
Osirix DICOM-TLS Connectivity with Butterfly DICOM Connector

Introduction

When a medical modality or a DICOM software client connects to a PACS server, communication begins between the systems. Typically, this communication is unsecured, meaning any third party with access to that network segment could potentially see what data is being exchanged. The Butterfly DICOM Connector creates a secure, encrypted connection between Butterfly Cloud and Osirix using DICOM-TLS. This enables secure transmission of ultrasound studies captured with Butterfly iQ, via the Butterfly Cloud, to an instance of Osirix DICOM Viewer.

The Butterfly DICOM Connector utilizes DICOM-TLS (Transport Layer Security, v 1.2) to facilitate point-to-point encrypted communication without the drawbacks and setup challenges associated with a VPN tunnel.

Osirix has native support for DICOM-TLS, which allows for a straightforward process to establish connectivity.

 

Prerequisites

  1. A fully functioning installation of Osirix DICOM Viewer on a Mac.

  2. Admin access to the Mac computer that is hosting the software.

  3. Ensure that you have access to Butterfly Cloud (cloud.butterflynetwork.com) so that you can configure the PACS connection. The PACS configuration screen will provide you with the digital certificate-key pair that will need to be imported into the Mac Keychain Access utility.

  4. On your network firewall or router, NAT or port-forward the port on which you wish to receive the encrypted DICOM-TLS data from Butterfly Cloud to the TLS listener port of Osirix.

  5. If on a Mac, access to terminal with sudo.
 

Set Up Connection from Butterfly Cloud and Download Digital Certificate

  1. Log in to Butterfly Cloud using your Browser - ensure that your user role in Butterfly Cloud is that of Administrator.

  2. Navigate to the DICOM Configuration menu. Click your username in the upper right of the window and select Organization Settings.

    Org_Settings_2.png
  3. Select the Connectivity tab and click the ‘+ Add’ option next to Connections to create a new TLS end-point that will be used with your DICOM integration.

    New_Connectivity_Menu.png
  4. Proceed to enter all of the necessary DICOM connection parameters.

    Connection_Parameters.png
    1. Name = Friendly name for the Connection.

    2. In the 'Security' section - set TLS to 'Active' and select the 'Generate' option.

    3. Select PFX as the download format, and ensure that you copy/save the Secret password for later use

      PFX_File.png
      1. You will be prompted to download the Butterfly_SCP_key_pair.pfx file which contains the Digital Certificate

    4. In the 'SCP' section - Enter the Host information, DNS name or IP of your TLS end-point.

      1. Please note that the IP address must be a public IP that can be accessible from Butterfly Cloud to your network. This will typically be the IP address of your network firewall, router, or TLS termination device. Non-routable/private IP addresses are not valid.

  5. Click Save, then click on the Connectivity tab to create the DICOM Integration.

 

Configure the DICOM Integration and Associate the TLS Connection

  1. After clicking on the Connectivity tab, click the ‘+ Add’ option next to Integrations and select PACS/VNA.

    Add_PACS_VNA.png
  2. Give your PACS/VNA a friendly Name, and associate it with the TLS Connection created in the section "Set Up Connection from Butterfly Cloud and Download Digital Certificate".

    NAME_PACS.png
  3. Proceed to enter all of the necessary DICOM integration parameters.

    DICOM_Parameter_Fields.png
    1. SCU - Calling AET = The source AE Title of Butterfly Cloud (typically ‘BUTTERFLY’).

    2. SCP - AET = the AE Title of your DICOM destination.

    3. Enter a Port that you will need to forward from your firewall or router to your Mac computer hosting Osirix. (This is typically port 11113.)

    4. Please note that the port that is entered here is the public-facing port that is exposed by your TLS termination point.

  4. Set the Compression level of the DICOM Images and Cine Loop as required or preferred. The settings above are typical. Select ‘Save Configuration’ to complete the setup.

 

Import the Certificate Into Mac OS

  1. Open a Terminal session.
  2. Identify the file path to the .pfx file that you previously downloaded from Butterfly Cloud.
  3. Run the following command to install openssl: 
    brew install openssl
  4. Run the following command, replacing the first brackets with the location of your pfx file and the second brackets with your secret key from Butterfly Cloud:
    sudo openssl pkcs12 -in [file path to PFX file] -legacy -out temp.pem -nodes -password pass:[Secret Key from Butterfly Cloud]
  5. Run the following command:
    sudo security import temp.pem -k ~/Library/Keychains/login.keychain-db -t agg -f pemseq
  6. Verify the certificate and key import:
    1. Open the Keychain Access app.
    2. Select the login keychain.
    3. Select the Certificates category.
    4. Verify that the certificate and key are present in the list.
  7. Open the Keychain Access application by using the Finder menu, then select the Certificates category in the login keychain.

    Screenshot 2023-12-24 at 2.19.57 PM.png

  8. Congrats, you have just imported the Butterfly Cloud SSL/TLS Certificate pfx file.
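
The import steps above pass the secret on the command line and, because of -nodes, leave the private key unencrypted in temp.pem. The following script is an added example, not part of the original article or Butterfly's tooling: it runs the same openssl and security commands but reads the secret from an environment variable, checks the PEM bundle before import, and deletes the key file afterwards. The PFX_SECRET variable, the function names, the ~/Downloads path and running without sudo are assumptions of this sketch.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): the PFX -> PEM -> keychain
# steps with the secret kept off the command line and the key file cleaned up.
# Assumptions: PFX_SECRET env variable, function names, no sudo.

# Succeeds only if the bundle holds >=1 certificate, exactly one private key,
# and grants no permissions to group or other users.
check_pem_bundle() {
    local pem="$1" certs keys perms
    [ -f "$pem" ] || { echo "missing: $pem" >&2; return 1; }
    certs=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$pem" || true)
    keys=$(grep -c -E -- '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$pem" || true)
    perms=$(ls -ln "$pem" | cut -c5-10)   # group + other permission bits
    [ "$certs" -ge 1 ] || { echo "no certificate in $pem" >&2; return 1; }
    [ "$keys" -eq 1 ] || { echo "expected 1 private key, found $keys" >&2; return 1; }
    [ "$perms" = "------" ] || { echo "$pem is accessible to other users" >&2; return 1; }
}

# Converts the PFX, validates the result, imports it into the login keychain,
# and removes the unencrypted key file whether or not the import succeeded.
import_butterfly_pfx() {
    local pfx="$1" pem rc
    [ -n "${PFX_SECRET:-}" ] || { echo "export PFX_SECRET first" >&2; return 1; }
    pem=$(mktemp "${TMPDIR:-/tmp}/butterfly.XXXXXX") || return 1   # mode 0600
    if openssl pkcs12 -in "$pfx" -legacy -nodes -out "$pem" -passin env:PFX_SECRET &&
       check_pem_bundle "$pem" &&
       security import "$pem" -k ~/Library/Keychains/login.keychain-db -t agg -f pemseq
    then rc=0; else rc=1; fi
    rm -f "$pem"
    return "$rc"
}

# Usage (path is a constructed example):
#   read -rs PFX_SECRET && export PFX_SECRET    # paste the secret, not echoed
#   import_butterfly_pfx ~/Downloads/Butterfly_SCP_key_pair.pfx
#   unset PFX_SECRET
```
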

 

OsiriX TLS DICOM Listener Setup

Referenced from the OsiriX Security Guide: https://www.osirix-viewer.com/osirix/osirix-user-manual/

  1. Open OsiriX.

  2. Open Preferences (in the OsiriX Menu).

  3. Select the Listener preferences.

    Listener_Preferences.png
  4. As the last option of this group of settings, you will find the DICOM TLS Listener. Click on the TLS Settings button.

    TLS_Settings.png
  5. In the TLS Settings, click on the Activate DICOM TLS Listener check box, and choose an AETitle and a Port number (it must be different from the default DICOM Listener port - use the Default port 11113). Then click on the Choose button to select the certificate to use for TLS communications.

    Choose.png
  6. The list of available certificates will appear. Select the recently imported ‘Butterfly Network’ Certificate, and click the Choose button.

    Choose_Cerr.png
  7. Select your preferred Cipher Suites - we recommend using AES-256 based Cipher Suites.

    Activate_Listener.png
  8. The chosen AETitle and Port will be displayed on the Listener Preferences window.

    AE_Title.png
  9. You can now receive encrypted DICOM communications on the chosen Port.

 

Verify the Connection from Butterfly Cloud

  1. Switch back to Butterfly Cloud in the Browser.

  2. Navigate to the integrations menu. Click your username in the upper right of the window and select Organization Settings.

    Org_Settings.png
  3. Select the Connectivity tab and click the ‘...’ next to the newly created DICOM integration. Select the Echo option to perform a DICOM C-ECHO from Butterfly Cloud.

    Echo.png
  4. Click Echo, then click on ‘Echo’ again in the upper right of the pop-up menu. This triggers a new DICOM C-ECHO; please verify the output is similar to below.

    Echo_Settings.png
  5. Congratulations - you have set up an encrypted DICOM-TLS connection to your DICOM destination.

 

(Optional) - Automatic Forwarding to DICOM Storage

  1. To automatically send any studies saved to a Butterfly Cloud folder to your DICOM end-point, you can associate it with an Archive.

  2. Select the Archive folder that you would like to associate with the DICOM connection.  Select Archive Settings.

    Archive_Settings.png
  3. Choose the DICOM Storage location to associate with the Archive folder.

    PACS_Assignment.png
  4. Now any study saved to this folder (using the Butterfly iQ App) will automatically forward to the chosen DICOM destination.

 
 