For IT Departments

Security & Compliance

Everything your IT department needs to evaluate, approve, and deploy RadSwift — including network requirements, data handling, and our HIPAA compliance posture.

HIPAA-Ready | BAA Available | TLS 1.2+ Encrypted

How data flows

When a study completes, your PACS sends the imaging data to RadSwift via DICOM C-STORE (port 4242, TLS 1.2) to a dedicated Orthanc DICOM server running on GCP. RadSwift processes the imaging data and returns structured measurement text to your reporting system within seconds. No inbound connections are ever opened on your network.

Data flow diagram: Your PACS sends imaging data via DICOM C-STORE (port 4242) through a firewall to RadSwift on GCP (Orthanc DICOM server), which passes through a second firewall and delivers results to Your Reporting System (PowerScribe/Epic) and Your Browser (dashboard.radswift.com)

Firewall requirements

RadSwift requires three separate firewall rules to be enabled by your IT team. The first two are outbound connections initiated from inside the hospital network. The third is an outbound connection from the RadSwift cloud server to your reporting system. No unexpected inbound ports need to be opened on your network.

PACS → Cloud Server

Required
Direction: Outbound from hospital network
Destination: api.radswift.com
Port: 4242 (DICOM standard port)
Protocol: DICOM C-STORE with TLS 1.2
Access control: Cloud server accepts connections from whitelisted hospital IP ranges only. Unlisted IPs are rejected at the firewall.
Your institution's outbound IP range must be provided to RadSwift at setup. We add it to the server-side allowlist before your PACS is configured to send.

Cloud Server → Dashboard

Required
Direction: Outbound from hospital network — staff open the dashboard in their browser
Destination: dashboard.radswift.com
Port: 443 (HTTPS)
Protocol: HTTPS (standard web browser)
Access control: Dashboard access is restricted to whitelisted IPs. Only users connecting from an approved network can log in — public internet access is blocked.
Staff accessing the dashboard from outside the hospital network (e.g., from home) will need to connect via your institution's VPN first.

Cloud Server → Reporting System

Required
Direction: Outbound from GCP to your reporting system
Destination: Your reporting system API endpoint (e.g. PowerScribe, Epic)
Port: 443 (HTTPS — confirm with your vendor)
Protocol: HTTPS REST API
Access control: RadSwift authenticates to the reporting system API using credentials provided at setup. No open inbound ports are required on the hospital network.
The specific endpoint and credentials are configured during onboarding. Common integrations include the PowerScribe 360 API and Epic SMART on FHIR.

We provide a complete firewall configuration document during onboarding. Email us to request it in advance for your security review.
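As an added example (not RadSwift's own tooling), the following audits a proposed hospital egress rule list against the two hospital-originated flows in the tables above, flagging a flow that is blocked or that is only permitted by a rule broader than the documented destination and port. The `action dest port` rule format, first-match evaluation, and all function names are assumptions made for illustration; the sample rules are constructed.

```python
from dataclasses import dataclass

# Hospital-originated flows taken from this page's firewall tables.
# The Cloud Server -> Reporting System flow originates from GCP, so it is
# not part of the hospital egress policy audited here.
REQUIRED = [
    ("PACS -> Cloud Server", "api.radswift.com", 4242),
    ("Dashboard (browser)", "dashboard.radswift.com", 443),
]

@dataclass(frozen=True)
class Rule:
    action: str  # "allow" or "deny"
    dest: str    # hostname, or "any"
    port: int    # TCP port; 0 means any port

def parse_rules(text):
    """Parse 'action dest port' lines (hypothetical format); '#' starts a comment."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        action, dest, port = line.split()
        rules.append(Rule(action.lower(), dest.lower(), 0 if port == "any" else int(port)))
    return rules

def first_match(rules, dest, port):
    """First-match evaluation; returning None models an implicit deny."""
    for r in rules:
        if r.dest in ("any", dest) and r.port in (0, port):
            return r
    return None

def audit(rules):
    """Map each required flow to 'ok', 'blocked' or 'too broad'."""
    result = {}
    for name, dest, port in REQUIRED:
        r = first_match(rules, dest, port)
        if r is None or r.action != "allow":
            result[name] = "blocked"
        elif r.dest == "any" or r.port == 0:
            result[name] = "too broad"  # also permits egress to other hosts or ports
        else:
            result[name] = "ok"
    return result

# Constructed sample: DICOM egress allowed to any host, dashboard rule missing.
SAMPLE = "allow any 4242   # too permissive\ndeny any any\n"

if __name__ == "__main__":
    for flow, status in audit(parse_rules(SAMPLE)).items():
        print(f"{flow}: {status}")
```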

HIPAA compliance posture

RadSwift is designed to support HIPAA-compliant workflows. Below is a summary of our posture across the key rules.

BAA Available

We provide a Business Associate Agreement to covered entities and business associates that require one.

Access Controls

Per-institution API keys, role-based access internally, and MFA required for all RadSwift employee access to cloud infrastructure.

Audit Logs

All processing events are logged with tamper-evident, append-only audit trails and retained for 6 years.

Firewalls

All traffic to RadSwift's GCP infrastructure passes through a cloud firewall. Only authenticated, encrypted connections on port 443 are accepted — all other traffic is rejected by default.

IT FAQ

Common questions from IT and security teams.

Does RadSwift require any inbound firewall rules?
No. All connections are outbound only. Your PACS initiates an outbound DICOM C-STORE on port 4242, and staff browser access to the dashboard uses standard outbound HTTPS on port 443. No new inbound rules are required on your network.

Does RadSwift modify our PACS or DICOM router configuration?
No. RadSwift receives studies via DICOM C-STORE (port 4242, TLS 1.2) initiated by your PACS to a dedicated Orthanc DICOM server on GCP. It does not query or pull data from the PACS, does not write to the PACS database, does not modify DICOM tags, and requires no changes to your PACS configuration beyond adding RadSwift as a DICOM destination.

Where is patient data processed and how long is it kept?
Imaging data is transmitted over TLS to Google Cloud Platform (GCP) for AI processing. Data is retained on GCP infrastructure for a maximum of 24 hours to support processing and error recovery, then permanently deleted. GCP maintains its own HIPAA-eligible infrastructure certifications, and we execute a BAA with Google as our sub-processor.

Who has access to patient data on GCP?
Access to the RadSwift GCP environment is restricted to authorized RadSwift engineers via multi-factor authentication. Patient imaging data is processed automatically by the service — no human reviews individual studies. All access is logged and auditable.

Is a Business Associate Agreement (BAA) available?
Yes. We provide a standard BAA for institutions that require one under HIPAA. Contact us at [email protected] to request a copy for review before any commitment.

How is the RadSwift service updated and maintained?
RadSwift runs entirely on GCP — there is no client software installed on your network. Updates and maintenance are applied server-side by the RadSwift team with no action required from your IT department. Planned maintenance windows are communicated in advance.

Questions for your IT or security team?

We're happy to join a call with your IT department, answer a security questionnaire, or provide additional documentation.
