information is stored in the proper PHI data field, access to that case is logged by the server.