Radiology Service — Security Model

Status: populated Owner: TBD Last updated: 2026-04-18 Companion: Service Template · 03 platform-services · 02 DDD

---

1. Authentication

Layer	Mechanism
External (Kong)	JWT validated against Keycloak JWKS
Service-to-service	JWT service account
PACS credentials	Encrypted in auth_config column; decrypted at adapter layer only

---

2. RBAC Matrix

Role	Scopes	Capabilities
rad:read	svc:radiology:read	View studies, reports, worklist
rad:reporter	svc:radiology:read + report write	Submit prelim/final reports
rad:radiologist	All + svc:radiology:sign	Sign and amend reports
rad:admin	All + svc:radiology:admin	Manage PACS endpoints, tenant config
platform:admin	All scopes	Platform-wide

---

3. ABAC Rules

Rule	Enforcement
Tenant isolation	tenant_id from JWT; RLS at DB layer
Patient access for viewer launch	ABAC policy check via access-policy-service before issuing token
Module entitlement	ModuleEntitlementGuard validates diag.radiology

---

4. Viewer Launch Security

• Viewer tokens are short-lived (default 60 min); signed with HS256 using a rotated secret.
• Token binds studyId, userId, tenantId, and expiresAt.
• PACS credentials are never sent to the browser; viewer uses the signed token to authorize via the radiology-service proxy or PACS's own token exchange.

---

5. Encryption Classes

Data	Encryption
PACS endpoint auth_config	AES-256 column-level encryption at application layer
Report content	AES-256 at rest (PostgreSQL tablespace)
Event payloads	TLS in transit

---

6. Audit Events

Event	When
rad.study.viewed	Clinician opens study detail
rad.viewer.launched	Viewer launch token issued
rad.report.signed	Report finalized
rad.report.amended	Amendment submitted
rad.critical.flagged	Critical finding flagged

---

7. GDPR / Data Residency

Patient imaging metadata stored within Afghanistan MoPH data residency boundary. Pixel data in external PACS; radiology-service does not replicate pixels. Cross-border PACS federation disabled by default.