HIPAA

Copyright by Canon
Mar. 2006 Rev.02
HIPAA
Canon Inc. Japan
Copyright (C) Canon Inc. Medical Technical Service Dept. All rights reserved
CONTENT
1. HIPAA................................................................................................................................................1
1) Overview ........................................................................................................................................1
2) Functions........................................................................................................................................1
3) Overall image of HIPAA support....................................................................................................1
4) Strage Commitment (Structuring) ..................................................................................................2
5) Installation .....................................................................................................................................3
2. User Authentication Function ..........................................................................................................6
1) Purpose ..........................................................................................................................................6
2) Overview ........................................................................................................................................6
3) Login operation flow ......................................................................................................................7
4) LOGIN screen details.....................................................................................................................8
5) Auto Logout function......................................................................................................................9
6) Logout function ............................................................................................................................10
7) User authentication setup ............................................................................................................ 11
8) User Management screen and User Properties screen ................................................................12
9) Summary of User Privileges.........................................................................................................13
10) Installation, operation and service..........................................................................................14
11) Operator’s Name display on the STUDY INFO. screen...........................................................15
12) Summary of setting items (MenuPara.ini file).........................................................................16
13) Setup procedure.......................................................................................................................16
3. Audit Log.........................................................................................................................................17
1) Overview ......................................................................................................................................17
2) Operating environment ................................................................................................................17
3) Configuration ...............................................................................................................................18
4) Audit Log Module functions .........................................................................................................19
5) Operation log ...............................................................................................................................20
6) CONFIG file setting items............................................................................................................21
7) Setup procedure............................................................................................................................22
4. Maintain Time Setup ......................................................................................................................23
1) Overview ......................................................................................................................................23
2) Setup procedure............................................................................................................................23
i
5. Node Authentication Function .......................................................................................................24
1) Overview ......................................................................................................................................24
2) Purpose ........................................................................................................................................24
3) Functions......................................................................................................................................25
4) TLS ...............................................................................................................................................26
5) Public key encoding method.........................................................................................................27
6) Electronic certificates ..................................................................................................................29
7) Certificate installation .................................................................................................................31
8) Operation method ........................................................................................................................31
9) Setup method ................................................................................................................................32
10) Troubleshooting.......................................................................................................................34
6. Reject Reason Function..................................................................................................................35
1) Overview ......................................................................................................................................35
2) Setup Procedure ...........................................................................................................................35
7. Strage Commitment Functions ......................................................................................................50
1) Overview ......................................................................................................................................50
2) Setup Procedure ...........................................................................................................................50
ii
V6.4 New Function Descriptions Appendix 6
1. HIPAA
1) Overview
HIPAA (Health Insurance Portability and Accountability Act of 1996) is a law that should be strictly
observed by hospitals.
The CXDI with system software versions 6.3 and later provides a device that makes it easy for
hospitals to support HIPAA.
2) Functions
System software versions 6.3 and later support HIPAA, so the IHE Basic Security Integration Profile
is supported.
This support can be broadly divided into the following four functions.
・User Authentication ......................................* For details, see “2. User Authentication Function”.
・Log Generation (Generation of audit records) * For details, see “3. Audit Log”.
・Time Synchronization ...................................* For details, see “4. Maintain Time Setup”.
・Node Authentication .....................................* For details, see “5. Node Authentication Function”.
System software version6.4 and later versions are supported “Reject Reason function”.
And also, combination DMW_PS2 Ver4.1 or later versions are support “storage commitment
function”.
・Reject Reason ...............................................* For details, see “6. Reject Reason Function”.
・Storage Commitment ....................................* For details, see “7. Storage commitment Function”.
3) Overall image of HIPAA support

The following shows an overall image including CXDI support for HIPAA.
User Authentication
PACS
Auto Logoff
Printer
Node
Authentic
RIS,
CXDI etc
Audit Log
Maintain Time
WindowsTimeService
TimeServer ARR
1
4) Storage commitment (Structuring)
CXDI Node Authentication, Request Association Connection

- Auto-delete control
PACS
Request image storage (C-STORE)
-Control deletion
from Study list
Node Authentication, Request Association Connection
Storage Commitment Request (N-ACTION)
Commit folder
Node authentication
commit.exe Request Association Connection
Storage commitment result (N-EVENT-REPORT)
2
5) Installation
Before running HIPAASetupTool.exe, upgrade to version 6.4 and complete installation with the
CXDI environment setup tool (CxdiEnv.exe).
For details, see “V6.4 New Function Descriptions - APPENDIX-3. Upgrade Procedure Manual”.
The six functions mentioned above can be turned ON and OFF using the HIPAA setup tool
HIPAASetupTool.exe. The installation defaults set the HIPAA functions to the disabled state.
1. Run HIPAASetupTool.exe contained in the directory D:\ccr.

Select “Use”, then click [NEXT].
（HIPAA Setup Customize Screen）
2. Make the necessary User Authentication function settings and Reject Reason, then click [NEXT].
* For details, see “2. User Authentication Function”,”6.Reject Reason function”.
（User Authentication Setup Screen）
3
3. Make the necessary Audit Log settings, then click [NEXT].

* For details, see “3. Audit Log”.
（Audit Log Setup Screen）
4. Make the necessary Maintain Time settings, then click [NEXT].

* For details, see “4. Maintain Time Setup”.
（Maintain Time Setup Screen）
4
5. Make the necessary Node Authentication function settings, then click [NEXT].
* For details, see “5. Node Authentication Function”.
（Node Authentication Setup Printer Screen）
6. Make the necessary Storage commitment function settings, then click [NEXT].
* For details, see “7. Storage commitment Function”.
（Node Authentication Setup Printer Screen / Storage Commitment Setup）
5
2. User Authentication Function
1) Purpose
User authentication is a part of HIPAA support, and improves security by having CXDI operators
login and logout.
2) Overview
・ The User Authentication function is comprised of a database for saving user names, passwords,
operators’ names, and privileges, and modules for database registration and editing.
OPU Opera Opera

Module MDB
Operator’s
User name Password name Privilege
HIPAA
Log
Module
・ The Opera Module (Opera.DLL) controls the operator information for the User Authentication
function (login), and has an interface for the OPU and the operator information.
・ The Opera Module is started up from the OPU, and outputs the log to the HIPAA Audit Log
Module as necessary.
・ During the initial user authentication (login) when there is no Opera.MDB, an Opera.MDB is
generated by the Opera Module.
At this time the service engineer logs in with the administrator privilege of the default “user
name: admin” and “password: xxxxx”.
・ When the Opera.MDB contents are changed, the Opera Module creates a backup of the database
file.
File backups are saved in D:\ccr\OLD as the file name “Operayyyymmddhhmmss.MDB”. Up to
ten backup files are stored, and the superfluous files are deleted in time order from the oldest
one.
admin
6
3) Login operation flow

・ CXDI startup => LOGIN screen => (User name and password input) => Exposure screen
・ A SHUTDOWN button is displayed only on the initial LOGIN screen after CXDI startup. Touch
this button to shut down the OS.
↓（CXDI Startup Screen）
↓（Initial LOGIN Screen）
（Exposure Screen）
7
4) LOGIN screen details

・ User names and passwords up to 16 characters long can be input.
・ However, the number of characters valid for login is 4 to 8 characters for both user names and
passwords.
・ Check the input character type (upper-case/lower-case) for both user names and passwords.
・ Error button, output lamp and sensor READY indicators.
・ When an error occurs, an error button is displayed but the error button cannot be pressed.
However, when the following critical errors occur, an error panel is displayed.
Fatal
Alert
Error
（LOGIN Screen）
・ The following errors may occur at the LOGIN screen depending on the circumstances.
User name could not be found. User Name or Password is wrong. Enter the correct User Name
Password does not match. and Password.
Database file cannot be read. Database file cannot be read. Database is broken or user data
cannot be found. CXDI will shut down. Please call service.
⇒SHUTDOWN Menu
8
5) Auto Logout function

・ If operations are not performed for a certain period of time*1, the Auto Logout function activates
and the LOGIN screen appears as if the LOGOUT button had been touched.
1
* However, the system is considered to be in operation during the period from X-ray exposure to
preview image display.
・ The Auto Logout function operates at all screens except the following.*2
*2① Each setup screens under the Setup Menu, Edit Exposure Mode, Calibration, Self Test, Error
panel, Call Image.
② All message boxes.
(However, the Auto Logout function operates for gray message boxes displayed by modules
other than OPU or by CCR and DLL.)
③ When using two-way type generator communication.
When Auto Logout is enabled during startup, a message appears and Auto Logout is set to
“DISABLE”.
When Auto Logout is enabled on the LOGIN/LOGOUT Setup screens, a message appears and
Auto Logout is set to “DISABLE”.
Message: “Because Generator Communication Module is set to Two-Way Communication type,
Auto Logout Setting will be invalidated.”
・ Auto Logout EABLE/DISABLE and the Auto Logout Time can be set.
(Setting range: 1 to 60 minutes. The default is 10 minutes.)
These operations are available only to users with administrator privileges, and cannot be
performed by general users.
（LOGIN/LOGOUT Screen）
9
6) Logout function
・ Logout is performed by touching the LOGOUT button and by the Auto Logout function.
・ The user name is displayed on the LOGOUT button.
・ When the LOGOUT button is touched, a confirmation message appears.

“Are you sure you want to logout?”
If the button is touched during an examination, the following message appears and urge caution.
“Now performing examination! Are you sure you want to logout?”
(LOGOUT Button and Confirmation Message on the Exposure Screen)
・ In principle, the screen immediately after login displays the status immediately before the
LOGOUT button was pressed.
・ Magnified screens*1 and other window displays in positions that differ from the OPU main unit
are hidden during logout.
1
* Magnified screen, second monitor, high resolution monitor
・ When logout is performed in the Sensor READY state, X-ray exposure is not allowed even if the
Sensor READY lamp is illuminated.*2
*2 The Sensor READY timeout time (illuminated time) is 10 minutes (default) as set in the
cxdcap.ini file. (This function is enabled even when logged out.)
・ PATIENT INFO. notices, END STUDY notices, and generator communication (PreCond and
UnPreCond from the generator) are not accepted from the RIS when logged out.
10
7) User authentication setup

・ User authentication is set from the LOGIN/LOGOUT screen.
[Exposure Screen SYSTEM] => [SETUP MENU] => [ADMINISTRATOR SETUP] =>
[LOGIN/LOGOUT]
Touch the User Registration button.
↓（Administrator Setup Screen）
（LOGIN/LOGOUT Screen）
11
8) User Management screen and User Properties screen

User Management screen
・ Touch the User Registration button to display and set all the users that use the CXDI.
・ Touch the ADD button to add a user, or touch the CHANGE button after selecting the user name
to change a user. To delete a user, select the user name and then touch the DELETE button.
These operations are available only to administrative user. Also, the user currently logged in
cannot be deleted.
・ When logged in as a general user, only the password for that user can be changed.
・ The User Management screen display can be rearranged in the privilege order, or alphabetical
order by user name.
（User Management Screen (Administrator login)）
(User Management Screen (General user login))
12
User Properties screen

・ Touch the ADD or CHANGE buttons on the User Management screen to display and set the user
properties for a single user.
The contents changed or registered at this time are valid the next time login is performed.
Therefore, the previous contents remain valid until logout is performed.
・ Both the user name and password are restricted to between 4 and 8 characters.
If either the user name or the password do not meet this condition, a dialog box is displayed.
Alphabet letters are case sensitive, and numeric input is also allowed.
・ The operator’s name must be 63 characters or less. Japanese input is also allowed.
(User Properties Screen)

9) Summary of User Privileges
Contents Auto Logout setting Database operations

Privilege
Administrator Setting allowed All users displayed

User registration
User deletion
Changing user properties
(User name, password,
operator's name, privilege)
General user Setting prohibited Only logged in user displayed

Only the password for that user
can be changed
13
10) Installation, operation and service
① During the initial user authentication (login) when there is no Opera.MDB, an Opera.MDB is
generated by the Opera Module. At this time the service engineer logs in with the administrator
privilege of the default “user name: admin” and “password: xxxxx”.
② After the CXDI administrator (Chief Radiologist, etc.) has been determined and the
administrator and operators have been registered within the hospital facility, the user name and
password of the “admin” user should be changed or deleted.
③ In the event that the database is corrupted, the backup file (extender .MDB) saved in
D:\ccr\OLD is renamed as Opera.MDB.
④ If a general user (operator, etc.) forgets his or her password, the administrator should perform
operations to assign a new one.

If the administrator (Chief Radiologist, etc.) forgets his or her password, the service engineer
should delete and recreate the database.
⑤ When the User Authentication function is used, service cannot be performed without logging in.
In these cases, service can be supported by the following procedure.

・ Have the administrator login when providing service, or obtain the agreement of the
administrator and register a general user for service purposes that is not deleted and remains in
the system.
Thereafter, cancel the OS operation restriction setting, rename the existing Opera.MDB file or
save it in a different directory, and then login with the administrator privilege of the default
“user name: admin” and “password: xxxxx” to allow service.
After service is completed, be sure to restore the original Opera.MDB file and set the OS
operation restriction again.
14
11) Operator’s Name display on the STUDY INFO. screen

・ The operator’s name of the currently logged-in user is displayed in the Operator’s Name field of
STUDY INFO. during exposure. In addition, log output to the audit record (4. Audit Log) which
is another HIPAA function is also performed under the logged-in user name.
・ When the operator’s name received from the HIS (RIS) differs from the currently logged-in
operator’s name, the logged-in operator’s name is input to the Operator’s Name field of STUDY
INFO.
The operator’s name is saved in the image header simultaneously with input. The name of the
operator that performed the exposure is set and notified for each series due to RIS.
Notes
・ The operator’s name displayed in the STUDY INFO. screen cannot be changed during exposure
or when reproducing images.
・ When a different operator logs in and retakes an image, the name is changed from the original
operator’s name to the current operator’s name, and the name of the operator who performed the
retake is applied.
・ “Operator’s Name” is the name of the person who takes the image, and when an image is
retaken, the name of the operator performing the operation is not input.
(STUDY INFO. Screen)
15
12) Summary of setting items (MenuPara.ini file)
[USER] section Item contents Default Setting contents

Login User Authentication DISABLE “0” ENABLE 1,
function DISABLE 0
ENABLE/DISABLE
UserNameDisplay Display previous user Display “0” Display: 1, Don’t
name on LOGIN display: 0
screen
AutoLogout Auto Logout function ENABLE “1” ENABLE: 1,
ENABLE/DISABLE DISABLE: 0
AutoLogoutTime Auto Logout time 10 (minutes) Range: 1 to 60
(minutes) (minutes)
13) Setup procedure

Set the User Authentication function using HIPAASetupTool.exe.
(User Authentication Setup Screen)
・ Set whether to display the previous user name on the LOGIN screen.
・ Set Auto Logout function ENABLE/DISABLE.
・ Set the Auto Logout time.
16
3. Audit Log
1) Overview
The IHE Basic Security Integration Profile severely restricts the use and the disclosure of Protected
Health Information (PHI) in order to protect privacy.
Therefore, log output must be performed to allow post-facto tracking of who performed what, when
and on what system in order to monitor system security and whether privacy is protected.
The Audit Log Module supports HIPAA and outputs logs generated by the CXDI control software to
the AuditRecordRepository server (ARR) in the XML schemer format prescribed by the IHE
Technical Framework. The SYSLOG protocol is used when outputting to the ARR.
・ Log output to the ARR is possible when the Log output are enabled by HIPAA Set-up tool.
・ Log output is performed when the OPU is started up and shut down, the destination setting is
changed, the login password is changed, data is saved to an external disk storage or output to a
printer or storage, the study list display is selected, and so on.
2) Operating environment
The Audit Log Module requires the following operating environment.
[Japanese edition]
・ .NET Framework 1.1 Redistributable package (Japanese edition) installation
・ .NET Framework 1.1 Language Pack installation
[English edition]
・ .NET Framework 1.1 Redistributable package (English edition) installation
[Common to both Japanese and English editions]

・ .NET Framework 1.1 SP1 installation
・ MSMQ installation
・ Time server setup (as necessary.)
17
3) Configuration
The Audit Log Module is comprised of the following four files.
IheAuditLogIF.dll Audit Log Module interface block DLL.

IheAuditLog.dll Log output block DLL. Audit Log Module main unit.
IheAuditLog.config Audit Log Module setup file.
ihe_schema.xsd XML schemer prescribed by the IHE Technical Framework.
OPU CCR
Audit Log Module
Interface block
Log output block
MSMQ ARR
MSMQ: This temporarily saves the logs generated by the CXDI control software. When a large
number of logs are output at once from the CXDI control software, the logs are temporarily saved
here.
ARR: AuditRecordRepository server. This receives and saves the logs in SYSLOG protocol.
18
4) Audit Log Module functions

Interface block
[Overview]
The interface block has functions for interfacing with the CXDI control software and other external
modules.
[Functions]
・ The interface block gets the information required for log output from the CXDI control software
and transmits it to the log output block.
The time stamp when the log was received is recorded in the structure, and the name of the
receiving host is also recorded in the structure by the initialization function.
Log output block functions

[Overview]
The log output block creates XML text from the received structure and outputs it in SYSLOG
protocol to the ARR.
[Functions]
・ The log output block transmits the log information received from the CXDI control software to
the MSMQ service provided by Windows and saves it in a queue. The queue name saved at this
time differs for each Audit Log Module client, and is “HIPAA_+client process name”.
In addition, the queue presence is checked during Audit Log Module startup, and a queue is
automatically generated if one is not present.
・ The log information read from the queue is converted into XML text in accordance with the
XML schemer, and XML schemer verification is performed.
XML schemer verification checks whether the items needed to create the XML text are set
appropriately.
・ The format of the schemer verified XML text is converted based on the SYSLOG protocol, and
the log is then output to the ARR.
Functions that depend on the SYSLOG protocol

[Overview]
The SYSLOG protocol limits the length of a single log to 1024 bytes or less.
However, when following the XML schemer format prescribed by the IHE Technical Framework,
logs that exceed this SYSLOG protocol limitation may be created. Therefore, Audit Log Module
operation can be controlled by setting two functions in the 6) CONFIG file setting items in
consideration of the SYSLOG protocol log length.
19
[Function]
① Operation when the log length exceeds 1024 bytes is controlled according to the following
setting.
・ When the TruncateLog key in the CONFIG file is “0”, the 1024-byte limitation is ignored and
the entire log is output including the excess portion.
・ When the TruncateLog key in the CONFIG file is “1”, the log is truncated at 1024 bytes and
output without the portion exceeding 1024 bytes.
Note: The TruncateLog function has the following restrictions, so care should be taken during use.
・ Simple truncation processing is performed at 1024 bytes from the start, so the XML in the log
may not be appropriate.
・ The XML in the log is encoded, so a single character may be converted into multiple bytes by
the encoding. Therefore, a byte arrangement that ends partway through a character may be sent
to the ARR when 1024-byte truncation processing is performed.
In this case the audit logs output thereafter may not be saved properly depending on the ARR
specifications (for example, when received audit log byte arrangements are added continuously
to the file).
② Whether or not to control output log per patient for import and export events where the log
length is highly likely to exceed 1024 bytes is controlled according to the following setting.
・ When the DivideLog key in the CONFIG file is “0”, import and export events are output as a
single log regardless of whether the information for multiple patients is included.
However, when the log length exceeds 1024 bytes, operation conforms to the function (1) above.
・ When the DivideLog key in the CONFIG file is “1” and an import or export event contains the
information for multiple patients, the log is divided and per patient.
The number of output logs is equal to the number of patients contained in the import or export
event.
However, when an individual log length exceeds 1024 bytes after division, operation conforms
to the function (1) above.
5) Operation log
The Audit Log Module outputs an internal operation log to the IheAuditLog.log file. The
information output in the operation log is determined by the PerformanceLogLevel key in the 6)
CONFIG file setting items.
Operation log output format
Item Detailed description
Log recording date Date and time that the operation log was recorded in the file.
and time Output format: [mm/dd/yyyy hh:mm:ss:xxx]
Process name Audit Log Module client process name
Log output DLL DLL that output the operation log
Log level Level of the output operation log
Log contents Detailed operation log contents
20
6) CONFIG file setting items

The following items are set by the IheAuditLog.Config file.
Key Initial value Value

LogOutput 0 Audit log output destination setting.
0: Not output
1: Output to the ARR
ArrLogPath 127.0.0.1 ARR IP address.
PortTo 514 ARR transmit destination port number.
PerformanceLogLevel 2 Operation log output level in Audit Log Module.
0: Not output
1: Fatal error output
2: 1 + Error output
3: 2 + Warning output
4: 3 + Info output
TruncateLog 0 Operation setting when the log length exceeds 1024 bytes.
0: The entire log including the portion exeeding 1024 bytes
is output to the ARR.
1: The log is truncated at 1024 bytes and output to the ARR.
DivideLog 0 Operation setting for import and export event log output.
0: The log is not divided per patient, and all patients
included in the event are output as a single log to the ARR.
1: The log is divided per patient and output to the ARR.
Note: The HIPAA Setup Tool should be used to edit the CONFIG file. However, operation is not
guaranteed when directly edited.
21
7) Setup procedure
Perform the audit log setup using HIPAASetupTool.exe.
(Audit Log Setup Screen)
・ Input the IP address and port number of the ARR for log output.
・ Touch the [Ping] button to confirm that network communication is possible with the ARR.
・ Set the operation when the log length exceeds 1024 bytes.
・ Set whether to control output logs of Import and Export event per patient.
・ Set the operation log output level in the Audit Log Module.
22
4. Maintain Time Setup
1) Overview
When performing log output to the ARR, the time and the date recorded in the log have to be same
for all modalities on the network. Therefore, the time on time server and the time on CXDI are
synchronized using the Windows Time Service (W32Time) function.
2) Setup procedure
In Windows XP, an “Internet Time” tab has been added to “Date & Time Properties” in the task tray.
Input the name (or IP address) of the SNTP server to be synchronized using HIPAASetupTool.exe.
The time.windows.com NTP server is referenced as the default.
If there is another NTP server that can be used, input that SNTP server name (or IP address).
(Maintain Time Setup Screen)
・ Touch the [Ping] button to confirm that network communication is possible with the NTP server
to be synchronized.
・ The Maintain Time operation cycle can be set in hour units.
23
5. Node Authentication Function
1) Overview
A Node Authentication function has been added as an essential IHE Basic Security function.
This function supports authentication between DICOM Secure Nodes using TLS (Transport Layer
Security) which is a protocol for sending and receiving encrypted information over the internet.
2) Purpose
Node1 authentication is considered a necessary technical approach to prevent leaks of patient
electronic data2 and support the USA’s HIPAA and Japan’s Personal Information Protection Act.
IHE3 adopts TLS (Transport Layer Security; see the following section) as a technology for realizing
node authentication. The purpose of node authentication is to prevent the following four potential
risks.
1. Spoofing: A third party pretending to have sent something or pretending to be the intended
recipient. Impersonation fraud is a type of spoofing.
Example: The CXDI supposedly sent the data to a PACS, but the data was intercepted by a
different server that changed the PACS IP address.
2. Falsification: Changing the data partway along the transmission route.

Example: Rewriting some of the images or exposure data sent by the CXDI to a PACS.
3. Wiretapping: Illegally viewing data.

Example: When the CXDI received an order from RIS, another device accessed the network
illegally and obtained the patient study list.
4. Repudiation: Denying that data was sent or received.

Example: Data was supposedly sent normally from the CXDI to a PACS, but the other party
insists that the data was not received by the PACS. When asked whether the data might have
been sent to a spoofing party, it cannot be proven.
1
A node refers to a connection point on a LAN or a computer installed at that connection point.
2
This is referred to as PHI (Target of Medical information Protected ) by IHE.
3
Integrating the Healthcare Enterprise; a joint initiative committee comprised of RSNA and HIMSS that uses
DICOM and HL7 as standards.
24
3) Functions
・ Install the certificates required for Node Authentication in the CXDI, then add the following to
the DESTINATION OPTION parameters to enable Node Authentication.
-h client certificate client private key
・ The electronic key and certificate format conform to X.509.
・ The operation method of the certificate differs according to the hospital’s security policy.
・ Possible authentication bureau (authentication agency) operation and certificate issue methods
are as follows:
(A) Having the system vendor prepare keys and certificates issued by an internet certificate authority
(for example, Verisign, Hitachi Systems, etc.)
(B) Having the system vendor establish an independent authentication server (Example: Microsoft
WindowsServer2003 Active Directory) within the hospital for issuing keys and certificates.
25
4) TLS
クライアント
Client TLS サーバ
Server
Attack
Third
第三者 party
Fig. 1 TLS Communication and Attacks
TLS is a communication protocol created by IETF (Internet Engineering Task Force 4 ) by

standardizing SSL (Secure Sockets Layer5). SSL is a technology for encoding HTTP, FTP and other
data that is widely used on the internet, and it is well known that when the padlock icon appears in
the bottom right corner of Internet Explorer, encoded communication is being performed by SSL.
TLS 1.0 (RFC22466) is for all practical purposes SSL 3.1, and is able to prevent data wiretapping,
falsification and spoofing by a combination of technologies such as public key code, (digital)
certificates, and hash functions7.
TLS can also be used in a transmissive manner without changing higher order protocols, making it
possible to achieve encoding without remounting or changing the DICOM. For example,
conventional DICOM communication to a printer can be performed without TLS, and DICOM
communication can be performed to a PACS via TLS.
Printer CXDI PACS
DICOM DICOM DICOM

TLS TLS
TCP TCP TCP
IP IP IP
Ethernet Ethernet Ethernet
Fig. 2 Relationship between DICOM and TLS
4
An organization for standardizing the technology used by the internet. The official issuer of RFC.
5
A protocol developed by Netscape Communications Corporation for sending and receiving encoded information
over the internet.
6
RFC (Request For Comment) is a document issued by IETF that assigns serial numbers to and releases the
protocols used by the internet as well as other specifications and requirements for various internet-related
technologies.
7
This is also called the Message Digest Function, and is an arithmetic algorithm for generating a quasi-random
number of a fixed length from a raw document. It is used to detect document falsification, and is also applied to
digital signatures. In Internet Explorer it is expressed as a thumbprint algorithm.
26
5) Public key encoding method
Encoded keys and certificates of the public key encoding method to use TLS with DICOM. Keys are
able to ensure security in combination with locks8. In encoding circles, methods where the locking
key and unlocking key are the same like a key to a house are called common key encoding methods.
Here, the keys used for encoding are long bit electronic data.
When this method is applied to the CXDI, the encoding and decoding keys are the same, so the key
must be given to the communicating party in advance. Also using this same key for other
communicating parties increases the risk of spoofing, so a separate key is prepared for each
communicating party. That is to say, a exclusive key must be managed simply to communicate with
a particular device. For example, in order for the CXDI to get a work list from Company A’s RIS,
the hospital administrator must create a key for the CXDI and the RIS and install this key in both
units beforehand. Similarly, for the CXDI to transfer data to Company B’s PACS, a key must be
created for the CXDI and the PACS and installed in both units, and for the CXDI to print to
Company C’s imager, a key must be created for the CXDI and the imager and installed in both units.
In addition to the problem of key management, this method also has the problem that it is not
possible to confirm whether a key is actually that of the intended communicating party. However,
the public key encoding method solves these problems.
Public key code has the characteristic in that the locking key and unlocking key are different. That is
to say, the encoding and decoding keys used are expressed by bits that form a arithmetic pair.
Releasing the encoding key to communicating parties (public key) and keeping the decoding key a
secret to oneself (private key) has the advantage that only the user can perform decoding. That is to
say, even if there are eight other communicating parties, the only key that must be kept secret is a
single private key9.
Key Pair
Fig. 3 Public Key and Private Key
8
Locks for electronic keys correspond to cipher algorithms. However, an explanation of algorithms would deviate
from the purpose of this manual, so this is omitted.
9
The communicating party can use only the locking key, and only the user can use the unlocking key. The unlocking
key cannot be inferred from the locking key.
27
When the same public key is given to Company A’s RIS, Company B’s PACS and Company C’s
imager and encoding is performed using that public key, the communication results can be decoded
only by the CXDI which has the private key. In actual operation, data is sent from the CXDI to the
PACS, so communication can be concealed by encoding the image data using the PACS public key,
and having the PACS which receives the images decode the CXDI data using its own private key.
Image Data Image Data
encrypt
decrypt
PACS’ s PACS’ s
Public Key Private Key
CXDI PACS
Encrypted Image Data
Fig. 4 Encryption Using a Public Key
However, encoding/decryption processing using public keys generally requires significant CPU
power and time. Therefore, TLS authenticates the communicating party by the public key method,
generates a common key called a session key, and then encodes and sends only this session key
using the communicating party’s public key (Fig. 5). On the other hand, the exposure data is encoded
and sent using the previously generated session key. This session key is generated for each
communication, so there is no risk of reuse of the same key.
When the communicating party receives the exposure data, first it decodes the session key using its
own private key. Then secure communications can be established by using this session key to decode
the exposure data.
Image Data Image Data
Session key
use Session key
use
Session Key
encrypt
decrypt
Session Key
encrypt
decrypt
PACS’ s
PACS’ s
Public Key
Private Key
Encrypted Image Data
Encrypted Session Key
Fig. 5 TLS Performs Hybrid Encoding Using a Session Key
28
The CXDI’s private key format is a X.50910 DER (Distinguished Encoding Rule)11 format binary
file, and the private key is stored in the CXDI Run directory together with the certificates. Encoding
this private key with a password phrase12 is recommended. In addition, private keys are generated
as a pair with public keys, so certificate authority services generally issue them at the same time as
certificates.
6) Electronic certificates
Does a public key really correspond to the private key of the communicating party, and is it really a
public key? The public key infrastructure (PKI) is shown below. PKI refers to the overall
authentication technology and infrastructure that uses public key code. When using the public key
method alone, there is the vulnerability that a third party may send a fake public key.13
Therefore, electronic certificates were devised as a system to solve this problem. An electronic
certificate consists of the user’s information (name, e-mail), validity period, public key, certificate
authority information and other data, which is electronically signed14 by the certificate authority
(CA) (Fig. 6).
Version
Serial Number
Signature Algorithm
Issuer
Validity Period
Private Key Subject
Encrypt hash- value with
Public Key
CA’ s Private Key
Signature
Validate by decrypting the hash-

value with CA’ s Public Key
Fig. 6 Certificate Structure
10
Standard specification for electronic key certificates and certificate revocation lists (CRL). Recommended by the
ITU (International Telecommunications Union).
11
This is the format used by WWW browsers. Certificates are also distributed by a text format called PEM (Privacy
Enhanced Mail), but this is Base64 encoding so it cannot be read by humans without the use of some tool. PEM and
DER are mutually convertible.
12
In contrast to a single password, a password phrase is multiple words (or a sentence) including spaces. The number
of bits increases, so there is less vulnerability compared to a password.
13
This is called a man-in-the-middle attack.
14
A hash-value encoded by a secret key in order to confirm that a certificate (and particularly the public key) has not
been falsified.
29
Encoding the signature with the CA’s public key makes it possible to verify whether the
communicating party’s certificate is correct.
In addition, it is natural to question whether the CA’s public key can be trusted. Therefore, in order
to confirm the CA’s public key, have another CA issue a certificate and repeat this authentication
process further. This method of confirming certificate reliability by retracing a layered structure
until a reliable CA is finally reached is called the X.509 authentication model.
Private key Self-

signed
signature Root- CA’ s

certificate
root CA
Sub- CA’ s trust

certificate
sub CA
trust
Private key trust
signature
signature
CXDI’ s PACS’ s
certificate certificate
CXDI PACS
Fig. 7 Chain of Trust Using Keys and Certificates
However, anyone can create electronic certificates by following X.509, so just because there is a
certificate does not mean it is secure. Certificate reliability depends on the certificate authority
established by the hospital system vendor or the specified certificate authority. Considering the use
in the closed environment within a hospital, that is to say without an internet connection, the
necessity of using certificates created by a well-known CA on DICOM is unclear. However,
environments that are connected to the internet have a high security risk, so the costs should be
accepted and certificates from a legitimate CA (the well-known VeriSign.com etc.) should be used.
30
7) Certificate installation
Install keys and certificates in D:\ccr (Copy in DER format)
When intermediate certificates and route certificates are installed in D:\ccr\srv-certs (copied in DER
format), the communicating party’s certificates that are exchanged during TLS communication are
automatically traced and authenticated. When authentication of the communicating party
(certificates) succeeds, a DICOM Association can be established.
A maximum two years of validity period for a certificate is recommended by IHE.
Keys and certificates are issue by the system vendor in accordance with the specifications required
by the hospital. Note that using a validity period that is shorter than necessary will increase the time
and effort needed for renewal.
8) Operation method
The detailed operation method depends on the specifications required by the security policy of each
hospital. The system vendor issues certificates and keys that allow authentication between the
various devices, so these certificates and keys for the CXDI are renewed by copying the provided
files to the specified directories.
31
9) Setup method
After completing certificate installation, perform the Node Authentication function setup using
HIPAASetupTool.exe.
Specify the certificate and private key files specify the certificate and private key files for CXDI in
association with a printer number registered as a printer on the output destination setting of CXDI
system software.
The next time the CXDI is started up, these certificates and keys are added to the PRINTER
OPTION parameters registered in the printer setup. (Example: -h client.der privkey.der)
(Node Authentication Setup Printer Screen)
↓CXDI startup
(PRINTER OPTION Parameters)
32
The settings on the storage side should also be made likewise by adding the certificates and keys to
the STORAGE OPTION parameters.
（Node Authentication Setup Storage Screen）
33
10) Troubleshooting
When an error occurs during DICOM communication, the error is displayed in the OPU dialog and
on the CCR console screen.
The major error causes are as follows.

(1) Incorrect certificate format (Only DER format can be used for CXDI)
(2) Certificate(s) installed in incorrect folder (No installed Certificates in d:\ccr\srv-certs)
(3) Valid certificate(s) are not available (No Link, Expiration of expiry date)
34
6. Reject Reason Function
1) Overview
The CXDI System Software earlier than V. 6.4 did not support a function that allows the X-ray
operator to enter the reason for rejection when the operator has rejected the image or when the
operator retakes an image. In addition, it did not support a function that allows an administrator to
view the whole information about rejected images.
Therefore, it has been difficult for the administrator in the hospital to know why and how often
individual X-ray operators have rejected and retaken images.
To overcome such a difficulty and meet the strong demands of the marketplace, the CXDI System
Software V. 6.4 or later support a function that allows the X-ray operator to enter the reason for
image rejection and a function that allows the administrator to view the information about rejected
images. Thus, the administrator can collect and analyze the information about rejected images.
(Before release of V. 6.4, there was a site that allowed the administrator to know the reason for
rejection according to the series description.)
2) Setup procedure
[Technical Description]
1. GUI
[SYSTEM]->[SETUP MENU]->[SYSTEM SEUP]->[REJECT REASON]
(For the setup method, refer to Section 3 “Setup”.)
35
2. Operation
1) The administrator can view the image rejection information by accessing the CXDI (Cont PC)
from another PC over the network. The administrator can also copy data to his/her PC over the
network.
2) Combined use of the reject reason information function with the User Authentication function (a
new function supported by V. 6.3 or later) allows the administrator to identify operator's name
efficiently.
3) It is recommended that the [Erase Study] button be undisplayed.
(Ver. 6.4 or later can undisplay the [Erase Study] button in the Exposure screen.)
4) The service technician must set up the reject reason function at installation.
5) The administrator must create (or edit) a reject reason list.
Person in
Description
charge
Service
Sets up the reject reason function and the network.
technician
Creates (or edits) a reject reason list and analyzes the
Administrator
rejection information.
Operator Enters the reason for rejection.
3. Setup
(1) Use the HIPAA setup tool or Ccr Console Menu to set up the reject reason function.
(The parameters set using the HIPAA setup tool are reflected in the Ccr console Menu.)
3.1 HIPAA Setup Tool

1) Execute HIPAASetupTool.exe.
36
2) Check the [Use Reject Reason] check box and set parameters.
【Description of Setting Items】

Item Description Details
Use Reject Reason Reject Reason function Determine whether to use the reject reason
Enable/Disable function.
Enable or Disable(Default: Enable)
Reject Info. Folder Rejection information output This item can be set only when the [Use Reject
(Full Path is also OK) destination folder Reason] check box is checked (function
enabled).
Specify the path to the output destination folder.
Note:
Be sure to specify a local folder on the CXDI
PC. If a folder on another PC is specified,
proper operation is not guaranteed.
Specify the path with up to 64 characters.
No default value exists (blank).
Open Folder specification button This button can be used only when the [Use
Reject Reason] check box is checked (function
enabled).
Pressing this button displays the dialog used to
specify a folder.
Reject Info. File Rejection information file Details on rejection information file
Advanced Rejection information file This button can be used only when the [Use
button Reject Reason] check box is checked (function
enabled).
Pressing this button opens the [Reject Reason
Advanced Setup] screen.
37
Item Description Details

Reject Info File Format Rejection information file Enter the character string to be output to the
output format CSV file with an annotation macro and comma.
To output % as it is just like the annotation,
enter %%.
Up to 256 characters can be entered.
For the default, refer to [Annotation parameter
list].
When the number of % symbols is odd, an error
message appears.
(Refer to Section 8 “Errors”.)
Reject Info File Title Rejection information file Enter the title character string to be output to the
title first line of the CSV file.
Up to 256 characters can be entered.
No default value exists (blank).
3.2 Ccr Console Menu

Begin with the Ccr Console Menu.
1. Set-UP→1.Expert→5. Transmit Setup
Set the following parameters:

--- Transmit Setup -------
Use Reject Analysis? (0:No 1:Yes) [1 = 0x1] :
Reject Info. Directory (Full Path is also OK) [] :
Reject Info. File Format [%STUDY_D_MDY%,%ACS_NUM%,%OPE%,%REJECT_REASON%] :
Reject Info. File Title [] :
38
[Parameters list]
Name of Button Format Value displayed Film Note
%PID% Patient ID %DTOD_XXXX_S% Tube-Sensor distance
%PNAME% Patient Name %EXPTIME_S% Exposure Time (msec)
%PBIRTH_XXXXX% Patient Name %EXPMA_S% X-ray TubeCurrent (mA)
%AGE% Age %EXPMAS_S% Exposure (mAs)

%PSEX% Sex %MARK% Mark
%ACS_NUM% ACCS. NO. %LTRLTY% Laterality
%STUDY_T% Study Time %SRS_T% Series Time
%STUDY_DESC% Study Desc. %GRID% Grid Name
%STUDY_ID% Study ID %DTOP_XXXX_S% Tube-Patient distance
%FREE1% FREE #1 %FSPOT_S% Focal Spot Size
%FREE2% FREE #2 %IP_PARAM% QA Parameter
%PHYS% Physician %REX% REX
%REF_PHYS% Referring Physician %REQ_ID% Image ID
%OPE% Operator %ATTRSIZE% Image Size
%P_SIZE% Height %MR% Reduction Ratio
%P_WT% Weight %PROTO% Protocol Name
%SENSOR% Sensor Name %DOSE% Absorbed Dose
%BUTTON% Exposure Mode %DOSEAREA% Dose Area Product
%BODY% Body Part %MULTI_TEXT1% %MULTI_TEXT1%
%VPOS% View Position %MULTI_TEXT2% %MULTI_TEXT2%
%SRS_DESC% Series Description. %MULTI_TEXT3% %MULTI_TEXT3%
%KVP_S% KVP (kV) %STUDY_CNT% Study Counter
%EXP_CNT% Image Counter %SRS_D% Series Date
%SRS_ID% Im. Counter per Study %SRS_D_DMY% Series Date
%INST% Institution Name %SRS_D_MDY% Series Date
%ST_N% Instrument Name %FSPOT% Focal Spot Size (mm)
%GRP_ID% Area ID %FSPOT_INCH% Focal Spot Size (mm)
%GRP_N% Area Name %FSPOT_INCH_S% Focal Spot Size (mm)
%SN_NUM% Serial No. %KVP% kV
%VER% CXDI Ver. %STUDY_D% Study Date
%RIS_TEXT_FILM% RIS Text for Film %STUDY_D_DMY% Study Date
%P_AGE% Age (RIS) %STUDY_D_MDY% Study Date
%EXPMA% mA %EXPMAS% mAs
%EXPOTIME% msec
[Parameters list (disabled)]
39
Name of Button Format Value displayed Film Note

%STUDY_D_XXX% Study Date %SRS_D_XXX% Series Date
%PBIRTH% Birth Date %PBIRTH_D_MDY% Birth Date
Tube-Patient distance
%PBIRTH_D_DMY% Birth Date %DTOP%
(cm)
Tube-Sensor distance Tube-Patient distance
%DTOD% %DTOP_S%
(cm) (cm)
%DTOD_S% %DTOP_INCH%
(cm) (cm)
%DTOD_INCH% %DTOP_INCH_S%
(cm) (cm)
%DTOD_INCH_S% %DTOP_XXXX%
(cm) (cm)
Tube-Sensor distance
%DTOD_XXXX%
(cm)
40
4. Details on Function
4.1 Creating a Reject Reason List
[SYSTEM]-> [SETUP MENU]-> [SYSTEM SETUP]
-> [REJECT REASON]
1) If the character sting entered in the reject reason

list is longer than the list width, the characters at
the right end are replaced with “…”.
2) Up to 63 characters can be entered.
【Reject Reason list】
4.2 Entering a Reject Reason

1) Enter a reject reason directly or select it from the reject reason list.
2) Up to 63 characters can be entered.
Position
Too little Dos.
Display of rejection reason
41
4.3 Canceling the Reject Reason

1) Change the reject reason or cancel
the rejection to validate the image.
2) Pressing the [CHANGE REJECT REASON]
button displays the REJECT REASON
ENTRY dialog.
4.4 Setting Properties at Installation

1) At installation, the service technician must activate the reject reason function by setting
properties using the HIPAA setup tool or the Ccr Console Menu.
2) At installation (upgrading) of the CXDI System Software, the installer creates the following
Windows user for rejection information viewing. (The Windows user is automatically created
even if the reject reason function is not active.)
Properties Description
User name supervisor
Password supervisor
Privilege User privilege
Others Set the password as a permanent
password.
3) The CXDI outputs rejection information as a CSV text file. The service technician must create a
CSV file output destination folder on the CXDI PC using Explorer, or create a new folder using
the HIPAA setup tool.
(The CXDI does not create an output destination folder automatically.)
Note: Do not create an output destination folder on another PC on the network. If crated, proper
operation is not guaranteed.
For example, rejection information cannot be output when a network failure occurs.
This function is only capable of outputting a CSV file to the CXDI (Control PC).
Output destination folder sharing must be set to allow the administrator to view the created folder.
The procedure is described below.
Procedure
(1) Preparation
Have the keyboard and mouse ready.
(2) Using Explorer, display the Properties screen of the created folder.
42
(3) On the [Sharing] tab of the created folder, select “Share this folder”.
(4) Press the [Permissions] button, and then remove “Everyone” from the displayed list.
(5) Add “supervisor” as a user name, and then click the [Read] check box in the “Permissions for
Everyone” filed to grant permission for "Read only".
Be sure to select “Read” to set the "Read

only" permission.
43
Supplementary Explanation
In the work-group environment, the “Simple File Sharing” function of Windows XP must be
deactivated so that permission for access to the shared folders can be set for each user.
To deactivate the “Simple File Sharing” function, select [Explorer]-> [Tools]-> [Folder Options]. On
the [View] tab, uncheck the [Use simple file sharing (Recommended)] check box.
Supplementary Explanation
Setting of shared folders in domain environment, a shared folder can also be set using the user
specified from the hospital side without using the user “supervisor” which the installer of CXDI
creates. However, please note that the following two which are to be set up in Procedure 3) should
be performed simultaneously at the time of the setting of a shared folder.
-Be sure to delete “Everyone user” from the list of access privileges.
-For the user added to the list, be sure to set the access privilege as “Read”.
4) When the reject reason function is used, it is recommended that the [Erase Study] button be
undisplayed. (By default, this button is disabled.)
If study is finished by pressing the [Erase Study] button, the image information is not saved in
the CSV file.
5) When the reject reason function is active, it is recommended to activate the “user authentication”
function.
When the user authentication function is active, the administrator can exactly know the operators
who rejected individual images. Accordingly, the reject reason function can be effectively
implemented when combined with the user authentication function.
Of course this function can be used in an environment where the user authentication function is
inactive. This function can be implemented normally irrespective of whether “Essential” or
“Option” is selected for operator name input.
44
5. Properties Checked by CXDI

When a character string is entered using the HIPAA setup tool or Ccr Console Menu or when the
CXDI starts, the CXDI performs the checks listed below.
Checks 2-4 are performed only when the reject reason function is active.
Check at entry of character

No Property to be checked Check at start of CXDI
string
1 Reject Analysis Yes/No Not checked. Not checked.

An error message is An error message is displayed
CSV file output
2 displayed when no folder when the specified folder does
destination folder
name is specified. not exist.
An error message is
displayed when the number
of % symbols is odd. 257th
An error message is displayed
and later characters are
3 CSV file output format when the number of % symbols
truncated. When the line feed
is odd.
code is entered, the
subsequent characters are
truncated.
257th and later characters
are truncated. When the line
4 CSV file title line feed code is entered, the Not checked.
subsequent characters are
truncated.
6. Multi-view
The multi-view screen does not show the reject reason.
To view the reject reason, open the Reject Reason Entry screen.
45
7. Outputting the Rejection Information to the CSV File

When the Reject Analysis function is active, the CXDI outputs the rejection information to the CSV
file at completion of study. The administrator can view the rejection information by opening the
CSV file from the administrator’s PC over the network.
Let’s take a look at the contents of the CSV files and how to use them.
CXDI PC External PC
Administrator
CXDI program
Output destination folder
reject01.csv
reject02.csv
Rejection information ….. Logs in from a different
is output at reject12.csv network-connected PC as a
completion of study.
“Supervisor” user and opens
the folder on the CXDI
Network sharing
Supervisor: Read Only
Everyone: Deny
7.1 CSV File Names

CSV files with the following names are created in the CSV file output destination folders.
reject01.csv Log of January

reject02.csv Log of February
reject03.csv Log of March
… … Max. 12 files
reject11.csv Log of November
reject12.csv Log of December
For example, rejection information about the images taken in June 2005 is output to reject06.csv,
rejection information about the images taken in July 2005 is output to reject07.csv, and rejection
information about the images taken in June 2005 is output to reject06.csv respectively. When
rejection information is output to reject06.csv where the rejection information about the images
taken in the previous year already exists, the old information is deleted before new information is
stored (according to the file update date). Since all CSV files are overwritten when one year lapses,
the period of retention of reject reasons in the CXDI is set to one year. If the administrator wants to
retain reject reasons for more than one year, the administrator must manage it by coping CSV files to
another PC.
After completion of study and image transfer, the CXDI determines the destination CSV file
assuming that the time a reject reason is stored in the CSV file is the current time. If study started on
August 31 and ended on September 1, the rejection information is stored in reject09.csv.
46
7.2 CSV File Update Date Check Process

If study is completed in September 2006, the CXDI checks whether reject09.csv exists and the
update date of reject09.csv, then executes the following processing before outputting rejection
information.
Existence of file File update date

Create an empty reject09.csv, and then outputs
When reject09.csv does not exist
rejection information.
Deletes the reject09.csv, creates an empty
The year and month reject09.csv., and then outputs rejection
of the update date are information.
difference from those (Assume that the file already contains the rejection
of the current date. information stored in September of the previous
When
year (2005).)
reject09.csv
exists
Additionally stores the rejection information in the
The year and month
reject09.csv.
of the update date are
(Assume that the file contains the rejection
the same as those of
information stored up to August 31 of this year
the current date.
(2006).)
7.3 Character Strings Output to CSV Files

Character strings output to CSV files are as follows:
Specify an output format. %STUDY_D_MDY%,%ACS_NUM%,%OPE%,%REJECT_REASON%
Specify a title line

Double quotation marks
(“) are not added at the
time of setup.
When no title line is
specified
Output contents of CSV files
When the CXDI outputs
“9.12.2004”,”12579”,”JJ”,”motion”
rejection reasons to the CSV
“9.12.2004”,”12892”,”BT”,”position” files, it adds double quotation
“9.12.2004”,”12892”,”BT”,”motion” marks (“) before and after all
“9.12.2004”,”12897”,”JJ”,”motion” items including the first line.
Specify an output format. %STUDY_D_MDY%,%ACS_NUM%,%OPE%,%REJECT_REASON%
Specify a title line Study Date, Accession #, Operator, Reject Reason
When a title line

is specified
The title line is shown
Output contents of CSV files before file names
“Study Date” ,”Accession #”,”Operator”, ”Reject Reason”
“9.12.2004”,”12579”,”JJ”,”motion” One line is output for
“9.12.2004”,”12892”,”BT”,”position” each image using the
“9.12.2004”,”12892”,”BT”,”motion” specified format.
“9.12.2004”,”12897”,”JJ”,”motion”
47
The CXDI outputs rejection information in the CSV1 format (character-string-type item enclosed
with double quotation marks (”)) assuming that all items separated by commas (,) are character
strings. If a double quotation mark (”) is used in data, the CXDI replaces it with two double
quotation marks (””).
7.4 Timing of Output of Rejection Information to the CSV File

When the [END STUDY] button is pressed, the CXDI outputs rejection information to the CSV file
immediately before the END STUDY lamp goes out at completion of image transfer to all
destinations.
7.5 Changing the Reject Reason on the CALLED IMAGE Screen

When “study re-output” is selected from the study list or “study re-output/image re-output” is
selected on the CALLED IMAGE screen, the rejection information is not output to the CSV file.
The operation performed when reject reason is displayed on the CALLED IMAGE screen and the
operation performed when the [Reject] button is pressed on the CALLED IMAEG screen or
multi-view screen (after completion of image reproduction) are the same as that performed during
normal exposure. When the [Reject] button is pressed for an accepted image, the Reject Reason
Entry screen appears. When the [Reject] button is pressed for a rejected image, the SELECT
PROCESS dialog appears.
Note that the rejection/acceptance status and reject reason changed here are not reflected
in the current study. They are reflected in the newly created study only when transfer to
the internal temporary storage is specified for “study re-output/image re-output”.
8. Errors
8.1 Errors Occurring at CXDI Start
Error 535
Reject Info Output Error
Selected directory for reject list can only be read. Reject info cannot be
saved on the file.
Error 537
The file format for reject list includes incorrect strings. Reject info cannot
be saved on the file.
48
8.2 Warnings Occurring during Image Transfer
Warning 535
Selected directory for reject list does not exist, or attribution is incorrect.
Reject info cannot be saved on the file.
Warning 537
The file format for reject list includes incorrect strings. Reject info cannot
be saved on the file.
Warning 539
Error has occurred on saving reject info on the file. Do you retry it?
id=[Patient ID] name=[Patient name]
8.3 Others
Other possible errors are as follows (messages for these errors are not displayed on the CXDI).
Symptom Possible cause
The CXDI PC is invisible from
The CXDI PC has not started.
other PCs.
“Shared Folder Setting” is inactive.

Shared folders on the CXDI PC
The administrator has not logged in
cannot be opened from other PCs.
as a “supervisor” user.
49
7. Storage Commitment function
1) Overview
For the combination of CXDI System Software Ver6.4 and DMW_PS2 Ver4.1 or later, Storage
Commitment function of DICOM Standard has been officially supported.
For the former combination of already released CXDI System Software Ver6.33 and DMW_PS2
Ver4.0, this function was only tentatively supported because of residual problems such as
incompatibility with Node Authentication function, etc.
2) Function/Setup procedure
[Technical Explanation]
1. Difference from CXDI Ver6.33 (DMW PS2_Ver4.0)
CXDI Ver6.33 (DMW PS2_Ver4.0) had the following limitations:
-Formerly, image deletion control was not provided on CXDI side even when storage commitment
result from PACS (N-EVENT-REPORT) was received; It means images were automatically
deleted in chronological order (from the oldest) when HDD storage became full.
-HIPAA did not support Node Authentication.
CXDI DMW_PS2 Storage Commitment

Ver6.33 or later Ver4.00 OK
Ver6.40 Ver4.00 NG
Ver6.40 Ver4.1x OK
Ver6.33 or later Ver4.1x NG
[Operation with combination of CXDI and DMW_PS2]
Ver6.33
Node Authentication ON ON OFF OFF
Storage Commitment Not used Used Not used Used
Operation OK NG OK OK
[Operation with CXDI Ver6.3]
Ver6.4
Node Authentication ON ON OFF OFF
Storage Commitment Not used Used Not used Used
Operation OK OK OK OK
[Operation with CXDI Ver6.4]
50
CXDI Ver6.40 (DMW PS2_Ver4.1) supports the following features, which were not supported in the
former Storage Commitment function.
- Auto-deletion of images and deletion of images from Study List are possible only after
notification of storage commitment request to the storage transfer destination, reception of
storage commitment results from the destination, and storage commitment result was successful.
- Study information of incomplete storage commitment can also be deleted from “User” with
displaying a confirmation dialog message.
- Node Authentication for Storage Commitment Request (N-ACTION) and Storage Commitment
Result (N-EVENT-REPORT) is available.
2. Preconditions
- Transfer destination PACS supports the storage commitment.
- DMW_PS2 Ver4.1 is installed.
- The port to be used for receiving storage commitment result is set to Permit in the Firewall
setting.
-> At Startup, message concerning Firewall is displayed. Be sure to set it to Permit.
- It is recommended that Retry operation is available when transfer destination PACS failed in
returning storage commitment result to CXDI.
3. Structure (outline)
CXDI Node Authentication, Request Association Connection

- Auto-delete control
PACS
Request image storage (C-STORE)
-Control deletion
from Study list
Node Authentication, Request Association Connection
Storage Commitment Request (N-ACTION)
Commit folder
Node authentication
commit.exe Request Association Connection
Storage commitment result (N-EVENT-REPORT)
51
4. GUI
SC1: Storage Commitment1 (Storage Commitment Request Destination Storage 1)
SC2: Storage Commitment2 (Storage Commitment Request Destination Storage 2)
(1)
(2) (3)
(4)
[Study List Display Setting] [Study List]
No. Item Description Details

Incomplete Storage Study of incomplete Storage Sum of OK and RQ in SC1,SC2 (Max.9999)
(1) Commitment Commitment is displayed. Not displayed in Study List when external storage is used.
Storage Commitment Request
(2) SC1 Destination Storage 1
Displayed either in “Used Column” or “Unused Column.”
Storage Commitment Request
(3) SC2 Destination Storage 2
Displayed either in “Used Column” or “Unused Column.”
Storage Commitment: Storage Commitment has been completed normally.
OK completed
Storage Commitment: CXDI issued Storage Commitment Request but no result has been
RQ returned from PACS.
awaiting result.
(4) NG Storage Commitment: failed. PACS sent back Storage Commitment: failed.
No Storage Commitment Storage Commitment function is not used. Or no storage transfer is

== Request. conducted.
5. Outline of Functions
Outline of Functions related to Storage Commitment Request is as shown below.
5.1 HIPAA Setup (done by service technician)

Item Description Remarks
Storage Commitment function setup Use HIPAA setup tool. See 6.1HIPAA Setup
Setup auto-deletion “delete method” (Same as above) See 6.1HIPAA Setup
Setup Node Authentication at reception (Same as above) See 6.1HIPAA Setup
Log output setup Edit Commit.ini.for setup See 6.2 Log Output Setup
52
5.2 COMMIT (PACS-CXDI)

Reception of Storage Supports reception without Node

See 6.1HIPAA Setup
Commitment Request result Authentication.
-Node Authentication function is
switchable to ON/OFF.
Request of Association
-After Association connection request
connection by Node See 6.1HIPAA Setup
by Node Authentication succeeded,
Authentication
Storage Commitment result information
is received.
Errors in check/reception processing
Display Error Message See 8. Error
are displayed in Node Authentication.
5.3 CXDI (Doctor/Engineer)

-When [delete] button is pressed at See 8. Error
internal temporary storage study, no
response of Storage Commitment
Request result was returned. (Study
Control deletion from Study List: SC1/SC2 RQ) Or, alert message
List screen. of “incomplete” is issued to the study
that failed in Storage Commitment
Request (Study List: SC1/SC2 NG)
- After the alert is displayed, it can be
forcibly deleted.
Alert message at Deletion of See 8. Error
Display alert message incomplete Storage Commitment is
displayed.
On Study List screen of internal See 4. GUI
Display the number of studies temporary storage, the number of
with incomplete Storage studies that either in the middle of or
Commitment failed in Storage Commitment is
displayed.
On Study List SC1/SC2, Storage See 4. GUI
Display Storage Commitment Commitment result
result (Success, In Storage Commitment,
Failure, or No request) is displayed.
- If storage is included in re-output See 4. GUI
destination, Storage Commitment
Request will be newly issued.
- At re-output, Storage Commitment
Re-output from Study List
result for the old image is not taken
over. (E.g. If Storage Commitment
failed, old image remained “failed” on
Study List even at re-output.)
53
-The image that is in the middle of or

failed in Storage Commitment will be
Control Auto-deletion skipped. See 6.1HIPAA Setup
-By setting, it is also possible to forcibly
delete failure image.
If normal starting capacity for
Display alert message after auto-deletion cannot be restored after See 7. Details of Functions
auto-deletion auto-deletion, an alert message will be See 8. Error
displayed.
6. Setup
6.1 HIPAA Setup
The following are details of setup related to Storage Commitment Request. The setup is made with
HIPAA setup tool by service technician.
(For details of authentication and private key, refer to APPENDIX-6 HIPAA function.)
[Figure 1] [Figure 2[
(3)
(4)
(1) (5)
(2) (6)
(7)
(8)
(9)
(10)
[Figure 3] [Figure 4]
54
No Item Description
Input authentication file needed for image storage request
(C-STORE) with Node Authentication: ON. Up to 64 characters
(1) Certificate
are allowed. Use relative path to input.
Refer to 7.4.6 Node Authentication Combination
Input private key file needed for Storage Commitment Request
(N-ACTION) with Node Authentication: ON. Use relative path to
(2) Private Key
input.
Refer to 7.4.6 Node Authentication Combination
Set On/Off for Storage1-4 Storage Commitment Request.
(3) Storage1-Storage4
Checking this enables the following settings.
Input Port No. to receive the result of Storage Commitment
(4) Port No. Request (N-ACTION)with Node Authentication: OFF.
Numbers from 1 to 65535 are allowed.
(5) Called AE Title Input AE Title on CXDI side. Up to 64 characters are allowed.
-m maxPDU: Specifying this enables changing internally used
maxPDU value (131072) (Unit: byte). To comply with
(6) Option parameter DICOM standard, specify 131072 or smaller value.
-j timeout: Reception Timeout time can be specified (unit: second).
Default value (180 second) can be changed here.
Input Port No. to receive the result of Storage Commitment
(7) Port No. Request (N-ACTION) with Node Authentication: ON.
Numbers from 1 to 65535 are allowed.
Input authentication file needed for Storage Commitment result
(N-EVENT-REPORT) with Node Authentication: ON. Use the
certificate that has not been specified in (1). Up to 64 characters
are allowed. Use relative path to input.
(8) Certificate
If all Node Authentications for Image Storage Request (C-Store),
Storage Commitment Request (N-ACTION) are set to Off (Figure
4), this field is not available (Disable). Refer to 7.4.6 Node
Authentication Combination.
Input private key file needed for Node Authentication
(N-EVENT-REPORT).
If all Node Authentications for Image Storage Request (C-Store),
(9) Private key Storage Commitment Request (N-ACTION) are set to Off (Figure
4), this field is not available (Disable). Use the Private key that
has not been specified in (2). Use the relative path to input. Refer
to 7.4.6 Node Authentication Combination.
Compulsory Specify whether to include studies with incomplete Storage
auto-deletion of Commitment at auto-deletion.
(10)
temporary stored If “Yes” is selected, study with incomplete Storage Commitment
images will also be auto-deleted.
(3) to (10) Additions available with Storage Commitment function.
Note: Setup must be done when CXDI system is not operating. (Finish Ccr before work)
55
6.2 Log Output Setup

Editing commit.ini enables changing the log level.
“3commit.ini” will be automatically updated when it exceeds 3M bytes.
-- commit.ini --
[LIB_INFO]
LOG_LEVEL=0
Level Description
0 No output
1 Output Error
2 Output Error/Warning
3 Output Error/Warning/Debug
6.3 Setup on the side of Storage Commitment Request Destination Storage

Setup on the side of Storage Commitment Request destination storage should be done by OPU
system setup mode. (This is as usual.)
[SYSTEM]->[SETUP MENU]->[DESTINATION SETUP]->[STORAGE]
(If Storages 1 to 4 exist, setup for all of them is necessary. However, combinations of Storage 1+ 3
and Storage 2 + 4 are prohibited as usual.)
56
7. Details of Functions
7.1 Operation when Storage Commitment Request function is ON/OFF
Function ON OFF Description
Node Authentication Setup Enable Disable When OFF, Node Authentication is always skipped.
Storage Commitment Request Enable Disable When OFF, Storage Commitment Request is not conducted.
Awaiting Storage Commitment
Enable Disable When OFF, commitment.exe is not started.
Result
Controlling deletion from Study
Enable Enable [Delete] button can be used for deletion regardless of ON/OFF.
List
When OFF, images are auto-deleted in chronological order (from
Auto-deletion control Enable Disable
the oldest) as usual.
Disk space control Enable Disable When OFF, alert is not displayed.
Display of Storage
Always displayed regardless of ON/OFF.
Commitment Information Enable Enable
Setup of Study List display.
(SC1/SC2)
Display of the number of
studies with incomplete Enable Disable When the number of studies is zero, the number is not displayed.
Storage Commitment
Note: Setting must not be changed when there is a study with Storage Commitment in progress.
If setting has been changed during Storage Commitment, Storage Commitment result might
not be received and errors could occur on the PACS side.
7.2 If Storage AE Title has been changed

If storage AE Title has been changed with Storage Commitment function set to “Enable”, the
following alert dialog will appear to prompt you to restart.
7.3 Deletion from Study List

If you attempt to delete from Study List by using [Delete] button the image that is either awaiting the
result of Storage Commitment (SC1/SC2:RQ), or has failed in Storage Commitment (SC1/SC2:NG),
the following dialog appears.
Pressing [OK] will forcibly delete the image.
57
If you select more than one image and attempt to delete from Study List by using [Delete] button the
image that is either awaiting the result of Storage Commitment (SC1/SC2:RQ) , or has failed in
Storage Commitment (SC1/SC2:NG), the following dialog appears.
Pressing [OK] will forcibly delete the image.
7.4 Notes on Disk Space

7.4.1 The case to affect disk space
The following could affect disk space.
- Storage side does not support Storage Commitment.
Since Storage Commitment result cannot be received, the image will be left. In this case, either
delete the image by Study List, or use HIPAA setup tool to disable Storage Commitment function.
(Except the case when < Compulsory auto-deletion of temporary stored images> is set to ON by
using the HIPAA setup tool.)
- CXDI has not been started up when Storage sent Storage Commitment result to CXDI
The image will be left over unless Storage Commitment result for that image is sent from Storage
side. In this case,
1) If Storage has the function to retransmit Storage Commitment result, have it retransmitted.
2) If it’s impossible to retransmit Storage Commitment result, check if the image is stored in the
Storage side and if not, retransmit this image from Study List. In this case, the user must
forcibly delete the original image from Study List by using the [delete] button. If the image is
stored in Storage side, forcibly delete the image from Study List by using the [delete] button.
7.4.2 Disk Space Alert

If images with incomplete Storage Commitment are out of scope of auto-deletion (when HIPAA
setup tool is used to set <Compulsory auto-deletion of temporary stored images> to OFF), images
might be left over in internal temporary storage. The following alert message is displayed and call
user’s attentions.
Alert
Internal storage Limit Warning (-547)
The amount of available internal storage space has dropped below xxxGB.
Check the contents of the study List.
58
[Conditions for Displaying Alert]

Ccr Console Menu
1. Set-Up->0. Normal-> 5. Transmit
When the space becomes smaller than Store Recovery MB, auto-deletion function works. If the
prescribed space cannot be obtained by this, alert will appear.
When remaining space

D drive
becomes smaller than
this value, the oldest
(Drive where CXDI is
four studies will be
installed.) auto-deleted. However,
if the space cannot be
Store Recovery MB
7.4.3 Auto-deletion
- Delete from the image for which Storage Commitment has completed (Unit: four studies). The
image with incomplete Storage Commitment will be skipped.
- If auto-deletion has left only studies with incomplete Storage Commitment, and auto-deletion
starting space has not been reached, either processing set up by HIPAA setup tool will work. (To
auto-delete/not to auto-delete)
- Timing for start auto-deletion:
1) At CXDI startup
2) Just before QA processing after exposure
3) Just before internal temporary store (dtstore)
7.4.4 Re-output from Study List

- If [Image Re-output] or [Study Re-output] has been conducted from Study List, Storage
Commitment Request will be newly issued.
<Condition> This occurs only when internal temporary store is conducted at the same time. This
means if internal temporary store is not conducted, Storage Commitment Request
will not be issued.
- If [Image Re-output] or [Study Re-output] has been conducted to the image that is in the middle of
Storage Commitment, or has failed in Storage Commitment, Storage Commitment information will
not be taken over. (It will be treated as a new event.)
59
7.4.5 Action when exposure output or study cancel is selected

Storage Commitment Request is issued for each study; usually issued after the study is complete. So,
if study is cancelled, Storage Commitment Request will not be issued. Storage Commitment Request
will not be issued either when study cancel occurred after exposure output. At this time, the
following warning dialog will be displayed.
7.4.6 Node Authentication Combination

One of the following combinations is selected.
Image Store Request/
Storage Commitment result
Storage Commitment Request Combination
(N-EVENT-REPORT)
(C-STORE/N-ACTION)
Node Authentication ON Node Authentication ON Enable
Node Authentication OFF Node Authentication OFF Enable
Node Authentication ON Node Authentication OFF Disable
Node Authentication OFF Node Authentication ON Disable
60
8. Error
8.1 When Storage Commitment Request failed in transmission
If an error occurred during transmission of Storage Commitment Request from CXDI to PACS, the
warning dialog is displayed as shown below. The message is the same as that for storage transfer
errors except for Error Code and the first line.
Error -540 to -543 corresponds to Error -502 to -505, respectively.
8.2 When Storage Commitment Request failed in reception

This has the following three patterns when it occurs:
Node Authentication failed

CXDI PACS
Association Connection Request failed.
Commitment.exe
Storage Commitment
Request result failed.
8.2.1 When Node Authentication failed

Node Authentication has an error during execution, xxxxx.nod file (xxxxx: year, month, date, hour,
minute, and second) will be generated.
logs/err/xxxxxx.nod (binary file)
Item Max. Description
Error Type 2Byte Error type (1: Communication error)
Error Code 4Byte Error Code (See tables in 8.3 Error Code)
Host Name 64Byte Host Name (NULL fixed)
AE Title 64Byte Sender Title (NULL fixed)
Details of Error Message
Message 256Byte
(See Error codes in 8.3.2)
61
8.2.2 When Association Connection Request failed

When Association Connection Request has an error during execution, the file xxxxx.nod (xxxxx:
year, month, date, hour, minute, and second) will be generated.
logs/err/xxxxxx.nod (Binary file)
Error Type 2Byte Error type (2: Failure)
Error Code 4Byte Error Code (See tables in 8.3 Error Code)
Host Name 64Byte Host name (NULL fixed )
AE Title 64Byte Sender Title (NULL fixed)
Message 256Byte
(See Error Code tables in 8.3.2)
8.2.3 When Storage Commitment Request result failed

If the result of Storage Commitment Request has an error, the files QID_XXX.err and QID_XXX.txt
will be generated.
logs/err/QID_XXX.err (Binary file)
logs/err/QID_XXX.txt (Binary fiile)
Error Type 2Byte Error type (2: Failure)
Error Code 4Byte Error Code (See 6.1.2.4 tables in Error Code)
Host Name 64Byte Host Name
AE Title 64Byte Sender Title
Message 256Byte
(See Error Code tables in 8.3.1)
62
8.3 Error Code

8.3.1 Error Code for Storage Commitment Request Failure Reasons
Code Description
0x0110
A general failure in processing the operation was encountered.
Processing failure
0x0112 One or more of the elements in the Referenced SOP Instance
No such object instance Sequence was not available.
0x0213 The SCP does not currently have enough resources to store
Resource limitation the requested SOP Instance(s).
0x0122 Referenced SOP Class not supported.
Referenced SOP Class not Storage Commitment has been requested for a SOP Instance
supported. with a SOP Class that is not supported by the SCP.
The SOP Class of an element in the Referenced SOP Instance
0x0119
Sequence did not correspond to the SOP class registered for
Class/Instance conflict
this SOP Instance at the SCP.
0x0131 The Transaction UID of the Storage Commitment Request is
Duplicate transaction UID already in use.
63
8.3.2 Error Code for Node Authentication/Communication System Failure

Code Description TLS Library
-1 TLS Doesn't Connect Port No. setting mistakes, etc.
-33 TLS Client FIN Error
-34 TLS Client BAD MAC Message authentication Code (MAC) generation failure
-50 TLS Srv Hello No Data
-51 TLS Srv Fin No Data
-64 TLS No Shared Cipher Cipher suites do not match. Report it to Canon Inc.
-65 TLS Need Certificate Certificate is not specified. Installation mistake.
-137 TLS Cert Unknown Format Certificate format is invalid. Installation mistake.
-139 TLS Cert Invalid Sign Certificate signature is invalid.

Certificate validity is expired. Have it updated by your
-256 TLS Cert Expiration of Validity
network administrator.
Certificate Authority is invalid. (Untraceable to root
-384 TLS Cert Unknown CA
certificate.)
-385 TLS Cert Folder not found There is no certificate folder (srv-certs).
TLS (on Alert Protocol) decryption error. Certificate has
-2021 TLS (A) Decryption failed
been falsified.
-2022 TLS (A) Record Overflow
-2040 TLS (A) Handshake Failure TLS handshake error.
-2042 TLS (A) Bad Certificate Invalid certificate.

TLS (A) Unsupported
-2043 Certificate versions do not match.
Certificate
-2044 TLS (A) Certificate Revoked Certificate has been revoked.
-2046 TLS (A) Certificate Unknown
-2047 TLS (A) Illegal Parameter
-2048 TLS (A) Unknown CA
-2049 TLS (A) Access Denied
-2050 TLS (A) Decode Error
-2051 TLS (A) Decrypt Error
-2060 TLS (A) Export Restriction
-2070 TLS (A) Protocol Version TLS protocol versions do not match. Report it to Canon Inc.
-2071 TLS (A) Insufficient Security Report it to Canon Inc.
-3000 TLS Socket Error TLS socket cannot be obtained.
-3001 TLS Socket Option Error
-3002 TLS Bind Error
64
-3003 TLS Listen Error TLS socket cannot be obtained.

-3004 TLS Cert Folder Name. TLS folder name is invalid.
-3005 TLS Upper Version TLS upper version is invalid.
-3006 TLS Lower Version. TLS lower version is invalid.
-3007 TLS PrivateKey file RSA. TLS Private Key file designation mistake or it is revoked.
-3008 TLS Certificate file RSA. TLS Certificate file designation mistake or it is revoked.
TRUE SSLLIB_F IS NOT
-10000 Installation mistake, release mistake.
INSTALLED!
65

HIPAA

Caricato da

Informazioni sul documento

Copyright

Formati disponibili

Condividi questo documento

Condividi o incorpora il documento

Opzioni di condivisione

Hai trovato utile questo documento?

Questo contenuto è inappropriato?

Copyright:

Formati disponibili

HIPAA

Caricato da

Copyright:

Formati disponibili

Copyright by Canon

Mar. 2006 Rev.02

Canon Inc. Japan

2. User Authentication Function ..........................................................................................................6

4. Maintain Time Setup ......................................................................................................................23

6. Reject Reason Function..................................................................................................................35

7. Strage Commitment Functions ......................................................................................................50

3) Overall image of HIPAA support

4) Storage commitment (Structuring)

CXDI Node Authentication, Request Association Connection

1. Run HIPAASetupTool.exe contained in the directory D:\ccr.

（HIPAA Setup Customize Screen）

（User Authentication Setup Screen）

3. Make the necessary Audit Log settings, then click [NEXT].

（Audit Log Setup Screen）

4. Make the necessary Maintain Time settings, then click [NEXT].

（Maintain Time Setup Screen）

（Node Authentication Setup Printer Screen）

（Node Authentication Setup Printer Screen / Storage Commitment Setup）

2. User Authentication Function

OPU Opera Opera

3) Login operation flow

↓（CXDI Startup Screen）

↓（Initial LOGIN Screen）

4) LOGIN screen details

5) Auto Logout function

panel, Call Image.

② All message boxes.

③ When using two-way type generator communication.

・ The user name is displayed on the LOGOUT button.

・ When the LOGOUT button is touched, a confirmation message appears.

(LOGOUT Button and Confirmation Message on the Exposure Screen)

7) User authentication setup

↓（Administrator Setup Screen）

8) User Management screen and User Properties screen

（User Management Screen (Administrator login)）

(User Management Screen (General user login))

User Properties screen

(User Properties Screen)

Contents Auto Logout setting Database operations

Administrator Setting allowed All users displayed

General user Setting prohibited Only logged in user displayed

10) Installation, operation and service

D:\ccr\OLD is renamed as Opera.MDB.

operations to assign a new one.

In these cases, service can be supported by the following procedure.

11) Operator’s Name display on the STUDY INFO. screen

(STUDY INFO. Screen)

12) Summary of setting items (MenuPara.ini file)

[USER] section Item contents Default Setting contents

13) Setup procedure

(User Authentication Setup Screen)

・ Set Auto Logout function ENABLE/DISABLE.

・ Set the Auto Logout time.

[Common to both Japanese and English editions]

IheAuditLogIF.dll Audit Log Module interface block DLL.

Audit Log Module

Log output block

4) Audit Log Module functions

Log output block functions

Functions that depend on the SYSLOG protocol

6) CONFIG file setting items

Key Initial value Value

(Audit Log Setup Screen)