One of the unique challenges of working in healthcare IT – especially in a mobile diagnostics business like Digirad – is finding ways to safely bridge the gap between legacy technology and modern compliance requirements.

Our core service involves deploying OEM nuclear imaging cameras into hospitals and clinics. These are large, sophisticated diagnostic machines operated by our technologists on-site. Once the scan is complete, we process and transmit the images via a PACS (Picture Archiving and Communication System) to a physician for interpretation.

Here’s the problem:
Many of these OEM systems still run on Windows XP – a platform that is, of course, completely non-compliant, unsupported, and riddled with known vulnerabilities. But replacing the systems wholesale isn’t an option – they’re still required for the imaging software to function properly, and OEM support for modern alternatives is limited at best.

So we had to get creative.


The Solution: A Physical Air Gap + Secure Relay

To mitigate the risk, we designed a hardened network configuration that keeps the XP-based systems off any client network while still allowing us to extract and deliver the imaging data securely.

Each mobile setup now includes:

  • A physical firewall deployed between the imaging system and any external network

  • A compliant Windows 10+ workstation that sits downstream of the firewall and acts as a secure relay

  • A customized routing and access control configuration that ensures the XP system is fully isolated – it cannot reach the internet or any hospital/LAN resources

This setup acts as a one-way bridge, allowing the compliant workstation to pull the imaging data without ever exposing the XP box to broader threats. We also restrict all traffic to known, approved protocols and use logging and monitoring to ensure traceability.


Bonus Capability: On-Prem DICOM Routing

As an added benefit, this structure allows us to custom-build configurations for hospitals or clinics that want imaging delivered directly to their on-prem systems.

If the client is running an EHR that supports DICOM, we can configure the compliant workstation to push images directly to their internal PACS or archive server – without ever allowing the XP system to touch their network.
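As an added example (not Digirad's configuration and not a real firewall ruleset), the following Python models the isolation policy described in the relay design above and in this on-prem DICOM routing section: a first-match rule table in which only the compliant relay workstation may open DICOM connections, either to the XP console to pull studies or to the client's PACS to push them; the XP segment may initiate nothing, and the default is deny. A second function reads firewall log lines and flags every connection the XP host tries to open, dropped or not, since nothing in the workflow requires that console to reach out. The subnets, host addresses, port number and log line format are constructed assumptions.

```python
"""Model of the firewall policy behind the XP console / compliant relay design.

Added example for illustration; the addressing, port and log format are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed addressing: one subnet per zone behind the physical firewall.
XP_SEGMENT = ipaddress.ip_network("10.10.1.0/24")     # legacy OEM imaging console
RELAY_SEGMENT = ipaddress.ip_network("10.10.2.0/24")  # compliant Windows 10+ relay
CLIENT_LAN = ipaddress.ip_network("192.168.50.0/24")  # hospital / clinic network
XP_HOST = "10.10.1.10"
RELAY_HOST = "10.10.2.10"
CLIENT_PACS = "192.168.50.25"
DICOM_PORT = 104  # conventional DICOM port; a real AE may listen elsewhere


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]  # None matches any destination port
    action: str           # "accept" or "drop"
    comment: str


def net(spec: str) -> ipaddress.IPv4Network:
    """A bare host address becomes a /32 network."""
    return ipaddress.ip_network(spec, strict=False)


# First-match table for NEW connections only. Replies ride on connection
# tracking, so the XP console never needs a rule that lets it initiate anything.
RULES = [
    Rule(net(RELAY_HOST), net(XP_HOST), DICOM_PORT, "accept",
         "relay pulls studies from the XP console"),
    Rule(net(RELAY_HOST), net(CLIENT_PACS), DICOM_PORT, "accept",
         "relay pushes studies to the client's on-prem PACS"),
    Rule(XP_SEGMENT, net("0.0.0.0/0"), None, "drop",
         "XP segment may not initiate to anything"),
]
DEFAULT = ("drop", "default deny")


def evaluate(src: str, dst: str, dport: int) -> tuple:
    """Return (action, comment) for a new connection attempt."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in RULES:
        if s in r.src and d in r.dst and (r.dport is None or r.dport == dport):
            return r.action, r.comment
    return DEFAULT


def xp_is_isolated(probe_dsts=(RELAY_HOST, CLIENT_PACS, "8.8.8.8"),
                   probe_ports=(53, 80, 443, 445, DICOM_PORT)) -> bool:
    """Policy self-test: the XP console must be unable to open any connection."""
    return all(evaluate(XP_HOST, d, p)[0] == "drop"
               for d in probe_dsts for p in probe_ports)


# Constructed netfilter-style log lines; the real firewall's format will differ.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<verdict>ACCEPT|DROP) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)")

SAMPLE_LOG = """\
2024-05-01T10:01:02Z ACCEPT SRC=10.10.2.10 DST=10.10.1.10 PROTO=TCP DPT=104
2024-05-01T10:01:09Z ACCEPT SRC=10.10.2.10 DST=192.168.50.25 PROTO=TCP DPT=104
2024-05-01T10:02:31Z DROP SRC=10.10.1.10 DST=8.8.8.8 PROTO=UDP DPT=53
2024-05-01T10:02:32Z DROP SRC=10.10.1.10 DST=192.168.50.25 PROTO=TCP DPT=445
2024-05-01T10:05:00Z DROP SRC=192.168.50.40 DST=10.10.2.10 PROTO=TCP DPT=3389
"""


def xp_egress_alerts(log_text: str) -> list:
    """Flag every connection the XP console tried to initiate, accepted or dropped.

    Nothing in the workflow requires the console to reach out, so each hit is
    either a misconfiguration or something on the XP box that should not be there.
    """
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and ipaddress.ip_address(m["src"]) in XP_SEGMENT:
            alerts.append({"time": m["ts"], "dst": m["dst"],
                           "dport": int(m["dpt"]), "verdict": m["verdict"]})
    return alerts


if __name__ == "__main__":
    print("XP console isolated:", xp_is_isolated())
    for flow in [(RELAY_HOST, XP_HOST, DICOM_PORT), (XP_HOST, CLIENT_PACS, DICOM_PORT),
                 (CLIENT_PACS, XP_HOST, DICOM_PORT), (RELAY_HOST, XP_HOST, 3389)]:
        print(flow, "->", evaluate(*flow))
    for a in xp_egress_alerts(SAMPLE_LOG):
        print("ALERT: XP console attempted connection", a)
```

The model separates two questions a practitioner should keep separate: whether the rule table enforces the intended policy (the `xp_is_isolated` self-test) and whether the running firewall's logs show the XP console behaving as expected (the alert scan). A console that only ever appears as a destination in the logs is the healthy state; the moment it appears as a source, even in a DROP line, the monitoring called for above should raise it.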

This gives us flexibility, maintains compliance, and helps build trust with our clinical partners – all while keeping legacy systems safely contained.


Balancing Innovation with Reality

Ideally, everything would be cloud-native, zero-trust, and freshly patched. But in healthcare – especially when dealing with regulated medical devices – ideal doesn’t always exist. Sometimes the right answer is a layered, practical workaround that respects reality while protecting data.

This was one of those wins.

– Vince

One Reply to “Outrunning OS: Securing a Legacy Imaging Workflow in the Modern Age”
