AWS Government, Education, & Nonprofits Blog

How to Bring Your PACS Solution to AWS

A post by Melissa Ravanini, Solutions Architect, AWS Worldwide Public Sector

Healthcare providers have to purchase hardware, storage, and licenses, and then renew all of that when they are deprecated. They have to project future growth and then make large purchases based on that projection, which may turn out to be over or under estimated. Effort is spent on matters that are not core to the healthcare business.

One of the main solutions for patient care is the PACS (Picture Archiving and Communication System). This solution is responsible for storing, retrieving, presenting, and sharing medical images, like X-Rays, CT scans, MRIs, and Ultrasounds. Durability, availability, and lowering expenditures are top priorities for companies hosting PACS solutions.

According to the 2017 American College of Healthcare Executives’ annual survey, 57% of Healthcare CEOs list that reducing operating costs is among their main concerns. Forty-seven percent say it’s transitioning from volume to value.

So, how can AWS help?

AWS healthcare customers are storing their PACS images on Amazon S3. It offers 99.99% availability and is designed to achieve 99.999999999% durability. It can store any amount of data and you only pay for what you use, with no need to provision in advance.

Amazon S3 has its own API and many PACS solutions are not natively integrated with it. So, in order to make that integration more transparent with no impact to the application, you can use AWS Storage Gateway.

AWS Storage Gateway is a solution that exposes Amazon S3 as an iSCSI, NFS, or SMB drive to the operating system. Once this is done, the operating system will have a native integration with Amazon S3, as if it was a SAN or a network attached storage (NAS). For instance, our customers can map Amazon S3 as a D:/ drive in Windows or some mount point on Linux.

Why is this important?

If PACS’ data is on D: drive today and you want to migrate it all to AWS, you can just move your data to Amazon S3, mount Amazon S3 as a D: drive using AWS Storage Gateway, and everything will work seamlessly. For doctors who need to analyze those exam images or others with PACS solutions, it will seem like nothing has changed.

What if you only want to migrate all the data, but only part of the data?

Some of our customers want to migrate only part of the data, the “nearline” data. Nearline is all the data that was generated a few months ago, or even years ago. This strategy offloads less frequently accessed data to AWS, leaving only the data most likely to be accessed in a short period of time on-premises.

In that scenario, the operating system is already mounting the storage with online data in a drive letter, so you need to mount Amazon S3 in a different drive letter that it is today, p. ex., drive E:.

Once all the nearline data has been migrated to Amazon S3, the PACS solution will need to re-index that data, since it is no longer reachable in drive D:.

How can you import and re-index part of your data in a simple, fast, and cost-effective way?

Instead of buying or renting new storage just to re-index nearline data mapped in a different drive letter, our customers can leverage AWS Snowball to move their data, so it can then be re-indexed and imported into AWS.

AWS Snowball is a petabyte-scale solution used to transfer large amounts of data into and out of the AWS Cloud. AWS Snowball can be connected to your infrastructure using 10-Gigabit Ethernet and only paying for the days that the appliance is in your possession, plus shipping charges. There will be no charge for data transferred into AWS. For more information about AWS Snowball pricing, see here.

Once all the necessary data is migrated into AWS Snowball, you can use it to re-index data through a PACS solution. AWS Snowball will be exposed as an NAS drive and must be mounted with the same drive letter that will be exposed when the data is served in Amazon S3 through AWS Storage Gateway.

The step-by-step solution can be found in the diagrams below:

What about the latency of retrieving medical images so doctors can evaluate them?

Whenever doctors have to evaluate a patient’s image, depending on the exam, they need to investigate the historical data of that patient. In order for them to do that, they must load all the images and metadata related to that patient through their PACS solution.

AWS Storage Gateway offers an opportunity to implement a cache solution for more frequently accessed images and data. This helps to avoid latency during the doctors’ evaluation process, providing a better user experience. See Figure 2 and Figure 3 for more details.

It is recommended that the cache must be at least 20% of the total data stored on Amazon S3. In practice, our customers have a better experience when they provision cache enough to hold one month of data, or, depending on their use case, as much data as it is necessary in order for the doctors to finish most of their exam analysis for the current period.

One other benefit of the AWS Storage Gateway cache is that it reduces the charges with data egress, that is, data transferred outside of AWS data centers, since cache data is not in AWS facilities.

What if most of the data won’t need to be accessed for a long period of time?

Amazon S3 has many types of storage classes, that varies from hot to cold storage. Amazon S3 Standard is our hottest storage used to store frequently accessed data. It servers content online and there is no charge for retrieving data. Amazon S3-Infrequent Access, on the other hand, is our warm storage. It also serves content online, but it charges a small fee when data is retrieved.

We just made it simpler for our customers who don’t know the usage pattern of their data, to store their data in the most cost-effective way. Amazon S3 Intelligent-Tiering is a storage class that automatically transitions data between frequent access and infrequent access storage tier based on access patterns.

For you to benefit from that feature, you must enable a Lifecycle Rule on the bucket that is receiving PACS’ images, as shown in Figure 4.

To use Amazon S3 Intelligent-Tiering, customers will pay a small monthly monitoring fee. There are no costs for transitioning data between storage classes. Costs for storage are the same charged for Amazon S3 – Standard and Amazon S3 – Infrequent Access when access directly.

For more information about Amazon S3 storage classes and prices, visit here. For more information on how to enable a Lifecycle Rule on an Amazon S3 bucket, visit here.

So, how to implement security?

For the sake of security, Snowball encrypts all data by default. You can use an AWS randomly generated encryption key or bring your own key to AWS. Data is encrypted by an AES-GCM algorithm with 256-bit secret key. Note that the keys are never stored inside the Snowball appliance. In order for Snowball to encrypt the data to be uploaded, it uses a key written in the manifest file that the customer must download prior to the import job. The encryption is done in the memory of our customers’ computers, not in the Snowball itself, so the data never leaves our customers’ facilities without encryption. Also, all data in transit is encrypted using SSL. For more information about how to implement security using Snowball, see here.

What if you need to be HIPAA compliant?

HIPAA stands for Health Insurance Portability and Accountability Act of 1996, which is legislation designed to assure the security and privacy of protected health information (PHI). PHI may be diagnosis data, patient data, lab results, and more. HIPAA applies to any entity that directly deals with patients and patient data.

All of the AWS services mentioned in this blog post are HIPAA eligible. If you plan to include Protected Health Information (as defined by HIPAA) on AWS , you must first accept the AWS Business Associate Addendum (AWS BAA). You can review, accept, and check the status of your AWS BAA through a self-service portal available in AWS Artifact. For a list of all HIPAA-eligible AWS services, see the link.


With AWS, our healthcare customers can tier their PACS data into the cloud in a seamless and secure way, served by 11 9s of durability, without the need to plan how much storage they will need to grow. You can host data at a fraction of what it costs to host and maintain it on-premises, using a service that replicates data in multiple facilities, increasing availability and durability of your PACS medical data.