When a medical imaging modality or a DICOM software client connects to a Picture Archiving and Communication System (PACS) server, the two systems begin exchanging data. Typically this communication is unencrypted, meaning any third party on the network path could potentially see what data is being exchanged. The Butterfly Cloud DICOM Connector creates a secure, encrypted connection between Butterfly Cloud and your facility’s DICOM endpoints. This enables secure transmission of ultrasound studies captured with Butterfly iQ, via Butterfly Cloud, to a DICOM PACS, VNA or other medical image archive.
The Butterfly Cloud DICOM Connector utilizes DICOM-TLS (Transport Layer Security, v1.2) to provide point-to-point encrypted communication without the drawbacks and setup challenges associated with a VPN tunnel.
Since many PACS solutions do not inherently support the encryption/decryption of DICOM-TLS, we leverage either a network device such as a Citrix ADC (NetScaler) or F5 Networks BIG-IP, or software such as Stunnel, to terminate (decrypt/encrypt) the TLS-encrypted network traffic.
Stunnel is a proxy designed to add TLS encryption/decryption functionality to existing clients and servers without any changes to the original programs' code.
Stunnel is free software authored by Michał Trojnara and distributed under the GNU GPL version 2 or later with the OpenSSL exception. Additionally, commercial technical support for Stunnel and non-GPL licenses are offered for a fee directly from Stunnel.
- Ensure that you have access to Butterfly Cloud (cloud.butterflynetwork.com) as an Administrator so that you can configure the PACS connection. The PACS configuration screen will provide you with the digital certificate/key pair that will be used with Stunnel.
- Ability to install software on a Microsoft Windows (64-bit) OS, typically Microsoft Windows Server. The system will have to remain in operation continually to run the Stunnel software and proxy the TLS connection from Butterfly Cloud.
- Download the latest Stunnel Win64 installer and copy it to the server. Visit https://www.stunnel.org/downloads.html to download the latest version.
- On your firewall, NAT or port-forward the port on which you wish to receive the encrypted DICOM-TLS data from Butterfly Cloud to the server that has Stunnel installed.
- Log in to Butterfly Cloud using your browser. Ensure that your user role in Butterfly Cloud is Administrator.
- Navigate to the DICOM Configuration menu: click your username in the upper right of the window and select Organization Settings.
- Select the Connectivity tab and click the ‘+ Add’ option next to Connections to create a new TLS end-point that will be used with your DICOM integration.
- Proceed to enter all of the necessary DICOM connection parameters:
  - Name = friendly name for the Connection.
  - In the 'Security' section, set TLS to 'Active' and select the 'Generate' option.
  - Select the PEM download format and click 'Download'. Ensure that you receive 2 files: Butterfly_SCP_Cert.pem and Butterfly_SCP_key.pem.
  - These 2 files will be used in a later step, during the configuration of your TLS termination.
  - In the 'SCP' section, enter the Host information: the DNS name or IP of your TLS end-point.
  - Please note that the IP address must be a public IP that is reachable from Butterfly Cloud. This will typically be the IP address of your network firewall, router, or TLS termination device. Non-routable/private IP addresses are not valid.
- Click Save, then click on the Connectivity tab to create the DICOM Integration.
- After clicking on the Connectivity tab, click the ‘+ Add’ option next to Integrations and select PACS/VNA.
- Give your PACS/VNA a friendly Name, and associate it with the TLS Connection created in the 'Setup Connection from Butterfly Cloud and Download Digital Certificate' step.
- Proceed to enter all of the necessary DICOM integration parameters:
  - SCU - Calling AET = the source AE Title of Butterfly Cloud (typically ‘BUTTERFLY’).
  - SCP - AET = the AE Title of your DICOM destination.
  - Port = the port that you will forward from your firewall or router to the computer hosting the Stunnel software.
  - Port 2761/TCP is typically used for DICOM-TLS.
  - Port 2762/TCP may be used in addition if DICOM Modality Worklist will be used.
  - Please note that the port entered here is the public-facing port exposed by your TLS termination point.
- Set the Compression level of the DICOM Images and Cine Loop as required or preferred. The settings above are typical. Select ‘Save Configuration’ to complete the setup.
- Install the application with the default options to the path C:\stunnel.
- Copy both PEM files from the previous step to the C:\stunnel\config directory.
- When complete, you should have the Cert and Key files (Butterfly_SCP_Cert.pem and Butterfly_SCP_Key.pem) in the C:\stunnel\config directory.
- Open the C:\stunnel\config\stunnel.conf file with a text editor.
- Copy the text below into the file, directly below this line:

  ;********************************* Example TLS server mode services

  sslVersion = TLSv1.2

  [DICOM STORE]
  accept = 2761
  connect = 192.168.1.100:104
  cert = Butterfly_SCP_Cert.pem
  key = Butterfly_SCP_Key.pem

- The “accept” port will receive the traffic from your firewall. Edit this value as needed.
- The “connect” IP/port is the destination (PACS) to which the decrypted DICOM data will be forwarded from Stunnel. Edit this value as needed.
- The “cert” should reference the name of the Cert file and the “key” should reference the name of the Key file located in the C:\stunnel\config directory.
- (OPTIONAL) If Butterfly will be connecting to a second PACS or a Modality Worklist, make a second copy of the above configuration block with a new name (e.g. [DICOM DMWL]) and adjust the connection values as needed. You may need to NAT or forward a second port from your firewall as well.
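The steps above edit stunnel.conf by hand. The following pre-flight check is an added example (not Butterfly or Stunnel project code, and written in Python rather than PowerShell so it runs on any machine) that catches the usual slips before the service is started: it parses the stunnel.conf sections, verifies that each service's accept port is numeric and not shared with another service (a second PACS or worklist needs its own port, as noted above), that connect is host:port, that the cert and key files are actually present in the config directory, and that TLSv1.2 is in effect. The sample configurations, the temporary directory and the placeholder PEM files are constructed for the demonstration. The 'verify' note it emits is an observation beyond the guide: Stunnel does not request a client certificate unless that option is configured, so the firewall rule is what limits who can reach the accept port.

```python
"""Pre-flight check for the DICOM service sections of stunnel.conf (added example,
not Butterfly or Stunnel project code). Parses the INI-style format (';' comments,
'[name]' service headers, 'key = value' lines) and reports the mistakes that most
often stop the proxy from binding or forwarding. Samples below are constructed."""
import os
import re
import tempfile
from typing import Dict, List, Tuple

def parse_stunnel_conf(text: str) -> Tuple[Dict[str, str], Dict[str, Dict[str, str]]]:
    """Return (global options, {service name: options}) from stunnel.conf text."""
    global_opts: Dict[str, str] = {}
    services: Dict[str, Dict[str, str]] = {}
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":  # blank line or comment
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:  # start of a service section
            current = services.setdefault(header.group(1).strip(), {})
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return global_opts, services

def check_services(global_opts, services, config_dir) -> Dict[str, List[str]]:
    """Return {'errors': [...], 'notes': [...]} for a parsed configuration."""
    errors: List[str] = []
    notes: List[str] = []
    accept_owner: Dict[str, str] = {}  # accept port -> service that owns it
    for name, opts in services.items():
        effective = {**global_opts, **opts}  # service options override globals
        version = effective.get("sslVersion")
        if version != "TLSv1.2":
            errors.append(f"[{name}] sslVersion is {version!r}, guide expects TLSv1.2")
        accept = effective.get("accept", "")
        port = accept.rsplit(":", 1)[-1]  # 'accept' may be a port or host:port
        if not (port.isdigit() and 1 <= int(port) <= 65535):
            errors.append(f"[{name}] accept {accept!r} is not a valid port")
        elif port in accept_owner:
            errors.append(f"[{name}] accept port {port} already used by [{accept_owner[port]}]")
        else:
            accept_owner[port] = name
        connect = effective.get("connect", "")
        if not re.match(r"^[A-Za-z0-9.\-]+:\d{1,5}$", connect):
            errors.append(f"[{name}] connect {connect!r} must be host:port")
        for key in ("cert", "key"):
            fname = effective.get(key)
            if fname is None:
                errors.append(f"[{name}] missing '{key}'")
            elif not os.path.isfile(os.path.join(config_dir, fname)):
                errors.append(f"[{name}] {key} file {fname!r} not found in {config_dir}")
        # Stunnel only asks for a client certificate when 'verify' is set; without it,
        # the firewall rule is what limits who can reach the accept port.
        if "verify" not in effective:
            notes.append(f"[{name}] no 'verify' option: client certificates are not checked")
    return {"errors": errors, "notes": notes}

def check_conf_text(text: str, config_dir: str) -> Dict[str, List[str]]:
    """Parse and check a configuration in one call."""
    global_opts, services = parse_stunnel_conf(text)
    return check_services(global_opts, services, config_dir)

def make_demo_config_dir() -> str:
    """Create a throwaway directory holding the two PEM file names from the guide."""
    path = tempfile.mkdtemp(prefix="stunnel_demo_")
    for fname in ("Butterfly_SCP_Cert.pem", "Butterfly_SCP_Key.pem"):
        with open(os.path.join(path, fname), "w") as fh:
            fh.write("placeholder, not a real certificate or key\n")
    return path

# Constructed sample: the guide's block plus the optional second (worklist) service.
GOOD_CONF = """sslVersion = TLSv1.2
[DICOM STORE]
accept = 2761
connect = 192.168.1.100:104
cert = Butterfly_SCP_Cert.pem
key = Butterfly_SCP_Key.pem
[DICOM DMWL]
accept = 2762
connect = 192.168.1.101:104
cert = Butterfly_SCP_Cert.pem
key = Butterfly_SCP_Key.pem
"""
# Constructed sample with three typical mistakes in the second service: a reused accept
# port, a connect value without a port, and a key file name never copied into config\.
BAD_CONF = (GOOD_CONF.replace("accept = 2762", "accept = 2761")
            .replace("192.168.1.101:104", "192.168.1.101"))
BAD_CONF = BAD_CONF[:BAD_CONF.rfind("key = ")] + "key = SCP_Key.pem\n"

if __name__ == "__main__":
    for label, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(label, check_conf_text(conf, make_demo_config_dir()))
```

On a real install, read C:\stunnel\config\stunnel.conf into `check_conf_text` with `config_dir` set to C:\stunnel\config; any entry under "errors" corresponds to a message you would otherwise first see in the Stunnel log window at startup.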
- Run the “stunnel AllUsers” shortcut located on the desktop.
- There should be no Error messages in the log window. See the example below:
2019.06.07 15:16:10 LOG6[main]: Loading certificate from file: SCP_Cert.pem
2019.06.07 15:16:10 LOG6[main]: Certificate loaded from file: SCP_Cert.pem
2019.06.07 15:16:10 LOG6[main]: Loading private key from file: SCP_key.pem
2019.06.07 15:16:10 LOG6[main]: Private key loaded from file: SCP_key.pem
2019.06.07 15:16:10 LOG7[main]: Private key check succeeded
2019.06.07 15:16:10 LOG6[main]: DH initialization not needed
2019.06.07 15:16:10 LOG7[main]: ECDH initialization
2019.06.07 15:16:10 LOG7[main]: ECDH initialized with curves X25519:P-256:X448:P-521:P-384
2019.06.07 15:16:10 LOG5[main]: Configuration successful
2019.06.07 15:16:10 LOG7[main]: Deallocating section defaults
2019.06.07 15:16:10 LOG7[main]: Binding service [DICOM 1]
2019.06.07 15:16:10 LOG7[main]: Listening file descriptor created (FD=900)
2019.06.07 15:16:10 LOG7[main]: Setting accept socket options (FD=900)
2019.06.07 15:16:10 LOG7[main]: Option SO_EXCLUSIVEADDRUSE set on accept socket
2019.06.07 15:16:10 LOG6[main]: Service [DICOM 1] (FD=900) bound to 0.0.0.0:2761
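To check a startup log like the one above programmatically, for instance once Stunnel runs as a service and you only have its log file, here is an added example, not Butterfly or Stunnel project code. Stunnel prefixes each line with a syslog-style level (LOG3 error, LOG4 warning, LOG5 notice, LOG6 info, LOG7 debug); the parser pulls out that level and the message, confirms that "Configuration successful" was logged, collects the address each service bound to, and lists anything at warning level or worse. SAMPLE_LOG is the guide's log; FAILED_LOG is constructed to approximate what a bind failure on an already-occupied port looks like and is not real Stunnel output.

```python
"""Check a Stunnel startup log for a clean bind (added example, not Butterfly or
Stunnel project code). Each line carries a syslog-style level: LOG3 error,
LOG4 warning, LOG5 notice, LOG6 info, LOG7 debug. SAMPLE_LOG is the guide's log;
FAILED_LOG is constructed to approximate a port already held by another program."""
import re
from typing import Dict, List, NamedTuple

# "2019.06.07 15:16:10 LOG6[main]: message" -> date, time, level, thread, message
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) LOG(?P<level>\d)\[(?P<thread>[^\]]+)\]: (?P<msg>.*)$")
# "Service [DICOM 1] (FD=900) bound to 0.0.0.0:2761" -> service name and listen address
BOUND_RE = re.compile(r"^Service \[(?P<service>[^\]]+)\] \(FD=\d+\) bound to (?P<addr>\S+)$")

class Entry(NamedTuple):
    level: int
    thread: str
    message: str

def parse_log(text: str) -> List[Entry]:
    """Turn raw log text into Entry records; lines that do not match are ignored."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(int(m.group("level")), m.group("thread"), m.group("msg")))
    return entries

def summarize(text: str) -> Dict[str, object]:
    """Report whether the config loaded, which services bound, and any warnings/errors."""
    entries = parse_log(text)
    bound: Dict[str, str] = {}
    for e in entries:
        b = BOUND_RE.match(e.message)
        if b:
            bound[b.group("service")] = b.group("addr")
    problems = [e.message for e in entries if e.level <= 4]  # warning or worse
    configured = any(e.message == "Configuration successful" for e in entries)
    return {"configured": configured, "bound": bound, "problems": problems,
            "ok": configured and bool(bound) and not problems}

# Startup log from the guide above.
SAMPLE_LOG = """
2019.06.07 15:16:10 LOG6[main]: Loading certificate from file: SCP_Cert.pem
2019.06.07 15:16:10 LOG6[main]: Certificate loaded from file: SCP_Cert.pem
2019.06.07 15:16:10 LOG6[main]: Loading private key from file: SCP_key.pem
2019.06.07 15:16:10 LOG6[main]: Private key loaded from file: SCP_key.pem
2019.06.07 15:16:10 LOG7[main]: Private key check succeeded
2019.06.07 15:16:10 LOG6[main]: DH initialization not needed
2019.06.07 15:16:10 LOG7[main]: ECDH initialization
2019.06.07 15:16:10 LOG7[main]: ECDH initialized with curves X25519:P-256:X448:P-521:P-384
2019.06.07 15:16:10 LOG5[main]: Configuration successful
2019.06.07 15:16:10 LOG7[main]: Deallocating section defaults
2019.06.07 15:16:10 LOG7[main]: Binding service [DICOM 1]
2019.06.07 15:16:10 LOG7[main]: Listening file descriptor created (FD=900)
2019.06.07 15:16:10 LOG7[main]: Setting accept socket options (FD=900)
2019.06.07 15:16:10 LOG7[main]: Option SO_EXCLUSIVEADDRUSE set on accept socket
2019.06.07 15:16:10 LOG6[main]: Service [DICOM 1] (FD=900) bound to 0.0.0.0:2761
"""

# Constructed lines approximating a failed bind when port 2761 is already in use.
FAILED_LOG = """
2019.06.07 15:20:01 LOG5[main]: Configuration successful
2019.06.07 15:20:01 LOG7[main]: Binding service [DICOM 1]
2019.06.07 15:20:01 LOG3[main]: Error binding service [DICOM 1] to 0.0.0.0:2761
2019.06.07 15:20:01 LOG3[main]: bind: Address already in use (WSAEADDRINUSE) (10048)
"""

if __name__ == "__main__":
    for label, log in (("sample", SAMPLE_LOG), ("failed", FAILED_LOG)):
        print(label, summarize(log))
```

A result with "ok" set to True means the certificate and key loaded, the configuration was accepted and at least one service is listening; if "bound" is empty or "problems" is non-empty, fix the configuration before installing the service in the next step.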
- Close Stunnel.
- From the Windows Start Menu, run the “Stunnel Service Install” shortcut.
- This will install Stunnel so that it runs continually as a Windows service.
- Start the stunnel service and test the connection from Butterfly Cloud using the steps below.
- Switch back to Butterfly Cloud in the browser.
- Navigate to the Integrations menu: click your username in the upper right of the window and select Organization Settings.
- Select the Connectivity tab and click the ‘...’ next to the newly created DICOM integration. Select the Echo option to perform a DICOM C-ECHO from Butterfly Cloud.
- Click Echo, then click ‘Echo’ again in the upper right of the pop-up menu. This triggers a new DICOM C-ECHO; verify that the output is similar to the output shown below.
- Congratulations, you have set up an encrypted DICOM-TLS connection to your DICOM destination.
- To automatically send any studies saved to a Butterfly Cloud folder to your DICOM end-point, you can associate it with an Archive.
- Select the Archive folder that you would like to associate with the DICOM connection. Select Archive Settings.
- Choose the DICOM Storage location to associate with the Archive folder.
- Now any study saved to this folder (using the Butterfly iQ App) will automatically be forwarded to the chosen DICOM destination.