
Your Cardiology Department Just Added CCTA Plaque Analysis. Did Your IT Stack?
June 2, 2026
Part 2 of 5 in Circle's Coronary Plaque series. Also read:
Part 1 — How Advanced Plaque Analysis Changes the Clinical Calculus
When clinical cardiology adopts a new capability, IT inherits the infrastructure. And right now, coronary plaque analysis is moving from research tool to clinical standard fast enough that many IT and PACS teams are still catching up.
The demand is real. The 2021 ACC/AHA Chest Pain Guidelines made CCTA a Class I recommendation for stable chest pain evaluation. More recent trial data — including 10-year outcomes from SCOT-HEART and the ongoing SCOT-HEART 2 trial — is driving cardiology programs to go further, adding quantitative plaque characterization alongside standard stenosis reporting. That means new software, new data flows, new integrations — and new complexity landing in your environment.
How that complexity lands depends almost entirely on the path the department chooses. There are essentially two: a unified platform that performs plaque analysis natively, inside your existing environment — or a send-away service that moves CCTA data out of your network to a vendor cloud, runs the analysis there, and returns a result. Those two paths lead to very different IT outcomes.

What a Send-Away Plaque Service Actually Means for IT
Most CCTA plaque analysis tools on the market today are delivered as cloud-based send-away services. The CCTA dataset is auto-routed or uploaded to a vendor endpoint, the analysis runs on the vendor's infrastructure, and a structured report or DICOM-encapsulated result comes back. A smaller number are delivered as on-premise standalone applications. Either way, when a clinical team selects a single-purpose plaque tool, the IT implications are predictable — and the send-away flavor stacks an additional layer of concerns on top of the standard point-solution overhead:
- A new outbound PHI transfer for every CCTA. A send-away plaque service moves your CCTA datasets out of your network, through your perimeter, to a vendor cloud — and back. That is a new firewall rule, a new egress route, a new TLS or VPN tunnel to monitor, and a new bandwidth profile for studies that can easily exceed several hundred megabytes each. Every CCTA your department reads becomes an outbound transfer of protected health information.
- A new BAA scope to enforce. Once the data crosses your perimeter, your Business Associate Agreement with the vendor governs everything that happens next — where the data sits during analysis, who at the vendor can access it, how long it is retained, whether it can be used to train models, what your notification timeline looks like if the vendor is breached. The BAA is the contract; verifying it holds in practice is your security team's job.
- A new data-residency question. If the vendor processes data in a cloud region outside your jurisdiction — or outside your patients' — your compliance officer needs to know. State health information laws, cross-border PHI handling rules, and institutional policy on where patient data can sit are not always obvious from a vendor's marketing page.
- A new DICOM routing configuration. CCTA datasets need to route from the PACS or modality to the plaque analysis endpoint, then results need to route back. That means new DICOM rules, new AE titles, new storage overhead, and at least one new server or cloud endpoint to maintain.
- A new integration to validate and support. Whether that's an HL7 or FHIR-based results feed to the EMR, or a custom PACS integration, someone on your team owns it — and every upgrade cycle on either side potentially breaks it.
- A new access control and identity layer. New users, new roles, new authentication paths. If the tool sits outside your existing SSO environment, that's additional credential management, additional offboarding risk, and another surface in your HIPAA access control audit.
- A new patching, update, and uptime dependency. A send-away service patches on the vendor's schedule and is available when the vendor is available. Maintenance windows, regional cloud outages, and version changes happen outside your change-management process — and your readers feel them.
- A new vendor relationship and support queue. When something breaks at 11 PM during a busy cardiac imaging day, you're working two support channels — the plaque service vendor and your existing imaging vendor — and neither owns the end-to-end workflow.
None of these things are insurmountable. But each adds overhead. And when you're already managing a cardiology IT environment with cardiac MRI post-processing, CT reporting, structural heart planning, and electrophysiology tools — all with their own integrations and maintenance schedules — adding another point solution means adding to a stack that's already complex.
The Security Dimension
Healthcare cybersecurity risk scales with surface area. The HIMSS Healthcare Cybersecurity Survey consistently shows that fragmented, multi-vendor IT environments are harder to secure, harder to audit, and slower to recover after incidents. Cardiovascular imaging data is high-value — it's PHI, it's voluminous, and a send-away plaque workflow moves it across organizational and often geographic boundaries on every study.
Each additional tool in the stack is another endpoint, another authentication boundary, another data transit path. A send-away plaque analysis service introduces a specific set of questions your security team will need answered:
- Where does the data sit during analysis, and how long does it persist after the result returns?
- Is the transit encrypted end-to-end, with mutually authenticated TLS, and is the encryption-at-rest configuration documented?
- Which cloud region processes the data, and does that satisfy your institution's data-residency policy and any applicable state or cross-border regulation?
- Can the vendor's audit logs be reconciled with your own audit trail end-to-end, so that a single study's access history is reconstructable across both environments?
- What is the vendor's breach-notification SLA, and how does their incident-response process integrate with yours?
- Is the data used for model training or other secondary purposes, and is your consent or opt-out clearly documented in the BAA?
These aren't hypothetical concerns. They're exactly the questions your security team and your compliance officer will ask, and you're the one who has to answer them. The more of those answers that live inside someone else's cloud, the longer your security review takes and the thinner your assurance is.
What a Unified Platform Changes
The alternative is a post-processing platform that includes CCTA plaque analysis as a native, in-house capability — not as an external integration or a send-away service, but as part of the same application your team already uses for cardiac MRI, CT function analysis, and structural heart planning.
cvi42 is built on this architecture. Plaque quantification, stenosis analysis, high-risk plaque feature assessment, and coronary reporting all occur within the same application environment as CMR function, tissue characterization, and EP planning. From an IT standpoint, the implications are materially different:
- Data stays inside your network. Plaque analysis runs in the environment you already operate. There is no outbound PHI transfer for each study, no new BAA scope to negotiate for plaque, no third-party cloud to add to your annual security review. The data never crosses your perimeter to be read.
- One DICOM routing path. CCTA data routes to the same destination it always has. No new AE titles, no new storage nodes, no new routing rules.
- One EMR integration to maintain. Results — including plaque metrics — flow through the existing reporting integration. No second results feed to configure or maintain.
- One authentication environment. SSO, role-based access, audit trails — all managed within a single application. Your access control policies apply uniformly, and your offboarding process remains clean.
- One patching cadence, one uptime profile. One vendor, one release schedule, one compatibility matrix to track. When cvi42 updates, plaque analysis updates with it. Availability is yours to manage, not a third party's to schedule.
- One support relationship. When something needs attention, there is one call to make.
This is the architectural difference between adding a capability and adding a system. The former extends what you already manage. The latter multiplies it — and, in the send-away case, exports part of it to someone else's data center.
A Note on Deployment: In-House Doesn't Have to Mean Inflexible
A send-away service often gets positioned as the "easier" deployment because there is no software to install. That framing ignores the actual operational burden: every CCTA produces a new PHI egress event, every result depends on the vendor's cloud being available, and every security review has to extend into a third-party environment your team does not control.
In-house plaque analysis does not have to mean a heavyweight on-premise project. cvi42 supports on-premise, hosted, and hybrid deployment models, and can be configured to fit within existing hospital IT architectures — your PACS admin does not have to stand up a new server, and your security team does not have to open new outbound firewall paths to a vendor cloud just to read coronary plaque. The capability extends from within the environment you already secure.
For IT and PACS teams evaluating any new cardiovascular imaging tool, the DICOM standards compliance, EMR integration model, and PHI data-flow diagram are the right starting questions. A platform that speaks the same interoperability language as your existing infrastructure — and keeps the data inside it — is always easier to deploy, maintain, and defend than one that requires custom bridging to a vendor cloud.
The Bottom Line for IT
CCTA plaque analysis is coming to your department whether the decision is made with IT input or not. The question is whether it arrives as a send-away service that exports your CCTA data to a vendor cloud on every study, or as an in-house capability that extends a platform you already manage.
The IT case for a unified, in-house post-processing platform isn't about clinical preferences — it's about surface area, security posture, integration count, PHI egress, and maintenance overhead. Fewer systems to manage and fewer outbound data paths to defend mean a cleaner, more defensible environment. That's an outcome worth advocating for in the vendor selection conversation.
Stay tuned for more on Advanced Plaque Analysis from the perspective of CFOs and finance leadership, imaging lab directors and department heads.



