Diagnostic Delivery

Storing the data securely and efficiently in the AWS cloud is only part of the architectural equation; clinicians require highly performant visual interfaces to interact with the data.

The shift to AWS architecture supports two distinct delivery mechanisms for diagnostic viewing, catering to both modern web applications and legacy software dependencies.

Delivery Architecture Overview

Australian healthcare organizations must carefully evaluate their clinical workflows, existing software investments, and network infrastructure when choosing between zero-footprint web viewers and application streaming solutions.

The most agile and modern approach leverages web-based, zero-footprint viewers, such as the open-source OHIF Viewer, which can be directly and seamlessly integrated with AHI's backend.

Utilizing an AWS Cloud Development Kit (CDK) deployment, the viewer's frontend application code is hosted and globally distributed via Amazon CloudFront, AWS's Content Delivery Network.

View full size

Source: OHIF Viewer demo galleryLast verified: 2026-03-11

That end-user view is the reason the architecture matters. The point of CloudFront, DICOMweb, and token signing is not abstract modernization; it is to give clinicians a responsive viewer with measurement and hanging-protocol style workflows without deploying thick-client software to every endpoint.

OHIF Architecture Components

Authentication Flow

User authentication is managed dynamically at the network edge utilizing Amazon Cognito acting as the identity provider via OpenID Connect (OIDC) protocols. Lambda@Edge functions intercept HTTP requests and cryptographically sign the API calls before they reach the backend.

Despite the advantages of web viewers, many healthcare facilities remain heavily dependent on highly proprietary, heavily customized Windows-based diagnostic software.

These "thick clients" often contain FDA-approved specialized tools for intricate tasks like cardiac mapping or oncological volumetric analysis, and they cannot be easily or quickly rewritten as web applications. Providing remote access via traditional VPNs and RDP exposes patient data to severe security risks and suffers from crippling latency.

To modernize the delivery of these legacy applications, AWS Solution Architects deploy Amazon AppStream 2.0, a fully managed application streaming service that allows users to access demanding desktop applications through a standard HTML5 web browser.

Users access an AppStream 2.0 URL and authenticate via SAML through their hospital's existing Active Directory. Upon successful authentication, the browser receives a SAML assertion from Amazon Cognito, granting temporary, scoped AWS security credentials.

The user is then connected to an ephemeral AppStream 2.0 streaming instance—backed by scalable Amazon EC2 compute. For heavy radiological interpretation, architects deploy high-performance graphics instances equipped with dedicated GPUs.

The legacy PACS software runs entirely within the secure enclave of the AWS VPC. The crucial innovation is that no actual DICOM data or patient files are ever downloaded to the user's remote device; instead, AppStream 2.0 utilizes the NICE DCV protocol to stream only the encrypted, changing pixels of the application interface.

The following table compares the two diagnostic delivery mechanisms available on AWS.

For further reading on diagnostic delivery and viewer technologies: