CN106131225A - Security system for access to medical case information - Google Patents
- Publication number
- CN106131225A (application CN201610778967.1A)
- Authority
- CN
- China
- Legal status
- Pending
Classifications
- H04L67/12—Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
- H04L63/0442—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
- H04L67/1097—Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
Abstract
The present invention provides a security system for access to medical case information, comprising a medical user mobile terminal, an access user mobile terminal, a cloud storage service centre and an access information management system. The cloud storage service centre provides the storage service for medical case information; the medical user mobile terminal is used for medical user registration and provides the interface for storing medical case information; the access user mobile terminal provides the interface through which a user accesses case information; the access information management system processes the case information and ensures the access security of medical record information. The invention can prevent leakage of medical record information and effectively protects the security of the medical record information of the medical user mobile terminal, and has strong usability and practicality.
Description
Technical field
The present invention relates to the technical field of medical data security, and in particular to a security system for access to medical case information.
Background art
In the related art, medical record information systems provide people with real-time, comprehensive and authoritative health information collection, transmission, storage, sharing and processing functions, but they have security problems in the following respects: 1) medical record information is easily stolen and propagated during transmission; 2) the scale of medical information is very large, and the storage of massive amounts of information carries potential security risks; 3) the access control management of medical record information is unsound, so that the sensitive data of a medical user mobile terminal can easily be obtained by anyone who enters the medical system.
Summary of the invention
To solve the above problems, the present invention provides a security system for access to medical case information.
The object of the present invention is achieved by the following technical solution:
A security system for access to medical case information is provided, comprising a medical user mobile terminal, an access user mobile terminal, a cloud storage service centre and an access information management system. The cloud storage service centre provides the storage service for medical case information; the medical user mobile terminal is used for medical user registration and provides the interface for storing medical case information; the access user mobile terminal provides the interface through which a user accesses case information; the access information management system processes the case information and ensures the access security of medical record information.
The beneficial effects of the invention are as follows: by providing the medical user mobile terminal, the access user mobile terminal, the cloud storage service centre and the access information management system, the invention can prevent leakage of medical record information and effectively protects the security of the medical record information of the medical user mobile terminal, and has strong usability and practicality, thereby solving the above technical problem.
Brief description of the drawings
The invention is further described with reference to the accompanying drawings, but the embodiments in the drawings do not constitute any limitation of the invention; a person of ordinary skill in the art can obtain other drawings from the following drawings without creative effort.
Fig. 1 is a schematic diagram of the structural connections of the present invention.
Fig. 2 is a schematic structural diagram of the access information management system of the present invention.
Reference numerals:
Medical user mobile terminal 1, access user mobile terminal 2, cloud storage service centre 3, access information management system 4, data preprocessing system 41, cloud storage encryption/decryption system 42, control system 43, security management center 44.
Detailed description
The invention is further described with reference to the following embodiments.
Application scenario 1
Referring to Fig. 1 and Fig. 2, the security system for access to medical case information according to an embodiment of this application scenario comprises a medical user mobile terminal 1, an access user mobile terminal 2, a cloud storage service centre 3 and an access information management system 4. The cloud storage service centre 3 provides the storage service for medical case information; the medical user mobile terminal 1 is used for medical user registration and provides the interface for storing medical case information; the access user mobile terminal 2 provides the interface through which a user accesses case information; the access information management system 4 processes the case information and ensures the access security of medical record information.
Preferably, the cloud storage service centre 3 includes a local storage and a cloud storage.
By providing the medical user mobile terminal 1, the access user mobile terminal 2, the cloud storage service centre 3 and the access information management system 4, the above embodiment of the invention can prevent leakage of medical record information and effectively protects the security of the medical record information of the medical user mobile terminal 1, and has strong usability and practicality, thereby solving the above technical problem.
Preferably, the cloud storage includes a client and a cloud side. The client is responsible for monitoring and capturing local system operations; the cloud side is provided with a data management center, which is responsible for the storage, backup and querying of medical case information, and the data management center has the individual professional data centers under it.
In this preferred embodiment the cloud side is provided with a data management center, which manages the storage, backup and querying of medical case information in the cloud storage, facilitates unified data management, improves work efficiency and saves cost.
Preferably, being responsible for the storage, backup and querying of medical case information includes:
(1) converting the data format, establishing a format suitable for storage in a non-relational database;
(2) dividing the data into basic data and professional data and storing it using a combined centralized and distributed strategy, with all data backed up at storage time. The combined centralized and distributed strategy is: basic data above a preset frequency is stored centrally and maintained uniformly by the data management center; professional data below the preset frequency is stored in a distributed manner and maintained separately at each professional data center;
(3) establishing a corresponding data retrieval algorithm for fast retrieval of the data. The data retrieval algorithm combines catalogue retrieval with a search engine, specifically: a data catalogue is built and a preliminary retrieval of the data is made according to the catalogue; keywords are entered into the search engine to search the data precisely; the search engine finds the matching data in a certain manner, ranks it by the degree of match between the data and the keywords, and returns it to the client.
This preferred embodiment uses a retrieval algorithm that combines catalogue retrieval with a search engine, so that data can be obtained quickly and accurately.
Preferably, the access information management system 4 includes a data preprocessing system 41, a cloud storage encryption/decryption system 42, a control system 43 and a security management center 44. The data preprocessing system 41 preprocesses the medical record information data that the user needs to upload; the cloud storage encryption/decryption system 42 encrypts or decrypts the medical record information data stored in the cloud storage according to the optimized access control security policy; the control system 43 stores the medical record information data that the user needs to upload on the corresponding device in the cloud storage service centre 3; the security management center 44 performs unified monitoring and management of the security of each system.
This preferred embodiment constructs the system structure of the access information management system 4.
Preferably, the unified monitoring and management of the security of each system includes:
(1) adopting the corresponding security protection techniques for the different security protection requirements of the cloud storage service centre 3, the data preprocessing system 41, the cloud storage encryption/decryption system 42 and the control system 43, and deploying the relevant security protection equipment, to form a complete security protection system;
(2) establishing an effective data security mechanism that considers security during the storage, transmission and access of medical record information data: not only is the medical record information data encrypted, but the transmission protocol for the medical record information data is encrypted as well;
(3) establishing a virus and Trojan defense mechanism, regularly updating the virus database and upgrading the firewall, with an update cycle T whose value is 6-10 days; detected abnormal data is analysed and an early warning is issued.
This preferred embodiment achieves unified monitoring and management of the security of each system.
Preferably, the data preprocessing system 41 includes a data partitioning unit, a data extraction unit and an access control security policy optimization unit. The data partitioning unit divides the medical record information data that the user needs to upload into multiple mutually exclusive data sets. The data extraction unit sorts the mutually exclusive data sets according to a user-defined ordering rule, extracts the first data unit of each data set in order, and saves these units together with the ordering rule as small-block data; here "mutually exclusive" means that there is no association between any two data units in a data set. The access control security policy optimization unit generates the access control security policy of the system using an access control security policy optimization method based on fine-grained resource division, including:
(1) based on the mutually exclusive data sets as processed by the data extraction unit, building a hierarchical data tree structure. The hierarchical data tree structure has three layers: a service layer, a logical layer and a physical layer. The service layer is the root node related to the data scheduling service, the logical layer is the data associated in the access control security policy, and the physical layer contains the data units of all the mutually exclusive data sets;
(2) based on the access control security policies formulated in the access control markup language XACML for data of different security levels, projecting the rules of the access control security policy onto the data units in the mutually exclusive data sets according to their association with the data, thereby refining the rules of the access control security policy to the data dimension;
(3) performing rule optimization on the data units in each mutually exclusive data set, to delete the conflicts and redundancy among the rules distributed on each data unit;
(4) merging the optimized rules to generate the optimized access control security policy.
Preferably, storing the medical record information data that the user needs to upload on the corresponding device in the cloud storage service centre includes:
(1) storing the small-block data in the local storage, and encrypting the small-block data using a user-defined encryption technique;
(2) transmitting the remaining data that needs to be stored in the cloud storage, after it has been encrypted by the cloud storage encryption/decryption system 42, to the cloud side over the Internet; after receiving the data, the cloud side performs an integrity check on it and then saves it in a cloud storage node.
The above two preferred embodiments provide the data preprocessing system 41, which first performs data partitioning and data extraction on the medical record information data to be stored in the cloud storage service centre 3 and then refines the rules of the access control security policy. This reduces the physical storage space needed for the data, lowers the storage overhead, and eliminates the conflicts and redundancy in the access control security policy, improving the efficiency of access control decisions. Part of the data is extracted by the data extraction process and stored in the local storage, and the remaining data is stored in the cloud storage after the corresponding access control security policy has been set. This avoids the large system overhead and complexity that traditional cloud storage data privacy mechanisms based purely on encryption bring to actual data processing operations, effectively prevents malicious users or cloud storage administrators from illegally stealing or tampering with users' private data, and improves the security of medical record information data storage.
Preferably, the cloud storage encryption/decryption system 42 mainly consists of five entities: the data owner, the attribute authority, the cloud, the trusted third party and the user. Encrypting or decrypting the data stored in the cloud storage includes:
(1) the trusted third party assigns a user identity UAID to each user and an attribute authority identity AID to each attribute authority, including:
a. initialization: the trusted third party sets the system parameters as , where α is a random integer;
b. for each legitimate user, the trusted third party assigns a UAID and generates a certificate for it:
At the same time, the authentication parameter of the legitimate user is published , where $C_{UAID} \in Z_P$;
c. generating identity key pairs for the data owner and the legitimate users;
(2) generating the identity-based encryption/decryption keys, the attribute encryption/decryption keys and the proxy re-encryption key, where the identity-based encryption/decryption keys comprise the identity public key $GK_{UAID}$ and the identity private key $CK_{UAID}$, and the attribute encryption/decryption keys comprise the attribute public key $GK_{AID}$ and the attribute private key $CK_{AID}$:
$CK_{UAID} = (\alpha_{AID}, \beta_{AID})$
Here, $AS_{AID}$ is the set of attributes that a single attribute authority can distribute, $GK_x$ is the public key of attribute x, $B_x$ is the version number of attribute x, $\alpha_{AID}$ is the private key parameter of the attribute authority, $\beta_{AID}$ is the attribute update parameter, $AS_{UAID,AID}$ is the attribute set distributed according to the identity of the attribute authority, and γ is a parameter randomly chosen by the attribute authority, with $\gamma, \alpha_{AID}, \beta_{AID} \in Z_P$;
(3) the cloud storage encryption/decryption system 42 encrypts the data to be stored in the cloud storage with the data key to obtain the ciphertext CT, and then encrypts the data key with the identity public key and the attribute public key respectively, generating the identity key ciphertext $CT_U$ and the attribute key ciphertext $CT_A$, including:
a. randomly generating two fixed-length character strings IK and AK, and concatenating them to generate the data key DK:
$DK = IK \,\|\, AK$
b. encrypting the remaining data that needs to be stored in the cloud storage with the data key DK to obtain the ciphertext CT, then encrypting AK with the attribute public key to generate the attribute key ciphertext $CT_A$, and encrypting IK with the identity public key to generate the identity key ciphertext $CT_U$;
(4) performing proxy re-encryption: on receiving a user's data request, the cloud uses the proxy re-encryption key to convert the identity key ciphertext $CT_U$ into a ciphertext that the specified user can decrypt, where the proxy re-encryption key is computed by the data owner from its own private key and the identity public key;
(5) on data decryption, after receiving the data the user uses the identity private key $CK_{UAID}$ and the attribute private key $CK_{AID}$ to decrypt the identity key ciphertext $CT_U$ and the attribute key ciphertext $CT_A$ respectively, then reconstructs the data key and decrypts the ciphertext CT;
(6) updating the attribute and identity keys.
By providing the cloud storage encryption/decryption system 42, this preferred embodiment achieves fine-grained access control and privacy protection for multiple types of big data while resisting collusion between users and attribute authorities. For data to be stored in the cloud storage, identity-based encryption/decryption keys and attribute encryption/decryption keys are constructed separately and combined into the data encryption key that encrypts the data, so that only a user who satisfies both the identity and the attribute condition can decrypt, which greatly improves the security of big data sharing.
In this application scenario, the update cycle T takes 6, and the security of the system is relatively improved by 12%.
Application scenario 2
Referring to Fig. 1 and Fig. 2, the security system for access to medical case information according to an embodiment of this application scenario comprises a medical user mobile terminal 1, an access user mobile terminal 2, a cloud storage service centre 3 and an access information management system 4. The cloud storage service centre 3 provides the storage service for medical case information; the medical user mobile terminal 1 is used for medical user registration and provides the interface for storing medical case information; the access user mobile terminal 2 provides the interface through which a user accesses case information; the access information management system 4 processes the case information and ensures the access security of medical record information.
Preferably, the cloud storage service centre 3 includes a local storage and a cloud storage.
By providing the medical user mobile terminal 1, the access user mobile terminal 2, the cloud storage service centre 3 and the access information management system 4, the above embodiment of the invention can prevent leakage of medical record information and effectively protects the security of the medical record information of the medical user mobile terminal 1, and has strong usability and practicality, thereby solving the above technical problem.
Preferably, the cloud storage includes a client and a cloud side. The client is responsible for monitoring and capturing local system operations; the cloud side is provided with a data management center, which is responsible for the storage, backup and querying of medical case information, and the data management center has the individual professional data centers under it.
In this preferred embodiment the cloud side is provided with a data management center, which manages the storage, backup and querying of medical case information in the cloud storage, facilitates unified data management, improves work efficiency and saves cost.
Preferably, being responsible for the storage, backup and querying of medical case information includes:
(1) converting the data format, establishing a format suitable for storage in a non-relational database;
(2) dividing the data into basic data and professional data and storing it using a combined centralized and distributed strategy, with all data backed up at storage time. The combined centralized and distributed strategy is: basic data above a preset frequency is stored centrally and maintained uniformly by the data management center; professional data below the preset frequency is stored in a distributed manner and maintained separately at each professional data center;
(3) establishing a corresponding data retrieval algorithm for fast retrieval of the data. The data retrieval algorithm combines catalogue retrieval with a search engine, specifically: a data catalogue is built and a preliminary retrieval of the data is made according to the catalogue; keywords are entered into the search engine to search the data precisely; the search engine finds the matching data in a certain manner, ranks it by the degree of match between the data and the keywords, and returns it to the client.
This preferred embodiment uses a retrieval algorithm that combines catalogue retrieval with a search engine, so that data can be obtained quickly and accurately.
Preferably, the access information management system 4 includes a data preprocessing system 41, a cloud storage encryption/decryption system 42, a control system 43 and a security management center 44. The data preprocessing system 41 preprocesses the medical record information data that the user needs to upload; the cloud storage encryption/decryption system 42 encrypts or decrypts the medical record information data stored in the cloud storage according to the optimized access control security policy; the control system 43 stores the medical record information data that the user needs to upload on the corresponding device in the cloud storage service centre 3; the security management center 44 performs unified monitoring and management of the security of each system.
This preferred embodiment constructs the system structure of the access information management system 4.
Preferably, the unified monitoring and management of the security of each system includes:
(1) adopting the corresponding security protection techniques for the different security protection requirements of the cloud storage service centre 3, the data preprocessing system 41, the cloud storage encryption/decryption system 42 and the control system 43, and deploying the relevant security protection equipment, to form a complete security protection system;
(2) establishing an effective data security mechanism that considers security during the storage, transmission and access of medical record information data: not only is the medical record information data encrypted, but the transmission protocol for the medical record information data is encrypted as well;
(3) establishing a virus and Trojan defense mechanism, regularly updating the virus database and upgrading the firewall, with an update cycle T whose value is 6-10 days; detected abnormal data is analysed and an early warning is issued.
This preferred embodiment achieves unified monitoring and management of the security of each system.
Preferably, the data preprocessing system 41 includes a data partitioning unit, a data extraction unit and an access control security policy optimization unit. The data partitioning unit divides the medical record information data that the user needs to upload into multiple mutually exclusive data sets. The data extraction unit sorts the mutually exclusive data sets according to a user-defined ordering rule, extracts the first data unit of each data set in order, and saves these units together with the ordering rule as small-block data; here "mutually exclusive" means that there is no association between any two data units in a data set. The access control security policy optimization unit generates the access control security policy of the system using an access control security policy optimization method based on fine-grained resource division, including:
(1) based on the mutually exclusive data sets as processed by the data extraction unit, building a hierarchical data tree structure. The hierarchical data tree structure has three layers: a service layer, a logical layer and a physical layer. The service layer is the root node related to the data scheduling service, the logical layer is the data associated in the access control security policy, and the physical layer contains the data units of all the mutually exclusive data sets;
(2) based on the access control security policies formulated in the access control markup language XACML for data of different security levels, projecting the rules of the access control security policy onto the data units in the mutually exclusive data sets according to their association with the data, thereby refining the rules of the access control security policy to the data dimension;
(3) performing rule optimization on the data units in each mutually exclusive data set, to delete the conflicts and redundancy among the rules distributed on each data unit;
(4) merging the optimized rules to generate the optimized access control security policy.
Preferably, storing the medical record information data that the user needs to upload on the corresponding device in the cloud storage service centre includes:
(1) storing the small-block data in the local storage, and encrypting the small-block data using a user-defined encryption technique;
(2) transmitting the remaining data that needs to be stored in the cloud storage, after it has been encrypted by the cloud storage encryption/decryption system 42, to the cloud side over the Internet; after receiving the data, the cloud side performs an integrity check on it and then saves it in a cloud storage node.
The above two preferred embodiments provide the data preprocessing system 41, which first performs data partitioning and data extraction on the medical record information data to be stored in the cloud storage service centre 3 and then refines the rules of the access control security policy. This reduces the physical storage space needed for the data, lowers the storage overhead, and eliminates the conflicts and redundancy in the access control security policy, improving the efficiency of access control decisions. Part of the data is extracted by the data extraction process and stored in the local storage, and the remaining data is stored in the cloud storage after the corresponding access control security policy has been set. This avoids the large system overhead and complexity that traditional cloud storage data privacy mechanisms based purely on encryption bring to actual data processing operations, effectively prevents malicious users or cloud storage administrators from illegally stealing or tampering with users' private data, and improves the security of medical record information data storage.
Preferably, the cloud storage encryption/decryption system 42 mainly consists of five entities: the data owner, the attribute authority, the cloud, the trusted third party and the user. Encrypting or decrypting the data stored in the cloud storage includes:
(1) the trusted third party assigns a user identity UAID to each user and an attribute authority identity AID to each attribute authority, including:
a. initialization: the trusted third party sets the system parameters as , where α is a random integer;
b. for each legitimate user, the trusted third party assigns a UAID and generates a certificate for it:
At the same time, the authentication parameter of the legitimate user is published , where $C_{UAID} \in Z_P$;
c. generating identity key pairs for the data owner and the legitimate users;
(2) generating the identity-based encryption/decryption keys, the attribute encryption/decryption keys and the proxy re-encryption key, where the identity-based encryption/decryption keys comprise the identity public key $GK_{UAID}$ and the identity private key $CK_{UAID}$, and the attribute encryption/decryption keys comprise the attribute public key $GK_{AID}$ and the attribute private key $CK_{AID}$:
$CK_{UAID} = (\alpha_{AID}, \beta_{AID})$
Here, $AS_{AID}$ is the set of attributes that a single attribute authority can distribute, $GK_x$ is the public key of attribute x, $B_x$ is the version number of attribute x, $\alpha_{AID}$ is the private key parameter of the attribute authority, $\beta_{AID}$ is the attribute update parameter, $AS_{UAID,AID}$ is the attribute set distributed according to the identity of the attribute authority, and γ is a parameter randomly chosen by the attribute authority, with $\gamma, \alpha_{AID}, \beta_{AID} \in Z_P$;
(3) the cloud storage encryption/decryption system 42 encrypts the data to be stored in the cloud storage with the data key to obtain the ciphertext CT, and then encrypts the data key with the identity public key and the attribute public key respectively, generating the identity key ciphertext $CT_U$ and the attribute key ciphertext $CT_A$, including:
a. randomly generating two fixed-length character strings IK and AK, and concatenating them to generate the data key DK:
$DK = IK \,\|\, AK$
b. encrypting the remaining data that needs to be stored in the cloud storage with the data key DK to obtain the ciphertext CT, then encrypting AK with the attribute public key to generate the attribute key ciphertext $CT_A$, and encrypting IK with the identity public key to generate the identity key ciphertext $CT_U$;
(4) performing proxy re-encryption: on receiving a user's data request, the cloud uses the proxy re-encryption key to convert the identity key ciphertext $CT_U$ into a ciphertext that the specified user can decrypt, where the proxy re-encryption key is computed by the data owner from its own private key and the identity public key;
(5) on data decryption, after receiving the data the user uses the identity private key $CK_{UAID}$ and the attribute private key $CK_{AID}$ to decrypt the identity key ciphertext $CT_U$ and the attribute key ciphertext $CT_A$ respectively, then reconstructs the data key and decrypts the ciphertext CT;
(6) updating the attribute and identity keys.
By providing the cloud storage encryption and decryption system 42, this preferred embodiment achieves fine-grained access control and privacy protection for multiple types of big data while resisting collusion between users and attribute authorities. For the data to be stored in the cloud storage, identity-based encryption and decryption keys and attribute encryption and decryption keys are constructed separately and combined into the data encryption key used to encrypt the data, so that only a user who satisfies both the identity condition and the attribute condition can decrypt, which greatly improves the security of big data sharing.
In this application scenario, the update period T is 7, and the security of the system is relatively improved by 11%.
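The key-splitting envelope of steps (3) and (5) above, as an added example that is not part of the patent: the data key is DK = IK || AK, each half is wrapped under a different public key, and decryption fails unless both private keys are present. RSA-OAEP key pairs stand in for the identity-based and attribute-based key pairs and AES-256-GCM for the unspecified data cipher (both are assumptions of this example and give no IBE/ABE semantics); proxy re-encryption and key update are not modelled, and the third-party `cryptography` package is required.

```python
"""Added example: DK = IK || AK envelope with two independently wrapped halves."""
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

HALF_LEN = 16  # bytes; IK and AK are fixed-length, so DK is 32 bytes (AES-256)


def _oaep():
    """OAEP padding used to wrap each key half."""
    return padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                        algorithm=hashes.SHA256(), label=None)


def new_keypair():
    """Stand-in key pair (assumption): RSA-2048 instead of an IBE/ABE key."""
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def encrypt_record(plaintext, identity_pub, attribute_pub, record_id):
    """Step (3): encrypt under DK, then wrap IK and AK separately."""
    ik = os.urandom(HALF_LEN)          # identity half
    ak = os.urandom(HALF_LEN)          # attribute half
    dk = ik + ak                       # DK = IK || AK
    nonce = os.urandom(12)
    return {
        "record_id": record_id,        # bound to CT as associated data
        "nonce": nonce,
        "CT": AESGCM(dk).encrypt(nonce, plaintext, record_id),
        "CT_U": identity_pub.encrypt(ik, _oaep()),
        "CT_A": attribute_pub.encrypt(ak, _oaep()),
    }


def decrypt_record(env, identity_priv, attribute_priv):
    """Step (5): unwrap both halves, rebuild DK, decrypt and authenticate CT."""
    ik = identity_priv.decrypt(env["CT_U"], _oaep())
    ak = attribute_priv.decrypt(env["CT_A"], _oaep())
    if len(ik) != HALF_LEN or len(ak) != HALF_LEN:
        raise ValueError("unexpected key-half length")
    return AESGCM(ik + ak).decrypt(env["nonce"], env["CT"], env["record_id"])


def can_decrypt(env, identity_priv, attribute_priv):
    """True only if both private keys match and the ciphertext is intact."""
    try:
        decrypt_record(env, identity_priv, attribute_priv)
        return True
    except (ValueError, InvalidTag):
        return False


if __name__ == "__main__":
    ident, attr, outsider = new_keypair(), new_keypair(), new_keypair()
    env = encrypt_record(b"constructed sample record",
                         ident.public_key(), attr.public_key(), b"rec-001")
    print("both keys:      ", can_decrypt(env, ident, attr))
    print("identity only:  ", can_decrypt(env, ident, outsider))
    print("attribute only: ", can_decrypt(env, outsider, attr))
```
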
Application scenario 3
See Fig. 1 and Fig. 2. The security system for medical case information access of one embodiment of this application scenario includes a medical user mobile terminal 1, an access user mobile terminal 2, a cloud storage service center 3 and an access management system 4. The cloud storage service center 3 provides the storage service for medical case information; the medical user mobile terminal 1 is used for medical user registration and provides the interface for storing medical case information; the access user mobile terminal 2 provides the interface through which a user accesses case information; the access management system 4 processes the case information and ensures that access to the medical record information is secure.
Preferably, the cloud storage service center 3 includes a local storage and a cloud storage.
The above embodiment of the present invention provides the medical user mobile terminal 1, the access user mobile terminal 2, the cloud storage service center 3 and the access management system 4, which prevents leakage of medical record information and effectively protects the security of the medical record information of the medical user mobile terminal 1. It has strong usability and practicality, and thereby solves the above technical problem.
Preferably, the cloud storage includes a client and a cloud side. The client is responsible for monitoring and capturing local system operations; the cloud side is provided with a data management center, which is responsible for storing, backing up and querying medical case information, and the data management center has professional data centers under it.
In this preferred embodiment the cloud side is provided with a data management center, which manages the storage, backup and querying of the medical case information held in the cloud storage, facilitating unified data management, improving work efficiency and saving cost.
Preferably, being responsible for storing, backing up and querying medical case information includes:
(1) converting the data format to establish a format suitable for storage in a non-relational database;
(2) dividing the data into basic data and professional data, and storing the data with a strategy that combines centralized and distributed storage, all data being backed up when stored; the combined strategy includes: basic data above a preset frequency uses centralized storage and is maintained uniformly by the data management center, while professional data below the preset frequency uses distributed storage and is maintained by the respective professional data centers;
(3) establishing a corresponding data retrieval algorithm for fast retrieval of data. The data retrieval algorithm combines catalog retrieval with a search engine, specifically: a data catalog is established and the data is first retrieved preliminarily by catalog; keywords are entered into the search engine for precise retrieval; the search engine finds the matching data in a certain manner, sorts it by how well it matches the keywords, and returns it to the client.
This preferred embodiment uses a retrieval algorithm that combines catalog retrieval with a search engine, so data can be obtained quickly and accurately.
Preferably, the access management system 4 includes a data preprocessing system 41, a cloud storage encryption and decryption system 42, a control system 43 and a security management center 44. The data preprocessing system 41 preprocesses the medical record information data that the user needs to upload; the cloud storage encryption and decryption system 42 encrypts or decrypts the medical record information data stored in the cloud storage according to the optimized access control security policy; the control system 43 stores the medical record information data that the user needs to upload to the corresponding device in the cloud storage service center 3; the security management center 44 carries out unified monitoring and management of the security of each system.
This preferred embodiment constructs the system structure of the access management system 4.
Preferably, the unified monitoring and management of the security of each system includes:
(1) adopting the corresponding security protection technology for the different security protection requirements of the cloud storage service center 3, the data preprocessing system 41, the cloud storage encryption and decryption system 42 and the control system 43, and deploying the relevant security protection equipment, so as to form a complete security protection system;
(2) establishing an effective data security mechanism that considers security during the storage, transmission and access of medical record information data: not only is the medical record information data encrypted, but the transmission protocol for the medical record information data is encrypted as well;
(3) establishing a virus and Trojan defense mechanism, regularly updating the virus database and upgrading the firewall, with an update period of T, where T takes a value of 6-10 days; abnormal data that is detected is analyzed and an early warning is issued.
This preferred embodiment achieves unified monitoring and management of the security of each system.
Preferably, the data preprocessing system 41 includes a data segmentation unit, a data extraction unit and an access control security policy optimization unit. The data segmentation unit divides the medical record information data that the user needs to upload into multiple mutually exclusive data sets. The data extraction unit sorts the mutually exclusive data sets according to a user-defined ordering rule, extracts the first data unit of each data set in order, and saves the extracted units together with the ordering rule as small-block data; here, mutually exclusive means that no association exists between any two data units in a data set. The access control security policy optimization unit generates the system's access control security policy using an access control security policy optimization method based on fine-grained resource division, including:
(1) building a hierarchical data tree structure based on the mutually exclusive data sets processed by the data extraction unit. The hierarchical data tree structure is a three-layer data tree comprising a service layer, a logical layer and a physical layer: the service layer is the root node of the tree, related to the data scheduling service; the logical layer is the data associated in the access control security policy; the physical layer contains the data units in all the mutually exclusive data sets;
(2) formulating access control security policies for data of different security levels based on the access control markup language XACML, and projecting the rules in the access control security policy, through their association with data, onto the data units in the mutually exclusive data sets, so that the rules in the access control security policy are refined to the data dimension;
(3) optimizing the rules on the data units in each mutually exclusive data set, to delete the conflicts and redundancy among the rules distributed on each data unit;
(4) merging the optimized rules to generate the optimized access control security policy.
Preferably, storing the medical record information data that the user needs to upload to the corresponding device in the cloud storage service center includes:
(1) storing the small-block data in the local storage, and encrypting the small-block data with a user-defined encryption technique;
(2) transmitting the remaining data to be stored in the cloud storage, after it has been encrypted by the cloud storage encryption and decryption system 42, to the cloud side over the Internet; after receiving the data, the cloud side performs an integrity check on it and then saves it in a cloud storage node.
The two preferred embodiments above provide the data preprocessing system 41, which first performs data segmentation and data extraction on the medical record information data to be stored in the cloud storage service center 3, and then refines the rules in the access control security policy. This reduces the physical storage space the data occupies and the storage overhead, and eliminates conflicts and redundancy in the access control security policy, improving the efficiency of access control decisions. The part of the data extracted by the data extraction process is stored in the local storage, while the remaining data is stored in the cloud storage after the corresponding access control security policy has been set. This removes the large system overhead and complexity that traditional cloud storage data privacy mechanisms based purely on encryption incur when actually processing data, effectively prevents malicious users or cloud storage administrators from illegally stealing or tampering with users' private data, and improves the security of medical record information data storage.
Preferably, the cloud storage encryption and decryption system 42 mainly consists of five entities: the data owner, the attribute authority, the cloud, the trusted third party and the user. Encrypting or decrypting the data stored in the cloud storage includes:
(1) the trusted third party assigns a user identity identifier UAID to each user and an attribute authority identity identifier AID to each attribute authority, including:
A. initialization: the trusted third party initializes the system parameters, where α is a random integer;
B. for each legitimate user, the trusted third party assigns a UAID and generates a certificate for it; at the same time, the authentication parameter of the legitimate user is published, where C_UAID ∈ Z_P;
C. generating an identity key pair for the data owner and for each legitimate user;
(2) generating the identity-based encryption and decryption keys, the attribute encryption and decryption keys and the proxy re-encryption key, where the identity-based encryption and decryption keys comprise an identity public key GK_UAID and an identity private key CK_UAID, and the attribute encryption and decryption keys comprise an attribute public key GK_AID and an attribute private key CK_AID:
CK_UAID = (α_AID, β_AID)
where AS_AID is the set of attributes that a single attribute authority can assign, GK_x is the public key of attribute x, B_x is the version number of attribute x, α_AID is the private key parameter of the attribute authority, β_AID is the attribute update parameter, AS_{UAID,AID} is the attribute set assigned according to the identity of the attribute authority, and γ is a parameter chosen at random by the attribute authority, with γ, α_AID, β_AID ∈ Z_P;
(3) the cloud storage encryption and decryption system 42 encrypts the data to be stored in the cloud storage with a data key to obtain the ciphertext CT, then encrypts the data key with the identity public key and the attribute public key respectively, generating the identity key ciphertext CT_U and the attribute key ciphertext CT_A, including:
A. randomly generating two fixed-length character strings IK and AK and concatenating them to produce the data key DK:
DK = IK || AK
B. encrypting the remaining data to be stored in the cloud storage with the data key DK to obtain the ciphertext CT, then encrypting AK with the attribute public key to generate the attribute key ciphertext CT_A, and encrypting IK with the identity public key to generate the identity key ciphertext CT_U;
(4) performing proxy re-encryption: on receiving a data request from a user, the cloud uses the proxy re-encryption key to convert the identity key ciphertext CT_U into a ciphertext that the specified user can decrypt, where the proxy re-encryption key is computed by the data owner from the data owner's own private key and the identity public key;
(5) performing data decryption: after receiving the data, the user decrypts the identity key ciphertext CT_U and the attribute key ciphertext CT_A with the identity private key CK_UAID and the attribute private key CK_AID respectively, then reconstructs the data key and decrypts the ciphertext CT;
(6) updating the attribute and identity keys.
By providing the cloud storage encryption and decryption system 42, this preferred embodiment achieves fine-grained access control and privacy protection for multiple types of big data while resisting collusion between users and attribute authorities. For the data to be stored in the cloud storage, identity-based encryption and decryption keys and attribute encryption and decryption keys are constructed separately and combined into the data encryption key used to encrypt the data, so that only a user who satisfies both the identity condition and the attribute condition can decrypt, which greatly improves the security of big data sharing.
In this application scenario, the update period T is 8, and the security of the system is relatively improved by 10%.
Application scenario 4
See Fig. 1 and Fig. 2. The security system for medical case information access of one embodiment of this application scenario includes a medical user mobile terminal 1, an access user mobile terminal 2, a cloud storage service center 3 and an access management system 4. The cloud storage service center 3 provides the storage service for medical case information; the medical user mobile terminal 1 is used for medical user registration and provides the interface for storing medical case information; the access user mobile terminal 2 provides the interface through which a user accesses case information; the access management system 4 processes the case information and ensures that access to the medical record information is secure.
Preferably, the cloud storage service center 3 includes a local storage and a cloud storage.
The above embodiment of the present invention provides the medical user mobile terminal 1, the access user mobile terminal 2, the cloud storage service center 3 and the access management system 4, which prevents leakage of medical record information and effectively protects the security of the medical record information of the medical user mobile terminal 1. It has strong usability and practicality, and thereby solves the above technical problem.
Preferably, the cloud storage includes a client and a cloud side. The client is responsible for monitoring and capturing local system operations; the cloud side is provided with a data management center, which is responsible for storing, backing up and querying medical case information, and the data management center has professional data centers under it.
In this preferred embodiment the cloud side is provided with a data management center, which manages the storage, backup and querying of the medical case information held in the cloud storage, facilitating unified data management, improving work efficiency and saving cost.
Preferably, being responsible for storing, backing up and querying medical case information includes:
(1) converting the data format to establish a format suitable for storage in a non-relational database;
(2) dividing the data into basic data and professional data, and storing the data with a strategy that combines centralized and distributed storage, all data being backed up when stored; the combined strategy includes: basic data above a preset frequency uses centralized storage and is maintained uniformly by the data management center, while professional data below the preset frequency uses distributed storage and is maintained by the respective professional data centers;
(3) establishing a corresponding data retrieval algorithm for fast retrieval of data. The data retrieval algorithm combines catalog retrieval with a search engine, specifically: a data catalog is established and the data is first retrieved preliminarily by catalog; keywords are entered into the search engine for precise retrieval; the search engine finds the matching data in a certain manner, sorts it by how well it matches the keywords, and returns it to the client.
This preferred embodiment uses a retrieval algorithm that combines catalog retrieval with a search engine, so data can be obtained quickly and accurately.
Preferably, the access management system 4 includes a data preprocessing system 41, a cloud storage encryption and decryption system 42, a control system 43 and a security management center 44. The data preprocessing system 41 preprocesses the medical record information data that the user needs to upload; the cloud storage encryption and decryption system 42 encrypts or decrypts the medical record information data stored in the cloud storage according to the optimized access control security policy; the control system 43 stores the medical record information data that the user needs to upload to the corresponding device in the cloud storage service center 3; the security management center 44 carries out unified monitoring and management of the security of each system.
This preferred embodiment constructs the system structure of the access management system 4.
Preferably, the unified monitoring and management of the security of each system includes:
(1) adopting the corresponding security protection technology for the different security protection requirements of the cloud storage service center 3, the data preprocessing system 41, the cloud storage encryption and decryption system 42 and the control system 43, and deploying the relevant security protection equipment, so as to form a complete security protection system;
(2) establishing an effective data security mechanism that considers security during the storage, transmission and access of medical record information data: not only is the medical record information data encrypted, but the transmission protocol for the medical record information data is encrypted as well;
(3) establishing a virus and Trojan defense mechanism, regularly updating the virus database and upgrading the firewall, with an update period of T, where T takes a value of 6-10 days; abnormal data that is detected is analyzed and an early warning is issued.
This preferred embodiment achieves unified monitoring and management of the security of each system.
Preferably, the data preprocessing system 41 includes a data segmentation unit, a data extraction unit and an access control security policy optimization unit. The data segmentation unit divides the medical record information data that the user needs to upload into multiple mutually exclusive data sets. The data extraction unit sorts the mutually exclusive data sets according to a user-defined ordering rule, extracts the first data unit of each data set in order, and saves the extracted units together with the ordering rule as small-block data; here, mutually exclusive means that no association exists between any two data units in a data set. The access control security policy optimization unit generates the system's access control security policy using an access control security policy optimization method based on fine-grained resource division, including:
(1) building a hierarchical data tree structure based on the mutually exclusive data sets processed by the data extraction unit. The hierarchical data tree structure is a three-layer data tree comprising a service layer, a logical layer and a physical layer: the service layer is the root node of the tree, related to the data scheduling service; the logical layer is the data associated in the access control security policy; the physical layer contains the data units in all the mutually exclusive data sets;
(2) formulating access control security policies for data of different security levels based on the access control markup language XACML, and projecting the rules in the access control security policy, through their association with data, onto the data units in the mutually exclusive data sets, so that the rules in the access control security policy are refined to the data dimension;
(3) optimizing the rules on the data units in each mutually exclusive data set, to delete the conflicts and redundancy among the rules distributed on each data unit;
(4) merging the optimized rules to generate the optimized access control security policy.
Preferably, storing the medical record information data that the user needs to upload to the corresponding device in the cloud storage service center includes:
(1) storing the small-block data in the local storage, and encrypting the small-block data with a user-defined encryption technique;
(2) transmitting the remaining data to be stored in the cloud storage, after it has been encrypted by the cloud storage encryption and decryption system 42, to the cloud side over the Internet; after receiving the data, the cloud side performs an integrity check on it and then saves it in a cloud storage node.
The two preferred embodiments above provide the data preprocessing system 41, which first performs data segmentation and data extraction on the medical record information data to be stored in the cloud storage service center 3, and then refines the rules in the access control security policy. This reduces the physical storage space the data occupies and the storage overhead, and eliminates conflicts and redundancy in the access control security policy, improving the efficiency of access control decisions. The part of the data extracted by the data extraction process is stored in the local storage, while the remaining data is stored in the cloud storage after the corresponding access control security policy has been set. This removes the large system overhead and complexity that traditional cloud storage data privacy mechanisms based purely on encryption incur when actually processing data, effectively prevents malicious users or cloud storage administrators from illegally stealing or tampering with users' private data, and improves the security of medical record information data storage.
Preferably, the cloud storage encryption and decryption system 42 mainly consists of five entities: the data owner, the attribute authority, the cloud, the trusted third party and the user. Encrypting or decrypting the data stored in the cloud storage includes:
(1) the trusted third party assigns a user identity identifier UAID to each user and an attribute authority identity identifier AID to each attribute authority, including:
A. initialization: the trusted third party initializes the system parameters, where α is a random integer;
B. for each legitimate user, the trusted third party assigns a UAID and generates a certificate for it; at the same time, the authentication parameter of the legitimate user is published, where C_UAID ∈ Z_P;
C. generating an identity key pair for the data owner and for each legitimate user;
(2) generating the identity-based encryption and decryption keys, the attribute encryption and decryption keys and the proxy re-encryption key, where the identity-based encryption and decryption keys comprise an identity public key GK_UAID and an identity private key CK_UAID, and the attribute encryption and decryption keys comprise an attribute public key GK_AID and an attribute private key CK_AID:
CK_UAID = (α_AID, β_AID)
where AS_AID is the set of attributes that a single attribute authority can assign, GK_x is the public key of attribute x, B_x is the version number of attribute x, α_AID is the private key parameter of the attribute authority, β_AID is the attribute update parameter, AS_{UAID,AID} is the attribute set assigned according to the identity of the attribute authority, and γ is a parameter chosen at random by the attribute authority, with γ, α_AID, β_AID ∈ Z_P;
(3) the cloud storage encryption and decryption system 42 encrypts the data to be stored in the cloud storage with a data key to obtain the ciphertext CT, then encrypts the data key with the identity public key and the attribute public key respectively, generating the identity key ciphertext CT_U and the attribute key ciphertext CT_A, including:
A. randomly generating two fixed-length character strings IK and AK and concatenating them to produce the data key DK:
DK = IK || AK
B. encrypting the remaining data to be stored in the cloud storage with the data key DK to obtain the ciphertext CT, then encrypting AK with the attribute public key to generate the attribute key ciphertext CT_A, and encrypting IK with the identity public key to generate the identity key ciphertext CT_U;
(4) performing proxy re-encryption: on receiving a data request from a user, the cloud uses the proxy re-encryption key to convert the identity key ciphertext CT_U into a ciphertext that the specified user can decrypt, where the proxy re-encryption key is computed by the data owner from the data owner's own private key and the identity public key;
(5) performing data decryption: after receiving the data, the user decrypts the identity key ciphertext CT_U and the attribute key ciphertext CT_A with the identity private key CK_UAID and the attribute private key CK_AID respectively, then reconstructs the data key and decrypts the ciphertext CT;
(6) updating the attribute and identity keys.
By providing the cloud storage encryption and decryption system 42, this preferred embodiment achieves fine-grained access control and privacy protection for multiple types of big data while resisting collusion between users and attribute authorities. For the data to be stored in the cloud storage, identity-based encryption and decryption keys and attribute encryption and decryption keys are constructed separately and combined into the data encryption key used to encrypt the data, so that only a user who satisfies both the identity condition and the attribute condition can decrypt, which greatly improves the security of big data sharing.
In this application scenario, the update period T is 9, and the security of the system is relatively improved by 9%.
Application scenario 5
See Fig. 1 and Fig. 2. The security system for medical case information access of one embodiment of this application scenario includes a medical user mobile terminal 1, an access user mobile terminal 2, a cloud storage service center 3 and an access management system 4. The cloud storage service center 3 provides the storage service for medical case information; the medical user mobile terminal 1 is used for medical user registration and provides the interface for storing medical case information; the access user mobile terminal 2 provides the interface through which a user accesses case information; the access management system 4 processes the case information and ensures that access to the medical record information is secure.
Preferably, the cloud storage service center 3 includes a local storage and a cloud storage.
The above embodiment of the present invention provides the medical user mobile terminal 1, the access user mobile terminal 2, the cloud storage service center 3 and the access management system 4, which prevents leakage of medical record information and effectively protects the security of the medical record information of the medical user mobile terminal 1. It has strong usability and practicality, and thereby solves the above technical problem.
Preferably, the cloud storage includes a client and a cloud side. The client is responsible for monitoring and capturing local system operations; the cloud side is provided with a data management center, which is responsible for storing, backing up and querying medical case information, and the data management center has professional data centers under it.
In this preferred embodiment the cloud side is provided with a data management center, which manages the storage, backup and querying of the medical case information held in the cloud storage, facilitating unified data management, improving work efficiency and saving cost.
Preferably, being responsible for storing, backing up and querying medical case information includes:
(1) converting the data format to establish a format suitable for storage in a non-relational database;
(2) dividing the data into basic data and professional data, and storing the data with a strategy that combines centralized and distributed storage, all data being backed up when stored; the combined strategy includes: basic data above a preset frequency uses centralized storage and is maintained uniformly by the data management center, while professional data below the preset frequency uses distributed storage and is maintained by the respective professional data centers;
(3) establishing a corresponding data retrieval algorithm for fast retrieval of data. The data retrieval algorithm combines catalog retrieval with a search engine, specifically: a data catalog is established and the data is first retrieved preliminarily by catalog; keywords are entered into the search engine for precise retrieval; the search engine finds the matching data in a certain manner, sorts it by how well it matches the keywords, and returns it to the client.
This preferred embodiment uses a retrieval algorithm that combines catalog retrieval with a search engine, so data can be obtained quickly and accurately.
Preferably, the access information management 4 includes the data preprocessing 41, the cloud storage encryption and decryption system 42, the control system 43 and the security management center 44. The data preprocessing 41 preprocesses the medical record information data that the user needs to upload; the cloud storage encryption and decryption system 42 encrypts or decrypts the medical record information data stored in the cloud storage according to the optimized access control security policy; the control system 43 stores the medical record information data that the user needs to upload on the corresponding equipment of the cloud storage service center 3; the security management center 44 performs unified monitoring and management of the security of each system.
This preferred embodiment constructs the system structure of the access information management 4.
Preferably, the unified monitoring and management of the security of each system includes:
(1) adopting the corresponding security protection technology for the different security protection requirements of the cloud storage service center 3, the data preprocessing 41, the cloud storage encryption and decryption system 42 and the control system 43, and deploying the relevant security protection equipment, to form a complete security protection system;
(2) establishing effective data security that considers security during the storage, transmission and access of medical record information data: not only is the medical record information data encrypted, but the transmission protocol for the medical record information data is encrypted as well;
(3) establishing a virus and Trojan defense mechanism, regularly updating the virus database and upgrading the firewall with an update cycle T, where T takes a value of 6-10 days; detected abnormal data are analyzed and an early warning is issued.
This preferred embodiment achieves unified monitoring and management of the security of each system.
Preferably, the data preprocessing 41 includes a data partitioning unit, a data extraction unit and an access control security policy optimization unit. The data partitioning unit divides the medical record information data that the user needs to upload into multiple mutually exclusive data sets. The data extraction unit sorts the mutually exclusive data sets according to a self-defined ordering rule, extracts the first data unit of each data set in order, and saves these together with the ordering rule as small block data, where mutually exclusive means that no association exists between any two data units in a data set. The access control security policy optimization unit generates the access control security policy of the system using an access control security policy optimization method based on fine-grained resource division, including:
(1) based on the mutually exclusive data sets processed by the data extraction unit, building a hierarchical data tree structure; the hierarchical data tree structure has three layers, namely a service layer, a logical layer and a physical layer, where the service layer is the root node related to the data dispatch service, the logical layer is the data associated in the access control security policy, and the physical layer comprises the data units in all the mutually exclusive data sets;
(2) formulating access control security policies for data of different security levels based on the access control markup language XACML, and projecting the rules associated with data in the access control security policy onto the data units in the mutually exclusive data sets, thereby refining the rules in the access control security policy to the data dimension;
(3) performing rule optimization on the data units in each mutually exclusive data set, to delete the conflicts and redundancy among the rules distributed on each data unit;
(4) merging the optimized rules to generate the optimized access control security policy.
Preferably, storing the medical record information data that the user needs to upload on the corresponding equipment in the cloud storage service center includes:
(1) storing the small block data in the local storage and encrypting the small block data with a user-defined encryption technique;
(2) transferring the remaining data that needs to be stored in the cloud storage, after it has been encrypted by the cloud storage encryption and decryption system 42, to the cloud side over the Internet; after the cloud side receives the data, it performs an integrity check on the data and then saves the data in a cloud storage node.
The above two preferred embodiments provide the data preprocessing 41, which first applies data partitioning and data extraction to the medical record information data to be stored in the cloud storage service center 3 and then refines the rules in the access control security policy. This reduces the physical storage space needed for the data, lowers the storage overhead, eliminates conflicts and redundancy in the access control security policy, and improves the efficiency of access control decisions. Through data extraction, part of the data is stored in the local storage, and the remaining data is stored in the cloud storage after the corresponding access control security policy has been set. This addresses the large overhead and tedium that traditional cloud storage data privacy mechanisms based purely on encryption bring when actually processing data, effectively prevents malicious users or cloud storage administrators from illegally stealing or tampering with users' private data, and improves the security of medical record information data storage.
Preferably, the cloud storage encryption and decryption system 42 mainly consists of five entities: the data owner, the attribute authority, the cloud, the trusted third party and the user. Encrypting or decrypting the data stored in the cloud storage includes:
(1) the trusted third party assigns a user identity identifier UAID to each user and an attribute authority identity identifier AID to each attribute authority, including:
A. initialization: the trusted third party's initialization system parameter is
where α is a random integer;
B. for each legitimate user, the trusted third party assigns a UAID and generates a certificate for it:
Meanwhile, the authentication parameter of the legitimate user is announced,
where $C_{UAID} \in Z_P$;
C. generating identity key pairs for the data owner and the legitimate users;
(2) generating the identity-based encryption and decryption keys, the attribute encryption and decryption keys and the proxy re-encryption key, where the identity-based encryption and decryption keys include the identity public key $GK_{UAID}$ and the identity private key $CK_{UAID}$, and the attribute encryption and decryption keys include the attribute public key $GK_{AID}$ and the attribute private key $CK_{AID}$:
$CK_{UAID} = (\alpha_{AID}, \beta_{AID})$
where $AS_{AID}$ is the set of attributes that a single attribute authority can assign, $GK_x$ is the public key of attribute x, $B_x$ is the version number of attribute x, $\alpha_{AID}$ is the private key parameter of the attribute authority, $\beta_{AID}$ is the attribute update parameter, $AS_{UAID,AID}$ is the set of attributes that the attribute authority assigns according to identity, γ is a parameter randomly chosen by the attribute authority, and $\gamma, \alpha_{AID}, \beta_{AID} \in Z_P$;
(3) the cloud storage encryption and decryption system 42 encrypts the data to be stored in the cloud storage with a data key to obtain ciphertext CT, then encrypts the data key with the identity public key and the attribute public key respectively, generating the identity key ciphertext $CT_U$ and the attribute key ciphertext $CT_A$, including:
A. randomly generating two fixed-length character strings IK and AK and merging them to generate the data key DK:
$DK = IK \,\|\, AK$
B. encrypting the remaining data that needs to be stored in the cloud storage with the data key DK to obtain ciphertext CT, then encrypting AK with the attribute public key to generate the attribute key ciphertext $CT_A$, and encrypting IK with the identity public key to generate the identity key ciphertext $CT_U$;
(4) performing proxy re-encryption: when a user's data request is received, the cloud uses the proxy re-encryption key to convert the identity key ciphertext $CT_U$ into a ciphertext that the specified user can decrypt, where the proxy re-encryption key is computed and generated by the data owner from its own private key and the identity public key;
(5) for data decryption, after receiving the data the user decrypts the identity key ciphertext $CT_U$ and the attribute key ciphertext $CT_A$ with the identity private key $CK_{UAID}$ and the attribute private key $CK_{AID}$ respectively, then reconstructs the data key and decrypts ciphertext CT;
(6) updating the attributes and identity keys.
By providing the cloud storage encryption and decryption system 42, this preferred embodiment achieves fine-grained access control and privacy protection for many types of big data while resisting collusion between users and attribute authorities. For data that needs to be stored in the cloud storage, the identity-based encryption and decryption keys and the attribute encryption and decryption keys are constructed separately and merged to form the data encryption key that encrypts the data, so that only a user who satisfies both the identity condition and the attribute condition can decrypt, which greatly improves the security of big data sharing.
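The envelope layout of steps (3) and (5), as an added example that is not code from the patent: the data key DK = IK || AK encrypts the record, IK and AK are wrapped separately, and decryption succeeds only when both halves are recovered. A symmetric HMAC-SHA256 stand-in replaces the identity-based and attribute-based public-key encryption, and proxy re-encryption (step 4) and key update (step 6) are not modelled; all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

def _prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def _keystream(enc_key, nonce, length):
    blocks = (length + 31) // 32
    return b"".join(_prf(enc_key, nonce + i.to_bytes(4, "big")) for i in range(blocks))

def seal(key, plaintext):
    """Stand-in authenticated encryption: HMAC-SHA256 keystream, encrypt-then-MAC."""
    nonce = secrets.token_bytes(16)
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")
    stream = _keystream(enc_key, nonce, len(plaintext))
    body = bytes(p ^ s for p, s in zip(plaintext, stream))
    return nonce + body + _prf(mac_key, nonce + body)

def unseal(key, blob):
    """Verify the tag, then decrypt; ValueError on a wrong key or altered data."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")
    if not hmac.compare_digest(tag, _prf(mac_key, nonce + body)):
        raise ValueError("authentication failed")
    stream = _keystream(enc_key, nonce, len(body))
    return bytes(c ^ s for c, s in zip(body, stream))

def encrypt_record(record, identity_key, attribute_key):
    """Step (3): DK = IK || AK encrypts the data; IK and AK are wrapped separately."""
    ik, ak = secrets.token_bytes(16), secrets.token_bytes(16)
    return {
        "CT": seal(ik + ak, record),
        "CT_U": seal(identity_key, ik),    # stand-in for encryption under the identity public key
        "CT_A": seal(attribute_key, ak),   # stand-in for encryption under the attribute public key
    }

def decrypt_record(envelope, identity_key, attribute_key):
    """Step (5): unwrap both halves, rebuild DK, decrypt CT."""
    ik = unseal(identity_key, envelope["CT_U"])
    ak = unseal(attribute_key, envelope["CT_A"])
    return unseal(ik + ak, envelope["CT"])

def can_decrypt(envelope, identity_key, attribute_key):
    """True only if both key halves unwrap and the ciphertext authenticates."""
    try:
        decrypt_record(envelope, identity_key, attribute_key)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    ident, attr = secrets.token_bytes(32), secrets.token_bytes(32)
    env = encrypt_record(b"constructed sample record", ident, attr)
    print(decrypt_record(env, ident, attr))
    print(can_decrypt(env, ident, secrets.token_bytes(32)))  # wrong attribute key
```

Because CT is authenticated as well as encrypted, a holder of only one half, or anyone who alters the stored ciphertext, gets an error rather than garbage plaintext.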
In this application scenario, the update cycle T takes the value 10, and the security of the system is relatively improved by 8%.
Finally, it should be noted that the above embodiments only illustrate the technical solution of the present invention and do not limit its scope of protection. Although the present invention has been explained in detail with reference to the preferred embodiments, those of ordinary skill in the art should understand that the technical solution of the present invention may be modified or equivalently substituted without departing from the essence and scope of the technical solution of the present invention.
Claims (3)
1. A security system for accessing medical case information, characterized in that it includes a medical user mobile terminal, an access user mobile terminal, a cloud storage service center and an access information management; the cloud storage service center provides the storage service for medical case information; the medical user mobile terminal is used by medical users to register and provides the interface for storing medical case information; the access user mobile terminal provides users with the interface for accessing case information; the access information management processes the case information and ensures the access security of medical record information.
2. The security system for accessing medical case information according to claim 1, characterized in that the cloud storage service center includes a local storage and a cloud storage.
3. The security system for accessing medical case information according to claim 2, characterized in that the cloud storage includes a client and a cloud side, the client is responsible for monitoring and capturing local system operations, the cloud side is provided with a data management center responsible for storing, backing up and querying medical case information, and the data management center has individual professional data centers.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610778967.1A CN106131225A (en) | 2016-08-30 | 2016-08-30 | The security system accessed for medical treatment case information |
Publications (1)
Publication Number | Publication Date |
---|---|
CN106131225A true CN106131225A (en) | 2016-11-16 |
Family
ID=57273261
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610778967.1A Pending CN106131225A (en) | 2016-08-30 | 2016-08-30 | The security system accessed for medical treatment case information |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106131225A (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | ||
RJ01 | Rejection of invention patent application after publication | Application publication date: 20161116 |