Security, Audit & Governance

Viewer security starts with identity and authorization boundaries, not with the viewport

Universal viewers often sit between the EHR, archive APIs, and cross-enterprise exchange surfaces. That means they need clear rules for who the user is, what context they are acting under, and how that identity moves between systems.

Security layers that shape viewer trust

Layer	Question it answers	Why it matters to the viewer
User authentication	Who is this user?	The viewer should not guess or recreate identity outside the enterprise trust boundary
Authorization and scopes	What can this user do in this context?	Chart review, diagnostic reading, and export permissions are not the same thing
Cross-enterprise identity assertion	How is user context carried across domains?	Shared imaging environments need a trustworthy user assertion model, not just patient context

Official IHE Cross-Enterprise User Assertion actor diagram showing the X-Service User, X-Service Provider, and ancillary identity infrastructure around the assertion flow. — IHE XUA actor view. It is useful here because it separates the user assertion source from the service user and provider, which is the exact trust boundary a launched viewer has to preserve across systems.

Source: IHE Cross-Enterprise User Assertion actor diagramLast verified: 2026-03-11

IHE ATNA

Official IHE profile for audit trail and node authentication, foundational for secure interoperating imaging systems.

Read the ATNA profile overview

IHE Cross-Enterprise User Assertion

Official IHE profile describing how user identity and related assertions can be carried across enterprise boundaries.

Read the XUA profile overview

SMART App Launch scopes and launch context

Official SMART guidance for authorization scopes and launch-context patterns used by many EHR-integrated viewers.

Read the SMART security and scope guidance

Audit and derived-data governance matter because the viewer changes clinical decisions, not just pixels

The viewer should emit enough evidence for investigators and operators to reconstruct access and action context. That applies to study open events, exports, annotations, derived overlays, and any AI-generated content surfaced during review.

Audit flow around a viewed study

100%drag to pan

Loading diagram...

Official IHE Audit Trail and Node Authentication actor diagram showing secure applications, secure nodes, and the audit record repository. — IHE ATNA actor view. It makes the audit path explicit: the viewer and image services are not trusted just because they can connect; they need secure-node behavior and an auditable repository path.

Source: IHE Audit Trail and Node Authentication actor diagramLast verified: 2026-03-11

Governance reminder

Zero-footprint delivery does not prevent screenshots, exports, or AI overlays from becoming governance problems. Treat every persisted derivative or visible export path as part of the clinical control surface.

FHIR AuditEvent

Official HL7 resource for recording security-relevant events, including user, patient, action, and entity context.

Read the AuditEvent resource

IHE Basic Audit Log Patterns

Official IHE audit guidance for REST-era logging patterns, including correlation identifiers and structured audit expectations.

Read the audit-pattern guidance

REST-era viewers still need token enforcement, introspection, and correlated audit evidence

Web viewers and image APIs increasingly use OAuth-style token flows, but the authorization server is not the only control point. The resource server still decides whether the current user, patient, purpose, and local policy conditions justify releasing protected imaging content.

Token use and policy enforcement around a DICOMweb request

100%drag to pan

Loading diagram...

The token audience and scopes should be narrow enough for the actual image-serving resource
The image API may still enforce local policy, consent, or business rules beyond what the token already expresses
A shared request identifier helps correlate viewer-side and server-side audit trails during investigations

IHE Internet User Authorization (IUA)

Official IHE profile for OAuth-based delegated authorization between REST clients, authorization servers, and protected resources.

Read the IUA profile overview

IHE OAuth access token usage for comprehensive audits

Specific IHE audit pattern showing how token context participates in comprehensive REST audit records.

Read the token-audit pattern

Knowledge Check

Test your understanding with this quiz. You need to answer all questions correctly to mark this section as complete.

Quiz Progress

Question 1 of 5

What does ATNA add to an enterprise imaging environment?

← PreviousEHR Integration & Context Sharing Next →Cloud Platforms & AI Extensions

Layer

Question it answers

Why it matters to the viewer

User authentication

Who is this user?

The viewer should not guess or recreate identity outside the enterprise trust boundary

Authorization and scopes

What can this user do in this context?

Chart review, diagnostic reading, and export permissions are not the same thing

Cross-enterprise identity assertion

How is user context carried across domains?

Shared imaging environments need a trustworthy user assertion model, not just patient context

Knowledge Check

Test your understanding with this quiz. You need to answer all questions correctly to mark this section as complete.

Quiz Progress

Question 1 of 5

Security, Audit & Governance

Knowledge Tree

Viewer security starts with identity and authorization boundaries, not with the viewport

IHE ATNA

IHE Cross-Enterprise User Assertion

SMART App Launch scopes and launch context

Audit and derived-data governance matter because the viewer changes clinical decisions, not just pixels

Audit flow around a viewed study

Governance reminder

FHIR AuditEvent

IHE Basic Audit Log Patterns

REST-era viewers still need token enforcement, introspection, and correlated audit evidence

Token use and policy enforcement around a DICOMweb request

IHE Internet User Authorization (IUA)

IHE OAuth access token usage for comprehensive audits

Knowledge Check

What does ATNA add to an enterprise imaging environment?