Академический Документы
Профессиональный Документы
Культура Документы
HIPAA
Copyright (C) Canon Inc. Medical Technical Service Dept. All rights reserved
CONTENT
1. HIPAA................................................................................................................................................1
1) Overview ........................................................................................................................................1
2) Functions........................................................................................................................................1
3) Overall image of HIPAA support....................................................................................................1
4) Strage Commitment (Structuring) ..................................................................................................2
5) Installation .....................................................................................................................................3
1) Purpose ..........................................................................................................................................6
2) Overview ........................................................................................................................................6
3) Login operation flow ......................................................................................................................7
4) LOGIN screen details.....................................................................................................................8
5) Auto Logout function......................................................................................................................9
6) Logout function ............................................................................................................................10
7) User authentication setup ............................................................................................................ 11
8) User Management screen and User Properties screen ................................................................12
9) Summary of User Privileges.........................................................................................................13
10) Installation, operation and service..........................................................................................14
11) Operator’s Name display on the STUDY INFO. screen...........................................................15
12) Summary of setting items (MenuPara.ini file).........................................................................16
13) Setup procedure.......................................................................................................................16
3. Audit Log.........................................................................................................................................17
1) Overview ......................................................................................................................................17
2) Operating environment ................................................................................................................17
3) Configuration ...............................................................................................................................18
4) Audit Log Module functions .........................................................................................................19
5) Operation log ...............................................................................................................................20
6) CONFIG file setting items............................................................................................................21
7) Setup procedure............................................................................................................................22
1) Overview ......................................................................................................................................23
2) Setup procedure............................................................................................................................23
i
5. Node Authentication Function .......................................................................................................24
1) Overview ......................................................................................................................................24
2) Purpose ........................................................................................................................................24
3) Functions......................................................................................................................................25
4) TLS ...............................................................................................................................................26
5) Public key encoding method.........................................................................................................27
6) Electronic certificates ..................................................................................................................29
7) Certificate installation .................................................................................................................31
8) Operation method ........................................................................................................................31
9) Setup method ................................................................................................................................32
10) Troubleshooting.......................................................................................................................34
1) Overview ......................................................................................................................................35
2) Setup Procedure ...........................................................................................................................35
1) Overview ......................................................................................................................................50
2) Setup Procedure ...........................................................................................................................50
ii
V6.4 New Function Descriptions Appendix 6
1. HIPAA
1) Overview
HIPAA (Health Insurance Portability and Accountability Act of 1996) is a law that should be strictly
observed by hospitals.
The CXDI with system software versions 6.3 and later provides a device that makes it easy for
hospitals to support HIPAA.
2) Functions
System software versions 6.3 and later support HIPAA, so the IHE Basic Security Integration Profile
is supported.
This support can be broadly divided into the following four functions.
・User Authentication ......................................* For details, see “2. User Authentication Function”.
・Log Generation (Generation of audit records) * For details, see “3. Audit Log”.
・Time Synchronization ...................................* For details, see “4. Maintain Time Setup”.
・Node Authentication .....................................* For details, see “5. Node Authentication Function”.
System software version6.4 and later versions are supported “Reject Reason function”.
And also, combination DMW_PS2 Ver4.1 or later versions are support “storage commitment
function”.
・Reject Reason ...............................................* For details, see “6. Reject Reason Function”.
・Storage Commitment ....................................* For details, see “7. Storage commitment Function”.
User Authentication
PACS
Auto Logoff
Printer
Node
Authentic
RIS,
CXDI etc
Audit Log
Maintain Time
WindowsTimeService
TimeServer ARR
1
V6.4 New Function Descriptions Appendix 6
Commit folder
Node authentication
commit.exe Request Association Connection
Storage commitment result (N-EVENT-REPORT)
2
V6.4 New Function Descriptions Appendix 6
5) Installation
Before running HIPAASetupTool.exe, upgrade to version 6.4 and complete installation with the
CXDI environment setup tool (CxdiEnv.exe).
For details, see “V6.4 New Function Descriptions - APPENDIX-3. Upgrade Procedure Manual”.
The six functions mentioned above can be turned ON and OFF using the HIPAA setup tool
HIPAASetupTool.exe. The installation defaults set the HIPAA functions to the disabled state.
2. Make the necessary User Authentication function settings and Reject Reason, then click [NEXT].
* For details, see “2. User Authentication Function”,”6.Reject Reason function”.
3
V6.4 New Function Descriptions Appendix 6
4
V6.4 New Function Descriptions Appendix 6
5. Make the necessary Node Authentication function settings, then click [NEXT].
* For details, see “5. Node Authentication Function”.
6. Make the necessary Storage commitment function settings, then click [NEXT].
* For details, see “7. Storage commitment Function”.
5
V6.4 New Function Descriptions Appendix 6
1) Purpose
User authentication is a part of HIPAA support, and improves security by having CXDI operators
login and logout.
2) Overview
・ The User Authentication function is comprised of a database for saving user names, passwords,
operators’ names, and privileges, and modules for database registration and editing.
HIPAA
Log
Module
・ The Opera Module (Opera.DLL) controls the operator information for the User Authentication
function (login), and has an interface for the OPU and the operator information.
・ The Opera Module is started up from the OPU, and outputs the log to the HIPAA Audit Log
Module as necessary.
・ During the initial user authentication (login) when there is no Opera.MDB, an Opera.MDB is
generated by the Opera Module.
At this time the service engineer logs in with the administrator privilege of the default “user
name: admin” and “password: xxxxx”.
・ When the Opera.MDB contents are changed, the Opera Module creates a backup of the database
file.
File backups are saved in D:\ccr\OLD as the file name “Operayyyymmddhhmmss.MDB”. Up to
ten backup files are stored, and the superfluous files are deleted in time order from the oldest
one.
admin
6
V6.4 New Function Descriptions Appendix 6
(Exposure Screen)
7
V6.4 New Function Descriptions Appendix 6
(LOGIN Screen)
・ The following errors may occur at the LOGIN screen depending on the circumstances.
User name could not be found. User Name or Password is wrong. Enter the correct User Name
Password does not match. and Password.
Database file cannot be read. Database file cannot be read. Database is broken or user data
cannot be found. CXDI will shut down. Please call service.
⇒SHUTDOWN Menu
8
V6.4 New Function Descriptions Appendix 6
・ The Auto Logout function operates at all screens except the following.*2
*2① Each setup screens under the Setup Menu, Edit Exposure Mode, Calibration, Self Test, Error
(However, the Auto Logout function operates for gray message boxes displayed by modules
other than OPU or by CCR and DLL.)
When Auto Logout is enabled during startup, a message appears and Auto Logout is set to
“DISABLE”.
When Auto Logout is enabled on the LOGIN/LOGOUT Setup screens, a message appears and
Auto Logout is set to “DISABLE”.
Message: “Because Generator Communication Module is set to Two-Way Communication type,
Auto Logout Setting will be invalidated.”
・ Auto Logout EABLE/DISABLE and the Auto Logout Time can be set.
(Setting range: 1 to 60 minutes. The default is 10 minutes.)
These operations are available only to users with administrator privileges, and cannot be
performed by general users.
(LOGIN/LOGOUT Screen)
9
V6.4 New Function Descriptions Appendix 6
6) Logout function
・ Logout is performed by touching the LOGOUT button and by the Auto Logout function.
・ In principle, the screen immediately after login displays the status immediately before the
LOGOUT button was pressed.
・ Magnified screens*1 and other window displays in positions that differ from the OPU main unit
are hidden during logout.
1
* Magnified screen, second monitor, high resolution monitor
・ When logout is performed in the Sensor READY state, X-ray exposure is not allowed even if the
Sensor READY lamp is illuminated.*2
*2 The Sensor READY timeout time (illuminated time) is 10 minutes (default) as set in the
cxdcap.ini file. (This function is enabled even when logged out.)
・ PATIENT INFO. notices, END STUDY notices, and generator communication (PreCond and
UnPreCond from the generator) are not accepted from the RIS when logged out.
10
V6.4 New Function Descriptions Appendix 6
(LOGIN/LOGOUT Screen)
11
V6.4 New Function Descriptions Appendix 6
12
V6.4 New Function Descriptions Appendix 6
13
V6.4 New Function Descriptions Appendix 6
① During the initial user authentication (login) when there is no Opera.MDB, an Opera.MDB is
generated by the Opera Module. At this time the service engineer logs in with the administrator
privilege of the default “user name: admin” and “password: xxxxx”.
② After the CXDI administrator (Chief Radiologist, etc.) has been determined and the
administrator and operators have been registered within the hospital facility, the user name and
password of the “admin” user should be changed or deleted.
③ In the event that the database is corrupted, the backup file (extender .MDB) saved in
④ If a general user (operator, etc.) forgets his or her password, the administrator should perform
⑤ When the User Authentication function is used, service cannot be performed without logging in.
14
V6.4 New Function Descriptions Appendix 6
15
V6.4 New Function Descriptions Appendix 6
・ Set whether to display the previous user name on the LOGIN screen.
16
V6.4 New Function Descriptions Appendix 6
3. Audit Log
1) Overview
The IHE Basic Security Integration Profile severely restricts the use and the disclosure of Protected
Health Information (PHI) in order to protect privacy.
Therefore, log output must be performed to allow post-facto tracking of who performed what, when
and on what system in order to monitor system security and whether privacy is protected.
The Audit Log Module supports HIPAA and outputs logs generated by the CXDI control software to
the AuditRecordRepository server (ARR) in the XML schemer format prescribed by the IHE
Technical Framework. The SYSLOG protocol is used when outputting to the ARR.
・ Log output to the ARR is possible when the Log output are enabled by HIPAA Set-up tool.
・ Log output is performed when the OPU is started up and shut down, the destination setting is
changed, the login password is changed, data is saved to an external disk storage or output to a
printer or storage, the study list display is selected, and so on.
2) Operating environment
The Audit Log Module requires the following operating environment.
[Japanese edition]
・ .NET Framework 1.1 Redistributable package (Japanese edition) installation
・ .NET Framework 1.1 Language Pack installation
[English edition]
・ .NET Framework 1.1 Redistributable package (English edition) installation
17
V6.4 New Function Descriptions Appendix 6
3) Configuration
The Audit Log Module is comprised of the following four files.
OPU CCR
Interface block
MSMQ ARR
MSMQ: This temporarily saves the logs generated by the CXDI control software. When a large
number of logs are output at once from the CXDI control software, the logs are temporarily saved
here.
ARR: AuditRecordRepository server. This receives and saves the logs in SYSLOG protocol.
18
V6.4 New Function Descriptions Appendix 6
19
V6.4 New Function Descriptions Appendix 6
[Function]
① Operation when the log length exceeds 1024 bytes is controlled according to the following
setting.
・ When the TruncateLog key in the CONFIG file is “0”, the 1024-byte limitation is ignored and
the entire log is output including the excess portion.
・ When the TruncateLog key in the CONFIG file is “1”, the log is truncated at 1024 bytes and
output without the portion exceeding 1024 bytes.
Note: The TruncateLog function has the following restrictions, so care should be taken during use.
・ Simple truncation processing is performed at 1024 bytes from the start, so the XML in the log
may not be appropriate.
・ The XML in the log is encoded, so a single character may be converted into multiple bytes by
the encoding. Therefore, a byte arrangement that ends partway through a character may be sent
to the ARR when 1024-byte truncation processing is performed.
In this case the audit logs output thereafter may not be saved properly depending on the ARR
specifications (for example, when received audit log byte arrangements are added continuously
to the file).
② Whether or not to control output log per patient for import and export events where the log
length is highly likely to exceed 1024 bytes is controlled according to the following setting.
・ When the DivideLog key in the CONFIG file is “0”, import and export events are output as a
single log regardless of whether the information for multiple patients is included.
However, when the log length exceeds 1024 bytes, operation conforms to the function (1) above.
・ When the DivideLog key in the CONFIG file is “1” and an import or export event contains the
information for multiple patients, the log is divided and per patient.
The number of output logs is equal to the number of patients contained in the import or export
event.
However, when an individual log length exceeds 1024 bytes after division, operation conforms
to the function (1) above.
5) Operation log
The Audit Log Module outputs an internal operation log to the IheAuditLog.log file. The
information output in the operation log is determined by the PerformanceLogLevel key in the 6)
CONFIG file setting items.
Operation log output format
Item Detailed description
Log recording date Date and time that the operation log was recorded in the file.
and time Output format: [mm/dd/yyyy hh:mm:ss:xxx]
Process name Audit Log Module client process name
Log output DLL DLL that output the operation log
Log level Level of the output operation log
Log contents Detailed operation log contents
20
V6.4 New Function Descriptions Appendix 6
Note: The HIPAA Setup Tool should be used to edit the CONFIG file. However, operation is not
guaranteed when directly edited.
21
V6.4 New Function Descriptions Appendix 6
7) Setup procedure
Perform the audit log setup using HIPAASetupTool.exe.
・ Input the IP address and port number of the ARR for log output.
・ Touch the [Ping] button to confirm that network communication is possible with the ARR.
・ Set the operation when the log length exceeds 1024 bytes.
・ Set whether to control output logs of Import and Export event per patient.
・ Set the operation log output level in the Audit Log Module.
22
V6.4 New Function Descriptions Appendix 6
1) Overview
When performing log output to the ARR, the time and the date recorded in the log have to be same
for all modalities on the network. Therefore, the time on time server and the time on CXDI are
synchronized using the Windows Time Service (W32Time) function.
2) Setup procedure
In Windows XP, an “Internet Time” tab has been added to “Date & Time Properties” in the task tray.
Input the name (or IP address) of the SNTP server to be synchronized using HIPAASetupTool.exe.
The time.windows.com NTP server is referenced as the default.
If there is another NTP server that can be used, input that SNTP server name (or IP address).
・ Touch the [Ping] button to confirm that network communication is possible with the NTP server
to be synchronized.
・ The Maintain Time operation cycle can be set in hour units.
23
V6.4 New Function Descriptions Appendix 6
1) Overview
A Node Authentication function has been added as an essential IHE Basic Security function.
This function supports authentication between DICOM Secure Nodes using TLS (Transport Layer
Security) which is a protocol for sending and receiving encrypted information over the internet.
2) Purpose
Node1 authentication is considered a necessary technical approach to prevent leaks of patient
electronic data2 and support the USA’s HIPAA and Japan’s Personal Information Protection Act.
IHE3 adopts TLS (Transport Layer Security; see the following section) as a technology for realizing
node authentication. The purpose of node authentication is to prevent the following four potential
risks.
1. Spoofing: A third party pretending to have sent something or pretending to be the intended
recipient. Impersonation fraud is a type of spoofing.
Example: The CXDI supposedly sent the data to a PACS, but the data was intercepted by a
different server that changed the PACS IP address.
1
A node refers to a connection point on a LAN or a computer installed at that connection point.
2
This is referred to as PHI (Target of Medical information Protected ) by IHE.
3
Integrating the Healthcare Enterprise; a joint initiative committee comprised of RSNA and HIMSS that uses
DICOM and HL7 as standards.
24
V6.4 New Function Descriptions Appendix 6
3) Functions
・ Install the certificates required for Node Authentication in the CXDI, then add the following to
the DESTINATION OPTION parameters to enable Node Authentication.
-h client certificate client private key
・ The operation method of the certificate differs according to the hospital’s security policy.
・ Possible authentication bureau (authentication agency) operation and certificate issue methods
are as follows:
(A) Having the system vendor prepare keys and certificates issued by an internet certificate authority
(for example, Verisign, Hitachi Systems, etc.)
(B) Having the system vendor establish an independent authentication server (Example: Microsoft
WindowsServer2003 Active Directory) within the hospital for issuing keys and certificates.
25
V6.4 New Function Descriptions Appendix 6
4) TLS
クライアント
Client TLS サーバ
Server
Attack
Third
第三者 party
TLS can also be used in a transmissive manner without changing higher order protocols, making it
possible to achieve encoding without remounting or changing the DICOM. For example,
conventional DICOM communication to a printer can be performed without TLS, and DICOM
communication can be performed to a PACS via TLS.
4
An organization for standardizing the technology used by the internet. The official issuer of RFC.
5
A protocol developed by Netscape Communications Corporation for sending and receiving encoded information
over the internet.
6
RFC (Request For Comment) is a document issued by IETF that assigns serial numbers to and releases the
protocols used by the internet as well as other specifications and requirements for various internet-related
technologies.
7
This is also called the Message Digest Function, and is an arithmetic algorithm for generating a quasi-random
number of a fixed length from a raw document. It is used to detect document falsification, and is also applied to
digital signatures. In Internet Explorer it is expressed as a thumbprint algorithm.
26
V6.4 New Function Descriptions Appendix 6
Encoded keys and certificates of the public key encoding method to use TLS with DICOM. Keys are
able to ensure security in combination with locks8. In encoding circles, methods where the locking
key and unlocking key are the same like a key to a house are called common key encoding methods.
Here, the keys used for encoding are long bit electronic data.
When this method is applied to the CXDI, the encoding and decoding keys are the same, so the key
must be given to the communicating party in advance. Also using this same key for other
communicating parties increases the risk of spoofing, so a separate key is prepared for each
communicating party. That is to say, a exclusive key must be managed simply to communicate with
a particular device. For example, in order for the CXDI to get a work list from Company A’s RIS,
the hospital administrator must create a key for the CXDI and the RIS and install this key in both
units beforehand. Similarly, for the CXDI to transfer data to Company B’s PACS, a key must be
created for the CXDI and the PACS and installed in both units, and for the CXDI to print to
Company C’s imager, a key must be created for the CXDI and the imager and installed in both units.
In addition to the problem of key management, this method also has the problem that it is not
possible to confirm whether a key is actually that of the intended communicating party. However,
the public key encoding method solves these problems.
Public key code has the characteristic in that the locking key and unlocking key are different. That is
to say, the encoding and decoding keys used are expressed by bits that form a arithmetic pair.
Releasing the encoding key to communicating parties (public key) and keeping the decoding key a
secret to oneself (private key) has the advantage that only the user can perform decoding. That is to
say, even if there are eight other communicating parties, the only key that must be kept secret is a
single private key9.
Key Pair
8
Locks for electronic keys correspond to cipher algorithms. However, an explanation of algorithms would deviate
from the purpose of this manual, so this is omitted.
9
The communicating party can use only the locking key, and only the user can use the unlocking key. The unlocking
key cannot be inferred from the locking key.
27
V6.4 New Function Descriptions Appendix 6
When the same public key is given to Company A’s RIS, Company B’s PACS and Company C’s
imager and encoding is performed using that public key, the communication results can be decoded
only by the CXDI which has the private key. In actual operation, data is sent from the CXDI to the
PACS, so communication can be concealed by encoding the image data using the PACS public key,
and having the PACS which receives the images decode the CXDI data using its own private key.
encrypt
decrypt
PACS’ s PACS’ s
Public Key Private Key
CXDI PACS
Encrypted Image Data
However, encoding/decryption processing using public keys generally requires significant CPU
power and time. Therefore, TLS authenticates the communicating party by the public key method,
generates a common key called a session key, and then encodes and sends only this session key
using the communicating party’s public key (Fig. 5). On the other hand, the exposure data is encoded
and sent using the previously generated session key. This session key is generated for each
communication, so there is no risk of reuse of the same key.
When the communicating party receives the exposure data, first it decodes the session key using its
own private key. Then secure communications can be established by using this session key to decode
the exposure data.
Session key
use Session key
use
Session Key
encrypt
decrypt
Session Key
encrypt
decrypt
PACS’ s
PACS’ s
Public Key
Private Key
28
V6.4 New Function Descriptions Appendix 6
The CXDI’s private key format is a X.50910 DER (Distinguished Encoding Rule)11 format binary
file, and the private key is stored in the CXDI Run directory together with the certificates. Encoding
this private key with a password phrase12 is recommended. In addition, private keys are generated
as a pair with public keys, so certificate authority services generally issue them at the same time as
certificates.
6) Electronic certificates
Does a public key really correspond to the private key of the communicating party, and is it really a
public key? The public key infrastructure (PKI) is shown below. PKI refers to the overall
authentication technology and infrastructure that uses public key code. When using the public key
method alone, there is the vulnerability that a third party may send a fake public key.13
Therefore, electronic certificates were devised as a system to solve this problem. An electronic
certificate consists of the user’s information (name, e-mail), validity period, public key, certificate
authority information and other data, which is electronically signed14 by the certificate authority
(CA) (Fig. 6).
Version
Serial Number
Signature Algorithm
Issuer
Validity Period
Private Key Subject
Encrypt hash- value with
Public Key
CA’ s Private Key
Signature
10
Standard specification for electronic key certificates and certificate revocation lists (CRL). Recommended by the
ITU (International Telecommunications Union).
11
This is the format used by WWW browsers. Certificates are also distributed by a text format called PEM (Privacy
Enhanced Mail), but this is Base64 encoding so it cannot be read by humans without the use of some tool. PEM and
DER are mutually convertible.
12
In contrast to a single password, a password phrase is multiple words (or a sentence) including spaces. The number
of bits increases, so there is less vulnerability compared to a password.
13
This is called a man-in-the-middle attack.
14
A hash-value encoded by a secret key in order to confirm that a certificate (and particularly the public key) has not
been falsified.
29
V6.4 New Function Descriptions Appendix 6
Encoding the signature with the CA’s public key makes it possible to verify whether the
communicating party’s certificate is correct.
In addition, it is natural to question whether the CA’s public key can be trusted. Therefore, in order
to confirm the CA’s public key, have another CA issue a certificate and repeat this authentication
process further. This method of confirming certificate reliability by retracing a layered structure
until a reliable CA is finally reached is called the X.509 authentication model.
root CA
sub CA
trust
Private key trust
signature
signature
CXDI’ s PACS’ s
certificate certificate
CXDI PACS
However, anyone can create electronic certificates by following X.509, so just because there is a
certificate does not mean it is secure. Certificate reliability depends on the certificate authority
established by the hospital system vendor or the specified certificate authority. Considering the use
in the closed environment within a hospital, that is to say without an internet connection, the
necessity of using certificates created by a well-known CA on DICOM is unclear. However,
environments that are connected to the internet have a high security risk, so the costs should be
accepted and certificates from a legitimate CA (the well-known VeriSign.com etc.) should be used.
30
V6.4 New Function Descriptions Appendix 6
7) Certificate installation
Install keys and certificates in D:\ccr (Copy in DER format)
When intermediate certificates and route certificates are installed in D:\ccr\srv-certs (copied in DER
format), the communicating party’s certificates that are exchanged during TLS communication are
automatically traced and authenticated. When authentication of the communicating party
(certificates) succeeds, a DICOM Association can be established.
A maximum two years of validity period for a certificate is recommended by IHE.
Keys and certificates are issue by the system vendor in accordance with the specifications required
by the hospital. Note that using a validity period that is shorter than necessary will increase the time
and effort needed for renewal.
8) Operation method
The detailed operation method depends on the specifications required by the security policy of each
hospital. The system vendor issues certificates and keys that allow authentication between the
various devices, so these certificates and keys for the CXDI are renewed by copying the provided
files to the specified directories.
31
V6.4 New Function Descriptions Appendix 6
9) Setup method
After completing certificate installation, perform the Node Authentication function setup using
HIPAASetupTool.exe.
Specify the certificate and private key files specify the certificate and private key files for CXDI in
association with a printer number registered as a printer on the output destination setting of CXDI
system software.
The next time the CXDI is started up, these certificates and keys are added to the PRINTER
OPTION parameters registered in the printer setup. (Example: -h client.der privkey.der)
↓CXDI startup
32
V6.4 New Function Descriptions Appendix 6
The settings on the storage side should also be made likewise by adding the certificates and keys to
the STORAGE OPTION parameters.
33
V6.4 New Function Descriptions Appendix 6
10) Troubleshooting
When an error occurs during DICOM communication, the error is displayed in the OPU dialog and
on the CCR console screen.
34
V6.4 New Function Descriptions Appendix 6
1) Overview
The CXDI System Software earlier than V. 6.4 did not support a function that allows the X-ray
operator to enter the reason for rejection when the operator has rejected the image or when the
operator retakes an image. In addition, it did not support a function that allows an administrator to
view the whole information about rejected images.
Therefore, it has been difficult for the administrator in the hospital to know why and how often
individual X-ray operators have rejected and retaken images.
To overcome such a difficulty and meet the strong demands of the marketplace, the CXDI System
Software V. 6.4 or later support a function that allows the X-ray operator to enter the reason for
image rejection and a function that allows the administrator to view the information about rejected
images. Thus, the administrator can collect and analyze the information about rejected images.
(Before release of V. 6.4, there was a site that allowed the administrator to know the reason for
rejection according to the series description.)
2) Setup procedure
[Technical Description]
1. GUI
[SYSTEM]->[SETUP MENU]->[SYSTEM SEUP]->[REJECT REASON]
(For the setup method, refer to Section 3 “Setup”.)
35
V6.4 New Function Descriptions Appendix 6
2. Operation
1) The administrator can view the image rejection information by accessing the CXDI (Cont PC)
from another PC over the network. The administrator can also copy data to his/her PC over the
network.
2) Combined use of the reject reason information function with the User Authentication function (a
new function supported by V. 6.3 or later) allows the administrator to identify operator's name
efficiently.
3) It is recommended that the [Erase Study] button be undisplayed.
(Ver. 6.4 or later can undisplay the [Erase Study] button in the Exposure screen.)
4) The service technician must set up the reject reason function at installation.
5) The administrator must create (or edit) a reject reason list.
Person in
Description
charge
Service
Sets up the reject reason function and the network.
technician
Creates (or edits) a reject reason list and analyzes the
Administrator
rejection information.
Operator Enters the reason for rejection.
3. Setup
(1) Use the HIPAA setup tool or Ccr Console Menu to set up the reject reason function.
(The parameters set using the HIPAA setup tool are reflected in the Ccr console Menu.)
36
V6.4 New Function Descriptions Appendix 6
2) Check the [Use Reject Reason] check box and set parameters.
37
V6.4 New Function Descriptions Appendix 6
38
V6.4 New Function Descriptions Appendix 6
[Parameters list]
Name of Button Format Value displayed Film Note
%PID% Patient ID %DTOD_XXXX_S% Tube-Sensor distance
%PNAME% Patient Name %EXPTIME_S% Exposure Time (msec)
39
V6.4 New Function Descriptions Appendix 6
40
V6.4 New Function Descriptions Appendix 6
4. Details on Function
4.1 Creating a Reject Reason List
[SYSTEM]-> [SETUP MENU]-> [SYSTEM SETUP]
-> [REJECT REASON]
Position
Too little Dos.
41
V6.4 New Function Descriptions Appendix 6
3) The CXDI outputs rejection information as a CSV text file. The service technician must create a
CSV file output destination folder on the CXDI PC using Explorer, or create a new folder using
the HIPAA setup tool.
(The CXDI does not create an output destination folder automatically.)
Note: Do not create an output destination folder on another PC on the network. If crated, proper
operation is not guaranteed.
For example, rejection information cannot be output when a network failure occurs.
This function is only capable of outputting a CSV file to the CXDI (Control PC).
Output destination folder sharing must be set to allow the administrator to view the created folder.
The procedure is described below.
Procedure
(1) Preparation
Have the keyboard and mouse ready.
(2) Using Explorer, display the Properties screen of the created folder.
42
V6.4 New Function Descriptions Appendix 6
(3) On the [Sharing] tab of the created folder, select “Share this folder”.
(4) Press the [Permissions] button, and then remove “Everyone” from the displayed list.
(5) Add “supervisor” as a user name, and then click the [Read] check box in the “Permissions for
Everyone” filed to grant permission for "Read only".
43
V6.4 New Function Descriptions Appendix 6
Supplementary Explanation
In the work-group environment, the “Simple File Sharing” function of Windows XP must be
deactivated so that permission for access to the shared folders can be set for each user.
To deactivate the “Simple File Sharing” function, select [Explorer]-> [Tools]-> [Folder Options]. On
the [View] tab, uncheck the [Use simple file sharing (Recommended)] check box.
Supplementary Explanation
Setting of shared folders in domain environment, a shared folder can also be set using the user
specified from the hospital side without using the user “supervisor” which the installer of CXDI
creates. However, please note that the following two which are to be set up in Procedure 3) should
be performed simultaneously at the time of the setting of a shared folder.
-Be sure to delete “Everyone user” from the list of access privileges.
-For the user added to the list, be sure to set the access privilege as “Read”.
4) When the reject reason function is used, it is recommended that the [Erase Study] button be
undisplayed. (By default, this button is disabled.)
If study is finished by pressing the [Erase Study] button, the image information is not saved in
the CSV file.
5) When the reject reason function is active, it is recommended to activate the “user authentication”
function.
When the user authentication function is active, the administrator can exactly know the operators
who rejected individual images. Accordingly, the reject reason function can be effectively
implemented when combined with the user authentication function.
Of course this function can be used in an environment where the user authentication function is
inactive. This function can be implemented normally irrespective of whether “Essential” or
“Option” is selected for operator name input.
44
V6.4 New Function Descriptions Appendix 6
6. Multi-view
The multi-view screen does not show the reject reason.
To view the reject reason, open the Reject Reason Entry screen.
45
V6.4 New Function Descriptions Appendix 6
CXDI PC External PC
Administrator
CXDI program
Output destination folder
reject01.csv
reject02.csv
Rejection information ….. Logs in from a different
is output at reject12.csv network-connected PC as a
completion of study.
“Supervisor” user and opens
the folder on the CXDI
Network sharing
Supervisor: Read Only
Everyone: Deny
For example, rejection information about the images taken in June 2005 is output to reject06.csv,
rejection information about the images taken in July 2005 is output to reject07.csv, and rejection
information about the images taken in June 2005 is output to reject06.csv respectively. When
rejection information is output to reject06.csv where the rejection information about the images
taken in the previous year already exists, the old information is deleted before new information is
stored (according to the file update date). Since all CSV files are overwritten when one year lapses,
the period of retention of reject reasons in the CXDI is set to one year. If the administrator wants to
retain reject reasons for more than one year, the administrator must manage it by coping CSV files to
another PC.
After completion of study and image transfer, the CXDI determines the destination CSV file
assuming that the time a reject reason is stored in the CSV file is the current time. If study started on
August 31 and ended on September 1, the rejection information is stored in reject09.csv.
46
V6.4 New Function Descriptions Appendix 6
47
V6.4 New Function Descriptions Appendix 6
The CXDI outputs rejection information in the CSV1 format (character-string-type item enclosed
with double quotation marks (”)) assuming that all items separated by commas (,) are character
strings. If a double quotation mark (”) is used in data, the CXDI replaces it with two double
quotation marks (””).
The operation performed when reject reason is displayed on the CALLED IMAGE screen and the
operation performed when the [Reject] button is pressed on the CALLED IMAEG screen or
multi-view screen (after completion of image reproduction) are the same as that performed during
normal exposure. When the [Reject] button is pressed for an accepted image, the Reject Reason
Entry screen appears. When the [Reject] button is pressed for a rejected image, the SELECT
PROCESS dialog appears.
Note that the rejection/acceptance status and reject reason changed here are not reflected
in the current study. They are reflected in the newly created study only when transfer to
the internal temporary storage is specified for “study re-output/image re-output”.
8. Errors
8.1 Errors Occurring at CXDI Start
Error 535
Reject Info Output Error
Selected directory for reject list can only be read. Reject info cannot be
saved on the file.
Error 537
Reject Info Output Error
The file format for reject list includes incorrect strings. Reject info cannot
be saved on the file.
48
V6.4 New Function Descriptions Appendix 6
Warning 535
Reject Info Output Error
Selected directory for reject list does not exist, or attribution is incorrect.
Reject info cannot be saved on the file.
Warning 537
Reject Info Output Error
The file format for reject list includes incorrect strings. Reject info cannot
be saved on the file.
Warning 539
Reject Info Output Error
Error has occurred on saving reject info on the file. Do you retry it?
id=[Patient ID] name=[Patient name]
8.3 Others
Other possible errors are as follows (messages for these errors are not displayed on the CXDI).
Symptom Possible cause
The CXDI PC is invisible from
The CXDI PC has not started.
other PCs.
49
V6.4 New Function Descriptions Appendix 6
1) Overview
For the combination of CXDI System Software Ver6.4 and DMW_PS2 Ver4.1 or later, Storage
Commitment function of DICOM Standard has been officially supported.
For the former combination of already released CXDI System Software Ver6.33 and DMW_PS2
Ver4.0, this function was only tentatively supported because of residual problems such as
incompatibility with Node Authentication function, etc.
2) Function/Setup procedure
[Technical Explanation]
1. Difference from CXDI Ver6.33 (DMW PS2_Ver4.0)
CXDI Ver6.33 (DMW PS2_Ver4.0) had the following limitations:
-Formerly, image deletion control was not provided on CXDI side even when storage commitment
result from PACS (N-EVENT-REPORT) was received; It means images were automatically
deleted in chronological order (from the oldest) when HDD storage became full.
-HIPAA did not support Node Authentication.
Ver6.33
Node Authentication ON ON OFF OFF
Storage Commitment Not used Used Not used Used
Operation OK NG OK OK
[Operation with CXDI Ver6.3]
Ver6.4
Node Authentication ON ON OFF OFF
Storage Commitment Not used Used Not used Used
Operation OK OK OK OK
[Operation with CXDI Ver6.4]
50
V6.4 New Function Descriptions Appendix 6
CXDI Ver6.40 (DMW PS2_Ver4.1) supports the following features, which were not supported in the
former Storage Commitment function.
- Auto-deletion of images and deletion of images from Study List are possible only after
notification of storage commitment request to the storage transfer destination, reception of
storage commitment results from the destination, and storage commitment result was successful.
- Study information of incomplete storage commitment can also be deleted from “User” with
displaying a confirmation dialog message.
- Node Authentication for Storage Commitment Request (N-ACTION) and Storage Commitment
Result (N-EVENT-REPORT) is available.
2. Preconditions
- Transfer destination PACS supports the storage commitment.
- DMW_PS2 Ver4.1 is installed.
- The port to be used for receiving storage commitment result is set to Permit in the Firewall
setting.
-> At Startup, message concerning Firewall is displayed. Be sure to set it to Permit.
- It is recommended that Retry operation is available when transfer destination PACS failed in
returning storage commitment result to CXDI.
3. Structure (outline)
Commit folder
Node authentication
commit.exe Request Association Connection
Storage commitment result (N-EVENT-REPORT)
51
V6.4 New Function Descriptions Appendix 6
4. GUI
SC1: Storage Commitment1 (Storage Commitment Request Destination Storage 1)
SC2: Storage Commitment2 (Storage Commitment Request Destination Storage 2)
(1)
(2) (3)
(4)
Storage Commitment: CXDI issued Storage Commitment Request but no result has been
RQ returned from PACS.
awaiting result.
(4) NG Storage Commitment: failed. PACS sent back Storage Commitment: failed.
5. Outline of Functions
Outline of Functions related to Storage Commitment Request is as shown below.
52
V6.4 New Function Descriptions Appendix 6
53
V6.4 New Function Descriptions Appendix 6
6. Setup
6.1 HIPAA Setup
The following are details of setup related to Storage Commitment Request. The setup is made with
HIPAA setup tool by service technician.
(For details of authentication and private key, refer to APPENDIX-6 HIPAA function.)
[Figure 1] [Figure 2[
(3)
(4)
(1) (5)
(2) (6)
(7)
(8)
(9)
(10)
[Figure 3] [Figure 4]
54
V6.4 New Function Descriptions Appendix 6
No Item Description
Input authentication file needed for image storage request
(C-STORE) with Node Authentication: ON. Up to 64 characters
(1) Certificate
are allowed. Use relative path to input.
Refer to 7.4.6 Node Authentication Combination
Input private key file needed for Storage Commitment Request
(N-ACTION) with Node Authentication: ON. Use relative path to
(2) Private Key
input.
Refer to 7.4.6 Node Authentication Combination
Set On/Off for Storage1-4 Storage Commitment Request.
(3) Storage1-Storage4
Checking this enables the following settings.
Input Port No. to receive the result of Storage Commitment
(4) Port No. Request (N-ACTION)with Node Authentication: OFF.
Numbers from 1 to 65535 are allowed.
(5) Called AE Title Input AE Title on CXDI side. Up to 64 characters are allowed.
-m maxPDU: Specifying this enables changing internally used
maxPDU value (131072) (Unit: byte). To comply with
(6) Option parameter DICOM standard, specify 131072 or smaller value.
-j timeout: Reception Timeout time can be specified (unit: second).
Default value (180 second) can be changed here.
Input Port No. to receive the result of Storage Commitment
(7) Port No. Request (N-ACTION) with Node Authentication: ON.
Numbers from 1 to 65535 are allowed.
Input authentication file needed for Storage Commitment result
(N-EVENT-REPORT) with Node Authentication: ON. Use the
certificate that has not been specified in (1). Up to 64 characters
are allowed. Use relative path to input.
(8) Certificate
If all Node Authentications for Image Storage Request (C-Store),
Storage Commitment Request (N-ACTION) are set to Off (Figure
4), this field is not available (Disable). Refer to 7.4.6 Node
Authentication Combination.
Input private key file needed for Node Authentication
(N-EVENT-REPORT).
If all Node Authentications for Image Storage Request (C-Store),
(9) Private key Storage Commitment Request (N-ACTION) are set to Off (Figure
4), this field is not available (Disable). Use the Private key that
has not been specified in (2). Use the relative path to input. Refer
to 7.4.6 Node Authentication Combination.
Compulsory Specify whether to include studies with incomplete Storage
auto-deletion of Commitment at auto-deletion.
(10)
temporary stored If “Yes” is selected, study with incomplete Storage Commitment
images will also be auto-deleted.
(3) to (10) Additions available with Storage Commitment function.
Note: Setup must be done when CXDI system is not operating. (Finish Ccr before work)
55
V6.4 New Function Descriptions Appendix 6
-- commit.ini --
[LIB_INFO]
LOG_LEVEL=0
Level Description
0 No output
1 Output Error
2 Output Error/Warning
3 Output Error/Warning/Debug
56
V6.4 New Function Descriptions Appendix 6
7. Details of Functions
7.1 Operation when Storage Commitment Request function is ON/OFF
Function ON OFF Description
Node Authentication Setup Enable Disable When OFF, Node Authentication is always skipped.
Storage Commitment Request Enable Disable When OFF, Storage Commitment Request is not conducted.
Awaiting Storage Commitment
Enable Disable When OFF, commitment.exe is not started.
Result
Controlling deletion from Study
Enable Enable [Delete] button can be used for deletion regardless of ON/OFF.
List
When OFF, images are auto-deleted in chronological order (from
Auto-deletion control Enable Disable
the oldest) as usual.
Disk space control Enable Disable When OFF, alert is not displayed.
Display of Storage
Always displayed regardless of ON/OFF.
Commitment Information Enable Enable
Setup of Study List display.
(SC1/SC2)
Display of the number of
studies with incomplete Enable Disable When the number of studies is zero, the number is not displayed.
Storage Commitment
Note: Setting must not be changed when there is a study with Storage Commitment in progress.
If setting has been changed during Storage Commitment, Storage Commitment result might
not be received and errors could occur on the PACS side.
57
V6.4 New Function Descriptions Appendix 6
If you select more than one image and attempt to delete from Study List by using [Delete] button the
image that is either awaiting the result of Storage Commitment (SC1/SC2:RQ) , or has failed in
Storage Commitment (SC1/SC2:NG), the following dialog appears.
Pressing [OK] will forcibly delete the image.
Alert
The amount of available internal storage space has dropped below xxxGB.
58
V6.4 New Function Descriptions Appendix 6
Store Recovery MB
7.4.3 Auto-deletion
- Delete from the image for which Storage Commitment has completed (Unit: four studies). The
image with incomplete Storage Commitment will be skipped.
- If auto-deletion has left only studies with incomplete Storage Commitment, and auto-deletion
starting space has not been reached, either processing set up by HIPAA setup tool will work. (To
auto-delete/not to auto-delete)
- Timing for start auto-deletion:
1) At CXDI startup
2) Just before QA processing after exposure
3) Just before internal temporary store (dtstore)
59
V6.4 New Function Descriptions Appendix 6
60
V6.4 New Function Descriptions Appendix 6
8. Error
8.1 When Storage Commitment Request failed in transmission
If an error occurred during transmission of Storage Commitment Request from CXDI to PACS, the
warning dialog is displayed as shown below. The message is the same as that for storage transfer
errors except for Error Code and the first line.
Error -540 to -543 corresponds to Error -502 to -505, respectively.
61
V6.4 New Function Descriptions Appendix 6
62
V6.4 New Function Descriptions Appendix 6
Code Description
0x0110
A general failure in processing the operation was encountered.
Processing failure
0x0112 One or more of the elements in the Referenced SOP Instance
No such object instance Sequence was not available.
0x0213 The SCP does not currently have enough resources to store
Resource limitation the requested SOP Instance(s).
0x0122 Referenced SOP Class not supported.
Referenced SOP Class not Storage Commitment has been requested for a SOP Instance
supported. with a SOP Class that is not supported by the SCP.
The SOP Class of an element in the Referenced SOP Instance
0x0119
Sequence did not correspond to the SOP class registered for
Class/Instance conflict
this SOP Instance at the SCP.
0x0131 The Transaction UID of the Storage Commitment Request is
Duplicate transaction UID already in use.
63
V6.4 New Function Descriptions Appendix 6
-34 TLS Client BAD MAC Message authentication Code (MAC) generation failure
-64 TLS No Shared Cipher Cipher suites do not match. Report it to Canon Inc.
-137 TLS Cert Unknown Format Certificate format is invalid. Installation mistake.
-2070 TLS (A) Protocol Version TLS protocol versions do not match. Report it to Canon Inc.
64
V6.4 New Function Descriptions Appendix 6
65