This document applies to OnePacs Gateway version 3.0+.
What is the OnePacs Gateway?
The OnePacs Gateway is software that receives DICOM images from an imaging device or archive, then compresses and securely transfers them to OnePacs.
Where does it run?
The OnePacs Gateway runs on a Windows-based computer on the local network of an imaging facility or hospital. The computer may be a physical server or a virtual machine. The OnePacs Gateway runs as a system service on the computer and does not require a user to be logged in.
Does it require a VPN?
No. The OnePacs Gateway uses transport layer security (TLS) to securely communicate with the OnePacs Cloud over the internet.
Recommendations
It is recommended that the OnePacs Gateway server be used solely for the purpose of transmitting studies to OnePacs, and facilitating OnePacs EMR integration. Installing any unrelated software packages increases the risk of issues and may impact performance.
Requirements
The computer should be used exclusively for the purpose of running the OnePacs Gateway software. The OnePacs Gateway does not require a public IP address or any inbound ports to be opened in your organization's firewall. A static private IP address on a secure local area network is required to provide a fixed target for your DICOM devices to communicate with. Inbound DICOM traffic is received on the local network port 4104 (configurable), and the Gateway communicates with the OnePacs Cloud on a *.onepacs.com domain on port 443 using TLS. Please ensure your firewall allows this outgoing traffic. You must obtain a licensed AE title from OnePacs prior to installing the OnePacs Gateway as it will be required during the installation setup. OpenJDK, Zulu, Etc.Hardware, software and bandwidth requirements:
Computer A physical server, PC, or virtual machine. Operating System Windows 10, 11, or Windows Server 2016 through 2022 (64 bit) Processor High-end multicore modern processor required Memory 16 GB or more recommended (required w/ HL7 interface), 8 GB minimum Disk Space 2+ TB recommended, minimum 1 TB required Internet Connectivity Sufficient upload bandwidth required to handle the anticipated case transmission load. Generally, 20+ mbps upload bandwidth is recommended. Less than 5 mbps upload bandwidth is not supported. Software Environment Network Requirements:
Installation Requirements:
User Account A local Administrator Windows user account is required to perform the installation. It must be a local account - not a domain user. AE Title Host Name The Windows computer name must not contain the underscore (_) character Internet security permissions Ensure internet security settings allow localhost applications - pgadmin opgateway Whitelistings Whitelist *.OnePacs.com and Amazon's us-east-01 IP range. Additional Requirements For Interfaces:
Mirth Connect https://www.nextgen.com/solutions/interoperability/mirth-integration-engine Java
Security
Encryption in-flight
All information transmitted to the cloud platform is encrypted using using transport layer security (TLS) with a minimum of 128-bit Advanced Encryption Standard (AES) public key encryption utilizing a SHA-2 hash algorithm.
Physical Access Controls and Disk Encryption
The OnePacs license agreement requires physical access restrictions limiting physical access to the gateway computer to authorized personnel with a legitimate need to access the equipment and/or the use of whole hard disk encryption (e.g. BitLocker).
Anti-Virus
It is recommended that an anti-virus with a current subscription be in place on the Gateway PC. To ensure proper operation of the Gateway exclude the following directories from the anti-virus scans:
- C:\Program Files\OnePacs
- C:\Program Files\PostgreSQL
Segregation of Data
The OnePacs Gateway should not be configured to support storage of DICOM images from multiple unrelated organizations.
Secure Local Network
By default, the OnePacs Gateway is configured to receive DICOM images from a local PACS or local imaging modalities on a secure local area network (LAN). It is not recommended to store images to the gateway on an untrusted network unless TLS is enabled on the DICOM listener. All outbound DICOM image transmissions to the OnePacs Cloud uses mandatory TLS encryption by default.