Background technique

With the rapid development and extensive use of computer and information technology, medical institutions are undergoing an information-based transformation, and the wide use of electronic medical records (EMR) in the medical field has brought great benefits. For a patient, an illness may present with various features during examination, and when diagnosing an illness it is common practice to ask the patient about past illnesses, physical condition and so on. This approach has two disadvantages: (1) it is difficult to ensure that the patient accurately remembers quantitative values, such as historical blood pressure records; (2) when describing a past illness the patient often mixes in non-professional medical terms, which affects the doctor's understanding of the patient's history. A precise and accurate medical record file therefore provides a comparatively reliable reference for the doctor.

As medical big data is used more and more widely, the accompanying problems have also become prominent, and the one attracting the most attention is privacy. According to the Chinese website security report published by the 360 company in 2015, medical privacy leakage events are second in number only to Internet privacy leakage events, and vulnerabilities in medical websites account for the largest amount of leaked personal privacy information, which shows the harm of medical data leakage. Medical data leakage is caused not only by risks external to medical institutions; there are also internal leakage factors. Medical institutions manage data carelessly and access authority is unclear, so insiders occasionally exchange patients' private information for substantial improper profit, and when a privacy leak occurs the point of the problem cannot be traced. In February 2016, a mental health and addiction services center in Ohio, USA invited its past patients to take an online questionnaire by mailing postcards printed with the words "Voice of the patient"; the postcards themselves revealed that the recipient had once received services at the center, and they also carried the patient's basic information, such as name, address and gender. Anyone handling the postcard could take this basic information, connect it with the medical information of the Ohio mental health and addiction services center, and deduce the patient's private information, causing leakage of patients' privacy. In 2018 a total of 18 data leakage events occurred in the United States in which the number of medical records involved reached or exceeded 100,000; 8 of these affected more than 500,000 medical records, and another 3 exposed more than 1,000,000 health care records in violation of regulations. Among them, the medical billing vendor Med Associates, headquartered in Latham, New York, provides claim services for more than 70 health care providers; it found that an employee's computer had been accessed without authorization, and the attacker may have obtained the personal medical information of up to 276,057 patients. Protecting the privacy of sensitive data in electronic health records is therefore a major research hotspot and research trend. In addition, patients do not participate in the management of their own medical information: by whom and for what purpose their data are used, patients are likely to be unaware. In a traditional medical database system the administrator can modify the access records of medical data, so once data are leaked it is impossible to determine who leaked the data and when, and accountability cannot be enforced accurately. It should also be noted that improving privacy protection often reduces the utilization rate of medical data, so that sharing of medical data cannot be achieved.
Currently, various medical privacy protection technologies are being developed and updated. First, in terms of access control, privacy protection research based on access control mainly designs secure authentication algorithms and limits the access authority of access subjects to the electronic health record system. In 2015 Zhu et al. proposed for cloud storage services an ABAC mechanism that is compatible with RBAC, user friendly and easy to manage; by defining priorities for attributes it refines the granularity of data access control in the cloud environment. Somchart and Hiroyuki combined ABAC, RBAC, a symmetric cryptosystem and ciphertext-policy attribute-based encryption (CP-ABE) to propose a new access control model, C-CP-ARBE; the model defines the access control policy as a tree and guarantees safety by continually computing and distributing keys through the tree, which not only realizes fine-grained access control but also improves efficiency considerably compared with traditional ABAC. Belaazi et al. proposed an ontology-based privacy protection access control framework that uses a self-built privacy ontology to verify the access control policy and performs redundancy elimination and consistency checks on the policy. Imran-Daud et al. devised an ontology-based access control system that combines ABAC with an ontology to overcome the low interoperability between components in a distributed environment. These studies all demonstrate that ontologies can be applied in big data distributed environments to unify the description of roles, attributes and so on. However, current research in this area has focused only on unifying descriptions and has not considered how to further quantify the degree of private data leakage; it concentrates on refining the granularity of access control, improving efficiency and adapting to the present big data environment, and research that takes privacy protection itself as its emphasis is rare.

Based on patients' differing demands for protecting their own information, Hsu et al. addressed the growing difficulty of user authorization in medical information systems as the number of users and the amount of information increase, proposing a role-based access control method that supports authorization for different types of objects and a new authorization domain. Huo Chengyi et al. proposed, on the basis of the RBAC model, the patient-oriented privacy protection access control model POP-PAC, in which users can define access control policies matching their own preferences according to their own needs, which solves the problem of private data being passively disclosed; however, the model does not differentiate the patient's data carefully, so that when a doctor obtains a patient's medical record he may also obtain case information unrelated to the case, or even the patient's basic information. Shin M S et al. proposed an RBAC-based personalized medical service platform for intelligent management of personal health archives on smart devices. Hui Zhen et al. proposed a risk-adaptive access control model for medical big data that can dynamically control access behaviour and meets certain data utilization demands; however, this method only considers the complexity of the doctor's access to the raw data, does not differentiate the patient's data carefully, and does not consider the value of the data themselves during utilization. Another work proposes a new authorization access control model in which the patient's data are classified and stored by privacy class, corresponding information is obtained according to different licensing modes, and the privacy class is configured case by case; but this model only solves the medical information access control problem for legitimately authorized users and does not address other kinds of medical information leakage and security protection problems.
The medical access control models described above can protect patients' privacy to a certain extent, but problems such as poor interoperability of medical data and excessive concentration of data remain: a centralized database increases risk and cost, and its scalability is limited. Once the central point fails or collapses, all nodes become unavailable, which increases risk; moreover, once central data leak, the leakage of private information is destructive. The databases used in traditional medical systems also allow data to be tampered with and offer poor traceability, whereas block chain technology can effectively solve these problems.
A block chain is a distributed, decentralized network database that arose with the appearance of encrypted currencies such as bitcoin. A block chain stores data in a chained block structure with timestamps, adding a time dimension to the data, and every transaction on a block is connected to the two neighbouring blocks by cryptographic methods, so any transaction is traceable. Since all activity data generated since the system started running are stored on the block chain, all historical operations can easily be restored and traced on the basis of these tamper-proof log-type data.
Xue Tengfei et al. proposed an electronic medical information sharing model based on block chain technology, which helps to solve the difficulty of sharing information among medical institutions. Shae Z et al. proposed a block chain platform architecture to support medical clinical trials and precision medicine. Ivan D et al. proposed using the block chain as a novel method of protecting medical and health data storage, discussing implementation barriers and a plan for gradual transition from current techniques to a block chain solution. Azaria A et al. combined the OPAL/Enigma encryption platform of the Massachusetts Institute of Technology with block chain technology to propose a block chain-based medical data acquisition and rights management system. Kuo T T et al. combined privacy-preserving online machine learning with private block chain technology. Witchey N described a system and method for verifying medical transactions. Xia Q et al. consider that a patient's medical records may face various risks, such as privacy compromise and economic loss, during transmission; to address these problems Xia Q proposed a scheme for sharing medical big data that solves the hosting problem in a weakly trusted environment. The system is based on block chain and can provide functions such as data provenance, data auditing and management of shared medical data. Dubovitskaya A et al., again relying on the traceability of the block chain, proposed a secure and trusted medical electronic record system. Ahram T described a block chain-based medical and health application, Healthchain. The conceptions and solutions above share the shortcoming that medical data cannot be updated on the block chain, and they require a certain remuneration to be paid, so their cost is comparatively high.
Information entropy is an effective tool for measuring information: the amount of information can be expressed with information entropy, and the amount of private information can likewise be measured with it. Information entropy has many applications in location privacy protection and data anonymization. Simulations of traditional access control show that methods applying information entropy to access control of private information are comparatively mature; in an access control system for private information, an intuitive understanding of the amount of private information grasped by a visitor can assist the formulation of policy and the execution of decisions. Y. Liu et al. proposed a privacy-based data access control and medical file sharing mechanism in which information entropy is used to compute private information, integration models carrying a comparatively large amount of information are identified, and distributed medical documents are queried using the integration model. However, private information has different sensitivities, and during data utilization the use of data is often limited by privacy protection requirements, which greatly reduces the utilization rate.
Summary of the invention

The technical problem to be solved by the present invention is how to provide a method of privacy protection under medical data sharing that not only protects users' medical privacy information during the service process but also allows patients to manage their own medical data autonomously.
To solve the above technical problems, the technical solution adopted by the present invention is a block chain-based electronic health record access control method, characterised in that it comprises the following steps:

A dynamic access control policy is first formulated to distribute permissions to visitors of the electronic health record, the access control policy is written into an intelligent contract, and the identity of the data visitor is authenticated;

The medical data of the patient are stored in blocks and deployed using a decentralized network, information entropy theory is used to quantify the information, and the conditions for accessing the medical data are set according to the patient's requirements.
A further technical solution is that the conditions for accessing medical data include: 1) the access purpose is consistent with the intended purpose; 2) the medical information is quantified and an information amount tolerance is set, and the amount of information accessed must be less than the set tolerance. If the access purpose of the data visitor does not match the intended purpose of the patient, or the amount of information exceeds the set tolerance, access to the data is not allowed, but the visitor can apply again; only when the patient agrees is the visitor allowed to view the medical data stored on the corresponding block.
A further technical solution is that every time data are accessed, the access behaviour is recorded and stored on the block chain, and the access record cannot be tampered with.
A further technical solution is that the method of quantifying information with information entropy theory is as follows:

Different weights are set for different private information; different proportions are set according to the stake in the patient's private information.

Patients' private information is divided into 3 grades according to privacy protection sensitivity, and the sensitivity of the three classes differs. Class one private information has the highest sensitivity, so its weight should be the largest, and the weights of class two and class three private information decrease in turn. Different weight values can be set for different patients, but the weights should sum to 1.

Class one private information is information that directly points to the patient and needs the highest privacy protection sensitivity; class two private information is the patient's medical records, related to disease diagnosis and treatment, including the patient's visit history, illness and treatment method; class three private information is the patient's test and laboratory records, which are simple medical data that do not point to the patient but contribute to the analysis and diagnosis of disease, have research value, and do not need a high level of privacy protection sensitivity.

Define the weight of class one private information as q1, the weight of class two private information as q2, and the weight of class three private information as q3.

Define the access information form as access = {id, a1, a2, a3, …, an}, where ai is an access information entry and the number of access information entries is n. Without taking the weights into account, the amount of information of each requested entry is calculated according to the definition of entropy as follows:

Es is the amount of information obtained by the entire access request. After the amount of information of every access information entry has been calculated, the entropy of each class of private information is calculated according to its privacy classification, and the amount of information obtained by the entire access request is then calculated according to the weight of each kind of private information. The information amount tolerance set by the system for each access request is Et; this value can be set according to the specific situation of different systems.
A further technical solution is that when a visitor wants to access medical data, the following rules must be followed to realize access control:

1) The visitor performs identity authentication; if authentication fails, the visit ends; if authentication passes, a medical information access request is submitted;
2) The access request is received, and the patient id and the specific request entries ai are extracted;
3) The request entries are classified according to L1, L2 and L3, and the numbers of private information entries of each class, s1, s2 and s3, are recorded;
4) The information entropy Es of the access request is calculated;
5) The access purpose is compared with the intended purpose and Es is compared with Et; if the access purpose is consistent with the intended purpose and Es < Et, access is allowed; if the access purpose differs from the intended purpose or Es > Et, access is not allowed.
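As an added illustration (not code from the patent), the following Python models steps 1) to 5) above for one access request: the requested entries are graded L1/L2/L3 and counted (s1, s2, s3), the per-grade information is weighted by q1, q2, q3 (which must sum to 1), and the result Es is compared with the tolerance Et together with the purpose check. The specification does not reproduce its entropy formula or any numbers, so the per-entry amount is taken here as Shannon self-information, -log2(p), with constructed prior probabilities p; the entry names, weights and tolerance are likewise assumptions of this example. The text does not say what happens when Es equals Et; the example treats that case as not allowed.

```python
# Added example, not from the patent: the entropy-based access check of steps 1)-5).
import math

# Privacy grades from the specification: L1 basic info, L2 medical records, L3 test/lab data.
GRADE_OF_ENTRY = {
    "name": "L1", "id_number": "L1", "address": "L1", "phone": "L1",
    "diagnosis": "L2", "visit_history": "L2", "treatment": "L2",
    "blood_pressure": "L3", "blood_test": "L3", "ct_scan": "L3",
}

# ASSUMPTION (constructed): prior probability that a generic visitor could already
# guess the value of each entry; the text gives no such numbers.
PRIOR_PROB = {
    "name": 1 / 1000, "id_number": 1 / 1_000_000, "address": 1 / 10_000, "phone": 1 / 100_000,
    "diagnosis": 1 / 500, "visit_history": 1 / 200, "treatment": 1 / 100,
    "blood_pressure": 1 / 50, "blood_test": 1 / 40, "ct_scan": 1 / 20,
}


def self_information(entry):
    """Shannon self-information of one entry in bits (assumed form of the page's 'definition of entropy')."""
    return -math.log2(PRIOR_PROB[entry])


def classify(entries):
    """Step 3: group the requested entries a_i by grade and count s1, s2, s3."""
    groups = {"L1": [], "L2": [], "L3": []}
    for a in entries:
        groups[GRADE_OF_ENTRY[a]].append(a)
    counts = {g: len(items) for g, items in groups.items()}   # s1, s2, s3
    return groups, counts


def request_entropy(entries, weights):
    """Step 4: per-grade entropy summed over its entries, then Es = q1*E1 + q2*E2 + q3*E3."""
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("weights q1 + q2 + q3 must equal 1")
    groups, _ = classify(entries)
    per_grade = {g: sum(self_information(a) for a in items) for g, items in groups.items()}
    return sum(weights[g] * per_grade[g] for g in per_grade), per_grade


def access_decision(request, policy, authenticated):
    """Steps 1, 2 and 5: authentication, then purpose match and Es < Et.

    request: {"patient_id": ..., "purpose": ..., "entries": [...]}
    policy:  the patient's settings {"intended_purpose": ..., "weights": {...}, "Et": ...}
    Es == Et is not specified by the text; it is treated as 'not allowed' here (assumption).
    """
    if not authenticated:
        return "deny: authentication failed"
    es, _ = request_entropy(request["entries"], policy["weights"])
    if request["purpose"] != policy["intended_purpose"]:
        return "deny: purpose mismatch (may re-apply; needs patient consent)"
    if es < policy["Et"]:
        return "allow"
    return "deny: Es=%.2f bits exceeds Et=%.2f (may re-apply; needs patient consent)" % (es, policy["Et"])


# Constructed patient policy: q1=0.5, q2=0.3, q3=0.2 and a tolerance of 10 bits.
PATIENT_POLICY = {"intended_purpose": "treatment",
                  "weights": {"L1": 0.5, "L2": 0.3, "L3": 0.2}, "Et": 10.0}

if __name__ == "__main__":
    req = {"patient_id": "P001", "purpose": "treatment", "entries": ["diagnosis", "blood_test"]}
    print(access_decision(req, PATIENT_POLICY, authenticated=True))
    req["entries"] = ["name", "id_number", "diagnosis"]   # adds two L1 entries: exceeds Et
    print(access_decision(req, PATIENT_POLICY, authenticated=True))
```

With these constructed numbers a request for the diagnosis and a blood test carries about 3.75 bits and is allowed, while adding the name and identification number pushes the weighted amount past the 10-bit tolerance and is refused, which is the intended effect of giving L1 entries the largest weight.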
A further technical solution is that the method also includes adding records to the patient's electronic health record:

When a patient is treated for the first time, each medical record of the user is divided by privacy protection sensitivity and stored in blocks, with the private information encrypted under the patient's public key using asymmetric encryption. When there are many processes, the information is first cached in the local database, and after the pending data have been stored the information in the local database is deleted. If the amount of information in a patient's medical record is large and its degree of privacy is not high, an index can be established on the block chain without storing the information on the block chain itself.
A further technical solution is that the method also includes the interaction of private information:

The patient node belongs to the user side; the medical information access node is regarded as the data demander, and the database is the local database.

When submitting an access request, the visitor triggers the access control policy prepared in the intelligent contract, which authenticates the visitor's identity; if authentication does not pass, no access request can be made; if authentication passes, the request for the required patient information is sent to the EMR manager of the access node.

After receiving the request, the EMR manager first checks whether the corresponding content is stored in the local database. There are three situations: it exists, it partially exists, or it does not exist. For content that exists, the EMR manager revises the corresponding request according to whether the content is correct and whether it needs updating; if the request does not need to change, the subsequent operation continues without this content.

The EMR manager of the patient node sends the patient's public key to the EMR manager of the access node.

The EMR manager of the access node transfers the data request encrypted with the patient's public key, together with the visitor's public key, to the patient node.

The patient node judges the data request sent by the EMR manager and, in conjunction with the degree of privacy of the corresponding information, determines the content request to be shared with the visitor and sends it to the EMR manager.

After the EMR manager receives the request acknowledged by the patient node, it distributes the agreed part of the request and the part to be updated to the system; if the received request contains no agreed or updated part, the following steps need not be carried out.

The information the system obtains from the block chain is data encrypted with the patient's public key, so it must be decrypted with the patient's private key to obtain the plaintext, which is sent to the EMR manager.

When the EMR manager of the patient node sends the information needed by the visitor, or the result that the patient has completely refused, to the EMR manager of the access node, it encrypts it with the visitor's public key received earlier, achieving secret transmission.

After receiving the encrypted result information, the EMR manager of the medical information access node first deposits it in the local database and retains a backup.

The encrypted result received is first decrypted with the visitor's key and then forwarded to the visitor; after each interaction process, this access is recorded and stored on the block chain.
The beneficial effects of adopting the above technical scheme are that the method first uses a suitable access control policy to solve the problem of leakage of users' medical privacy information while medical record information is in use. Then information entropy technology is used to quantify medical data, realizing effective and maximal utilization of medical data. Using the distributed ledger characteristics of the block chain and its inherent security attributes can eliminate data silos, promote data sharing between medical systems, prevent tampering with access records, and better support medical research and precision medicine. The present study not only protects users' medical privacy information during the service process but also allows patients to manage their own medical data autonomously, which is conducive to privacy protection under medical data sharing.
Specific embodiment

The technical solution in the embodiments of the present invention is described clearly and completely below with reference to the drawings in the embodiments of the present invention. Obviously, the described embodiments are only a part of the embodiments of the present invention, not all of them. Based on the embodiments of the present invention, all other embodiments obtained by those of ordinary skill in the art without creative effort shall fall within the protection scope of the present invention.

In the following description, numerous specific details are set forth to facilitate a full understanding of the present invention, but the present invention can also be implemented in ways other than the one described here, and those skilled in the art can make similar generalizations without departing from the intention of the present invention; the present invention is therefore not limited by the specific embodiments disclosed below.
Medical block chain and medical block: the electronic health record of each user and the access records of the data are stored as a separate chain. The medical block chain is mainly composed of two parts: blocks (Block) and transactions (Transaction). A block chain is composed of blocks, each of which records the ID of the previous block, and each block contains several transactions. These transactions are the carriers of the data actually stored in the block chain (Blockchain). For example, a block chain can be regarded as a database, each block constituting the block chain can be regarded as a table in the database, and a transaction can be regarded as a record (Record) in each table. For instance, after a patient is treated, the medical data become a block that is added to the patient's electronic health record block chain, which is broadly divided into two parts: the starting block and the added blocks. Each added block contains the cryptographic hash of the previous block, the starting block contains the patient's basic information, and the medical data obtained after each treatment of the patient need only be linked to the previous block. The structure is shown in Figure 1.

A block is mainly composed of the block head and the content other than the block head. The block head contains the ID of the previous block, the public key of the block generator, the Merkle tree root hash generated from the transaction IDs, and the time when the block was generated. The content outside the block head includes the digital signature of the block generator over the block head, the number of transaction IDs, and all transaction IDs saved in this block. The digital signature guarantees that the block content is not tampered with and ensures that a block generator cannot deny it after generating a malicious block. In addition, only the IDs of the transactions are saved in the block, that is, only indexes pointing to transactions are saved and the transactions themselves are not, which reduces the capacity of each block and facilitates synchronization and backup. Blocks and transactions are physically stored in the database and logically stored in the form of a block chain. In the storage design of a transaction, individual transaction fields such as the transaction ID, transaction type, timestamp, public key and digital signature are simply added to the data normally stored in the database, and the information to be stored serves as the transaction content; a transaction is thus formed logically, while its physical storage differs little from general data storage.
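An added example (not the patent's own code) of the block and transaction layout just described: blocks whose head holds the previous block ID, the generator's public key, the Merkle root of the transaction IDs and a timestamp, and whose body holds the generator's signature, the transaction count and the transaction IDs, while the transactions themselves sit in a separate store. The verifier walks the chain and reports which part was altered, which is the property the text relies on for tamper-proof access records. Assumptions: the digital signature is stood in for by HMAC-SHA256 under a per-generator secret (the standard library has no public-key signature), and the patient records, hospital key and access record are constructed sample data.

```python
# Added example, not from the patent: a minimal medical block chain with blocks that
# hold only transaction IDs, a Merkle root in the head, and chain verification.
import hashlib
import hmac
import json
import time

GENESIS_PREV = "0" * 64


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(obj) -> bytes:
    """Stable serialization so hashes do not depend on dict ordering."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def merkle_root(tx_ids):
    """Merkle tree root over transaction IDs (hex); an odd level duplicates its last node."""
    if not tx_ids:
        return sha256_hex(b"")
    level = [bytes.fromhex(t) for t in tx_ids]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [hashlib.sha256(level[i] + level[i + 1]).digest() for i in range(0, len(level), 2)]
    return level[0].hex()


def sign(generator, message: str) -> str:
    # ASSUMPTION: HMAC-SHA256 under the generator's secret stands in for a public-key signature.
    return hmac.new(generator["secret"], message.encode(), "sha256").hexdigest()


def tx_fields(tx):
    return {k: v for k, v in tx.items() if k not in ("id", "signature")}


def make_transaction(store, tx_type, content, generator):
    """Physical storage: normal data plus the transaction fields (ID, type, timestamp, public key, signature)."""
    tx = {"type": tx_type, "timestamp": time.time(), "public_key": generator["pub"], "content": content}
    tx["id"] = sha256_hex(canonical(tx))
    tx["signature"] = sign(generator, tx["id"])
    store[tx["id"]] = tx
    return tx["id"]


def make_block(chain, tx_ids, generator):
    """Head: previous block ID, generator public key, Merkle root, time. Body: signature, count, IDs."""
    head = {"prev_block_id": chain[-1]["id"] if chain else GENESIS_PREV,
            "generator_pub": generator["pub"], "merkle_root": merkle_root(tx_ids),
            "timestamp": time.time()}
    block_id = sha256_hex(canonical(head))
    body = {"signature": sign(generator, block_id), "tx_count": len(tx_ids), "tx_ids": list(tx_ids)}
    chain.append({"id": block_id, "head": head, "body": body})
    return block_id


def verify_chain(chain, store, generators_by_pub):
    """Walk the chain: link, head hash, signature, Merkle root and every referenced transaction."""
    prev = GENESIS_PREV
    for i, block in enumerate(chain):
        head, body = block["head"], block["body"]
        gen = generators_by_pub.get(head["generator_pub"])
        if head["prev_block_id"] != prev:
            return False, f"block {i}: link to previous block broken"
        if sha256_hex(canonical(head)) != block["id"]:
            return False, f"block {i}: block head altered"
        if gen is None or not hmac.compare_digest(sign(gen, block["id"]), body["signature"]):
            return False, f"block {i}: generator signature invalid"
        if body["tx_count"] != len(body["tx_ids"]) or merkle_root(body["tx_ids"]) != head["merkle_root"]:
            return False, f"block {i}: transaction ID list altered"
        for tid in body["tx_ids"]:
            tx = store.get(tid)
            if tx is None or sha256_hex(canonical(tx_fields(tx))) != tid:
                return False, f"block {i}: transaction {tid[:8]} missing or altered"
        prev = block["id"]
    return True, "ok"


def build_demo_chain():
    """Starting block with basic info, one block per treatment, one block holding an access record (constructed)."""
    hospital = {"pub": "hospital-pub-key", "secret": b"hospital-secret"}   # hypothetical generator
    store, chain = {}, []
    make_block(chain, [make_transaction(store, "basic_info", {"patient_id": "P001", "name": "constructed"}, hospital)], hospital)
    visit = [make_transaction(store, "record", {"diagnosis": "constructed"}, hospital),
             make_transaction(store, "lab", {"blood_test": "constructed"}, hospital)]
    make_block(chain, visit, hospital)
    make_block(chain, [make_transaction(store, "access", {"visitor": "dr_wang", "entries": ["diagnosis"]}, hospital)], hospital)
    return chain, store, {hospital["pub"]: hospital}


if __name__ == "__main__":
    chain, store, gens = build_demo_chain()
    print(verify_chain(chain, store, gens))
    store[chain[1]["body"]["tx_ids"][0]]["content"]["diagnosis"] = "edited"   # tamper with a stored record
    print(verify_chain(chain, store, gens))
```

Because a transaction's ID is the hash of its stored fields and the block head carries the Merkle root of those IDs, editing a stored record, dropping an ID from a block, or changing a head field each fails at a different check, and the verifier names the block and the check that failed.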
Consensus algorithm:

The PBFT algorithm is used as the consensus algorithm in the medical block chain because PBFT is a consensus algorithm suited to consortium chains, with the following advantages:

1) Unlike the POW algorithm, PBFT does not need a large amount of computing power to avoid a "51% attack", and unlike the POS or DPOS algorithms it does not need tokens as the standard for measuring voting rights, so that in a permissioned system it can tolerate the case of a bounded number of faulty nodes (data loss, not working).

2) As a Byzantine fault tolerance (BFT) algorithm, PBFT guarantees that a distributed consensus round executes normally as long as the number of faulty or malicious nodes in the system does not exceed its tolerance bound; this requires that at least the corresponding number of nodes in a PBFT system are normal during each consensus round, so the environment in which these nodes run must be comparatively safe and stable.

3) The medical block chain is a consortium chain; the entities participating in it have government endorsement and a certain public credibility, and are strictly supervised by the health administration department, so malicious behaviour is far less likely than in block chain systems such as bitcoin. At the same time, through many years of informatization, each hospital has comparatively complete network, server and database systems, so the existing medical system can provide a comparatively safe and stable running environment for the normal operation of PBFT. Meanwhile, because every node in a cluster running PBFT has equal status and there is no difference in voting rights, centralization when verifying transactions or blocks is avoided in the medical block chain system. PBFT is therefore very suitable for the medical block chain.
Intelligent contract:

An intelligent contract is a computer transaction protocol that needs no intermediary, is self-verifying, and automatically executes the terms of an agreement; in recent years it has become increasingly popular and attracted attention together with block chain technology. Intelligent contracts on a block chain are decentralized, trustless, programmable and tamper-proof, can flexibly embed various data and agreements, and help realize safe and efficient information exchange, value transfer and asset management.

An intelligent contract generally has two attributes, value and state; the triggering scenes and response rules corresponding to the contract clauses are preset in the code with If-Then and What-If statements. After the parties jointly agree on and sign the intelligent contract, it is submitted with a user-initiated transaction, propagated over the P2P network, verified by miners, and stored in a particular block of the block chain; the contract address, contract interface and other information are returned to the user, who can then call the contract by initiating a transaction. Motivated by the system's preset incentive mechanism, miners contribute their own computing power to verify transactions; after receiving a contract creation or call transaction, a miner creates the contract or executes the contract code in a local sandbox execution environment (such as the Ethereum virtual machine). The contract code automatically judges, according to trusted external data sources (also called oracles) and inspection of the world state, whether the current scene meets the contract trigger conditions, strictly executes the response rules, and updates the world state. After the transaction is verified as valid it is packed into a new data block; after the new block is certified by the consensus algorithm it is linked to the block chain main chain and all updates take effect.
Combining the above theory, as shown in Fig. 2, the invention discloses a block chain-based electronic health record access control method that mainly includes the following steps:

A dynamic access control policy is first formulated to distribute permissions to patients, doctors and other staff, the access control policy is written into the intelligent contract, and the identity of the data visitor is authenticated. Then the patient's medical data are stored in blocks and deployed using a decentralized network, the theory of information entropy is used to quantify the information, and the conditions for accessing medical data are set according to the patient's requirements: first, the access purpose is consistent with the intended purpose; second, the medical information is quantified and an information amount tolerance is set, and the information accessed must be less than the tolerance. If the access purpose of the doctor or other data visitor does not match the intended purpose of the patient, or the amount of information exceeds the set tolerance, access to the data is not allowed, but an application can be filed again; only when the patient agrees is the visitor allowed to view the medical data stored on the corresponding block. This solves the problems of poor information exchange, low flexibility and the patient's inability to participate in data management. Every time data are accessed, the access behaviour is recorded and stored on the block chain, where the access record cannot be tampered with; this addresses the problems of altered data and tampered records in traditional databases and improves the strength of privacy protection.
Quantification of private data with information entropy:

Medical data comprises health data and non-health data. Health data concerns a person's physical condition, such as medical information; non-health data is information with no direct relation to personal health. Different data have different degrees of privacy relative to the patient, and after a visitor obtains medical data the utility value of the different pieces of private information differs, so the amount of private information obtained by the visitor cannot be measured by raw information content alone. Different weights should therefore be set for different kinds of private information, according to the share each has in the patient's private information.

The method described herein divides patients' private information into three classes according to privacy-protection sensitivity; the sensitivity of the three classes differs. Class 1 private information has the highest sensitivity, so its weight should be the largest; the weights of class 2 and class 3 private information decrease in turn. The weights may be set to different values for different patients, but they should sum to 1. The privacy-protection weight settings for the three classes are shown in Table 1 below.
Table 1 Privacy information weight settings
Class 1 private information: basic patient information, such as name, ID card number, address, contact details; grade L1
Class 2 private information: patient medical records; grade L2
Class 3 private information: patient test and analysis data; grade L3
Class 1 private information directly identifies the patient and therefore needs the highest privacy-protection sensitivity. Class 2 private information is the patient's medical records, related to diagnosis and treatment, and includes the patient's medical history, illnesses and treatment methods. Class 3 private information is the patient's test and laboratory records; this is plain medical data that does not identify the patient but contributes to the analysis and diagnosis of disease and has research value, so it does not need a high level of privacy-protection sensitivity.
Define the class 1 private information weight as q1, the class 2 private information weight as q2 and the class 3 private information weight as q3. Define the access information in the form access = {id, a1, a2, a3, ..., an}, where ai is an access information entry and n is the number of entries. Before the weights are included in the calculation, the information content of each requested entry is calculated according to the definition of entropy as follows:

Es is the information content obtained by the entire access request. After the information amount of each access entry has been calculated, the entries are classified by private information class, the entropy of each class is calculated, and the information content obtained by the entire access request is then computed from the weight of each class. The system sets the information content tolerance for each access request as Et; this value can be set according to the specific situation of each system.
Access control policy:

In order to achieve fine-grained privacy-protecting access control over the data, user roles are designed and permissions are assigned on the basis of the role-based access control model. The patient sets an intended purpose for the data; when a visitor accesses the data, the visitor must state an access purpose, which is then compared with the intended purpose.

The visitors of an electronic medical record system are diverse and their needs differ, so access permissions of different grades need to be set for different visitors. The hospital's medical information system is accessed not only by internal departments but also through external medical insurance interfaces, urban community health service interfaces and remote medical consultation system interfaces, and these visitors have different needs for medical information. The patient should have complete, unrestricted access to their own electronic health record. Doctors access medical information mainly to support diagnosis and medical research, so their access should be subject to certain privacy limits. The data administrator manages the medical data, has extensive permission to manipulate the data and intervenes manually in other people's access permissions to meet the specific demands of medical access events, but the administrator's own reading of the data should be privacy-protected and the administrator's viewing of medical information content restricted. External visitors have very low permissions and obtain little medical information.

Medical data access behaviour refers to operations on medical information such as querying, processing and use. The main operating subjects are the patients themselves, doctors, external visitors and data management staff. The required actions are divided according to the visitor, and different behavioural subjects are assigned different permissions, which prevents visitors from performing unauthorized access. A user has full access to their own medical information; doctors mainly write, query and modify the patient's private information; the data administrator mainly assigns permission grades to other users and administers the system's data, but all data is encrypted.

The formulated access control policy is implemented with a smart contract, so no third party is needed to verify the visitor's identity. Only a visitor who meets the rules and passes authentication can submit an access request for medical information.
Access control method:

When a visitor wants to access medical data, the following rules are followed to implement access control.
1) The visitor is authenticated; if authentication fails, this access ends. If authentication passes, a medical information access request is submitted.
2) The access request is received, and the patient id and the specific request entries ai are extracted.
3) The request entries are classified as L1, L2 or L3, and the number of private information entries of each class, s1, s2 and s3, is recorded.
4) The information entropy Es of the access request is calculated.
5) The access purpose is compared with the intended purpose and Es is compared with Et. If the access purpose is consistent with the intended purpose and Es < Et, access is allowed; if the access purpose differs from the intended purpose or Es > Et, access is not allowed.
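The decision procedure of steps 1) to 5) above, together with the weighted per-class information content defined earlier, written out as an added example; this is illustrative code, not part of the patent. The text does not give the entropy formula itself, so the per-entry information content here is an assumption: each entry carries a constructed probability p_i of its value occurring in the patient population, its self-information is -log2(p_i), entries of one class are summed, and Es is the q-weighted sum of the class totals with q1 + q2 + q3 = 1. The weights, the entry catalogue, the probabilities and the role labels are all constructed sample values.

```python
"""Access control decision (steps 1-5) with a weighted entropy Es.

Added example, not the patent's own code. The entropy formula is an
ASSUMPTION: Es = sum_k q_k * sum_{i in class k} -log2(p_i), where p_i is a
constructed population probability for entry i.
"""
import math
from dataclasses import dataclass

# Class weights q1, q2, q3 (Table 1). Constructed values; only the ordering
# q1 > q2 > q3 and the sum of 1 come from the text.
WEIGHTS = {"L1": 0.5, "L2": 0.3, "L3": 0.2}
assert abs(sum(WEIGHTS.values()) - 1.0) < 1e-9

# Constructed catalogue mapping request entries to privacy classes L1/L2/L3.
ENTRY_CLASS = {
    "name": "L1", "id_number": "L1", "address": "L1", "phone": "L1",
    "medical_history": "L2", "diagnosis": "L2", "treatment": "L2",
    "blood_pressure": "L3", "lab_result": "L3", "ecg": "L3",
}

# Constructed population probabilities per entry (assumption, see docstring).
# Identifying entries are rare (high self-information), test values common.
ENTRY_PROB = {
    "name": 1e-6, "id_number": 1e-9, "address": 1e-5, "phone": 1e-7,
    "medical_history": 1e-3, "diagnosis": 1e-2, "treatment": 1e-2,
    "blood_pressure": 0.1, "lab_result": 0.05, "ecg": 0.2,
}


@dataclass
class Request:
    visitor: str
    role: str             # role under the RBAC design (constructed label)
    purpose: str          # access purpose stated by the visitor
    patient_id: str
    entries: tuple        # a1 .. an
    authenticated: bool   # outcome of the smart-contract identity check


def classify(entries):
    """Step 3: count the requested entries per class -> (s1, s2, s3)."""
    counts = {"L1": 0, "L2": 0, "L3": 0}
    for e in entries:
        counts[ENTRY_CLASS[e]] += 1
    return counts["L1"], counts["L2"], counts["L3"]


def request_entropy(entries):
    """Step 4: weighted information content Es of the whole request."""
    per_class = {"L1": 0.0, "L2": 0.0, "L3": 0.0}
    for e in entries:
        per_class[ENTRY_CLASS[e]] += -math.log2(ENTRY_PROB[e])
    return sum(WEIGHTS[k] * v for k, v in per_class.items())


def decide(req, intended_purpose, tolerance_et):
    """Steps 1, 2 and 5: returns (allowed, reason)."""
    if not req.authenticated:
        return False, "authentication failed"
    if req.purpose != intended_purpose:
        # A purpose mismatch is rejected before Es is even computed
        # (this is what happens to doctor Mark in example two).
        return False, "access purpose differs from patient's intended purpose"
    es = request_entropy(req.entries)
    if es < tolerance_et:
        return True, "Es=%.2f < Et=%.2f" % (es, tolerance_et)
    return False, "Es=%.2f >= Et=%.2f" % (es, tolerance_et)


if __name__ == "__main__":
    # Example three: clinical doctor Jack asks for Tom's diagnosis and a lab result.
    jack = Request("Jack", "attending_physician", "treatment", "tom",
                   ("diagnosis", "lab_result"), True)
    print(classify(jack.entries), decide(jack, "treatment", 5.0))
```

Note that adding a single L1 entry such as the ID number to Jack's request pushes Es above the constructed tolerance, so the same visitor with the same purpose is refused; this is the quantified control on the amount of private information the text describes.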
The blockchain is mainly used to solve the following problems: medical data is dispersed and slow to access; interoperability between data is poor; the quality and quantity of data for medical research need to be improved; the patient lacks ownership and management rights over the data and does not take part in managing their own medical data; and a doctor may obtain information about the patient unrelated to the current treatment when accessing the data. The patient's medical records are placed on the blockchain and the patient's medical information is stored in ciphertext, so the EMR administrator cannot obtain the patient's plaintext and the patient's private information is completely invisible to the database. Each medical record of the patient is split and marked, and stored in blocks such as the user's basic information, medical diagnoses, medical reports and medical experiment data; when any block of data needs to be accessed, only that block is taken, after the patient's consent has been obtained, which improves data security. Records on the blockchain use keyed hashes to prevent tampering, so data integrity can be tracked. The database administrator can add new records associated with a particular patient, and the patient can authorize sharing of records between visitors. All parties receiving new information receive an automatic notification and can verify the record before accepting or rejecting the data, which lets participants find out what is going on and take part in the evolution of their records. Existing and widely used identifiers (such as names or user accounts) are mapped to a party's address. After permissions have been confirmed, data is exchanged between the database and the visitor.

Fig. 3 is the overall flow chart of the method described herein. It is divided into two main parts, each introduced in detail: one part adds medical data for the patient and discusses how the patient's medical data is protected during the storage stage; the other part is the interaction between data, and describes the techniques used in the interaction and the specific steps. The function and principle of each module are introduced in turn below.
Adding records for the patient:

When a patient is treated for the first time, data such as the user's basic profile, medical diagnosis and medical reports need to be stored. This work is the responsibility of the EMR manager. In steps 1 to 4 of the figure, each of the user's medical records is stored in blocks according to privacy-protection sensitivity, using asymmetric encryption with the patient's public key to encrypt the private information. When there are many records to process they can first be cached in a local database, and the local database entries are deleted once the pending data has been stored. If the patient's medical record information is large and its degree of privacy is not high, an index to it can be established on the blockchain without storing the information itself on the blockchain.
Interaction of private information:

This part comprises two nodes, the patient's node and the medical information access node. The patient's node belongs to the user side; the medical information access node can be regarded as the data consumer, for example a medical institution, and its database is a local database. This part mainly implements the process in which the patient, taking into account the request submitted by the visitor, anonymises the corresponding information, selectively retrieves the information of the relevant block from the blockchain and returns it to the visitor.
Step 8: when a visitor submits an access request, the access control policy prepared in the smart contract is triggered and authenticates the visitor. If authentication fails, the access request cannot be submitted. If it passes, the visitor sends a request for the required patient information to the EMR manager of the access node.

Step 9: after receiving the request, the EMR manager first checks whether the corresponding content is already stored in the local database. There are three cases: the content exists, partly exists, or does not exist. For content that exists, the EMR manager changes the corresponding request to ask only whether that content is correct and whether it needs updating; if no change is needed, the subsequent operations continue without this content. (Because the request is likely to involve part of the patient's information, it must be encrypted with the patient's public key to prevent leakage.)

Step 10: the EMR manager of the patient's node sends the patient's public key to the EMR manager of the access node.

In the next step, the EMR manager transmits the data request encrypted with the patient's public key, together with the visitor's public key, to the patient's node.

In the next step, the patient judges the data request sent by the EMR manager, decides which content to share with the visitor according to the degree of privacy of the corresponding information, and sends it to the EMR manager. Because the data request was encrypted with the patient's public key, it must first be decrypted with the patient's private key before it can be viewed.

In the next step, when the EMR manager receives the patient's acknowledged request, it sends the agreed part and the part to be updated to the system. If the received request contains neither an agreed part nor a part to be updated, this step is not needed. The system implements all the functions required to join and participate in the blockchain network; it handles a considerable amount of work, such as connecting to the peer-to-peer network, encoding and sending transactions, and keeping a verified local replica of the blockchain.

In the next step, the client obtains the transaction key from the hash of the required block, the block height and the block hash in order to query the relevant information.

In the next step, because the information the system obtains from the blockchain is encrypted with the patient's public key, it is decrypted with the patient's private key to obtain the plaintext, which is sent to the EMR manager.

In the next step, when the EMR manager of the patient's node sends the information required by the visitor, or the result of the patient's complete refusal, to the EMR manager of the access node, it encrypts the result with the visitor's public key received earlier, achieving confidential transmission.

In the next step, after the EMR manager of the medical information access node receives the encrypted result, it first stores it in the local database as a backup.

In the final step, the received encrypted result is decrypted with the visitor's key and forwarded to the visitor. After each interaction, this access is recorded and stored on the blockchain.
Instance analysis:

Users request data in strict accordance with the access control method. The model is explained below with specific examples.

Example one: dermatologist Cary proposes to access the examination data of patient Bob's bronchitis (Respiratory Medicine) for the purpose of treatment. Cary must first be authenticated. Under the formulated access control policy, doctor Cary's authentication does not pass, because a doctor has no permission to view the medical data of a patient of another department. Access control thus restricts the user's identity and permissions and achieves the purpose of data protection.

Example two: cardiovascular internal medicine doctor Mark proposes to access the medical data of patient Mary's cardiovascular disease for the purpose of disease research, whereas the intended purpose set by patient Mary for that medical data is treatment. Doctor Mark passes the corresponding authentication, but the access purpose is inconsistent with the intended purpose, so there is no need to calculate the information entropy Es of this access request; the request is rejected and the medical data cannot be viewed. This reduces the risk of data access and gives priority to the patient's requirements. If doctor Mark believes that this disease research would have a preventive effect and benefit the patient's health, doctor Mark can file an application again, describing the access purpose in detail; Es is then calculated and compared with Et, and the result is sent together with the public key to the EMR administrator. After receiving the request, the EMR manager notifies patient Mary and asks whether she agrees to it. If the patient still denies the access request, the doctor cannot obtain the medical data and this access ends. If the patient agrees, she decrypts the medical information in question and sends it to the EMR administrator, who encrypts it with Mark's public key and sends it to Mark; doctor Mark decrypts it with his own private key and then views the data. In this way the flexibility of data access and real-time interaction are enhanced while the patient's privacy is protected.

Example three: clinical doctor Jack proposes to access the stomach health condition of patient Tom for the purpose of further treatment. The role of doctor Jack is clinical attending physician and he passes the corresponding authentication; the access purpose is consistent with the intended purpose, and Es is compared with Et: if Es < Et, access is allowed. Doctor Jack sends his request and public key to the EMR manager, who notifies patient Tom after receiving the request; patient Tom decrypts his own stomach medical information and sends it to the EMR administrator, who encrypts it with Jack's public key and sends it to Jack, completing the transfer of the information. After every access, the EMR administrator records the current access process and stores it on the blockchain, which solves the problem of accountability after a data leak occurs.
Safety analysis:

1) File storage security: the blockchain is characterised as a timestamped ledger; once confirmed by the consensus mechanism, its content is no longer modified. If an attacker wants to modify data stored in the blockchain system, they must copy a main chain identical to the source chain, which requires enormous computing power and is nearly impossible. In addition, the data stored in the blockchain is divided into a sequence of blocks stored in the system; to obtain this data and form the source file it would have to be spliced together in a particular order, the probability of which is very low, and assembling the files in order is likewise difficult. Even assuming the attacker obtains the patient data stored in the system by some means, the data cannot be viewed, and will not be deleted or modified, so the data is secure.

2) Data tamper-resistance: the files stored in the blockchain are encrypted. Without the patient's private key the file cannot be decrypted, so an attacker cannot view the patient's medical data, which guarantees the patient's privacy. Even assuming the attacker obtains the fragmented file by some means and splices the fragments together in the correct order to obtain the source file, the attacker still needs the patient's private key to decrypt the file, and decrypting an asymmetrically encrypted data file without obtaining the private key is very difficult.

3) Protection against file substitution: an attacker attempts by some means to replace the authentic file stored in the system with a false file; while the source file exists this is very difficult. In this method, a file submitted for execution by the smart contract must pass an iterative hash check. If the attacker uses a false file F' to execute the smart contract, the hash obtained by the hash algorithm is hash_F'; when the source file F executes the smart contract, the hash obtained is hash_F. By the rules of hashing, two files with different contents yield different hash values, i.e. hash_F' ≠ hash_F. The false file F' therefore cannot execute the contract, which ensures that the user's source file cannot be replaced by an attacker's false file and that the provenance of the user's medical data file is secure.
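The two tamper-evidence mechanisms the text relies on, the hash check a file must pass before the contract executes on it (hash_F' ≠ hash_F, point 3 above) and the access record appended to the chain after every interaction (final step of the interaction flow), as an added example that is not the patent's code. SHA-256 from Python's standard library stands in for the unspecified hash algorithm, the record layout is constructed, and the ledger is an in-memory hash chain rather than a real blockchain; the point it shows is that altering any stored access record, or re-hashing it to hide the alteration, is detected by the link to the next record.

```python
"""Hash-gated contract execution and a tamper-evident access record chain.

Added example, not the patent's own code. SHA-256 is an assumed hash
function; the record layout and sample values are constructed.
"""
import hashlib
import json
from dataclasses import dataclass


def file_hash(data: bytes) -> str:
    """hash_F for a file's bytes (SHA-256, assumed)."""
    return hashlib.sha256(data).hexdigest()


def contract_accepts(candidate: bytes, registered_hash: str) -> bool:
    """The contract runs only if hash(candidate) equals the recorded hash_F.
    A substituted file F' yields hash_F' != hash_F and is refused."""
    return file_hash(candidate) == registered_hash


@dataclass
class AccessRecord:
    index: int
    visitor: str
    patient_id: str
    entries: tuple
    allowed: bool
    prev_hash: str      # hash of the previous record (chain link)
    hash: str = ""      # hash over this record's content and prev_hash

    def compute_hash(self) -> str:
        body = json.dumps([self.index, self.visitor, self.patient_id,
                           list(self.entries), self.allowed, self.prev_hash])
        return hashlib.sha256(body.encode("utf-8")).hexdigest()


class AccessLedger:
    """Append-only log of access events; each record commits to its predecessor."""
    GENESIS = "0" * 64

    def __init__(self):
        self.records = []

    def append(self, visitor, patient_id, entries, allowed):
        prev = self.records[-1].hash if self.records else self.GENESIS
        rec = AccessRecord(len(self.records), visitor, patient_id,
                           tuple(entries), allowed, prev)
        rec.hash = rec.compute_hash()
        self.records.append(rec)
        return rec

    def verify(self):
        """Return the index of the first inconsistent record, or -1 if intact.
        Detects both an edited record (stored hash no longer matches) and a
        re-hashed record (the following record's prev_hash no longer matches)."""
        prev = self.GENESIS
        for rec in self.records:
            if rec.prev_hash != prev or rec.compute_hash() != rec.hash:
                return rec.index
            prev = rec.hash
        return -1


if __name__ == "__main__":
    source = b"patient record block (constructed sample)"
    registered = file_hash(source)
    print(contract_accepts(source, registered))                       # True
    print(contract_accepts(b"patient record block (forged)", registered))  # False

    ledger = AccessLedger()
    ledger.append("Jack", "tom", ["diagnosis"], True)
    ledger.append("Mark", "mary", ["diagnosis"], False)
    print(ledger.verify())            # -1, chain intact
    ledger.records[1].allowed = True  # an after-the-fact edit of the record
    print(ledger.verify())            # 1, the edited record is flagged
```

A real deployment would anchor the ledger's latest hash in a block committed by the consensus algorithm, so that rewriting the whole chain is as hard as rewriting the blockchain itself; the in-memory chain above only shows the detection logic.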
Comparative analysis:

Existing medical blockchain systems are compared with the method described herein by way of comparative analysis. The main medical blockchain systems at present are MDSM, MedRec and ModelChain; the comparison with these existing solutions is as follows.

Table 2 Comparison of the method described herein with existing medical blockchain systems

1) Compared with the three medical blockchain systems above, the method described herein uses information entropy to quantify the amount of medical information, so the information obtained by a visitor is under specific quantified control within the system: the amount of private information held by a visitor is known to the system, and a visitor is prevented from deducing further information about the patient from the private information already held. In addition, a dynamic access control policy is used to bind and revoke user permissions dynamically, implemented with a smart contract, which reduces the human resources required. The smart contract is executed for authentication when a visitor files a request, preventing unauthorized acts. None of these features is available in the other three medical blockchain systems.

2) Compared with the MDSM system, the number of starting nodes required is far smaller than in MDSM, which requires manual configuration of whether each hospital has voting power and of the proportion its vote carries in the final result.

3) Compared with MedRec, the number of nodes required to maintain the blockchain system is far smaller than in MedRec; there is no need to pay rewards to the nodes participating in consensus, and no need for large amounts of computing power to maintain the blockchain system.

4) ModelChain uses a private blockchain, and the number of nodes it requires is uncertain. Because its proof-of-work consensus mechanism is vulnerable to the "51% attack", in which a node that controls more than 51% of the network's computing power is able to tamper with and forge blockchain data, more nodes are needed to "average out" the computing power and prevent such an attack. Compared with ModelChain, therefore, no consensus participation rewards need to be paid and fewer nodes are needed.

It can thus be seen that the method described herein needs no payment, requires few starting nodes, is expandable in later operation, has a small demand for computing power, and does not need voting weights to be set manually; it quantifies private data, formulates a dynamic access control policy and achieves effective management of permissions. These are the exclusive features and advantages of this scheme.
The method described herein first uses access control technology to divide permissions and roles among patients, doctors and other staff, setting up a first barrier for the protection of medical data. It then uses blockchain technology to store the patient's basic profile, medical diagnoses, medical reports and other case data in blocks; at the next treatment, subject to the patient's consent, only the data of the corresponding block needs to be retrieved, which manages the data more strictly and prevents doctors or other personnel from obtaining excessive medical data and performing illegal operations. Every interaction is also recorded. In a traditional database system the stored data and the access records can be modified, so that when data leaks the source of the problem cannot be found; the blockchain has the property of being tamper-proof, and neither the access records nor the data on the blockchain can be altered, which effectively solves this problem.

Medical private data has always lacked interoperability and sharing, and the centralized management of medical data deprives the patient of ownership of the data, so that the patient cannot take part in managing it. The method described herein applies access control technology, information entropy technology and blockchain technology to further improve the protection of medical data, improve the integrity of the data, promote the exchange of trusted data, manage medical data in a decentralized way, let the patient control data sharing, and improve privacy protection. Storing the patient's medical data in blocks also effectively solves the data leakage problem that arises in data mining, since only the data relevant to the condition needs to be analysed; this makes it possible to predict certain conditions, take preventive action in advance and better help patients stay healthy.