Grid Based Infrastructure for Distributed
Medical Imaging
Carl Kesselman
ISI Fellow
Director, Center for Grid Technologies
Information Sciences Institute
Research Professor
Computer Science
Viterbi School of Engineering
University of Southern California
Joint work with Stephan G. Erberich, Ann Chervenak, Robert Schuler, Laura
Pearlman, Jonathan C. Silverstein
2
Problem

Doctor A needs image records from
Hospital B


Collaborative clinical trials, provider
networks, offsite archiving/storage
Solution


Create a Virtual Organization on a SOA architecture
Issues
Minimal disturbance of enterprise
environment
 Co-existence with existing medical imaging
tools and user interfaces
 Privacy/security requirements

3
The MEDICUS Solution



Medical Imaging and Computing for Unified
Information Sharing (MEDICUS)
Exploit existing imaging standards and
tools in local enterprise
Gateway into standard Grid services for
federation

Security/privacy

Data discovery

Data movement
Globus MEDICUS Proto-Project @ http://dev.globus.org/wiki/Incubator/MEDICUS
4
Digital Imaging and Communications
in Medicine (DICOM)

Defines image format


Simple communication protocol for image
access and publication


Standard header (metadata) and image
formats
store, find, get, move, …
Used by existing medical imaging systems

Picture Archiving and Communications
Systems (PACS)
5
Open Source Grid Software
Globus Toolkit v4
www.globus.org
Data
Replication
Credential
Mgmt
Replica
Location
Grid
Telecontrol
Protocol
Delegation
Data Access
& Integration
Community
Scheduling
Framework
WebMDS
Python
Runtime
Community
Authorization
Reliable
File
Transfer
Workspace
Management
Trigger
C
Runtime
Authentication
Authorization
GridFTP
Grid Resource
Allocation &
Management
Index
Java
Runtime
Security
Data
Mgmt
Execution
Mgmt
Info
Services
Common
Runtime
6
Major Components of Medicus

DICOM Grid Interface Service


OGSA-DAI


Meta-catalog
Data Replication Service (DRS)



OGSA web service to translate between DICOM and
Grid operations
Data replication/data discovery
Utilized RLS and GridFTP for disovery, replica
management and data movement
Grid Security Infrastructure

Security, authorization
7
The Grid is the PACS

Meets image exchange needs






Not limited to research use (e.g. BIRN, caBIG)
Single architecture for Clinical and Research use
Federate image references (Meta Catalog) - IHE XDS model
X.509 authentication security model + SAML assertions
Hide Grid workflow from user if possible, e.g. DICOM
workflow
Meets image storage needs




FT and DR by replicas
PACS-Grid-PACS too slow for clinical use
Integrate hospital PACS
Data integrity by CRC checksums
8
Medicus System Design
9
DICOM Globus Interface Service
DICOM Protocols
DGIS
Grid Protocols
(Web services)
• Drive Grid workflows from DICOM protocol operations
• Manage security interface between DICOM/Grid
10
Meta Catalog Service for Medical Images


OGSA-DAI + Data Base (e.g. MySQL, Derby,
Oracle, ..)
DICOM meta data

Patient level (e.g. encrypted name, id, etc.)

Study level (e.g. date, time, protocol, etc.)

Series level (e.g. imaging type, modality, etc.)

Image level (e.g. position, level, exposure, etc.)

Keys are DICOM UIDs (Study, Series, Image)

Health meta data

Flexible Annotation, e.g. ICD-9
11
DGIS: Image Discovery
DICOM C-FIND Operation
Health Care
Provider
Display
Workstation
Radiologist
DICOM query
C-FIND
Grid Node
Globus
Dicom Grid Interface Service
(DGIS)
1. Meta Catalog Query
Grid PACS Meta Catalog
(DICOM Image Attributes)
Globus OGCE-DAI
Globus MEDICUS Proto-Project @ http://dev.globus.org/wiki/Incubator/MEDICUS
12
DGIS: Image Delivery
DICOM C-GET/C-MOVE Operations
Grid Node
Health Care
Provider
Display
Workstation
3. Retrieve image series
DICOM retrieve
C-GET/C-MOVE
Radiologist
Cache Image
Storage
2. Check
Grid PACS
(Image Storage)
Globus GridFTP Server
Grid Node
1. Get image series storage location
Globus
Dicom Grid Interface Service
(DGIS)
Grid PACS Meta Catalog
(DICOM Image Attributes)
Globus OGCE-DAI
Globus MEDICUS Proto-Project @ http://dev.globus.org/wiki/Incubator/MEDICUS
13
MEDICUS Fault Tolerance and Disaster Recovery

Fault Tolerance and Disaster Recovery
through replicas
OGSA compliant Replication Location
Service (RLS)
 Index encrypted DICOM keys
(study and series UIDs)
 Index which storage has physical
representation of series record
 Local replica index (RLS)
 VO replica index (RLS master)

14
DGIS: Image publication
DICOM C-STORE Operation
Grid Node
Health Care
Provider
PACS
Technologist
PACS Administrator
Auto-Scheduler
DICOM push
C-STORE DICOM push
C-STORE
1. Update
Cache Image
Storage
Modality
Grid PACS
(Image Storage)
Globus GridFTP Server
2. Image series publication
Grid Node
3. Meta Catalog publication
Globus
Dicom Grid Interface Service
(DGIS)
Grid PACS Meta Catalog
(DICOM Image Attributes)
Globus OGCE-DAI
Globus MEDICUS Proto-Project @ http://dev.globus.org/wiki/Incubator/MEDICUS
15
Protected Health Information

Underlying principal:


MEDICUS v1




Patient ownership, covered consent
Single layer GSI security model
X.509 proxy certificate standards based
Typical use case: Closed VO like Healthcare provider
network, Military network, research network.
MEDICUS v2





Patient Centric Authorization using assertions
Patient advocacy – patient controlled access
Logging of “on behalf actor” at Grid Service
All patient data on the Grid
Typical use-case: SOA of third-party storage, image
processing services require no-PHI access to DICOM
16
VO Security Services
Requestor's
Domain
Trust
Service
Attribute
Service
Service Provider's
Domain
Authorization
Service
Audit/
Secure-Logging
Service
Authorization
Service
Privacy
Service
Trust
Service
Attribute
Service
Audit/
Secure-Logging
Service
Privacy
Service
Credential
Validation
Service
Credential
Validation
Service
Bridge/
Translation
Service
Requestor
Application
WS-Stub
Secure Conversation
WS-Stub
Credential
Validation
Service
Service
Provider
Application
Credential
Validation
Service
Authorization
Service
Authorization
Service
Attribute
Service
Attribute
Service
Trust
Service
Trust
Service
VO
Domain
Jan 16, 2008
VOs & Security
16
17
Policy Assertions from Everywhere
Jan 16, 2008
VOs & Security
17
18
PERMIS
Policy Assertions from Everywhere (2)
CAS
VOMS
XACML
Shib
SAML
LDAP
SAZ
Handle
PRIMA
Grouper
gpBox
Active Role
XACML
Proxy Issuing
Jan 16, 2008
VOs & Security
LCAS
Gridmap
CSM
LCMAPS
18
19
Patient Authorized Grid Image Workflow
3.1
Internet2 IdP
GridShib
Patient
2.1
1.1
2.2
Globus OGSA-DAI
Meta Catalog Service
PHI safe entries
4.1
Healthcare Provider
5.1
2.3
4.4
4.3
Physician
Globus GridFTP
Storage Service Provider
Compressed DICOM Series Records
4.2
Hippocratic Verification Service
Policy Decision Point (PDP)
Globus RLS
Replica Location Service
20
Patient Authorized Grid Image Workflow
3.1
Internet2 IdP
GridShib
Patient
2.1
1.1
2.2
Globus OGSA-DAI
Meta Catalog Service
PHI safe entries
4.1
Healthcare Provider
5.1
2.3
4.4
4.3
Physician
Globus GridFTP
Storage Service Provider
Compressed DICOM Series Records
4.2
Hippocratic Verification Service
Policy Decision Point (PDP)
Globus RLS
Replica Location Service
21
Globus MEDICUS Use-Cases

Multi-center clinical trials



Off-site Medical Image Storage



Children’s Oncology Group Phase-I
28 international medical centers (since 09/2003)
NANT Cancer Foundation
13 national medical centers (since 12/2005)
Enterprise PACS / Grid PACS
FT and DR by replication using Globus Data Replication
Service (DRS)
Medical Image Federation




Enterprise Hospital VO
Military VO
Community Practices VO
Etc.
MEDICUS use cases:
Childrens Oncology Group and
Neuroblastoma Cancer Foundation Grids
22
23
Summary

MEDICUS vertically integrates existing standards
based GT4 components – no research specific layer

Fast and efficient DICOM off-site storage

Integrates with hospital PACS + FT and DR

Transparent image workflow for Physician



Flexible and cost efficient deployment using opensource (~ $500 per TB)
PHI protected at patient level
Single HealthGrid solution for Clinical and Research
use of same images
24
Conclusion




MEDICUS present one piece to HealthGrid puzzle
Modular SOA design ideal for collaborative
extension, e.g. image processing web services
using DICOM image resources on the Grid
Open-source (Apache license), part of the
Globus Toolkit Development release:
ou are invited to contribute your field of expertise
dev.globus.org/wiki/Incubator/MEDICUS
Roadmap: Standards based PHR, Workstation Grid
plug-in, IHE XDS/-I WebServices
25
Acknowledgment
http://dev.globus.org/wiki/Incubator/MEDICUS
Horizon Award Winner 2007
Information Science Institute
IDEA Award
NIH/NCI Grant: UO1-BA97452
Winner 2007