CN106131225A - Security system for access to medical case information - Google Patents

Publication number
CN106131225A
Authority
CN
China
Prior art keywords
data
cloud storage
medical
user
key
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201610778967.1A
Other languages
Chinese (zh)
Inventor
Inventor not disclosed
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Individual
Original Assignee
Individual
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Individual
Priority to CN201610778967.1A
Publication of CN106131225A
Legal status: Pending

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00: Network arrangements or protocols for supporting network services or applications
    • H04L67/01: Protocols
    • H04L67/12: Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/04: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H04L67/10: Protocols in which an application is distributed across nodes in the network
    • H04L67/1097: Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Medical Informatics (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention provides a security system for access to medical case information, comprising a medical user mobile terminal, an access user mobile terminal, a cloud storage service centre and an access information management system. The cloud storage service centre provides the storage service for medical case information; the medical user mobile terminal lets medical users register and provides the interface for storing medical case information; the access user mobile terminal provides users with the interface for accessing case information; the access information management system processes the case information and ensures that access to medical record information is secure. The invention can prevent leakage of medical record information, effectively protects the security of the medical record information of the medical user mobile terminal, and has strong usability and practicality.

Description

Security system for access to medical case information
Technical field
The present invention relates to the field of medical data security, and in particular to a security system for access to medical case information.
Background art
In the related art, medical record information systems provide people with real-time, comprehensive and authoritative collection, transmission, storage, sharing and processing of health information, but they have security problems in the following respects: 1) medical record information is easily stolen and spread during transmission; 2) the scale of medical information is very large, and storing such massive information carries security risks; 3) the access control management system for medical record information is unsound, so that sensitive data of the medical user mobile terminal can easily be obtained by anyone who has entered the medical system.
Summary of the invention
To solve the above problems, the present invention provides a security system for access to medical case information.
The object of the invention is achieved by the following technical solution:
A security system for access to medical case information is provided, comprising a medical user mobile terminal, an access user mobile terminal, a cloud storage service centre and an access information management system. The cloud storage service centre provides the storage service for medical case information; the medical user mobile terminal lets medical users register and provides the interface for storing medical case information; the access user mobile terminal provides users with the interface for accessing case information; the access information management system processes the case information and ensures that access to medical record information is secure.
The beneficial effects of the invention are as follows: by providing the medical user mobile terminal, the access user mobile terminal, the cloud storage service centre and the access information management system, the invention can prevent leakage of medical record information and effectively protects the security of the medical record information of the medical user mobile terminal; it has strong usability and practicality and thereby solves the above technical problem.
Description of the drawings
The invention is further described with reference to the drawings, but the embodiments in the drawings do not limit the invention in any way; those of ordinary skill in the art can obtain other drawings from the following drawings without creative effort.
Fig. 1 is a schematic diagram of the structural connections of the invention.
Fig. 2 is a structural diagram of the access information management system of the invention.
Reference numerals:
Medical user mobile terminal 1, access user mobile terminal 2, cloud storage service centre 3, access information management system 4, data preprocessing system 41, cloud storage encryption and decryption system 42, control system 43, security management centre 44.
Detailed description of the embodiments
The invention is further described with reference to the following embodiments.
Application scenario 1
Referring to Fig. 1 and Fig. 2, the security system for access to medical case information in one embodiment of this application scenario comprises a medical user mobile terminal 1, an access user mobile terminal 2, a cloud storage service centre 3 and an access information management system 4. The cloud storage service centre 3 provides the storage service for medical case information; the medical user mobile terminal 1 lets medical users register and provides the interface for storing medical case information; the access user mobile terminal 2 provides users with the interface for accessing case information; the access information management system 4 processes the case information and ensures that access to medical record information is secure.
Preferably, the cloud storage service centre 3 comprises a local storage and a cloud storage.
By providing the medical user mobile terminal 1, the access user mobile terminal 2, the cloud storage service centre 3 and the access information management system 4, the above embodiment of the invention can prevent leakage of medical record information and effectively protects the security of the medical record information of the medical user mobile terminal 1; it has strong usability and practicality and thereby solves the above technical problem.
Preferably, the cloud storage comprises a client and a cloud side. The client is responsible for monitoring and capturing local system operations; the cloud side is provided with a data management centre, which is responsible for storing, backing up and querying medical case information and under which there are the individual specialist data centres.
In this preferred embodiment the data management centre on the cloud side manages the storage, backup and querying of medical case information in the cloud storage, which makes unified data management easier, improves working efficiency and saves cost.
Preferably, being responsible for storing, backing up and querying medical case information comprises:
(1) converting the data format into one suitable for storage in a non-relational database;
(2) dividing the data into basic data and specialist data and storing it with a combined centralized and distributed strategy, all data being backed up when stored. The combined strategy is: basic data above a preset frequency is stored centrally and maintained uniformly by the data management centre; specialist data below the preset frequency is stored in a distributed manner and maintained separately at each specialist data centre;
(3) establishing a corresponding data retrieval algorithm for fast retrieval of the data. The algorithm combines directory retrieval with a search engine: a data directory is built and the data is first retrieved coarsely by directory; keywords are then entered into the search engine for a precise search; the search engine finds the matching data in a certain manner, ranks it by how well it matches the keywords and returns it to the client.
This preferred embodiment uses a retrieval algorithm that combines directory retrieval with a search engine, so data can be obtained quickly and accurately.
Preferably, the access information management system 4 comprises a data preprocessing system 41, a cloud storage encryption and decryption system 42, a control system 43 and a security management centre 44. The data preprocessing system 41 preprocesses the medical record information data that the user needs to upload; the cloud storage encryption and decryption system 42 encrypts or decrypts the medical record information data to be stored in the cloud storage according to the optimized access control security policy; the control system 43 stores the medical record information data that the user needs to upload on the corresponding device of the cloud storage service centre 3; the security management centre 44 performs unified monitoring and management of the security of each system.
This preferred embodiment establishes the system structure of the access information management system 4.
Preferably, the unified monitoring and management of the security of each system comprises:
(1) applying the security protection techniques that correspond to the different protection requirements of the cloud storage service centre 3, the data preprocessing system 41, the cloud storage encryption and decryption system 42 and the control system 43, and deploying the relevant security protection equipment, to form a complete security protection system;
(2) establishing effective data security measures that consider security during the storage, transmission and access of medical record information data: not only is the medical record information data encrypted, the transmission protocol for the medical record information data is encrypted as well;
(3) establishing a virus and Trojan defence mechanism, regularly updating the virus database and upgrading the firewall with an update period T, where T takes a value of 6-10 days; detected abnormal data is analysed and an early warning is issued.
This preferred embodiment achieves unified monitoring and management of the security of each system.
Preferably, the data preprocessing system 41 comprises a data partitioning unit, a data extraction unit and an access control security policy optimization unit. The data partitioning unit divides the medical record information data that the user needs to upload into multiple mutually exclusive data sets. The data extraction unit sorts the mutually exclusive data sets according to a user-defined ordering rule, extracts the first data unit of each data set in order, and saves these together with the ordering rule as small block data; mutually exclusive means that no association exists between any two data units in the data sets. The access control security policy optimization unit generates the system's access control security policy using an access control security policy optimization method based on fine-grained resource division, comprising:
(1) building a hierarchical data tree structure from the mutually exclusive data sets processed by the data extraction unit. The tree has three layers: a service layer, a logical layer and a physical layer. The service layer is the root node related to the data scheduling service; the logical layer is the data associated in the access control security policy; the physical layer contains the data units of all mutually exclusive data sets;
(2) formulating access control security policies for data of different security levels based on the eXtensible Access Control Markup Language (XACML), and projecting the rules associated with data in the access control security policy onto the data units of the mutually exclusive data sets, thereby refining the rules in the access control security policy to the data dimension;
(3) optimizing the rules on the data units of each mutually exclusive data set, to remove conflicts and redundancy among the rules distributed on each data unit;
(4) merging the optimized rules to generate the optimized access control security policy.
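The following Python example is added here to illustrate steps (2) to (4) above; it is not code from the patent. The `Rule` type, the function names, the sample policy and the deny-overrides conflict resolution are assumptions (the text does not say how a conflict is resolved), and the three-layer tree of step (1) is not modelled.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    subject: str          # role the rule applies to
    action: str           # e.g. "read"
    resources: frozenset  # data units the rule is associated with
    effect: str           # "Permit" or "Deny"


def project(rules):
    """Step (2): project each rule onto the individual data units it covers."""
    per_unit = defaultdict(list)
    for rule in rules:
        for unit in rule.resources:
            per_unit[unit].append((rule.subject, rule.action, rule.effect))
    return per_unit


def optimize_unit(entries):
    """Step (3): remove redundancy and conflicts on a single data unit.

    Redundant entries collapse into one; a Permit/Deny conflict is resolved
    as Deny (deny-overrides, an assumption of this example).
    """
    decided = {}
    for subject, action, effect in entries:
        key = (subject, action)
        if decided.get(key) == "Deny":
            continue  # Deny already wins for this subject/action
        decided[key] = effect
    return decided


def merge(per_unit_decisions):
    """Step (4): merge identical per-unit decisions back into compact rules."""
    grouped = defaultdict(set)
    for unit, decided in per_unit_decisions.items():
        for (subject, action), effect in decided.items():
            grouped[(subject, action, effect)].add(unit)
    rules = [Rule(s, a, frozenset(units), e) for (s, a, e), units in grouped.items()]
    return sorted(rules, key=lambda r: (r.subject, r.action, r.effect))


def optimize_policy(rules):
    per_unit = project(rules)
    return merge({unit: optimize_unit(entries) for unit, entries in per_unit.items()})


def decide(rules, subject, action, unit):
    """Evaluate one request: deny-overrides, and no matching rule means Deny."""
    effects = {
        r.effect for r in rules
        if r.subject == subject and r.action == action and unit in r.resources
    }
    return "Permit" if effects == {"Permit"} else "Deny"


# Constructed sample policy with one redundant rule and one conflict.
SAMPLE_POLICY = [
    Rule("doctor", "read", frozenset({"diagnosis", "lab_results", "prescriptions"}), "Permit"),
    Rule("doctor", "read", frozenset({"lab_results"}), "Permit"),   # redundant
    Rule("nurse", "read", frozenset({"lab_results", "prescriptions"}), "Permit"),
    Rule("nurse", "read", frozenset({"prescriptions"}), "Deny"),    # conflicts with the rule above
    Rule("nurse", "read", frozenset({"diagnosis"}), "Deny"),
]
OPTIMIZED = optimize_policy(SAMPLE_POLICY)

if __name__ == "__main__":
    for rule in OPTIMIZED:
        print(rule.subject, rule.action, sorted(rule.resources), rule.effect)
```

The optimized policy gives the same decision as the original for every request, which is the property to check before replacing a policy with its optimized form.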
Preferably, storing the medical record information data that the user needs to upload on the corresponding device of the cloud storage service centre comprises:
(1) storing the small block data in the local storage and encrypting it with a user-defined encryption technique;
(2) transmitting the remaining data that needs to be stored in the cloud storage, after encryption by the cloud storage encryption and decryption system 42, to the cloud side over the Internet; after receiving the data, the cloud side performs an integrity check on it and then saves it in a cloud storage node.
The two preferred embodiments above provide the data preprocessing system 41, which first performs data partitioning and data extraction on the medical record information data to be stored in the cloud storage service centre 3 and then refines the rules in the access control security policy. This reduces the physical storage space needed for the data, lowers the storage overhead, eliminates conflicts and redundancy in the access control security policy and improves the efficiency of access control decisions. Part of the data is extracted and stored in the local storage, and the remaining data is stored in the cloud storage after the corresponding access control security policy has been set. This addresses the large system overhead and complexity that traditional cloud storage privacy mechanisms based purely on encryption incur when actually processing data, effectively prevents malicious users or cloud storage administrators from illegally stealing or tampering with users' private data, and improves the security of medical record information data storage.
Preferably, the cloud storage encryption and decryption system 42 mainly consists of five entities: the data owner, the attribute authority, the cloud, the trusted third party and the user. Encrypting or decrypting the data to be stored in the cloud storage comprises:
(1) the trusted third party assigns a user identity identifier UAID to each user and an attribute authority identity identifier AID to each attribute authority, comprising:
A. Initialization: the trusted third party sets the system parameters to , where α is a random integer;
B. For each legitimate user, the trusted third party assigns a UAID and generates a certificate for it:
$$\mathrm{Certificate}(UAID) = \hat{E}(H(UAID), g)^{C_{UAID}}$$
At the same time, the authentication parameter of the legitimate user is published, where $C_{UAID} \in Z_P$;
C. Identity key pairs are generated for the data owner and the legitimate users;
(2) generating the identity-based encryption and decryption keys, the attribute encryption and decryption keys and the proxy re-encryption key, where the identity-based encryption and decryption keys comprise the identity public key $GK_{UAID}$ and the identity private key $CK_{UAID}$, and the attribute encryption and decryption keys comprise the attribute public key $GK_{AID}$ and the attribute private key $CK_{AID}$:
$$GK_{UAID} = \hat{E}(g, g)^{\propto_{AID}}$$
$$GK_{AID} = \{\forall x \in AS_{AID} : GK_x = H(x)^{B_x \beta_{AID}}\}$$
$$CK_{UAID} = (\propto_{AID}, \beta_{AID})$$
$$CK_{AID} = \left(K_0 = g^{\propto_{AID}} g^{\alpha\gamma},\ K_1 = g^{\alpha\gamma},\ \forall x \in AS_{UAID,AID} : K_x = H(x)^{B_x \beta_{AID} \gamma}\right)$$
where $AS_{AID}$ is the set of attributes that a single attribute authority can assign, $GK_x$ is the public key of attribute $x$, $B_x$ is the version number of attribute $x$, $\propto_{AID}$ is the private key parameter of the attribute authority, $\beta_{AID}$ is the attribute update parameter, $AS_{UAID,AID}$ is the attribute set assigned according to the identity of the attribute authority, $\gamma$ is a parameter chosen at random by the attribute authority, and $\gamma, \propto_{AID}, \beta_{AID} \in Z_P$;
(3) the cloud storage encryption and decryption system 42 encrypts the data to be stored in the cloud storage with a data key to obtain the ciphertext CT, then encrypts the data key with the identity public key and the attribute public key respectively to generate the identity key ciphertext $CT_U$ and the attribute key ciphertext $CT_A$, comprising:
A. Two fixed-length strings IK and AK are generated at random and concatenated to form the data key DK:
$$DK = IK \,\|\, AK$$
B. The remaining data that needs to be stored in the cloud storage is encrypted with the data key DK to obtain the ciphertext CT; AK is then encrypted with the attribute public key to generate the attribute key ciphertext $CT_A$, and IK is encrypted with the identity public key to generate the identity key ciphertext $CT_U$;
(4) performing proxy re-encryption: on receiving a user's data request, the cloud uses the proxy re-encryption key to convert the identity key ciphertext $CT_U$ into a ciphertext that the specified user can decrypt, where the proxy re-encryption key is computed by the data owner from its own private key and the identity public key;
(5) decrypting the data: after receiving the data, the user uses the identity private key $CK_{UAID}$ and the attribute private key $CK_{AID}$ to decrypt the identity key ciphertext $CT_U$ and the attribute key ciphertext $CT_A$ respectively, then reconstructs the data key and decrypts the ciphertext CT;
(6) updating the attributes and the identity key.
By providing the cloud storage encryption and decryption system 42, this preferred embodiment achieves fine-grained access control and privacy protection for many types of big data while resisting collusion between users and attribute authorities. For the data to be stored in the cloud storage, identity-based encryption and decryption keys and attribute encryption and decryption keys are constructed separately and combined into the data encryption key that encrypts the data, so that only a user who satisfies both the identity and the attribute conditions can decrypt it, which greatly improves the security of big data sharing.
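The key handling of steps (3) and (5) is shown below as an added Python example, not code from the patent. Symmetric key wrapping stands in for the identity-based and attribute-based public-key encryption, and an HMAC-SHA256 keystream with encrypt-then-MAC stands in for the data cipher so that the block runs with the standard library only; proxy re-encryption and key update (steps 4 and 6) are not modelled. All function names, key values and the sample record are assumptions.

```python
import hashlib
import hmac
import secrets


def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive separate encryption and MAC keys from one key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = [
        hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        for counter in range((length + 31) // 32)
    ]
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in authenticated cipher: nonce || ciphertext || 32-byte tag."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    body = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or modified ciphertext")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(body))
    return bytes(c ^ s for c, s in zip(body, stream))


def owner_encrypt(record: bytes, identity_key: bytes, attribute_key: bytes) -> dict:
    """Step (3): DK = IK || AK, CT = Enc(DK, data), IK and AK wrapped separately."""
    ik = secrets.token_bytes(16)   # random fixed-length string IK
    ak = secrets.token_bytes(16)   # random fixed-length string AK
    dk = ik + ak                   # data key DK = IK || AK
    return {
        "CT": seal(dk, record),
        "CT_U": seal(identity_key, ik),    # identity key ciphertext
        "CT_A": seal(attribute_key, ak),   # attribute key ciphertext
    }


def user_decrypt(bundle: dict, identity_key: bytes, attribute_key: bytes) -> bytes:
    """Step (5): unwrap IK and AK, rebuild DK, decrypt CT."""
    ik = unseal(identity_key, bundle["CT_U"])
    ak = unseal(attribute_key, bundle["CT_A"])
    return unseal(ik + ak, bundle["CT"])


def try_decrypt(bundle: dict, identity_key: bytes, attribute_key: bytes):
    """Return the plaintext, or None when either condition is not met."""
    try:
        return user_decrypt(bundle, identity_key, attribute_key)
    except ValueError:
        return None


if __name__ == "__main__":
    # Constructed keys and record, for illustration only.
    id_key, attr_key = secrets.token_bytes(32), secrets.token_bytes(32)
    bundle = owner_encrypt(b"patient 0001: constructed sample record", id_key, attr_key)
    print(try_decrypt(bundle, id_key, attr_key))
    print(try_decrypt(bundle, id_key, secrets.token_bytes(32)))  # None
```

In a deployment the stand-in cipher would be replaced by a standard AEAD such as AES-GCM, and the two wrapping keys by the identity and attribute key pairs the text describes.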
In this application scenario, the update period T takes the value 6, and the security of the system is improved by 12% in relative terms.
Application scenario 2
Referring to Fig. 1 and Fig. 2, the security system for access to medical case information in one embodiment of this application scenario comprises a medical user mobile terminal 1, an access user mobile terminal 2, a cloud storage service centre 3 and an access information management system 4. The cloud storage service centre 3 provides the storage service for medical case information; the medical user mobile terminal 1 lets medical users register and provides the interface for storing medical case information; the access user mobile terminal 2 provides users with the interface for accessing case information; the access information management system 4 processes the case information and ensures that access to medical record information is secure.
Preferably, the cloud storage service centre 3 comprises a local storage and a cloud storage.
By providing the medical user mobile terminal 1, the access user mobile terminal 2, the cloud storage service centre 3 and the access information management system 4, the above embodiment of the invention can prevent leakage of medical record information and effectively protects the security of the medical record information of the medical user mobile terminal 1; it has strong usability and practicality and thereby solves the above technical problem.
Preferably, the cloud storage comprises a client and a cloud side. The client is responsible for monitoring and capturing local system operations; the cloud side is provided with a data management centre, which is responsible for storing, backing up and querying medical case information and under which there are the individual specialist data centres.
In this preferred embodiment the data management centre on the cloud side manages the storage, backup and querying of medical case information in the cloud storage, which makes unified data management easier, improves working efficiency and saves cost.
Preferably, being responsible for storing, backing up and querying medical case information comprises:
(1) converting the data format into one suitable for storage in a non-relational database;
(2) dividing the data into basic data and specialist data and storing it with a combined centralized and distributed strategy, all data being backed up when stored. The combined strategy is: basic data above a preset frequency is stored centrally and maintained uniformly by the data management centre; specialist data below the preset frequency is stored in a distributed manner and maintained separately at each specialist data centre;
(3) establishing a corresponding data retrieval algorithm for fast retrieval of the data. The algorithm combines directory retrieval with a search engine: a data directory is built and the data is first retrieved coarsely by directory; keywords are then entered into the search engine for a precise search; the search engine finds the matching data in a certain manner, ranks it by how well it matches the keywords and returns it to the client.
This preferred embodiment uses a retrieval algorithm that combines directory retrieval with a search engine, so data can be obtained quickly and accurately.
Preferably, the access information management system 4 comprises a data preprocessing system 41, a cloud storage encryption and decryption system 42, a control system 43 and a security management centre 44. The data preprocessing system 41 preprocesses the medical record information data that the user needs to upload; the cloud storage encryption and decryption system 42 encrypts or decrypts the medical record information data to be stored in the cloud storage according to the optimized access control security policy; the control system 43 stores the medical record information data that the user needs to upload on the corresponding device of the cloud storage service centre 3; the security management centre 44 performs unified monitoring and management of the security of each system.
This preferred embodiment establishes the system structure of the access information management system 4.
Preferably, the unified monitoring and management of the security of each system comprises:
(1) applying the security protection techniques that correspond to the different protection requirements of the cloud storage service centre 3, the data preprocessing system 41, the cloud storage encryption and decryption system 42 and the control system 43, and deploying the relevant security protection equipment, to form a complete security protection system;
(2) establishing effective data security measures that consider security during the storage, transmission and access of medical record information data: not only is the medical record information data encrypted, the transmission protocol for the medical record information data is encrypted as well;
(3) establishing a virus and Trojan defence mechanism, regularly updating the virus database and upgrading the firewall with an update period T, where T takes a value of 6-10 days; detected abnormal data is analysed and an early warning is issued.
This preferred embodiment achieves unified monitoring and management of the security of each system.
Preferably, the data preprocessing system 41 comprises a data partitioning unit, a data extraction unit and an access control security policy optimization unit. The data partitioning unit divides the medical record information data that the user needs to upload into multiple mutually exclusive data sets. The data extraction unit sorts the mutually exclusive data sets according to a user-defined ordering rule, extracts the first data unit of each data set in order, and saves these together with the ordering rule as small block data; mutually exclusive means that no association exists between any two data units in the data sets. The access control security policy optimization unit generates the system's access control security policy using an access control security policy optimization method based on fine-grained resource division, comprising:
(1) building a hierarchical data tree structure from the mutually exclusive data sets processed by the data extraction unit. The tree has three layers: a service layer, a logical layer and a physical layer. The service layer is the root node related to the data scheduling service; the logical layer is the data associated in the access control security policy; the physical layer contains the data units of all mutually exclusive data sets;
(2) formulating access control security policies for data of different security levels based on the eXtensible Access Control Markup Language (XACML), and projecting the rules associated with data in the access control security policy onto the data units of the mutually exclusive data sets, thereby refining the rules in the access control security policy to the data dimension;
(3) optimizing the rules on the data units of each mutually exclusive data set, to remove conflicts and redundancy among the rules distributed on each data unit;
(4) merging the optimized rules to generate the optimized access control security policy.
Preferably, storing the medical record information data that the user needs to upload on the corresponding device of the cloud storage service centre comprises:
(1) storing the small block data in the local storage and encrypting it with a user-defined encryption technique;
(2) transmitting the remaining data that needs to be stored in the cloud storage, after encryption by the cloud storage encryption and decryption system 42, to the cloud side over the Internet; after receiving the data, the cloud side performs an integrity check on it and then saves it in a cloud storage node.
The two preferred embodiments above provide the data preprocessing system 41, which first performs data partitioning and data extraction on the medical record information data to be stored in the cloud storage service centre 3 and then refines the rules in the access control security policy. This reduces the physical storage space needed for the data, lowers the storage overhead, eliminates conflicts and redundancy in the access control security policy and improves the efficiency of access control decisions. Part of the data is extracted and stored in the local storage, and the remaining data is stored in the cloud storage after the corresponding access control security policy has been set. This addresses the large system overhead and complexity that traditional cloud storage privacy mechanisms based purely on encryption incur when actually processing data, effectively prevents malicious users or cloud storage administrators from illegally stealing or tampering with users' private data, and improves the security of medical record information data storage.
Preferably, described cloud storage encrypting and deciphering system 42 is main by data owner, attribute mechanism, cloud, credible tripartite, use Five, family entity is constituted, and the described data to storing in cloud storage are encrypted or decipher, including:
(1) credible tripartite is respectively allocated User Identity UAID and attribute authority identity mark for user and attribute mechanism AID, including:
A, initializing, credible tripartite's initialization system parameter isWherein α is random integers;
B, for each legitimate user, the trusted third party assigns a UAID and generates a certificate for it:
$Certificate(UAID) = \hat{E}(H(UAID), g)^{C_{UAID}}$
Meanwhile, the authentication parameter of validated user is announcedWherein, CUAID∈ZP
C, generating identity key pairs for the data owner and the legitimate users;
(2) generating the identity-based encryption and decryption keys, the attribute encryption and decryption keys and the proxy re-encryption key, wherein the identity-based encryption and decryption keys comprise the identity public key $GK_{UAID}$ and the identity private key $CK_{UAID}$, and the attribute encryption and decryption keys comprise the attribute public key $GK_{AID}$ and the attribute private key $CK_{AID}$:
$GK_{UAID} = \hat{E}(g, g)^{\propto_{AID}}$
$GK_{AID} = \{\forall x \in AS_{AID} : GK_x = H(x)^{B_x \beta_{AID}}\}$
$CK_{UAID} = (\propto_{AID}, \beta_{AID})$
$CK_{AID} = (K_0 = g^{\propto_{AID}} g^{\alpha\gamma},\ K_1 = g^{\alpha\gamma},\ \forall x \in AS_{UAID,AID} : K_x = H(x)^{B_x \beta_{AID} \gamma})$
where $AS_{AID}$ is the set of attributes that a single attribute authority can assign, $GK_x$ is the public key of attribute $x$, $B_x$ is the version number of attribute $x$, $\propto_{AID}$ is the private key parameter of the attribute authority, $\beta_{AID}$ is the attribute update parameter, $AS_{UAID,AID}$ is the set of attributes that the attribute authority assigns according to identity, $\gamma$ is a parameter chosen at random by the attribute authority, and $\gamma, \propto_{AID}, \beta_{AID} \in Z_P$;
(3) the cloud storage encryption and decryption system 42 encrypts the data to be stored in the cloud storage with the data key to obtain the ciphertext CT, and then encrypts the data key with the identity public key and the attribute public key respectively to generate the identity key ciphertext $CT_U$ and the attribute key ciphertext $CT_A$, including:
A, randomly generating two fixed-length strings IK and AK and concatenating them to form the data key DK:
$DK = IK \,\|\, AK$
B, encrypting the remaining data to be stored in the cloud storage with the data key DK to obtain the ciphertext CT, then encrypting AK with the attribute public key to generate the attribute key ciphertext $CT_A$ and encrypting IK with the identity public key to generate the identity key ciphertext $CT_U$;
(4) proxy re-encryption: when a data request from a user is received, the cloud uses the proxy re-encryption key to convert the identity key ciphertext $CT_U$ into a ciphertext that the specified user can decrypt, wherein the proxy re-encryption key is computed by the data owner from its own private key and the identity public key;
(5) data decryption: after receiving the data, the user decrypts the identity key ciphertext $CT_U$ and the attribute key ciphertext $CT_A$ with the identity private key $CK_{UAID}$ and the attribute private key $CK_{AID}$ respectively, then reconstructs the data key and decrypts the ciphertext CT;
(6) updating the attribute and identity keys.
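The key handling in steps (3) and (5), as an added example that is not part of the patent text: the data key is DK = IK || AK, each half is wrapped separately, and decryption succeeds only when both halves are recovered. The identity-based and attribute-based encryption of the patent are replaced here by symmetric stand-in keys and an HMAC-SHA256 construction from the Python standard library; the function names, the 16-byte half length and the sample record are assumptions.

```python
import hashlib
import hmac
import secrets

# Assumption: the patent only says IK and AK have a fixed length.
# Each half must be long enough on its own, because a party that holds
# one half only has to search for the other.
HALF_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as the stand-in stream cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key: bytes):
    """Derive independent encryption and MAC keys from one input key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output layout is nonce || body || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    stream = _keystream(enc_key, nonce, len(plaintext))
    body = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Check the tag first; raise ValueError instead of returning garbage."""
    if len(blob) < 48:
        raise ValueError("ciphertext too short")
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key, mac_key = _subkeys(key)
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    stream = _keystream(enc_key, nonce, len(body))
    return bytes(c ^ s for c, s in zip(body, stream))


def encrypt_record(record: bytes, identity_key: bytes, attribute_key: bytes) -> dict:
    """Step (3): build DK = IK || AK, encrypt the data, wrap each half."""
    ik = secrets.token_bytes(HALF_LEN)
    ak = secrets.token_bytes(HALF_LEN)
    dk = ik + ak
    return {
        "CT": seal(dk, record),            # data under DK
        "CT_U": seal(identity_key, ik),    # stand-in for identity-key encryption of IK
        "CT_A": seal(attribute_key, ak),   # stand-in for attribute-key encryption of AK
    }


def decrypt_record(bundle: dict, identity_key: bytes, attribute_key: bytes) -> bytes:
    """Step (5): recover IK and AK, rebuild DK, decrypt CT."""
    ik = unseal(identity_key, bundle["CT_U"])
    ak = unseal(attribute_key, bundle["CT_A"])
    return unseal(ik + ak, bundle["CT"])


def can_decrypt(bundle: dict, identity_key: bytes, attribute_key: bytes) -> bool:
    """True only when both the identity and the attribute condition hold."""
    try:
        decrypt_record(bundle, identity_key, attribute_key)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    id_key, attr_key = secrets.token_bytes(32), secrets.token_bytes(32)
    sample = b"record-id=constructed-0001; note=constructed sample"
    b = encrypt_record(sample, id_key, attr_key)
    print(can_decrypt(b, id_key, attr_key))                  # both keys
    print(can_decrypt(b, id_key, secrets.token_bytes(32)))   # attribute key missing
```
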
By providing the cloud storage encryption and decryption system 42, this preferred embodiment achieves fine-grained access control and privacy protection for multiple types of big data while resisting collusion between users and attribute authorities. For the data to be stored in the cloud storage, identity-based encryption and decryption keys and attribute encryption and decryption keys are constructed separately and merged into the data encryption key used to encrypt the data, so that only a user who satisfies both the identity and the attribute conditions can decrypt, which greatly improves the security of big data sharing.
In this application scenario, the update period T is set to 7, and the security of the system is relatively improved by 11%.
Application scenario 3
Referring to Fig. 1 and Fig. 2, the security system for medical case information access of one embodiment of this application scenario comprises a medical user mobile terminal 1, an access user mobile terminal 2, a cloud storage service centre 3 and an access information management system 4. The cloud storage service centre 3 provides the storage service for medical case information; the medical user mobile terminal 1 lets medical users register and provides the interface for storing medical case information; the access user mobile terminal 2 provides the interface through which users access case information; and the access information management system 4 processes the case information to ensure that access to medical record information is secure.
Preferably, the cloud storage service centre 3 comprises a local storage and a cloud storage.
The above embodiment of the present invention provides the medical user mobile terminal 1, the access user mobile terminal 2, the cloud storage service centre 3 and the access information management system 4, which can prevent leakage of medical record information and effectively protect the security of the medical record information of the medical user mobile terminal 1. It has strong usability and practicality and thus solves the above technical problem.
Preferably, the cloud storage comprises a client and a cloud side. The client is responsible for monitoring and capturing local system operations; the cloud side is provided with a data management centre, which is responsible for storing, backing up and querying medical case information and has specialized data centres under it.
In this preferred embodiment the cloud side is provided with a data management centre, which manages the storage, backup and querying of medical case information in the cloud storage. This facilitates unified data management, improves work efficiency and saves cost.
Preferably, being responsible for storing, backing up and querying medical case information includes:
(1) converting the data format into a format suitable for storage in a non-relational database;
(2) dividing the data into basic data and specialized data and storing it with a strategy that combines centralized and distributed storage, with all data backed up when stored. The combined strategy is: basic data above a preset frequency is stored centrally and maintained uniformly by the data management centre; specialized data below the preset frequency is stored in a distributed manner and maintained separately at each specialized data centre;
(3) establishing a corresponding data retrieval algorithm for fast retrieval of data. The algorithm combines catalogue retrieval with a search engine, specifically: a data catalogue is built and the data is first retrieved coarsely by catalogue; a keyword is entered into the search engine for a precise search of the data; the search engine finds the matching data in a certain manner, ranks it by how well it matches the keyword, and returns it to the client.
This preferred embodiment uses a retrieval algorithm that combines catalogue retrieval with a search engine, so data can be obtained quickly and accurately.
Preferably, the access information management system 4 comprises the data preprocessing system 41, the cloud storage encryption and decryption system 42, the control system 43 and the security management centre 44. The data preprocessing system 41 preprocesses the medical record information data that the user needs to upload; the cloud storage encryption and decryption system 42 encrypts or decrypts, according to the optimized access control security policy, the medical record information data to be stored in the cloud storage; the control system 43 stores the medical record information data that the user needs to upload to the corresponding device of the cloud storage service centre 3; and the security management centre 44 performs unified monitoring and management of the security of each system.
This preferred embodiment sets out the system structure of the access information management system 4.
Preferably, the unified monitoring and management of the security of each system includes:
(1) adopting the corresponding security protection techniques for the different protection requirements of the cloud storage service centre 3, the data preprocessing system 41, the cloud storage encryption and decryption system 42 and the control system 43, and deploying the relevant protection equipment, to form a complete security protection system;
(2) establishing an effective data security mechanism that covers the security of medical record information data in storage, in transmission and during access: not only is the medical record information data encrypted, the transmission protocol for it is encrypted as well;
(3) establishing a virus and Trojan defence mechanism, regularly updating the virus database and upgrading the firewall with an update period T of 6 to 10 days, analysing any abnormal data detected and raising an early warning.
This preferred embodiment achieves unified monitoring and management of the security of each system.
Preferably, the data preprocessing system 41 comprises a data segmentation unit, a data extraction unit and an access control security policy optimization unit. The data segmentation unit divides the medical record information data that the user needs to upload into multiple mutually exclusive data sets. The data extraction unit sorts each mutually exclusive data set according to a custom ordering rule, extracts the first data unit of each data set in order, and saves the extracted units together with the ordering rule as the small block data; here mutually exclusive means that no association exists between any two data units in a data set. The access control security policy optimization unit generates the system's access control security policy using an access control security policy optimization method based on fine-grained resource division, including:
(1) building a hierarchical data tree structure from the mutually exclusive data sets produced by the data extraction unit. The hierarchical data tree structure has three layers, a service layer, a logical layer and a physical layer: the service layer is the root node of the tree, associated with the data dispatch service; the logical layer is the data associated in the access control security policy; and the physical layer contains the data units of all the mutually exclusive data sets;
(2) formulating access control security policies for data of different security levels using the eXtensible Access Control Markup Language (XACML), and projecting the rules associated with data in the access control security policy onto the data units in the mutually exclusive data sets, thereby refining the rules of the access control security policy to the data dimension;
(3) performing rule optimization on the data units in each mutually exclusive data set, to remove conflicts and redundancy among the rules distributed on each data unit;
(4) merging the optimized rules to generate the optimized access control security policy.
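Steps (2) to (4) above, as an added example that is not part of the patent text: rules are projected onto data units, conflicts and redundancy are removed per unit, and the surviving rules are merged. The patent does not say how a conflict is resolved, so deny-overrides behaviour as known from XACML is assumed; the rule fields, function names and sample policy are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    rule_id: str
    subject: str          # requesting role
    action: str           # e.g. "read", "write"
    resources: frozenset  # data units the rule is associated with
    effect: str           # "Permit" or "Deny", as in XACML


# Constructed sample policy over data units of a medical record.
RULES = [
    Rule("R1", "physician", "read", frozenset({"diagnosis", "lab_results"}), "Permit"),
    Rule("R2", "physician", "read", frozenset({"lab_results"}), "Permit"),
    Rule("R3", "billing_clerk", "read", frozenset({"billing", "diagnosis"}), "Permit"),
    Rule("R4", "billing_clerk", "read", frozenset({"diagnosis"}), "Deny"),
    Rule("R5", "physician", "write", frozenset({"diagnosis"}), "Permit"),
]


def project(rules):
    """Step (2): refine every rule to the data units it touches."""
    per_unit = defaultdict(list)
    for rule in rules:
        for unit in sorted(rule.resources):
            per_unit[unit].append(rule)
    return per_unit


def optimise_unit(rules_on_unit):
    """Step (3): on one data unit, keep a single decision per (subject, action).

    Same effect twice is redundancy; opposite effects are a conflict, which is
    resolved with deny-overrides (an assumption, see the lead-in).
    """
    decided, findings = {}, []
    for rule in rules_on_unit:
        key = (rule.subject, rule.action)
        kept = decided.get(key)
        if kept is None:
            decided[key] = rule
        elif kept.effect == rule.effect:
            findings.append(("redundant", rule.rule_id, kept.rule_id))
        elif rule.effect == "Deny":
            findings.append(("conflict", kept.rule_id, rule.rule_id))
            decided[key] = rule
        else:
            findings.append(("conflict", rule.rule_id, kept.rule_id))
    return decided, findings


def optimise_policy(rules):
    """Steps (2)-(4): project, optimise per unit, merge back into compact rules.

    Returns (policy, findings). policy maps (subject, action, effect) to the
    set of data units it covers; findings lists (unit, kind, dropped, kept).
    """
    merged, findings = defaultdict(set), []
    for unit, on_unit in project(rules).items():
        decided, unit_findings = optimise_unit(on_unit)
        findings += [(unit, kind, dropped, kept) for kind, dropped, kept in unit_findings]
        for (subject, action), rule in decided.items():
            merged[(subject, action, rule.effect)].add(unit)
    policy = {key: frozenset(units) for key, units in merged.items()}
    return policy, findings


def evaluate(policy, subject, action, unit):
    """Decision for one request; unambiguous because conflicts were removed."""
    for (s, a, effect), units in policy.items():
        if (s, a) == (subject, action) and unit in units:
            return effect
    return "NotApplicable"


if __name__ == "__main__":
    optimised, report = optimise_policy(RULES)
    for entry in report:
        print(entry)
    print(evaluate(optimised, "billing_clerk", "read", "diagnosis"))
```
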
Preferably, storing the medical record information data that the user needs to upload to the corresponding device in the cloud storage service centre includes:
(1) storing the small block data in the local storage and encrypting it with a user-defined encryption technique;
(2) transmitting the remaining data, which is to be stored in the cloud storage and has been encrypted by the cloud storage encryption and decryption system 42, to the cloud over the Internet; after the cloud receives the data, it performs an integrity check on the data and then saves it in a cloud storage node.
The above two preferred embodiments provide the data preprocessing system 41, which first performs data segmentation and data extraction on the medical record information data to be stored in the cloud storage service centre 3 and then refines the rules of the access control security policy. This reduces the physical storage space and the storage overhead of the data, eliminates conflicts and redundancy in the access control security policy, and improves the efficiency of access control decisions. Part of the data is extracted by the data extraction process and stored in the local storage, and the remaining data is stored in the cloud storage after the corresponding access control security policy has been set. This avoids the large system overhead and complexity that traditional cloud storage data privacy mechanisms based purely on encryption incur when actually processing data, can effectively prevent malicious users or cloud storage administrators from illegally stealing or tampering with users' private data, and improves the security of medical record information data storage.
Preferably, the cloud storage encryption and decryption system 42 consists mainly of five entities: the data owner, the attribute authority, the cloud, the trusted third party and the user. Encrypting or decrypting the data to be stored in the cloud storage includes:
(1) the trusted third party assigns a user identity identifier UAID to each user and an attribute authority identity identifier AID to each attribute authority, including:
A, initializing, credible tripartite's initialization system parameter isWherein α is random integers;
B, for each legitimate user, the trusted third party assigns a UAID and generates a certificate for it:
$Certificate(UAID) = \hat{E}(H(UAID), g)^{C_{UAID}}$
Meanwhile, the authentication parameter of validated user is announcedWherein, CUAID∈ZP
C, generating identity key pairs for the data owner and the legitimate users;
(2) generating the identity-based encryption and decryption keys, the attribute encryption and decryption keys and the proxy re-encryption key, wherein the identity-based encryption and decryption keys comprise the identity public key $GK_{UAID}$ and the identity private key $CK_{UAID}$, and the attribute encryption and decryption keys comprise the attribute public key $GK_{AID}$ and the attribute private key $CK_{AID}$:
$GK_{UAID} = \hat{E}(g, g)^{\propto_{AID}}$
$GK_{AID} = \{\forall x \in AS_{AID} : GK_x = H(x)^{B_x \beta_{AID}}\}$
$CK_{UAID} = (\propto_{AID}, \beta_{AID})$
$CK_{AID} = (K_0 = g^{\propto_{AID}} g^{\alpha\gamma},\ K_1 = g^{\alpha\gamma},\ \forall x \in AS_{UAID,AID} : K_x = H(x)^{B_x \beta_{AID} \gamma})$
where $AS_{AID}$ is the set of attributes that a single attribute authority can assign, $GK_x$ is the public key of attribute $x$, $B_x$ is the version number of attribute $x$, $\propto_{AID}$ is the private key parameter of the attribute authority, $\beta_{AID}$ is the attribute update parameter, $AS_{UAID,AID}$ is the set of attributes that the attribute authority assigns according to identity, $\gamma$ is a parameter chosen at random by the attribute authority, and $\gamma, \propto_{AID}, \beta_{AID} \in Z_P$;
(3) the cloud storage encryption and decryption system 42 encrypts the data to be stored in the cloud storage with the data key to obtain the ciphertext CT, and then encrypts the data key with the identity public key and the attribute public key respectively to generate the identity key ciphertext $CT_U$ and the attribute key ciphertext $CT_A$, including:
A, randomly generating two fixed-length strings IK and AK and concatenating them to form the data key DK:
$DK = IK \,\|\, AK$
B, encrypting the remaining data to be stored in the cloud storage with the data key DK to obtain the ciphertext CT, then encrypting AK with the attribute public key to generate the attribute key ciphertext $CT_A$ and encrypting IK with the identity public key to generate the identity key ciphertext $CT_U$;
(4) proxy re-encryption: when a data request from a user is received, the cloud uses the proxy re-encryption key to convert the identity key ciphertext $CT_U$ into a ciphertext that the specified user can decrypt, wherein the proxy re-encryption key is computed by the data owner from its own private key and the identity public key;
(5) data decryption: after receiving the data, the user decrypts the identity key ciphertext $CT_U$ and the attribute key ciphertext $CT_A$ with the identity private key $CK_{UAID}$ and the attribute private key $CK_{AID}$ respectively, then reconstructs the data key and decrypts the ciphertext CT;
(6) updating the attribute and identity keys.
By providing the cloud storage encryption and decryption system 42, this preferred embodiment achieves fine-grained access control and privacy protection for multiple types of big data while resisting collusion between users and attribute authorities. For the data to be stored in the cloud storage, identity-based encryption and decryption keys and attribute encryption and decryption keys are constructed separately and merged into the data encryption key used to encrypt the data, so that only a user who satisfies both the identity and the attribute conditions can decrypt, which greatly improves the security of big data sharing.
In this application scenario, the update period T is set to 8, and the security of the system is relatively improved by 10%.
Application scenario 4
Referring to Fig. 1 and Fig. 2, the security system for medical case information access of one embodiment of this application scenario comprises a medical user mobile terminal 1, an access user mobile terminal 2, a cloud storage service centre 3 and an access information management system 4. The cloud storage service centre 3 provides the storage service for medical case information; the medical user mobile terminal 1 lets medical users register and provides the interface for storing medical case information; the access user mobile terminal 2 provides the interface through which users access case information; and the access information management system 4 processes the case information to ensure that access to medical record information is secure.
Preferably, the cloud storage service centre 3 comprises a local storage and a cloud storage.
The above embodiment of the present invention provides the medical user mobile terminal 1, the access user mobile terminal 2, the cloud storage service centre 3 and the access information management system 4, which can prevent leakage of medical record information and effectively protect the security of the medical record information of the medical user mobile terminal 1. It has strong usability and practicality and thus solves the above technical problem.
Preferably, the cloud storage comprises a client and a cloud side. The client is responsible for monitoring and capturing local system operations; the cloud side is provided with a data management centre, which is responsible for storing, backing up and querying medical case information and has specialized data centres under it.
In this preferred embodiment the cloud side is provided with a data management centre, which manages the storage, backup and querying of medical case information in the cloud storage. This facilitates unified data management, improves work efficiency and saves cost.
Preferably, being responsible for storing, backing up and querying medical case information includes:
(1) converting the data format into a format suitable for storage in a non-relational database;
(2) dividing the data into basic data and specialized data and storing it with a strategy that combines centralized and distributed storage, with all data backed up when stored. The combined strategy is: basic data above a preset frequency is stored centrally and maintained uniformly by the data management centre; specialized data below the preset frequency is stored in a distributed manner and maintained separately at each specialized data centre;
(3) establishing a corresponding data retrieval algorithm for fast retrieval of data. The algorithm combines catalogue retrieval with a search engine, specifically: a data catalogue is built and the data is first retrieved coarsely by catalogue; a keyword is entered into the search engine for a precise search of the data; the search engine finds the matching data in a certain manner, ranks it by how well it matches the keyword, and returns it to the client.
This preferred embodiment uses a retrieval algorithm that combines catalogue retrieval with a search engine, so data can be obtained quickly and accurately.
Preferably, the access information management system 4 comprises the data preprocessing system 41, the cloud storage encryption and decryption system 42, the control system 43 and the security management centre 44. The data preprocessing system 41 preprocesses the medical record information data that the user needs to upload; the cloud storage encryption and decryption system 42 encrypts or decrypts, according to the optimized access control security policy, the medical record information data to be stored in the cloud storage; the control system 43 stores the medical record information data that the user needs to upload to the corresponding device of the cloud storage service centre 3; and the security management centre 44 performs unified monitoring and management of the security of each system.
This preferred embodiment sets out the system structure of the access information management system 4.
Preferably, the unified monitoring and management of the security of each system includes:
(1) adopting the corresponding security protection techniques for the different protection requirements of the cloud storage service centre 3, the data preprocessing system 41, the cloud storage encryption and decryption system 42 and the control system 43, and deploying the relevant protection equipment, to form a complete security protection system;
(2) establishing an effective data security mechanism that covers the security of medical record information data in storage, in transmission and during access: not only is the medical record information data encrypted, the transmission protocol for it is encrypted as well;
(3) establishing a virus and Trojan defence mechanism, regularly updating the virus database and upgrading the firewall with an update period T of 6 to 10 days, analysing any abnormal data detected and raising an early warning.
This preferred embodiment achieves unified monitoring and management of the security of each system.
Preferably, the data preprocessing system 41 comprises a data segmentation unit, a data extraction unit and an access control security policy optimization unit. The data segmentation unit divides the medical record information data that the user needs to upload into multiple mutually exclusive data sets. The data extraction unit sorts each mutually exclusive data set according to a custom ordering rule, extracts the first data unit of each data set in order, and saves the extracted units together with the ordering rule as the small block data; here mutually exclusive means that no association exists between any two data units in a data set. The access control security policy optimization unit generates the system's access control security policy using an access control security policy optimization method based on fine-grained resource division, including:
(1) building a hierarchical data tree structure from the mutually exclusive data sets produced by the data extraction unit. The hierarchical data tree structure has three layers, a service layer, a logical layer and a physical layer: the service layer is the root node of the tree, associated with the data dispatch service; the logical layer is the data associated in the access control security policy; and the physical layer contains the data units of all the mutually exclusive data sets;
(2) formulating access control security policies for data of different security levels using the eXtensible Access Control Markup Language (XACML), and projecting the rules associated with data in the access control security policy onto the data units in the mutually exclusive data sets, thereby refining the rules of the access control security policy to the data dimension;
(3) performing rule optimization on the data units in each mutually exclusive data set, to remove conflicts and redundancy among the rules distributed on each data unit;
(4) merging the optimized rules to generate the optimized access control security policy.
Preferably, storing the medical record information data that the user needs to upload to the corresponding device in the cloud storage service centre includes:
(1) storing the small block data in the local storage and encrypting it with a user-defined encryption technique;
(2) transmitting the remaining data, which is to be stored in the cloud storage and has been encrypted by the cloud storage encryption and decryption system 42, to the cloud over the Internet; after the cloud receives the data, it performs an integrity check on the data and then saves it in a cloud storage node.
The above two preferred embodiments provide the data preprocessing system 41, which first performs data segmentation and data extraction on the medical record information data to be stored in the cloud storage service centre 3 and then refines the rules of the access control security policy. This reduces the physical storage space and the storage overhead of the data, eliminates conflicts and redundancy in the access control security policy, and improves the efficiency of access control decisions. Part of the data is extracted by the data extraction process and stored in the local storage, and the remaining data is stored in the cloud storage after the corresponding access control security policy has been set. This avoids the large system overhead and complexity that traditional cloud storage data privacy mechanisms based purely on encryption incur when actually processing data, can effectively prevent malicious users or cloud storage administrators from illegally stealing or tampering with users' private data, and improves the security of medical record information data storage.
Preferably, the cloud storage encryption and decryption system 42 consists mainly of five entities: the data owner, the attribute authority, the cloud, the trusted third party and the user. Encrypting or decrypting the data to be stored in the cloud storage includes:
(1) the trusted third party assigns a user identity identifier UAID to each user and an attribute authority identity identifier AID to each attribute authority, including:
A, initializing, credible tripartite's initialization system parameter isWherein α is random integers;
B, for each legitimate user, the trusted third party assigns a UAID and generates a certificate for it:
$Certificate(UAID) = \hat{E}(H(UAID), g)^{C_{UAID}}$
Meanwhile, the authentication parameter of validated user is announcedWherein, CUAID∈ZP
C, generating identity key pairs for the data owner and the legitimate users;
(2) generating the identity-based encryption and decryption keys, the attribute encryption and decryption keys and the proxy re-encryption key, wherein the identity-based encryption and decryption keys comprise the identity public key $GK_{UAID}$ and the identity private key $CK_{UAID}$, and the attribute encryption and decryption keys comprise the attribute public key $GK_{AID}$ and the attribute private key $CK_{AID}$:
$GK_{UAID} = \hat{E}(g, g)^{\propto_{AID}}$
$GK_{AID} = \{\forall x \in AS_{AID} : GK_x = H(x)^{B_x \beta_{AID}}\}$
$CK_{UAID} = (\propto_{AID}, \beta_{AID})$
$CK_{AID} = (K_0 = g^{\propto_{AID}} g^{\alpha\gamma},\ K_1 = g^{\alpha\gamma},\ \forall x \in AS_{UAID,AID} : K_x = H(x)^{B_x \beta_{AID} \gamma})$
where $AS_{AID}$ is the set of attributes that a single attribute authority can assign, $GK_x$ is the public key of attribute $x$, $B_x$ is the version number of attribute $x$, $\propto_{AID}$ is the private key parameter of the attribute authority, $\beta_{AID}$ is the attribute update parameter, $AS_{UAID,AID}$ is the set of attributes that the attribute authority assigns according to identity, $\gamma$ is a parameter chosen at random by the attribute authority, and $\gamma, \propto_{AID}, \beta_{AID} \in Z_P$;
(3) the cloud storage encryption and decryption system 42 encrypts the data to be stored in the cloud storage with the data key to obtain the ciphertext CT, and then encrypts the data key with the identity public key and the attribute public key respectively to generate the identity key ciphertext $CT_U$ and the attribute key ciphertext $CT_A$, including:
A, randomly generating two fixed-length strings IK and AK and concatenating them to form the data key DK:
$DK = IK \,\|\, AK$
B, encrypting the remaining data to be stored in the cloud storage with the data key DK to obtain the ciphertext CT, then encrypting AK with the attribute public key to generate the attribute key ciphertext $CT_A$ and encrypting IK with the identity public key to generate the identity key ciphertext $CT_U$;
(4) proxy re-encryption: when a data request from a user is received, the cloud uses the proxy re-encryption key to convert the identity key ciphertext $CT_U$ into a ciphertext that the specified user can decrypt, wherein the proxy re-encryption key is computed by the data owner from its own private key and the identity public key;
(5) data decryption: after receiving the data, the user decrypts the identity key ciphertext $CT_U$ and the attribute key ciphertext $CT_A$ with the identity private key $CK_{UAID}$ and the attribute private key $CK_{AID}$ respectively, then reconstructs the data key and decrypts the ciphertext CT;
(6) updating the attribute and identity keys.
By providing the cloud storage encryption and decryption system 42, this preferred embodiment achieves fine-grained access control and privacy protection for multiple types of big data while resisting collusion between users and attribute authorities. For the data to be stored in the cloud storage, identity-based encryption and decryption keys and attribute encryption and decryption keys are constructed separately and merged into the data encryption key used to encrypt the data, so that only a user who satisfies both the identity and the attribute conditions can decrypt, which greatly improves the security of big data sharing.
In this application scenario, the update period T is set to 9, and the security of the system is relatively improved by 9%.
Application scenario 5
Referring to Fig. 1 and Fig. 2, the security system for medical case information access of one embodiment of this application scenario includes a medical user mobile terminal 1, an accessing user mobile terminal 2, a cloud storage service center 3 and an access information management system 4. The cloud storage service center 3 provides the storage service for medical case information; the medical user mobile terminal 1 is used for medical user registration and provides the interface for storing medical case information; the accessing user mobile terminal 2 provides the interface through which a user accesses case information; the access information management system 4 processes the case information and ensures the access security of the medical record information.
Preferably, the cloud storage service center 3 includes a local storage and a cloud storage.
The above embodiment of the present invention provides the medical user mobile terminal 1, the accessing user mobile terminal 2, the cloud storage service center 3 and the access information management system 4, which prevents leakage of medical record information and effectively protects the security of the medical record information of the medical user mobile terminal 1; it has strong usability and practicality and thereby solves the above technical problem.
Preferably, the cloud storage includes a client and a cloud side; the client is responsible for monitoring and capturing local system operations, and the cloud side is provided with a data management center responsible for storing, backing up and querying medical case information; the data management center has subordinate professional data centers.
In this preferred embodiment the cloud side is provided with a data management center, which manages the storage, backup and querying of medical case information in the cloud storage, making unified data management easier, improving work efficiency and saving cost.
Preferably, being responsible for storing, backing up and querying medical case information includes:
(1) converting the data format to establish a format suitable for storage in a non-relational database;
(2) dividing the data into basic data and professional data and storing it with a strategy that combines centralized and distributed storage, all data being backed up when stored. The combined strategy includes: basic data above a preset frequency is stored centrally and maintained uniformly by the data management center; professional data below the preset frequency is stored in a distributed manner and maintained separately at each professional data center;
(3) establishing a corresponding data retrieval algorithm for fast retrieval of the data. The data retrieval algorithm combines catalogue retrieval with a search engine and specifically includes: building a data catalogue and performing a preliminary retrieval of the data according to the catalogue; entering keywords into the search engine to perform a precise search of the data; the search engine finds matching data in a certain manner and returns it to the client sorted by the degree of match between the data and the keywords.
This preferred embodiment uses a retrieval algorithm that combines catalogue retrieval with a search engine, so data can be obtained quickly and accurately.
Preferably, the access information management system 4 includes a data preprocessing system 41, a cloud storage encryption and decryption system 42, a control system 43 and a security management center 44. The data preprocessing system 41 preprocesses the medical record information data that the user needs to upload; the cloud storage encryption and decryption system 42 encrypts or decrypts the medical record information data stored in the cloud storage according to the optimized access control security policy; the control system 43 stores the medical record information data that the user needs to upload to the corresponding devices of the cloud storage service center 3; the security management center 44 performs unified monitoring and management of the security of each system.
This preferred embodiment establishes the system structure of the access information management system 4.
Preferably, the unified monitoring and management of the security of each system includes:
(1) adopting the corresponding security protection technology for the different security protection requirements of the cloud storage service center 3, the data preprocessing system 41, the cloud storage encryption and decryption system 42 and the control system 43, and equipping the related security protection devices, to form a complete security protection system;
(2) establishing an effective data security mechanism that takes into account security during storage, transmission and access of the medical record information data: not only is the medical record information data encrypted, but the transmission protocol for the medical record information data is encrypted as well;
(3) establishing a virus and Trojan defense mechanism, regularly updating the virus database and upgrading the firewall, with an update cycle T whose value is 6-10 days; detected abnormal data is analyzed and an early warning is sent.
This preferred embodiment achieves unified monitoring and management of the security of each system.
Preferably, the data preprocessing system 41 includes a data partitioning unit, a data extraction unit and an access control security policy optimization unit. The data partitioning unit divides the medical record information data that the user needs to upload into multiple mutually exclusive data sets. The data extraction unit sorts the mutually exclusive data sets according to a user-defined ordering rule, extracts the first data unit of each data set in order, and saves the extracted units together with the ordering rule as a small data block, where mutually exclusive means that no association exists between any two data units in the data sets. The access control security policy optimization unit generates the access control security policy of the system using an access control security policy optimization method based on fine-grained resource partitioning, including:
(1) building a hierarchical data tree structure based on the mutually exclusive data sets processed by the data extraction unit. The hierarchical data tree structure is a three-layer data tree comprising a service layer, a logical layer and a physical layer: the service layer is the root node of the tree and relates to the data dispatch service, the logical layer is the data associated in the access control security policy, and the physical layer contains the data units of all mutually exclusive data sets;
(2) formulating access control security policies for data of different security levels based on the extensible access control markup language XACML, and projecting the rules associated with data in the access control security policy onto the data units in the mutually exclusive data sets, thereby refining the rules in the access control security policy to the data dimension;
(3) optimizing the rules on the data units in each mutually exclusive data set, to remove conflicts and redundancy among the rules distributed on each data unit;
(4) merging the optimized rules to generate the optimized access control security policy.
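The following added example (not code from the patent) carries steps (1)-(4) above through on a constructed three-layer tree and rule set: rules are projected onto data units, redundant and conflicting rules are removed per unit, and the survivors are merged. The resource names, roles, rule tuples and the deny-overrides conflict resolution are assumptions; the patent does not state how a conflict is resolved.

```python
from collections import defaultdict

# Constructed three-layer tree: service root -> logical groups -> physical data units.
TREE = {"record_service": {
    "demographics": ["name", "birth_date"],
    "clinical": ["diagnosis", "lab_result", "prescription"],
}}

# Constructed XACML-style rules: (rule id, subject role, action, resource, effect).
RULES = [
    ("r1", "doctor", "read", "clinical", "Permit"),
    ("r2", "doctor", "read", "diagnosis", "Permit"),     # redundant with r1
    ("r3", "nurse", "read", "record_service", "Permit"),
    ("r4", "nurse", "read", "prescription", "Deny"),     # conflicts with r3
    ("r5", "doctor", "read", "demographics", "Permit"),
]

def leaves(tree, resource):
    """Return the physical-layer data units covered by a resource name."""
    for service, groups in tree.items():
        if resource == service:
            return [u for units in groups.values() for u in units]
        for group, units in groups.items():
            if resource == group:
                return list(units)
            if resource in units:
                return [resource]
    raise KeyError(f"unknown resource: {resource}")

def project(tree, rules):
    """Step (2): attach every rule to each data unit it applies to."""
    per_unit = defaultdict(list)
    for rule_id, subject, action, resource, effect in rules:
        for unit in leaves(tree, resource):
            per_unit[unit].append((rule_id, subject, action, effect))
    return per_unit

def optimize_unit(unit_rules):
    """Step (3): keep one effect per (subject, action); Deny wins (assumption)."""
    decided, dropped = {}, []
    for rule_id, subject, action, effect in unit_rules:
        key = (subject, action)
        if key not in decided:
            decided[key] = (effect, rule_id)
        elif decided[key][0] == effect:
            dropped.append((rule_id, "redundant"))
        elif effect == "Deny":
            dropped.append((decided[key][1], "conflict"))
            decided[key] = (effect, rule_id)
        else:
            dropped.append((rule_id, "conflict"))
    return {key: val[0] for key, val in decided.items()}, dropped

def optimize_policy(tree, rules):
    """Steps (2)-(4): project, optimize per unit, merge units that agree."""
    decisions, report = {}, {}
    for unit, unit_rules in project(tree, rules).items():
        decisions[unit], report[unit] = optimize_unit(unit_rules)
    merged = defaultdict(set)
    for unit, table in decisions.items():
        for (subject, action), effect in table.items():
            merged[(subject, action, effect)].add(unit)
    policy = sorted((s, a, e, tuple(sorted(units)))
                    for (s, a, e), units in merged.items())
    return policy, report

if __name__ == "__main__":
    policy, report = optimize_policy(TREE, RULES)
    for entry in policy:
        print(entry)
    print(report)
```

The per-unit report shows which rule was dropped and why, which is the audit trail a reviewer needs before the merged policy replaces the original one.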
Preferably, storing the medical record information data that the user needs to upload to the corresponding devices in the cloud storage service center includes:
(1) storing the small data block in the local storage and encrypting it with a user-defined encryption technique;
(2) transferring the remaining data that needs to be stored in the cloud storage, after encryption by the cloud storage encryption and decryption system 42, to the cloud side over the Internet; after the cloud side receives the data, it performs an integrity check on the data and then saves it in a storage node.
The above two preferred embodiments provide the data preprocessing system 41, which first applies data partitioning and data extraction to the medical record information data to be stored in the cloud storage service center 3 and then refines the rules in the access control security policy. This reduces the physical storage space of the stored data, lowers the storage overhead, and removes conflicts and redundancy in the access control security policy, improving the efficiency of access control decisions. Part of the data is extracted by the data extraction processing and stored in the local storage, and the remaining data is stored in the cloud storage after the corresponding access control security policy has been set; this avoids the large overhead and complexity that traditional cloud storage data privacy mechanisms based purely on encryption incur when actually processing data, effectively prevents malicious users or cloud storage administrators from illegally stealing or tampering with users' private data, and improves the security of medical record information data storage.
Preferably, the cloud storage encryption and decryption system 42 mainly consists of five entities: the data owner, the attribute authority, the cloud, the trusted third party and the user. Encrypting or decrypting the data stored in the cloud storage includes:
(1) the trusted third party assigns a user identity identifier UAID to each user and an attribute authority identity identifier AID to each attribute authority, including:
A. initialization: the trusted third party initializes the system parameters as , where α is a random integer;
B. for each legitimate user, the trusted third party assigns a UAID and generates a certificate for it:
$$Certificate(UAID) = \hat{E}(H(UAID), g)^{C_{UAID}}$$
and at the same time publishes the authentication parameter of the legitimate user , where $C_{UAID} \in Z_P$;
C. generating identity key pairs for the data owner and the legitimate users;
(2) generating the identity-based encryption and decryption key, the attribute encryption and decryption key and the proxy re-encryption key, where the identity-based encryption and decryption key includes the identity public key $GK_{UAID}$ and the identity private key $CK_{UAID}$, and the attribute encryption and decryption key includes the attribute public key $GK_{AID}$ and the attribute private key $CK_{AID}$:
$$GK_{UAID} = \hat{E}(g, g)^{\propto_{AID}}$$
$$GK_{AID} = \{\forall x \in AS_{AID} : GK_x = H(x)^{B_x \beta_{AID}}\}$$
$$CK_{UAID} = (\propto_{AID}, \beta_{AID})$$
$$CK_{AID} = \left(K_0 = g^{\propto_{AID}} g^{\alpha\gamma},\ K_1 = g^{\alpha\gamma},\ \forall x \in AS_{UAID,AID} : K_x = H(x)^{B_x \beta_{AID} \gamma}\right)$$
where $AS_{AID}$ is the set of attributes that a single attribute authority can distribute, $GK_x$ is the public key of attribute x, $B_x$ is the version number of attribute x, $\propto_{AID}$ is the private key parameter of the attribute authority, $\beta_{AID}$ is the attribute update parameter, $AS_{UAID,AID}$ is the set of attributes that the attribute authority distributes according to identity, γ is a parameter chosen at random by the attribute authority, and $\gamma, \propto_{AID}, \beta_{AID} \in Z_P$;
(3) the cloud storage encryption and decryption system 42 encrypts the data to be stored in the cloud storage with the data key to obtain the ciphertext CT, then encrypts the data key with the identity public key and the attribute public key respectively, generating the identity key ciphertext $CT_U$ and the attribute key ciphertext $CT_A$, including:
A. randomly generating two fixed-length character strings IK and AK and combining them into the data key DK:
$$DK = IK \,\|\, AK$$
B. encrypting the remaining data that needs to be stored in the cloud storage with the data key DK to obtain the ciphertext CT, then encrypting AK with the attribute public key to generate the attribute key ciphertext $CT_A$, and encrypting IK with the identity public key to generate the identity key ciphertext $CT_U$;
(4) Proxy re-encryption is performed: when a user's data request is received, the cloud uses the proxy re-encryption key to convert the identity key ciphertext $CT_U$ into a ciphertext that the specified user can decrypt, where the proxy re-encryption key is computed by the data owner from the owner's own private key and the identity public key;
(5) Data decryption: after the user receives the data, the user uses the identity private key $CK_{UAID}$ and the attribute private key $CK_{AID}$ to decrypt the identity key ciphertext $CT_U$ and the attribute key ciphertext $CT_A$ respectively, then reconstructs the data key and decrypts the ciphertext CT;
(6) The attributes and the identity keys are updated.
By providing the cloud storage encryption and decryption system 42, this preferred embodiment achieves fine-grained access control and privacy protection for multiple types of big data, and at the same time resists collusion between users and attribute authorities. For data to be stored in the cloud storage, an identity-based encryption and decryption key and an attribute encryption and decryption key are constructed separately and combined into the data encryption key that encrypts the data, so that only a user who satisfies both the identity condition and the attribute condition can decrypt it, which greatly improves the security of big data sharing.
In this application scenario, the update cycle T is 10, and the security of the system is relatively improved by 8%.
Finally, it should be noted that the above embodiments only illustrate the technical solution of the present invention and do not limit its scope of protection. Although the present invention has been explained in detail with reference to the preferred embodiments, those of ordinary skill in the art should understand that the technical solution of the present invention may be modified or equivalently replaced without departing from the essence and scope of the technical solution of the present invention.

Claims (3)

1. A security system for medical case information access, characterized in that it includes a medical user mobile terminal, an accessing user mobile terminal, a cloud storage service center and an access information management system; the cloud storage service center provides the storage service for medical case information; the medical user mobile terminal is used for medical user registration and provides the interface for storing medical case information; the accessing user mobile terminal provides the interface through which a user accesses case information; the access information management system processes the case information and ensures the access security of the medical record information.
2. The security system for medical case information access according to claim 1, characterized in that the cloud storage service center includes a local storage and a cloud storage.
3. The security system for medical case information access according to claim 2, characterized in that the cloud storage includes a client and a cloud side; the client is responsible for monitoring and capturing local system operations, and the cloud side is provided with a data management center responsible for storing, backing up and querying medical case information; the data management center has subordinate professional data centers.
CN201610778967.1A 2016-08-30 2016-08-30 The security system accessed for medical treatment case information Pending CN106131225A (en)

Publications (1)

Publication Number Publication Date
CN106131225A true CN106131225A (en) 2016-11-16

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20161116