JP2014153943A - Information processing apparatus - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a technique which sufficiently anonymizes information of an individual and enables the anonymized data to be used for an information distribution between the individual and the other company.SOLUTION: An information processing apparatus receives object data including a plurality of items corresponding to individuals, generates abstraction candidate data by changing a word which is a value of an item in the object data to an abstracted word, receives worth of a word included in the abstraction candidate data and obtains worth of the abstraction candidate data on the basis of the worth of the word included in the abstraction candidate data, examines on condition that a combination of the values of the items corresponding to an individual of the abstraction candidate data is not single in the abstraction candidate data, selects the abstraction candidate data on the basis of the worth of the abstraction candidate data which satisfies the condition of the examination, receives distribution information for a specific value of abstraction data, and distributes the distribution information to an individual corresponding to the specific value.

Description

  The present invention relates to a technique for using personal information by making it anonymous or diversified.

  With the development of information processing technology, information is collected in many everyday situations, and processing using the collected information is performed. For example, when a consumer purchases a product as a member of a store, the consumer's name, age, gender, address, e-mail address, etc. are often registered at the time of membership registration. When a consumer purchases a product, the store-side system records the consumer and the purchased product information in association with each other. By accumulating and analyzing information on purchased products in this way, it is possible to estimate the consumer's preferences and perform a service such as sending a direct mail when a new product preferred by the consumer is released. it can. Furthermore, by analyzing information on many consumers, classified consumer information such as products preferred by women in their 20s and products preferred in the Kanto area can be derived and used for marketing and the like.

  Such information has high utility value not only for the store but also for the manufacturer of the product and other companies, and there has been a demand to use it for recommendations such as advertisements and coupons.

  However, the consumer's personal information in the store cannot be provided to others without obtaining the consent of each consumer. Similarly, there is a request to use information (medical care information) when a patient has received medical care at a medical institution, etc., but providing medical information that is also sensitive information to another person without obtaining the consent of each patient. I can't.

  For this reason, a system has been proposed in which information collected from individuals is anonymized and provided to other businesses and the like, and advertisements from other businesses are mediated to each individual. For example, in Japanese Patent Laid-Open No. 2005-346248 (Patent Document 5), anonymized personal information is provided to a registered business operator by excluding a name from medical information (personal identification information and diagnosis result information). In addition, an information mediating apparatus that accepts an advertisement mail for the anonymized personal information from a registered company and forwards the advertisement mail to each individual mail address corresponding to the anonymized personal information has been proposed.

JP 2003-196391 A JP 2003-233551A Japanese Patent Laid-Open No. 2005-100408 JP 2004-086383 A JP 2005-346248 A

  The system of Patent Document 5 performs anonymization by excluding a name and the like, but anonymization may be insufficient by simply hiding the name.

  For example, if the age and disease name data is 25 years old and there is only one person with the disease name X, the person can be identified when he / she knows that the 25-year-old acquaintance is a patient with the disease name X become. That is, if there is only one person with the attribute of disease name X at the age of 25, there is a high possibility that an individual can be identified by comparing with other information.

  Therefore, if the age description in the patient data is abstracted into 10-year breaks and there are multiple people with the same attributes, such as three people in their 20s who have a disease name X, whoever of the three It becomes impossible to specify whether or not. A state in which there are k or more people having the same attribute in this way is referred to as “k-anonymity” and processing such data is referred to as “k-anonymization”.

  In conventional anonymization devices, when abstracting the value of each item to satisfy k-anonymity, data is simply separated so that the same attribute value becomes multiple, so even if anonymity is satisfied Sometimes it becomes worthless data. For example, when data is used to study growth, the age item is important, and if the age item is too abstract for anonymization, the utility value is lost. In this case, the operator specifies the priority of the items to be abstracted, reduces the abstraction of the items of age, and satisfies the k-anonymity by abstracting items other than the age. For anonymization, if the age item is divided into 17 years old or older and less than 22 years old, adults and minors may be mixed in the same group, and high school students and adults may be mixed. Depending on the situation, it will be worthless data. In this case, the operator specifies the age item separator according to the purpose of use, and abstracts other items so as to satisfy anonymity.

  As described above, when k-anonymization is performed by a conventional anonymization apparatus, there are many occasions that require an operator's judgment, which is not practical.

  Therefore, in the system that personal information is mechanically anonymized with a conventional device and output to the outside and used for recommendations such as advertisements and coupons, anonymization that satisfies k-anonymity cannot be performed, and it is sufficient Anonymization was not performed.

  Therefore, the present invention provides a technology for sufficiently anonymizing personal information and making the anonymized data available for information distribution between the individual and another business operator.

In order to solve the above problems, an information processing apparatus of the present invention provides:
A data receiving unit that receives target data including a plurality of items associated with an individual;
An abstraction unit that generates abstraction candidate data by replacing a word that is a value of an item in the target data with an abstracted word;
A value determination unit that receives the value of the word included in the abstraction candidate data and obtains the value of the abstraction candidate data based on the value of the word included in the abstraction candidate data;
A test unit that tests on condition that a combination of values of items of the abstraction candidate data is not limited to one individual of the target data;
An output unit that outputs the abstraction candidate data selected based on the value of the abstraction candidate data satisfying the test condition as anonymous information;
A distribution information receiving unit for receiving distribution information for a specific value of the anonymous information;
A distribution unit that distributes the distribution information to an individual corresponding to the specific value;
Is provided.

In order to solve the above-mentioned problem, an information processing method according to the present invention includes:
Receiving target data including a plurality of items associated with an individual;
Generating abstract candidate data by replacing words that are values of items in the target data with abstract words;
Receiving the value of the word included in the abstraction candidate data, and determining the value of the abstraction candidate data based on the value of the word included in the abstraction candidate data;
Testing a condition that a combination of values of the abstraction candidate data items is not limited to one individual of the target data;
Selecting abstraction candidate data based on the value of abstraction candidate data satisfying the test condition; receiving distribution information for a specific value of the abstraction data;
Delivering the delivery information to an individual corresponding to the specific value;
Is executed by the computer.

  The present invention may be a program for causing a computer to execute the above method. Furthermore, the program may be recorded on a computer-readable recording medium.

  Here, the computer-readable recording medium refers to a recording medium that accumulates information such as data and programs by electrical, magnetic, optical, mechanical, or chemical action and can be read from the computer. . Examples of such a recording medium that can be removed from the computer include a flexible disk, a magneto-optical disk, a CD-ROM, a CD-R / W, a DVD, a DAT, an 8 mm tape, and a memory card.

  Further, there are a hard disk, a ROM (read only memory), and the like as a recording medium fixed to the computer.

  The present invention can provide a technique for sufficiently anonymizing personal information and making the anonymized data available for information distribution between the individual and another business operator.

FIG. 1 is an explanatory diagram of anonymization processing. FIG. 2 is a functional block diagram of the information processing system. FIG. 3 is a diagram illustrating a hardware configuration of the hospital information server. FIG. 4 is a diagram illustrating an example of the medical information DB. FIG. 5 is a diagram illustrating an example of the anonymous information DB. FIG. 6 is a schematic configuration diagram of the anonymous value evaluation system. FIG. 7 is a diagram showing an example of the search information storage DB. FIG. 8 is a diagram showing an example of a part of the age item in the target data. FIG. 9 is a diagram showing an example of value data acquired from the search information storage DB for age. FIG. 10 shows the value of the age item. FIG. 11 shows the value of the age item. FIG. 12 is a diagram illustrating an example of a part of the age item in the abstraction candidate. FIG. 13 is a diagram showing an example of value data of each word acquired for the age. FIG. 14 is a diagram showing the value of the item of the age. FIG. 15 is a diagram showing the value of the item of the age. FIG. 16 is a schematic configuration diagram of a distribution information management system. FIG. 17 is a diagram illustrating an example of request information that the distribution information management system receives from a terminal of another business operator. FIG. 18 is a diagram illustrating an example of a moral DB. FIG. 19 is an explanatory diagram of anonymization processing by the information processing system. FIG. 20 is an explanatory diagram of candidate patterns. FIG. 21 is an explanatory diagram of a process in which the information processing system outputs distribution information to a patient. FIG. 22 is an explanatory diagram of the anonymization process according to the modification. FIG. 23 is an explanatory diagram of processing in which the information processing system outputs distribution information to a patient. FIG. 24 is a functional block diagram of the information processing system according to the second embodiment. FIG. 25 is a diagram illustrating a hardware configuration of the information processing system according to the second embodiment. FIG. 26 is a diagram illustrating an example of the user information DB. FIG. 27 is an explanatory diagram of processing for anonymizing (diversifying) notification data and distributing it by the information processing system.

  Hereinafter, embodiments for carrying out the present invention will be described with reference to the drawings. The configuration of the following embodiment is an exemplification, and the present invention is not limited to the configuration of the embodiment.

<Embodiment 1>
FIG. 1 is an explanatory diagram of anonymization processing, and FIG. 2 is a functional block diagram of the information processing system.

  FIG. 1A shows an example in which the last name item is deleted from the member information including the last name, age, and gender items. As shown in Fig. 1 (A), if there is only one 16-year-old woman in the member information in which the age is described, when the 16-year-old woman is found to be this member, the person is identified. it can. That is, if there is only one person with the attribute of 16 years old and female, there is a possibility that an individual can be identified by comparing with other information.

  In FIG. 1 (B), the description of the age in the member list is abstracted and classified by age, such as 0's (under 10 years), 10's, and 20's. However, even in this case, there is only one female teenager, and an individual can be identified as in FIG. 1A, which is insufficient for anonymization.

  Therefore, in FIG. 1 (C), it was further abstracted and the age divisions were changed to those in their teens (under 19 years old) and those in their 20s. In the case of FIG. 1C, there are two women in their teens or less, and the attributes of “10 or less” and [female] are not single. For this reason, even if it turns out that a 16-year-old woman is this member as mentioned above, it cannot be specified which is the data of the 16-year-old woman. A state in which there are k or more people having the same attribute in this way is referred to as “k-anonymity” and processing such data is referred to as “k-anonymization”.

As shown in FIG. 2, the information processing system 100 includes a hospital information system (HIS) 10, an anonymous value evaluation system 20, and a distribution information management system 30. The hospital information system 10 is a system that is provided in a medical institution such as a hospital or a medical examination center and manages medical information (personal information) of a person who receives treatment or diagnosis (hereinafter simply referred to as a patient or a user). The anonymous value evaluation system 20 is a system that calculates the value of an abstracted word based on the keyword statistical information used for the search by the search engine 40 and calculates the value of anonymous information composed of the abstracted word. is there. The distribution information management system 30 is a system that provides anonymous information to another business operator (distributor information sender), receives distribution information for anonymous information from the business operator, and distributes the information to each patient.

  The information processing system 100 according to the first embodiment uses the value obtained when the hospital information system 10 abstracts medical information as a plurality of abstract candidate data (hereinafter also simply referred to as abstract candidates) from the anonymous value evaluation system 20. The abstraction candidate that is acquired and selected based on the value after the abstraction is set as anonymous information, and is provided to other businesses via the distribution information management system 30. Then, the information processing system 100 receives distribution information such as advertisements and coupons for the anonymous information from the terminal 50 of another business operator, and outputs the distribution information to each individual corresponding to the anonymous information.

  As described above, the information processing system 100 according to the first embodiment provides medical information as anonymous information to other businesses, and individuals having specific attribute information based on the anonymous information, for example, high blood pressure, needing care, etc. By receiving distribution information targeted at individuals with attribute information such as from other companies and mediating to individuals with attribute information corresponding to this distribution information, distribution information is maintained while maintaining the anonymity of each individual Can be delivered. In other words, the information processing system 100 enables other companies to use medical information (personal information) for distribution of advertisements and the like.

  The hospital information system 10 includes an accepting machine 101 that accepts a patient's visit, an input / output terminal 102 that inputs / outputs medical information related to the patient, and a hospital information server 103 that manages the medical information input from the input / output terminal 102. Have.

  The accepting machine 101 is an information processing apparatus that includes a reading device that reads a patient's examination ticket and a printer that prints out a receipt receipt that describes a receipt number.

  The input / output terminal 102 is an information processing apparatus such as a personal computer, and displays a patient's medical record (medical record) from the hospital information server 103 and displays it, a doctor's diagnosis result and test result, medicine prescription, It has an input unit for inputting medical information such as the order of examination.

  Further, the input / output terminal 102 may be used as a terminal that performs accounting processing or a terminal that receives dispensing.

  The hospital information server 103 includes functional units such as a medical information DB (database) 19, an anonymous information DB 18, a data update unit 15, a data reception unit 16, and an output control unit 17.

  The data receiving unit 16 reads (acquires) target data including a plurality of items associated with individuals from the medical information DB 19 and stores the target data in the anonymous information DB 18.

  The data update unit 15 updates the value of each item of the target data (personal information) stored in the anonymous information DB 18 to a value that is abstracted based on an abstraction candidate described later, thereby making the target data anonymous information. .

  The output control unit 17 causes the distribution information received from the distribution information management system 30 to be output to the patient. Here, output of distribution information includes display output by a display device, print output by a printer, transmission to another device, writing to a storage medium, and the like. For example, the output control unit 17 transmits the distribution information to the reception device 101 and causes the printer of the reception device 101 to print the distribution information on the reception receipt. In the present embodiment, the output control unit 17 is a form of a distribution unit that distributes distribution information to a patient (individual).

  The output to the patient is not limited to this. The output to the control panel (not shown) of the accepting machine 101, the print output to the receipt or reservation slip at the time of accounting, and the display of the terminal (not shown) for accounting The display output may be to send an e-mail to the patient's e-mail address. Further, the output to the patient is not limited to outputting only to the patient as long as the patient can receive the distribution information, and may be output to an unspecified person including the patient.

  For example, it may be possible to display and output an advertisement on digital signage installed in a waiting room while the patient is waiting for payment, or to output an advertisement in the pharmacy when the patient requests dispensing at the pharmacy. . The distribution information may be data in a format that can be output by the above output method, and may be, for example, text, an image, a moving image, sound data, or the like.

  The medical information DB 19 stores medical information of each patient input by the input / output terminal 102. This medical information is read out by the input / output terminal 102 when the patient is examined, for example, and used as an electronic medical record. Further, the medical information in the medical information DB 19 is read by the data receiving unit 16 as anonymization target data.

  The anonymous information DB 18 receives personal information (target data), and the data update unit 15 rewrites the value of each item of the target data to an abstracted value based on the abstraction candidate and holds it as anonymous information. The anonymous information DB 18 retains destination information such as an e-mail address and a FAX number in the personal information in association with the anonymous information so that the output control unit 17 can read it as a delivery destination of the delivery information. Also good.

  The anonymous value evaluation system 20 includes an abstraction unit 11, a test unit 13, a selection unit 14, a value data acquisition unit 21, a value determination unit 22, a word category analysis unit 23, a value calculation unit 24, a search information storage DB 25, and the like. It has a functional part.

  When the target data is anonymized or diversified, the abstraction unit 11 generates abstract candidates by replacing words (words) that are values of items in the target data with abstracted words. In this embodiment, a word (word) is a group of words such as a word or a phrase, a numerical value such as location information or a telephone number, identification information such as an e-mail address or an IP address, a symbol having the same meaning as the word, or the like. May be included.

  The test unit 13 does not limit the combination of the item values of the abstraction candidate data to one individual of the target data. That is, the combination of the value of the item corresponding to one individual of the abstraction candidate is a single candidate among the abstraction candidates. It is tested on the condition that it is not. For example, the test unit 13 tests whether the abstraction candidate satisfies k-anonymity.

  The selection unit 14 selects an abstraction candidate based on the value calculated by the anonymous value evaluation system 20 for the abstraction candidate that satisfies the test condition. For example, the selection unit 14 selects a predetermined number of abstraction candidates in descending order of value from a plurality of abstraction candidates that satisfy k-anonymity.

  The value data acquisition unit 21 acquires (receives) word value data included in the abstraction candidate from the search information storage DB. In addition, when the value data of the word is not registered in the search information storage DB 25, the value data acquisition unit 21 makes a request to another device, for example, the search engine 40, and registers the acquired value data in the search information storage DB 25. It has a function (data request) and a function (data crawler) that periodically visits other devices to acquire the latest value data and updates the value data registered in the search information storage DB 25.

In this embodiment, the statistical information of each word is received from the search engine 40 as this value data. Here, the statistical information of each word includes, for example, an SEM (Search Engine Marketing) advertising unit price (CPC unit price), a click rate, an average ranking, the number of display times per day, the number of clicks per day, and the like. Note that the value acquisition destination is not limited to a search engine, and may be a web page, an SNS, or the like. In this case, for example, the use frequency of each word in a web page or SNS may be used as the value.

  The value determination unit 22 obtains the value of the abstraction candidate based on the value of the word included in the abstraction candidate, and notifies the hospital information server 103 of the value.

  The word category analysis unit 23 analyzes data on a website or the like, obtains a new word or a word (category) obtained by abstracting the word, and registers it in the search information accumulation DB.

  Based on the value of the word acquired by the value data acquisition unit 21, the value calculation unit 24 obtains statistical information on the value of the word such as an annual average, a monthly average, and a weekly average of the word value.

  The search information storage DB 25 stores the value of the word acquired by the value data acquisition unit 21, information of the word and category obtained by the word category analysis unit 23, statistical information of the value obtained by the value calculation unit 24, and the like.

  The distribution information management system 30 includes an anonymous data output unit 31, a distribution data reception unit (distribution information reception unit) 32, and a moral DB 33.

  The anonymous data output unit 31 reads anonymous information from the anonymous information DB 18 of the hospital information server 103 and transmits it to the terminal 50 of another business operator. Here, the transmission to the terminal 50 may be one that transmits an e-mail or the like to the address of each terminal 50, or may provide anonymous information as a web page.

  For example, when an information condition requested by another business operator (hereinafter also referred to as a request condition) is received from the terminal 50, the anonymous data output unit 31 conforms to the request condition and conflicts with the moral of the moral DB 33. The anonymous information that is not read is read from the anonymous information DB 18 and transmitted by e-mail or the like.

  Further, the anonymous data output unit 31 may return, as a response, a web page in which anonymous information is described, that is, a file described in HTML or the like, in response to a browsing request from the terminal 50.

  The distribution data reception unit 32 receives distribution information for a specific attribute value of the anonymous information from the terminal 50 of another business operator, and transmits this distribution information to the hospital information server 103.

  In FIG. 2, a search engine 40 is a site (computer) that provides a search function for information existing on a network such as the Internet. That is, when the search engine 40 receives a keyword to be searched from the user terminal, the search engine 40 provides a list such as a URL of a web page including the keyword as a search result, and displays the list on the user terminal.

  In addition, the search engine 40 uses this search function to display an advertisement linked to a keyword in a search result, or to display a link to a sponsor site that has paid an advertisement fee according to the keyword. This advertisement fee is determined by, for example, presenting the value of each keyword (statistical information of each word) and bidding for each keyword (advertisement auction). For this reason, the search engine 40 performs the number of searches per day (display count), the number of clicks on the search result advertisement (clicks), the advertising fee per click (cost per click), etc. Are stored as word statistics.

  Also, based on this information, the search engine 40 determines the click rate obtained by dividing the number of times of display by the number of clicks, the value obtained by multiplying the number of clicks per day by the cost per click (cost per day), the time of application for advertisement (advertisement) Also ask for the ranking of the advertisement according to the cost presented at the time of the auction.

  The search engine 40 provides the anonymous value evaluation system 20 with the data output unit 41 that provides information such as the number of clicks, the number of display times, the ranking, the cost of the day, the click rate, the cost per click, and the information about these words. A search word storage DB 42 for storing is provided.

FIG. 3 is a diagram illustrating a hardware configuration of the hospital information server 103. Hospital information server 10
Reference numeral 3 denotes a so-called information processing device (computer) having an arithmetic processing unit 1, a communication control unit 3, a storage device 4, and an input / output interface 5.

  The arithmetic processing unit 1 includes a CPU and a main memory, and the CPU executes a program expanded in an executable manner in the main memory, so that the data updating unit 15, the data receiving unit 16, and the output control unit 17 described above are executed. Provide functionality.

  The main memory can also be called a main storage device. The main memory stores, for example, a program executed by the CPU, data received via the communication control unit 3, data read from the storage device 4, and other data.

  The communication control unit 3 is connected to another device, for example, the accepting device 101 or the input / output terminal 102 via a network, and controls communication with the device.

  The input / output interface 5 is appropriately connected to output means such as a display device and a printer, input means such as a keyboard and pointing device, and input / output means such as a drive device. The drive device is a removable storage medium read / write device, such as an input / output device for a flash memory card, a USB adapter for connecting a USB memory, or the like. The removable storage medium may be a disk medium such as a CD (Compact Disc), a DVD (Digital Versatile Disk), or a Blu-ray Disc. The drive device reads the program from the removable storage medium and stores it in the storage device 4.

The storage device 4 can also be called an external storage device (auxiliary storage device). The storage device 4 may be an SSD (Solid State Drive), an HDD, or the like. The storage device 4 exchanges data with the drive device. For example, the storage device 4 stores an information processing program installed from the drive device. In the storage device 4, the program and data are read by the arithmetic processing unit 1 and delivered to the main memory. In the present embodiment, the storage device 4 stores the medical information DB 19 and the anonymous information DB 18 described above.

  Note that the basic hardware configuration of the accepting machine 101 and the input / output terminal 102 is the same as that shown in FIG. 3. The accepting machine 101 and the input / output terminal 102 include an arithmetic processing unit, a communication control unit, a storage device, and an input / output. An information processing apparatus having an interface. For example, in the accepting machine 101, an examination ticket reading device is connected to the input / output interface, and the arithmetic processing unit controls the reading device to read patient identification information (patient ID) from the examination ticket, via the communication control unit. Transmit to the hospital information server 103. The accepting machine 101 is connected to a printer with an input / output interface, and outputs a receipt printed with a receipt number and distribution information.

  In the input / output terminal 102, the arithmetic processing unit reads out the medical information of the patient from the hospital information server 103 via the communication control unit and displays the medical information on the display device, and the doctor inputs the result of the diagnosis by operating the keyboard and the mouse. The data is transmitted to the hospital information server 103 via the communication control unit and stored in the medical information DB 19.

  FIG. 4 is a diagram illustrating an example of the medical information DB 19. The medical information DB 19 in FIG. 4 stores items of patient ID, name, age, sex, mail address, and medical history as medical information in association with each patient.

  The patient ID is information for uniquely identifying a patient, and is, for example, a medical examination number or an insurance card number.

  The e-mail address is information indicating the contact information of the patient, and may be a telephone number or an address.

  The medical history is history information in which the contents of past medical care are recorded together with the medical treatment date, and FIG. 4 shows the contents of medical treatment for the latest three times. It should be noted that the medical history may be one in which the entire history is recorded, or a part of history (for example, history for a predetermined period) may be extracted. The contents of medical care may include the name of the wound, the site of the wound, the department (internal medicine, surgery, etc.), the examination result, the name of the prescribed medicine, and the like.

  FIG. 5 is a diagram illustrating an example of the anonymous information DB 18, FIG. 5A is a diagram illustrating an example immediately after the target data is written, and FIG. 5B is a diagram illustrating an example after anonymization. As shown in FIG. 5B, the anonymous information DB 18 stores anonymous information ID, age group, and medical history as anonymous information in association with the patient ID. Here, anonymous information ID is the identification information allocated to each patient's anonymous information for every anonymization process. Since the anonymous information ID is given only to the anonymized information and is not used in other processing, even if the anonymous information ID is individually given to each record of the anonymous information, the individual is identified by collating with other information. There is no.

  FIG. 6 is a schematic configuration diagram of the anonymous value evaluation system 20. The anonymous value evaluation system 20 is a so-called information processing apparatus (computer) including an arithmetic processing unit 201, a communication control unit 203, a storage device 204, and an input / output interface 205.

  The arithmetic processing unit 201 includes a CPU and a main memory, and the CPU executes a program expanded in an executable manner in the main memory, so that the abstraction unit 11, the test unit 13, the selection unit 14, and the value data described above are executed. The function of the acquisition part 21, the value determination part 22, the word category analysis part 23, and the value calculation part 24 is provided.

  The main memory can also be called a main storage device. The main memory stores, for example, programs executed by the CPU, data received via the communication control unit 203, data read from the storage device 204, and other data.

  The communication control unit 203 is connected to another device such as the hospital information server 103 via the network, and controls communication with the device.

  The input / output interface 205 is appropriately connected to output means such as a display device and a printer, input means such as a keyboard and pointing device, and input / output means such as a drive device.

The storage device 204 can also be called an external storage device (auxiliary storage device). The storage device 204 may be an SSD (Solid State Drive), an HDD, or the like. Storage device 204
Transmits and receives data to and from the drive device. For example, the storage device 204 stores an information processing program installed from the drive device. The storage device 4 reads out the program and delivers it to the memory. In the present embodiment, the storage device 204 stores the search information accumulation DB 25 described above.

FIG. 7 is a diagram illustrating an example of the search information accumulation DB 25. The search information accumulation DB 25 stores the word acquired from the search engine 40 and its price (unit price) in association with each other as value data. Based on the value data of each word, the value of each abstraction candidate is calculated,
Next, the value of data in the present embodiment will be described with reference to FIGS. FIG. 8 is a diagram showing an example of a part of the age item in the target data. As shown in FIG. 8, the target data has the number of people ci for each age si. For example, the number of people (c1) at the age of 18 (s1) is 30, and the number of people (c2) at the age of 19 (s2) is 10.

FIG. 9 shows an example of value data acquired from the search information storage DB 25 for the age si. The value data in FIG. 9 has a SEM unit price ei for each age si. Here, the SEM unit price ei is a price that the search engine 40 presents for SEM such as an advertisement auction.

  The value of this age si is a value obtained by multiplying the SEM unit price ei by the number of people ci, and is represented by Equation 1.

si = ci × ei (Formula 1)
As shown in FIG. 10, the value of the age item S (e) is the total of each age si, and is expressed by Equation 2. In FIG. 10, n is 5. Therefore, the value of the age item S (e) is 2446 yen as shown in FIG. The value of the target data is the sum of the values of all items in the target data.

  On the other hand, FIG. 12 is a diagram showing an example of a part of the age item in the abstraction candidate. As shown in FIG. 12, the abstraction candidates have the number of people ci for each age ki. For example, the number of teenagers (k1) (c1) is 40, and the number of people in their 20s (k2) (c2) is 22.

  FIG. 13 shows an example of value data of each word acquired for the age ki. The value data in FIG. 13 has a SEM unit price ei for each age ki.

  The value of this age ki is a value obtained by multiplying the SEM unit price ei by the number of people ci, and is expressed by Equation 3.

ki = ci × ei (Formula 3)
Then, as shown in FIG. 14, the value of the item S (k) of the age is the total of each age ki, and is expressed by Equation 4. In FIG. 14, n is 2. Therefore, the value of the item S (k) of the age is 2134 yen as shown in FIG. In other words, the value was lost by 312 yen by abstracting the age item into the age. The sum of the values of all items in the abstraction candidate is the value of the abstraction candidate.

  Then, as the value of the abstraction candidate obtained in step S150, for example, as shown in Equation 5, an impairment rate M (k) obtained by dividing the value of the abstraction candidate by the sum of the value of the abstraction candidate and the value of the target data is obtained. .

M (k) = S (k) / (S (k) + S (e)) (Formula 5)
FIG. 16 is a schematic configuration diagram of the distribution information management system 30. The distribution information management system 30 is a so-called information processing apparatus (computer) including an arithmetic processing unit 301, a communication control unit 303, a storage device 304, and an input / output interface 305.

  The arithmetic processing unit 301 has a CPU and a main memory, and the CPU provides the functions of the above-described anonymous data output unit 31 and the distribution data receiving unit 32 by executing a program that is executable on the main memory. To do.

  The main memory can also be called a main storage device. The main memory stores, for example, a program executed by the CPU, data received via the communication control unit 303, data read from the storage device 204, other data, and the like.

  The communication control unit 303 is connected to another device, such as the hospital information server 103 or another business operator's terminal 50, via a network, and controls communication with the device.

  The input / output interface 305 is appropriately connected to output means such as a display device and a printer, input means such as a keyboard and pointing device, and input / output means such as a drive device.

The storage device 304 can also be called an external storage device (auxiliary storage device). The storage device 304 may be an SSD (Solid State Drive), an HDD, or the like. Storage device 304
Transmits and receives data to and from the drive device. For example, the storage device 304 stores an information processing program installed from the drive device. The storage device 304 stores the moral DB 33 described above.

  FIG. 17 is a diagram illustrating an example of request information that the distribution information management system 30 receives from the terminal 50 of another business operator. The request information in FIG. 17 stores the business name, address, condition, and unit price in association with each other.

  The company name is information for identifying the company, and is not limited to the name but may be an ID or the like.

  The address is information indicating a transmission destination of anonymous information, and may be information that can specify the transmission destination such as an IP address and a FAX number in addition to a mail address.

  The condition is a condition for requesting anonymous information, and in the example of FIG.

  The unit price is a price per unit (consideration) paid from the business operator to the information processing system 100 when the distribution information is distributed to the patient.

  The summary of distribution information is information indicating the target and type of distribution information. In the example of FIG. 17, taxis, sphygmomanometers, meal guidance, and the like are targeted, and types such as coupons, advertisements, and information provision are shown.

  FIG. 18 is a diagram illustrating an example of a moral DB. For example, it is not desirable to deliver alcohol and tobacco advertisements to hypertensive patients. In this way, the moral DB 33 stores the distribution information object and the attribute value that are against the morals in association with each other so that the distribution is not performed against the morals.

  In the example of FIG. 18, combinations of inappropriate objects and attribute values are stored, such as high blood pressure and alcohol / cigarettes, asthma and tobacco, hospitalization and travel.

  As described above, in the first embodiment, the hospital information system 10, the anonymous value evaluation system 20, and the distribution information management system 30 are configured by different information processing apparatuses. However, the hospital information system 10, the anonymous value evaluation system 20, and distribution The information management system 30 may be configured with a single information processing apparatus.

  FIG. 19 is an explanatory diagram of anonymization processing by the information processing system 100. The hospital information server 103 starts a program at a predetermined timing such as nighttime batch processing, and starts the processing of FIG.

  The hospital information server 103 first reads target data from the hospital medical information DB 19 (step S10). That is, the CPU receives target data from the storage device 4. The hospital information server 103 is not limited to the configuration in which the target data is read from the internal storage device 4, but may be configured to receive the target data from an external file server or the like. The target data may be extracted from medical information within a predetermined period such as one day, one month, or one year, or may be extracted from data having a predetermined attribute value such as internal medicine, surgery, cardiology. .

  Next, the hospital information server 103 normalizes the notation of the read target data and the data length and order of each item in a predetermined format, registers them in the anonymous information DB 18, and notifies the anonymous value evaluation system 20. (Step S20).

  The anonymous value evaluation system 20 reads the target data from the anonymous information DB 18 (step S30), and determines whether or not the value data exists in the search information storage DB 25 for each word in the target data (step S40). The anonymous value evaluation system 20 proceeds to step S60 when the value data of all words exist in the search information storage DB 25 (step S40, Yes), and when there is insufficient value data (step S40, No), Value data of the word is acquired from an external device, in this example, the search engine 40 (step S50). Note that the value information of the words existing in the search information storage DB 25 other than the value data acquired from the search engine is acquired from the search information storage DB 25 (step S60).

  Further, the anonymous value evaluation system 20 creates abstraction candidates by replacing each item of the target data with an abstracted word (category) to satisfy anonymity (step S70). When there are a plurality of items that can be abstracted, all patterns are created when each item is abstracted and when it is not abstracted. For example, if the target data includes three items A, B, and C and all items can be abstracted, and the abstracted items are A ′, B ′, and C ′, as shown in FIG. Seven candidate patterns can be created, such as A ′, B, C when only A is abstracted, and A ′, B ′, C when items A and B are abstracted.

  Next, the anonymous value evaluation system 20 calculates the value of the abstraction candidate of each pattern based on the value data of each word included in the abstraction candidate (step S80), and performs the test based on the value of this abstraction candidate. The order is determined (step S90). For example, the test order is determined in descending order of the value. Although it is desirable to test all candidate patterns, abstract candidates that are too low in value may be removed from the order based on the values of the abstract candidates. For example, you may remove the abstraction candidates of less than a predetermined ratio, such as after a predetermined number or less than half, in order of high value. Moreover, you may remove the abstraction candidate from which the value of the abstraction candidate became less than the predetermined ratio with respect to the value of object data. This reduces the number of tests and shortens the processing time.

  According to the order of this test, the anonymous value evaluation system 20 tests the anonymity of the abstraction candidate (step S100). For example, in order to test k-anonymity, the number (existence number) of combinations of different item values associated with one individual in the abstraction candidate is obtained. Alternatively, in order to test l diversity, the number (existence number) of combinations of values of the same item associated with one individual in the abstraction candidate is obtained. Then, the smallest of the existence numbers is obtained as the minimum number of appearances (k value) (step S110), and it is determined whether or not the minimum number of appearances exceeds 1 (step S120). That is, if the k value exceeds 1, k-anonymity is satisfied, and if it is 1, k-anonymity is not satisfied. Similarly, if the l value exceeds 1, l-diversity is satisfied, and if l value is 1, l-diversity is not satisfied.

  When the minimum number of appearances (k value / l value) does not exceed 1 (step S120, No), the anonymous value evaluation system 20 further abstracts the value of at least one item among the abstraction candidates, that is, Replacing with the abstracted word (step S130), the process returns to step S100. For example, if one patient has an attribute value of “foot fracture, 15 years old, male”, the patient is abstracted as “foot wound disease, 15 years old, male”.

On the other hand, when the minimum number of appearances (k value / l value) exceeds 1 (step S120, Yes), the anonymous value evaluation system 20 calculates the difference between the value of the abstraction candidate and the value of the original target data. Determining (step S140), and determining the difference, a value based on the difference, for example, the ratio of the difference to the value of the target data, and the ratio of the value of the abstraction candidate to the value of the target data as the value of the abstraction candidate (step S150).

  Further, the anonymous value evaluation system 20 determines whether there is a candidate pattern that has not been verified (step S160), and if there is a candidate pattern that has not been verified (step S160, Yes), the order determined in step S90. Then, the next abstraction candidate is identified (step S170), and the process returns to step S100 to test the next abstraction candidate.

  In this way, when the test is repeated for the abstraction candidates of each pattern and the next candidate pattern disappears (No in step S160), the anonymous value evaluation system 20 determines in step S150 based on the value of each abstraction candidate. Abstraction candidates to be adopted are selected and notified to the hospital information server 103 (step S180).

  For selection of abstraction candidates, for example, a predetermined number of abstraction candidates are selected in descending order of value among all candidate patterns. That is, the anonymization information is not limited to one pattern, and a plurality of patterns may be created.

  Further, the anonymous value evaluation system 20 may acquire request information from the distribution information management system 30 and select a predetermined number of abstraction candidates in descending order of value among candidate patterns that match the request information. Furthermore, the anonymous value evaluation system 20 outputs a plurality of abstraction candidates in descending order of value from all candidate patterns, and designates an abstraction candidate that the operator thinks appropriate from the output abstraction candidates. The designated abstraction candidate may be selected.

  The anonymous information DB 18 may be updated by overwriting the target data with the selected abstraction candidate to be anonymized data, or abstracting a word in the target data in the same way as the selected abstraction candidate. It may be anonymized data.

  The hospital information server 103 updates the target data in the anonymous information DB 18 based on the selected abstraction candidate, and notifies the distribution information management system 30 (step S190).

  The distribution information management system 30 reads anonymous information from the anonymous information DB 18, selects request information that matches the anonymous information, and transmits anonymous information that matches the destination address of the request information (step S200). Here, the matching between the anonymous information and the request information may be made when the attribute value of the anonymous information such as foot injury or hypertension and the word included in the condition of the request information match. In addition, the attribute value of the anonymous information and the request information are not limited to the case where the attribute value of the anonymous information and the word included in the request information condition are completely matched. May be determined to be suitable if the word is in a predetermined relationship such as a higher / lower relationship, a partial / whole relationship, a synonym relationship, or a synonym relationship.

  FIG. 21 is an explanatory diagram of processing in which the information processing system 100 outputs distribution information to a patient (user).

  The distribution information management system 30 receives distribution information for a specific attribute value of the anonymous information from the terminal 50 of another business operator (step S210). Here, the distribution information includes an attribute value indicating a distribution target and distribution contents such as an advertisement or a coupon output to the patient. For example, the terminal 50 transmits distribution information whose attribute value is “foot injury” and the distribution content is “taxi coupon”, and the distribution information management system 30 receives this distribution information.

Next, the distribution information management system 30 transmits the received distribution information, that is, the distribution target attribute value and the distribution content to the hospital information server 103 (step S220).

  The output control unit of the hospital information server 103 refers to the anonymous information DB, identifies the patient ID of the patient having the same attribute value as the received distribution information, in this example, the examination ticket number, and refers to the moral DB 33 to determine the patient. It is confirmed that the combination of the attribute value and the distribution information does not correspond to the moral DB (that is, it does not violate the morality), and the patient's examination ticket number and the distribution content are associated with each other and stored in the storage device 4 (step S230). In addition, when the combination of the attribute value and delivery information of the patient corresponds to the moral DB, the association with the patient ID is not performed.

  The hospital information server 103 reads the distribution information at a predetermined timing such as when each patient visits and outputs it to the patient (step S240).

  For example, when the patient causes the reception device 101 to read the examination ticket and receives it, the examination ticket number read by the reception device 101 is transmitted to the hospital information server 103, and the output control unit 17 of the hospital information server 103 The distribution information corresponding to the received medical examination ticket number is read from the storage device 4 and transmitted to the reception device 101, and the distribution information is printed on the reception sheet of the patient.

  Further, the output to the patient is not limited to this, and when performing the accounting process by reading the examination ticket number at the accounting input / output terminal, the examination ticket number is transmitted from the input / output terminal to the hospital information server 103, and the hospital information server 103, the output control unit 17 reads out the distribution information corresponding to the received examination ticket number from the storage device 4 and returns it to the input / output terminal, displays the distribution information together with the accounting amount on the display device of the input / output terminal, and May be presented.

  In addition, the patient information is output to the digital signage installed in the accounting waiting room when the examination ticket number is read and processed by the accounting input / output terminal, to the unspecified person including the patient. Alternatively, delivery information may be output.

  As described above, the information processing system 100 according to the first embodiment anonymizes medical information in a state of high utility value and provides anonymous information to the sender of the distribution information. The distribution information for the anonymous information corresponds to the anonymous information. Output for each individual. As a result, the information processing system 100 sufficiently anonymizes medical information so that a sender such as a recommendation can use the anonymized information.

  Further, since the information processing system 100 according to the first embodiment calculates the value of anonymous information based on the keyword statistical information used for the search by the search engine 40, sufficient anonymity is not required without requiring judgment by the operator. And can provide anonymous information and mediate distribution information mechanically.

<Modification>
In the first embodiment, the example in which the target data is collectively processed has been described. However, the present invention is not limited thereto, and the target data may be individually processed and distributed. FIG. 22 is an explanatory diagram of the anonymization process according to this modification. In addition, this modification differs in the flow of the anonymization process shown in FIG. 22 compared with the above-mentioned Embodiment 1, and the other structure is the same. For example, the hardware configuration of the information processing system 100 is the same, and the description thereof is omitted.

  When the patient causes the reception machine 101 to read the examination ticket, the reception machine 101 transmits the read examination ticket number to the hospital information server 103, and the hospital information server 103 sends the patient corresponding to this examination ticket number (hereinafter, target patient). Medical information including the information is also read from the medical information DB 19 as target information (step S10).

  Next, the hospital information server 103 normalizes the notation of the read target data and the data length, order, etc. of each item into a predetermined format, stores them in the memory, and notifies the anonymous value evaluation system 20 (step) S25).

  The anonymous value evaluation system 20 receives the target data (step S30), and determines whether value data exists in the search information storage DB 25 for each word in the target data (step S40). The hospital information server 103 proceeds to step S60 when the value data of all words exist in the search information storage DB 25 (step S40, Yes), and if there is insufficient value data (step S40, No), Word value data is acquired from an external device, in this example, the search engine 40 (step S50). Note that the value information of the words existing in the search information storage DB 25 other than the value data acquired from the search engine 40 is acquired from the search information storage DB 25 (step S60).

  Further, the anonymous value evaluation system 20 creates abstraction candidates by replacing each item of the target data with an abstracted word (category) so as to satisfy the anonymity of the data of the target patient (step S70). When there are a plurality of items that can be abstracted, all patterns are created when each item is abstracted and when it is not abstracted.

  Next, the anonymous value evaluation system 20 calculates the value of the abstraction candidate of each pattern based on the value data of each word included in the abstraction candidate (step S80), and performs a test based on the value of the abstraction candidate. An abstraction candidate to be performed is determined (step S95). For example, the abstraction candidates are determined as a predetermined number of abstraction candidates in descending order of value among all candidate patterns. Further, the anonymous value evaluation system 20 outputs a plurality of abstraction candidates in descending order of value from all candidate patterns, and designates an abstraction candidate that the operator thinks appropriate from the output abstraction candidates. The designated abstraction candidate may be determined.

  For these abstraction candidates, the anonymity value evaluation system 20 tests the anonymity of the abstraction candidates (step S100). For example, in order to test k-anonymity, the number (existence number) of combinations of different item values associated with one individual in the abstraction candidate is obtained. Alternatively, in order to test l diversity, the number (existence number) of combinations of values of the same item associated with one individual in the abstraction candidate is obtained. Then, the smallest of the existence numbers is obtained as the minimum number of appearances (k value / l value) (step S110), and it is determined whether or not the minimum number of appearances exceeds 1 (step S120).

  When the minimum number of appearances (k value / l value) does not exceed 1 (step S120, No), the anonymous value evaluation system 20 further abstracts the value of at least one item among the abstraction candidates, that is, Replacing with the abstracted word (step S130), the process returns to step S100.

  On the other hand, when the minimum number of appearances (k value / l value) exceeds 1 (step S120, Yes), the anonymous value evaluation system 20 selects the abstraction candidate and transmits it to the hospital information server 103 (step). S145).

  The hospital information server 103 updates the target data in the anonymous information DB 18 based on the selected abstraction candidate (step S155), and adds a unique anonymous information ID to the target patient's anonymous information (step S165). That is, this anonymous information ID is stored in the anonymous information DB 18 in association with the patient's examination ticket number, and the target patient can be identified from the anonymous information ID by referring to the anonymous information DB 18.

Then, the hospital information server 103 transmits the anonymous information of the target patient to which the anonymous information ID is added to the distribution information management system 30 (step S175). The anonymous information includes an anonymous information ID, an anonymized medical history, and the like, and does not include an examination ticket number.

  The distribution information management system 30 selects request information that matches the anonymous information received from the hospital information server 103, and transmits the anonymous information of the target patient to the transmission destination address of the request information (step S185).

  FIG. 23 is an explanatory diagram of processing in which the information processing system 100 outputs distribution information to a patient (user).

  The distribution information management system 30 receives distribution information for a specific anonymous information ID (attribute value) of the anonymous information from the terminal 50 of another business operator (step S210). Here, the distribution information has an anonymous information ID (attribute value) indicating a distribution target and distribution contents such as an advertisement and a coupon output to the patient. For example, the terminal 50 transmits distribution information whose anonymous information ID (attribute value) is “999” and the distribution content is “taxi coupon”, and the distribution information management system 30 receives this distribution information.

  Next, the distribution information management system 30 transmits the received distribution information, that is, the distribution target anonymous information ID (attribute value) and the distribution contents to the hospital information server 103 (step S220).

  The output control unit 17 of the hospital information server 103 refers to the anonymous information DB, and specifies a patient's examination ticket number having an attribute value corresponding to the anonymous information ID of the received distribution information (step S235).

  The hospital information server 103 outputs the distribution information to the patient by printing the distribution information associated with the examination ticket number on the reception receipt of the target patient (step S245). Note that the output to the patient is not limited to this, and when performing the accounting process by reading the examination ticket number at the accounting input / output terminal, the examination ticket number is transmitted from the input / output terminal to the hospital information server 103, and the hospital information server 103, the output control unit 17 reads out the distribution information corresponding to the received examination ticket number from the storage device 4 and returns it to the input / output terminal, displays the distribution information together with the accounting amount on the display device of the input / output terminal, and May be presented. Also, when reading the examination ticket number with the accounting input / output terminal and performing the accounting process, the distribution information is output to the digital signage installed in the accounting waiting room, and the distribution information is sent to unspecified persons including the patient. It may be output.

  As described above, the information processing system 100 according to the present modification anonymizes medical information of each patient as needed to provide anonymous information to the sender of the distribution information, and the patient corresponding to the distribution information for the anonymous information corresponds to the anonymous information. Can output.

<Embodiment 2>
FIG. 24 is a functional block diagram of the information processing system 200 according to the second embodiment, and FIG. 25 is a hardware configuration diagram of the information processing system 200. As shown in FIG. 24, the information processing system 200 is a system that notifies a user that a trespassing has been detected via a network such as a smart home appliance.

  When illegal intrusion is detected, it is necessary to notify the user promptly, and it may be possible to notify the user's mobile phone, but if the user does not have the mobile phone at hand, the notification may not be noticed. .

  For example, if the user is notified while driving, taking a bath, watching TV, or the like, the user may not notice the notification. For this reason, it is convenient that notification is performed not only on a mobile phone but also on a car navigation system, a television, or the like.

  However, when a notification is sent to a car navigation system or a TV, the notification is made through a system such as a server operated by the manufacturer of the car navigation system or the TV (other business operators). It cannot be provided to other companies without the user's consent.

  For this reason, for example, it is conceivable to ensure anonymity by encrypting the notification content, but even if the notification content is encrypted, if a specific user is notified when an illegal intrusion occurs, the user is notified. Since it is known that the intruder itself has been reported as an incident, there is a possibility that this user will be identified as a person involved in the incident, so anonymity is not sufficiently secured. .

  Therefore, the information processing system 200 according to the second embodiment performs abstract notification so as to sufficiently satisfy anonymity including the diversity of users who perform notification.

  The information processing system 200 according to the second embodiment includes a user information DB 219, an abstraction unit 211, a test unit 213, a selection unit 214, an encryption unit 215, a data reception unit 216, an output control unit 217, a value data acquisition unit 221, and a value determination. Functional units such as a unit 222, a value calculation unit 224, and a search information storage DB 225.

  The data reception unit 216 receives report data including identification information (anonymous information ID) of a notification destination user from the system 70 of the security company, and reads the user information of the user from the user information DB 219 onto the memory. In the present embodiment, the data receiving unit 216 also serves as a distribution information receiving unit that receives distribution information for a specific value (anonymous information ID) of anonymous information. In this example, an anonymous information ID is assigned in advance to each user who uses information for identifying the user, for example, the security company system 70, and the anonymous information ID is notified to the security company as the user identification information. .

  When diversifying the target data, the abstraction unit 211 generates abstraction candidates by replacing words (words) that are values of items in the target data with abstracted words. In this embodiment, a word (word) is a group of words such as a word or a phrase, a numerical value such as location information or a telephone number, identification information such as an e-mail address or an IP address, a symbol having the same meaning as the word, or the like. May be included.

  The test unit 213 performs test on the condition that the combination of the value of the item corresponding to one individual of the abstraction candidate is not single among the abstraction candidates. For example, the test unit 213 tests whether the abstraction candidate satisfies l-diversity.

  The selection unit 214 selects an abstraction candidate based on the value calculated by the anonymous value evaluation system 20 for the abstraction candidate that satisfies the test condition. For example, the selection unit 214 selects a predetermined number of abstraction candidates in descending order of value from a plurality of abstraction candidates satisfying l-diversity.

  The encryption unit 215 encrypts the notification data notified to the user. For example, the encryption unit 215 may encrypt the content with the target user's private key so that the notification content can be confirmed only on the target user's terminal.

  The output control unit 217 transmits the anonymized information to the system 60 of another business operator based on the distribution destination of the user information. In addition, in this embodiment, since it is the structure which distributes the anonymized notification data (distribution information) to the user terminal 80 via the server 60 of another provider, the output control part 17 is an output which outputs anonymous information. And a distribution unit that distributes distribution information to a user (individual).

  The user information DB 219 stores information on each user who performs notification (hereinafter also referred to as user information).

  The value data acquisition unit 221 acquires (receives) word value data included in the abstraction candidates generated by the abstraction unit 211 from the search information storage DB. In addition, when the value data of the word is not registered in the search information storage DB 225, the value data acquisition unit 221 makes a request to another device such as the search engine 40 or the SNS server, and stores the acquired value data as the search information storage. It has a function to register in the DB 225 (data request) and a function to periodically visit other devices to acquire the latest value data and update the value data registered in the search information storage DB 225.

The value determination unit 222 obtains the value of the abstraction candidate based on the value of the word included in the abstraction candidate.
The search information accumulation DB 225 stores the value of the word acquired by the value data acquisition unit 211 and the like. In the present embodiment, the value of the word may be a value (weight) indicating a priority when performing abstraction. For example, it may be a plurality of levels of weights that the operator defines in advance for each word.

  When the security company system 70 receives information (notification data) indicating that an abnormality has been detected from a detection device provided in each user's house, car, store, or the like, the notification data and the identification information of the user. Is transmitted to the information processing system 200.

  The detection device 71 detects an abnormality such as illegal intrusion, and transmits information indicating the abnormality (notification content) and information for specifying a user who notifies the abnormality (for example, a user ID) to the system 70 as notification data. The information for specifying the user may be the installation location (home address or the like) of the detection device 71 associated with the user ID, the address of the detection device 71, or the like. The detection device 71 is not limited to the detection of illegal intrusion, but also notifies the system 70 when a vehicle impact is detected and it is determined that there is an accident, or when the child or the elderly carries an abnormality. 70 may be notified.

  Further, the system 60 of another business operator relays the notification data received from the information processing system 200 to each user terminal 80. The user terminal 80 is a device having a function of receiving and outputting notification data, such as a mobile phone, a television, a car navigation system, and an audio. In addition, a so-called smart home appliance having a function of displaying information received via a network on an operation panel or the like may be used as the user terminal 80 even in an air conditioner, a refrigerator, a microwave oven, or the like.

  The user terminal 80 has, for example, a configuration that receives and displays a television program for a television as a main function unit, and a configuration that provides route guidance for a car navigation system as a main function. A decoding unit for decoding and an output control unit for outputting notification data are provided. The output of the notification data may be audio output or print output in addition to display output to the display device.

  As illustrated in FIG. 25, the information processing system 200 is a so-called information processing apparatus (computer) including an arithmetic processing unit 291, a communication control unit 293, a storage device 294, and an input / output interface 295.

The arithmetic processing unit 291 has a CPU and a main memory, and the CPU executes the program expanded in an executable manner in the main memory, whereby the abstraction unit 211, the test unit 213, the selection unit 214, and the encryption The function of the part 215, the data reception part 216, the output control part 217, the value data acquisition part 221, and the value determination part 222 is provided.

  The main memory can also be called a main storage device. The main memory stores, for example, a program executed by the CPU, data received via the communication control unit 293, data read from the storage device 294, and other data.

  The communication control unit 293 is connected to another device, for example, the detection device 71 or the system 60 of another business operator via a network, and controls communication with the device.

  The input / output interface 295 is appropriately connected to output means such as a display device and a printer, input means such as a keyboard and pointing device, and input / output means such as a drive device. The drive device is a removable storage medium read / write device, such as an input / output device for a flash memory card, a USB adapter for connecting a USB memory, or the like. The removable storage medium may be a disk medium such as a CD (Compact Disc), a DVD (Digital Versatile Disk), or a Blu-ray Disc. The drive device reads the program from the removable storage medium and stores it in the storage device 294.

The storage device 294 can also be referred to as an external storage device (auxiliary storage device). The storage device 294 may be an SSD (Solid State Drive), an HDD, or the like. Storage device 294
Transmits and receives data to and from the drive device. For example, the storage device 294 stores an information processing program installed from the drive device. In the storage device 204, a program and data are read by the arithmetic processing unit 291 and delivered to the main memory. In the second embodiment, the storage device 294 stores the user information DB 219 and the search information accumulation DB 225 described above.

  The basic hardware configuration of the security company system 70, the detection device 71, the system 60 of another business operator, and the user terminal 80 is the same as that shown in FIG. 71, the user terminal 80 is an information processing apparatus having an arithmetic processing unit, a communication control unit, a storage device, and an input / output interface.

  For example, in the detection device 71, a sensor for detecting an abnormality such as an infrared sensor, a glass breakage sensor, and an open / close sensor is connected to the input / output interface, and when the sensor detects an abnormality, the arithmetic processing unit passes through the communication control unit. The notification data is transmitted to the system 70.

  Further, in the user terminal 80, the arithmetic processing unit functions as a decoding unit and an output control unit, decodes the notification data received via the communication control unit, displays the output to the display device via the input / output interface, the speaker Audio output from the printer, print output by the printer, and the like.

  FIG. 26 is a diagram illustrating an example of the user information DB 219. The user information DB 219 of FIG. 26 stores, as user information, the user ID, name, age, sex, secret key, and transmission destination item for each user in association with each other.

  The user ID is information that uniquely identifies the user. The user ID is stored in association with an ID used in the security company system 70 and an ID used in the system 60 of another provider.

The secret key is key information for encrypting the notification data when transmitting the notification data.
The transmission destination is an address for transmitting notification data to the user terminal 80 used by each user, and is, for example, a mail address or an IP address.

  FIG. 27 is an explanatory diagram of a process of anonymizing (diversifying) notification data by the information processing system 200 and distributing it.

  When the detection device 71 detects an abnormality and transmits notification data to the security company system 70, the system 70 transfers the notification data to the information processing system 200, and when the information processing system 200 receives the information processing system 200. Reads the user information of the user (hereinafter also referred to as the target user) corresponding to the identification information of the notification data from the user information DB 219 (step S310).

  Next, the information processing system 200 normalizes the notation of the read target data, the data length of each item, the order, and the like into a predetermined format and stores them in the memory (step S325).

  The information processing system 200 reads the target data from the memory (step S330), and determines whether value data exists in the search information storage DB 225 for each word in the target data (step S340).

  The information processing system 200 proceeds to step S360 when the value data of all words are present in the search information storage DB 225 (step S340, Yes), and when there is insufficient value data (step S340, No), Word value data is obtained from an external device, in this example, the search engine 40 (step S350). In addition, the value information of the words existing in the search information storage DB 25 other than the value data acquired from the search engine 40 is acquired from the search information storage DB 225 (step S60).

  Further, the information processing system 200 creates abstraction candidates by replacing each item of the target data with an abstracted word (category) so as to satisfy the anonymity of the target user's data (step S370). When there are a plurality of items that can be abstracted, all patterns or a predetermined number of patterns in which each item is abstracted and not abstracted are created.

  Next, the information processing system 200 calculates the value of the abstraction candidate of each pattern based on the value data of each word included in the abstraction candidate (step S380), and performs a test based on the value of the abstraction candidate. Abstraction candidates are determined (step S395). The abstraction candidate is determined, for example, as an abstraction candidate having the highest value among all candidate patterns.

  For these abstraction candidates, the information processing system 200 tests the anonymity of the abstraction candidates (step S400). For example, in order to test 1 diversity, the number (existence number) of combinations of values of the same item associated with one user in the abstraction candidate is obtained. Then, the smallest one of the existence numbers is obtained as the minimum appearance number (l value) (step S410), and it is determined whether or not the minimum appearance number exceeds 1 (step S420).

  When the minimum appearance number (l value) does not exceed 1 (No in step S420), the information processing system 200 further abstracts the value of at least one item among the abstract candidates, that is, the abstract word (Step S430), and the process returns to step S400.

  On the other hand, when the minimum number of appearances (l value) exceeds 1 (step S420, Yes), the information processing system 200 selects the abstraction candidate (step S445).

  The information processing system 200 extracts user information having an attribute value corresponding to the selected abstraction candidate (step S455), and obtains the transmission destination of each user (step S465).

  Further, the information processing system 200 encrypts the notification data with the private key of the target user (step S475).

  Then, the information processing system 200 transmits the encrypted notification data to the transmission destination of each user obtained in step S465 (step S485).

  The transmitted notification data is received by each user terminal 80 via each system 60 of another business operator. Each user terminal 80 that has received the notification data reads the secret key of each user stored in the memory, and decrypts the notification data using the secret key.

  Here, the user terminal 80 of the target user can be correctly decrypted because the secret keys match, and the decrypted notification content is output. On the other hand, in the user terminal 80 of another user, since the secret key is different from that used for the encryption, the decryption fails, so that no output is performed. That is, the notification content is notified only to the target user.

  As described above, if notification data is notified only to a target user, there is a possibility that an individual can be identified. Therefore, in the second embodiment, a plurality of users satisfying l-diversity including a dummy user in addition to the target user are included. To send notification data.

  Thereby, the information processing system 200 of this embodiment can notify sensitive information via the system of another provider while maintaining anonymity.

<Others>
The present invention is not limited to the illustrated examples described above, and various modifications can be made without departing from the scope of the present invention.

3 Communication Control Unit 4 Storage Device 5 Input / Output Interface 10 Hospital Information System 11 Abstraction Unit 13 Testing Unit 14 Selection Unit 15 Data Update Unit 16 Data Accepting Unit 17 Output Control Unit 20 Anonymous Value Evaluation System 21 Value Data Acquisition Unit 22 Value Determination Unit 23 Word category analysis unit 24 Value calculation unit 30 Distribution information management system 31 Anonymous data output unit 32 Distribution data reception unit 40 Search engine 41 Data output unit 50 Terminal 60 System of other business operator 70 Security company system 71 Detection device 80 User terminal 100 Information processing system 101 Reception machine 102 Input / output terminal 103 Hospital information server 200 Information processing system

Claims (3)

A data receiving unit that receives target data including a plurality of items associated with an individual;
An abstraction unit that generates abstraction candidate data by replacing a word that is a value of an item in the target data with an abstracted word;
A value determination unit that receives the value of the word included in the abstraction candidate data and obtains the value of the abstraction candidate data based on the value of the word included in the abstraction candidate data;
A test unit that tests on condition that a combination of values of items of the abstraction candidate data is not limited to one individual of the target data;
An output unit that outputs the abstraction candidate data selected based on the value of the abstraction candidate data satisfying the test condition as anonymous information;
A distribution information receiving unit for receiving distribution information for a specific value of the anonymous information;
A distribution unit that distributes the distribution information to an individual corresponding to the specific value;
An information processing apparatus comprising: Receiving target data including a plurality of items associated with an individual;
Generating abstract candidate data by replacing words that are values of items in the target data with abstract words;
Receiving the value of the word included in the abstraction candidate data, and determining the value of the abstraction candidate data based on the value of the word included in the abstraction candidate data;
Testing a condition that a combination of values of the abstraction candidate data items is not limited to one individual of the target data;
Selecting abstraction candidate data based on the value of abstraction candidate data satisfying the test condition; receiving distribution information for a specific value of the abstraction data;
Delivering the delivery information to an individual corresponding to the specific value;
An information processing method in which a computer executes. Receiving target data including a plurality of items associated with an individual;
Generating abstract candidate data by replacing words that are values of items in the target data with abstract words;
Receiving the value of the word included in the abstraction candidate data, and determining the value of the abstraction candidate data based on the value of the word included in the abstraction candidate data;
Testing a condition that a combination of values of the abstraction candidate data items is not limited to one individual of the target data;
Selecting abstraction candidate data based on the value of abstraction candidate data satisfying the test condition; receiving distribution information for a specific value of the abstraction data;
Delivering the delivery information to an individual corresponding to the specific value;
Processing program for causing a computer to execute.

Images