How to configure a DICOM ECHO health check for medical imaging systems

Healthcare Published on 5 mins Last updated

You know that a single point of failure in a hospital is not an option. That's why you use a load balancer for high-availability. We thought it was important to have a specific health check built into our appliance for the commonly used DICOM protocol (Digital Imaging and Communications in Medicine).

Hang on, were you were looking for more general information on load balancing medical imaging systems? Then head to this page - otherwise continue reading this blog to find out how to configure a DICOM ECHO health check.

Why do I need a DICOM-ECHO health check?

Usually your load balancer would just check that the port (2762) is responding to TCP requests, which is fine. But wouldn't it be better if you could check the application was actually giving the correct response?

We've tried to make this easy for you in our appliance. You just need to edit the virtual server and configure an external health check script as follows:


This very simple check does an "echoscu" against your DICOM server and is authorized or not depending on the response obtained.

You will also need to edit the authentication credentials aet & aec in the script:

The DICOM echoscu check shown below is included in our appliance as standard since v8.2.3

# (c) Jan 2017 Andrew Smalley
# DICOM echoscu healthcheck v0.1
# DCMTK - DICOM Toolkit has been used to make this healthcheck possible
# For source code and copyright please see below
if [ -z $1 ] && [ -z $2 ] && [ -z $3 ] && [ -z $4 ]; then
        echo We need input "DICOM-C-ECHO vip vpt rip rpt"
        exit 1;
aet=LOADBALANCER  #  -aet  --aetitle  [a]etitle: string
                  #                   set my calling AE title     (default: ECHOSCU)
aec=LB-SCP        #  -aec  --call     [a]etitle: string
                  #                   set called AE title of peer
                  #                   (default: ANY-SCP)

if [[ $4 -eq 0 ]]
        rpt=$2; else rpt=$4
# Simple DICOM ECHO Check
/usr/local/bin/echoscu -aet $aet -aec $aec $rip $rpt

From the protocol point of view, the DICOM Storage service is implemented through the C-STORE message: the Service Class User (SCU) sends a C-STORE-RQ request message to the Service Class Provider (SCP), which including the actual dataset to transfer, and the SCP is expected to answer returning a C-STORE-RSP response message to the SCU, communicating success or failure of the storage request.

This is highly important as it allows the appliance to talk natively to your Picture Archiving and Communication (PACS) environment using the now standard DICOM methods.

Included SCP's are "storescp" and SCU's more interestingly "echoscu" "findscu" "movescu" "storescu" "termscu"

The sample DICOM-C-ECHO health check does a simple echoscu to the SCP defined.

You will be familiar with the term "aet" and "act" if you use the DICOM toolset and these can be configured to allow access from the the appliance to monitor the health of your PACS system and action taken on the responses obtained.

The next section is for GEEKS ONLY...

Now, you may wish to compile the DICOM toolkit for yourself. If you do then its as simple as following the instructions below.

First install your CentOS base or favorite Linux Distribution (You can compile for Windows with CMake and this is documented in the "INSTALL" file found in the dcmtk-3.6.2 directory once downloaded and extracted)

yum groupinstall "Development Tools"

Now you have a really simple development environment setup you will be able to compile the source available from dcmtk.php.en

To proceed with a very simple build you can follow these instructions after installing wget to download the sourcecode and a nice editor(in this case vim)

yum -y install wget vim 
cd /usr/src
tar -xzvf dcmtk-3.6.2.tar.gz
cd dcmtk-3.6.2
make -j$(cat /proc/cpuinfo | grep -c processor) 
# Time to make a coffee or step outside for some fresh air as the build process does take a while
make install

Thats it! You now have the "dcmtk" toolkit installed and ready to work with in


The complete help for "ecsuscu" is below and like all the dicom commands can be obtained with the "--help" switch.

$dcmtk: echoscu v3.6.0 2011-01-06 $

echoscu: DICOM verification (C-ECHO) SCU
usage: echoscu [options] peer port

  peer                         hostname of DICOM peer
  port                         tcp/ip port number of peer

general options:
  -h      --help               print this help text and exit
          --version            print version information and exit
          --arguments          print expanded command line arguments
  -q      --quiet              quiet mode, print no warnings and errors
  -v      --verbose            verbose mode, print processing details
  -d      --debug              debug mode, print debug information
  -ll     --log-level          [l]evel: string constant
                               (fatal, error, warn, info, debug, trace)
                               use level l for the logger
  -lc     --log-config         [f]ilename: string
                               use config file f for the logger
network options:
  application entity titles:
    -aet  --aetitle            [a]etitle: string
                               set my calling AE title (default: ECHOSCU)
    -aec  --call               [a]etitle: string
                               set called AE title of peer (default: ANY-SCP)
  association negotiation debugging:
    -pts  --propose-ts         [n]umber: integer (1..31)
                               propose n transfer syntaxes
    -ppc  --propose-pc         [n]umber: integer (1..128)
                               propose n presentation contexts
  other network options:
    -to   --timeout            [s]econds: integer (default: unlimited)
                               timeout for connection requests
    -ta   --acse-timeout       [s]econds: integer (default: 30)
                               timeout for ACSE messages
    -td   --dimse-timeout      [s]econds: integer (default: unlimited)
                               timeout for DIMSE messages
    -pdu  --max-pdu            [n]umber of bytes: integer (4096..131072)
                               set max receive pdu to n bytes (default: 16384)
          --repeat             [n]umber: integer
                               repeat n times
          --abort              abort association instead of releasing it
transport layer security (TLS) options:
  transport protocol stack:
    -tls  --disable-tls        use normal TCP/IP connection (default)
    +tls  --enable-tls         [p]rivate key file, [c]ertificate file: string
                               use authenticated secure TLS connection
    +tla  --anonymous-tls      use secure TLS connection without certificate
  private key password (only with --enable-tls):
    +ps   --std-passwd         prompt user to type password on stdin (default)
    +pw   --use-passwd         [p]assword: string 
                               use specified password
    -pw   --null-passwd        use empty string as password
  key and certificate file format:
    -pem  --pem-keys           read keys and certificates as PEM file (default)
    -der  --der-keys           read keys and certificates as DER file
  certification authority:
    +cf   --add-cert-file      [c]ertificate filename: string
                               add certificate file to list of certificates
    +cd   --add-cert-dir       [c]ertificate directory: string
                               add certificates in d to list of certificates
    +cs   --cipher             [c]iphersuite name: string
                               add ciphersuite to list of negotiated suites
    +dp   --dhparam            [f]ilename: string
                               read DH parameters for DH/DSS ciphersuites
  pseudo random generator:
    +rs   --seed               [f]ilename: string
                               seed random generator with contents of f
    +ws   --write-seed         write back modified seed (only with --seed)
    +wf   --write-seed-file    [f]ilename: string (only with --seed)
                               write modified seed to file f
  peer authentication:
    -rc   --require-peer-cert  verify peer certificate, fail if absent (default)
    -vc   --verify-peer-cert   verify peer certificate if present
    -ic   --ignore-peer-cert   don't verify peer certificate

Any questions?

Don't hesitate to comment below and we'll respond as soon as possible!