In this how-to guide, you will learn how to sync Medical Imaging Server for DICOM metadata with FHIR by enabling DICOM Cast with Managed Identity authentication.
For healthcare organizations seeking to integrate clinical and imaging data through the FHIR® standard, DICOM Cast synchronizes DICOM image changes to the FHIR™ ImagingStudy resource. This allows you to sync DICOM studies, series and instances into the FHIR™ ImagingStudy resource.
Once you have completed the prerequisites and enabled authentication between your Medical Imaging Server for DICOM, your FHIR Server and your DICOM Cast deployment, you have enabled DICOM Cast. When you upload files to your Medical Imaging Server for DICOM, the corresponding FHIR resources will be persisted in your FHIR server.
To learn more about DICOM Cast, see the DICOM Cast Concept.
To enable DICOM Cast, you need to complete the following steps:
NOTE: When deploying an OSS FHIR Server, set the Sql Schema Automatic Updates Enabled setting to true. This determines whether the SQL schema is automatically initialized and upgraded on server setup.
Currently, three types of authentication are supported for both the FHIR Server for Azure and the Medical Imaging Server for DICOM: Managed Identity, OAuth2 Client Credential and OAuth2 User Password. Authentication is configured via the application settings by setting the appropriate values in the Authentication property of the given server. For details on the three types, see DICOM Cast authentication.
This section provides an end-to-end guide for configuring authentication with Managed Identity.
For both your FHIR and DICOM servers, you will create a resource application in Azure. Follow the instructions below for each server, once for your Medical Imaging Server for DICOM and once for your FHIR Server.
- Sign into the Azure Portal. Search for App Services and select the FHIR or DICOM App Service. Copy the URL of the App Service.
- Select Azure Active Directory > App Registrations > New registration:
  - Enter a Name for your app registration.
  - In Redirect URI, select Web and enter the URL of your App Service.
  - Select Register.
- Select Expose an API > Set. You can specify a URI as the URL of your app service or use the generated App ID URI. Select Save.
- Select Add a Scope:
  - In Scope name, enter user_impersonation.
  - In the text boxes, add an admin consent display name and admin consent description you want users to see on the consent page. For example, access my app.
For both your FHIR and DICOM servers, you will set the Audience and Authority for Authentication. Follow the instructions below for each server, once for your Medical Imaging Server for DICOM and once for your FHIR Server.
- Navigate to the App Service that you deployed to Azure.
- Select Configuration to update the Audience, Authority, and Security:Enabled:
  - Set the Application ID URI from the App Service as the Audience.
  - Authority is whichever tenant your application exists in, for example: `https://login.microsoftonline.com/<tenant-name>.onmicrosoft.com`.
  - Set Security:Enabled to be `True`.
- Save your changes to the configuration.
- Navigate to the DICOM Cast Key Vault that was created when you deployed DICOM Cast.
- Select Access Policies in the menu bar and click Add Access Policy.
- Under Configure from template, select Secret Management.
- Under Select principal, click None selected. Search for your Service Principal, click Select and then Add.
- Select Save.
- Select Secrets in the menu bar and click Generate/Import. Use the tables below to add secrets for your DICOM and FHIR servers. For each secret, use the Manual Upload option and click Create:

| Name | Value |
|---|---|
| DICOM--Endpoint | <dicom-server-url> |
| DicomWeb--Authentication--Enabled | true |
| DicomWeb--Authentication--AuthenticationType | ManagedIdentity |
| DicomWeb--Authentication--ManagedIdentityCredential--Resource | <dicom-audience> |

| Name | Value |
|---|---|
| Fhir--Endpoint | <fhir-server-url> |
| Fhir--Authentication--Enabled | true |
| Fhir--Authentication--AuthenticationType | ManagedIdentity |
| Fhir--Authentication--ManagedIdentityCredential--Resource | <fhir-server-url> |

Now that you have enabled authentication for DICOM Cast, you have to stop and start the Azure Container Instance to pick up the new configuration:
- Navigate to the Container Instance created when you deployed DICOM Cast.
- Click Stop and then Start.
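
A pre-flight check for the values entered above, as an added example that is not part of the original guide or the DICOM Cast project: it lints the Key Vault secrets for one server and compares the ManagedIdentityCredential Resource with that server's Audience. The function name, the sample URLs, the https check and the exact-match rule are assumptions made for illustration.

```python
"""Offline lint for the DICOM Cast Key Vault secrets (added example, constructed data)."""
from urllib.parse import urlparse

def lint_cast_secrets(secrets, prefix, endpoint_key, server_audience):
    """Return findings for one server's secrets; an empty list means consistent."""
    auth = f"{prefix}--Authentication--"
    resource_key = auth + "ManagedIdentityCredential--Resource"
    required = [endpoint_key, auth + "Enabled", auth + "AuthenticationType", resource_key]
    findings = [f"missing secret: {k}" for k in required if not secrets.get(k, "").strip()]
    if findings:
        return findings
    url = urlparse(secrets[endpoint_key])
    if url.scheme != "https" or not url.netloc:
        findings.append(f"{endpoint_key}: expected an https:// URL")
    if secrets[auth + "Enabled"].strip().lower() != "true":
        findings.append(f"{auth}Enabled: authentication is not enabled")
    if secrets[auth + "AuthenticationType"] != "ManagedIdentity":
        findings.append(f"{auth}AuthenticationType: not ManagedIdentity")
    # Assumption: the resource the managed identity requests a token for must be
    # the same string as the Audience app setting configured on the server.
    if secrets[resource_key] != server_audience:
        findings.append(f"{resource_key}: does not match server Audience {server_audience!r}")
    return findings

# Constructed sample values; the FHIR resource has a trailing slash the Audience lacks.
DICOM_AUDIENCE = "api://constructed-dicom-app"
FHIR_AUDIENCE = "https://fhir.example.org"
SAMPLE_SECRETS = {
    "DICOM--Endpoint": "https://dicom.example.org",
    "DicomWeb--Authentication--Enabled": "true",
    "DicomWeb--Authentication--AuthenticationType": "ManagedIdentity",
    "DicomWeb--Authentication--ManagedIdentityCredential--Resource": "api://constructed-dicom-app",
    "Fhir--Endpoint": "https://fhir.example.org",
    "Fhir--Authentication--Enabled": "true",
    "Fhir--Authentication--AuthenticationType": "ManagedIdentity",
    "Fhir--Authentication--ManagedIdentityCredential--Resource": "https://fhir.example.org/",
}

def lint_sample():
    """Lint the constructed sample for both servers."""
    return {
        "dicom": lint_cast_secrets(SAMPLE_SECRETS, "DicomWeb", "DICOM--Endpoint", DICOM_AUDIENCE),
        "fhir": lint_cast_secrets(SAMPLE_SECRETS, "Fhir", "Fhir--Endpoint", FHIR_AUDIENCE),
    }

if __name__ == "__main__":
    for server, findings in lint_sample().items():
        print(server, "OK" if not findings else findings)
```
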
In this how-to guide, you learned how to enable DICOM Cast using Managed Identity authentication. Now you can upload DICOM files to your Medical Imaging Server for DICOM, and the corresponding FHIR resources will be populated in your FHIR server.
To manage authentication with OAuth2 Client Credentials or OAuth2 User Passwords, see DICOM Cast authentication.
For an overview of DICOM Cast, see DICOM Cast Concept.
To upload files to your DICOM Server, refer to Use the Medical Imaging Server APIs.
You can Access FHIR Server with Postman to see the FHIR resources populated via DICOM Cast.