CN108009443A - Method and system for accessing data - Google Patents

Method and system for accessing data

Info

Publication number
CN108009443A
Authority
CN
China
Prior art keywords
data
access
desensitization
medical
target
Legal status
Pending
Application number
CN201711243806.3A
Other languages
Chinese (zh)
Inventor
陆广林
陈逸龙
Current Assignee
Guangzhou Tian Peng Computer Science And Technology Co Ltd
Original Assignee
Guangzhou Tian Peng Computer Science And Technology Co Ltd
Application filed by Guangzhou Tian Peng Computer Science And Technology Co Ltd
Priority to CN201711243806.3A
Publication of CN108009443A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/60 Protecting data
    • G06F 21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F 21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F 21/6245 Protecting personal data, e.g. for financial or medical purposes

Abstract

The invention relates to a method and system for accessing data. An access application is received, and the target data unit to be accessed and the access rights are determined from it. When the access rights match a preset decryption right, the decryption key configured for the target data unit is obtained and returned to the access end. A data access request initiated by the access end is then received, the desensitized data is reverse-desensitized with the decryption key carried in the request, and the target data is obtained and returned. The desensitized data was produced by desensitizing the target data unit with the encryption key paired with that decryption key. In this scheme, when a data unit is accessed with access rights that match the decryption right, the desensitized data produced with the paired encryption key is reverse-desensitized with the decryption key and the complete target data is recovered, so the data can be processed accurately and effectively, meeting the requirements of big-data applications and data sharing.

Description

Method and system for accessing data
Technical field
The present invention relates to the field of data processing, and in particular to a method and system for accessing data.
Background
As big-data applications spread, they are proving valuable in every field. The sharing and use of medical data, for example, will play a major role in future smart healthcare and precision medicine, and the same holds for e-commerce data.
Normally, user data must be desensitized before use in order to hide sensitive items such as the name, ID card number and address in medical data. Under current mechanisms, however, once data has been desensitized only the desensitized data can be called when it is accessed or used; the data of individual users cannot be processed uniformly for big-data applications and data sharing, so access to shared data is inefficient. In the medical example, medical big-data applications cannot process each patient's medical data uniformly, which lowers the efficiency of access to shared medical data.
Summary of the invention
Against this background, it is necessary to address the low efficiency of access to shared data caused by traditional data desensitization techniques, and a method and system for accessing data are provided.
A method for accessing data comprises the following steps:
receiving an access application, determining the target data unit to be accessed from the access application, and judging the access rights from the access application;
if the access rights match a preset decryption right, obtaining and returning the decryption key configured for the target data unit;
receiving a data access request, reverse-desensitizing the desensitized data with the decryption key carried in the data access request, and obtaining and returning the target data; wherein the desensitized data was obtained by desensitizing the target data unit with an encryption key, and the encryption key is the key configured for the target data unit that is paired with the decryption key.
According to the data access method of the invention described above, the target data unit to be accessed and the access rights are determined from the access application; when the access rights match the preset decryption right, the decryption key configured for the target data unit is obtained and returned to the access end; the data access request initiated by the access end is received, the desensitized data is reverse-desensitized with the decryption key it carries, and the target data is obtained and returned; the desensitized data having been obtained by desensitizing the target data unit with the encryption key paired with that decryption key. In this scheme, when a data unit is accessed and the access rights match the decryption right, the desensitized data produced with the paired encryption key is reverse-desensitized with the decryption key and the complete target data is recovered, so the data can be processed accurately and effectively, meeting the requirements of big-data applications and data sharing.
Further, receiving the access application comprises the following step:
receiving identity information and authenticating it against an authentication database; the access application is accepted only if the authentication succeeds.
Further, the method for accessing data also comprises the following step:
if the access rights do not match the preset decryption right, returning the desensitized data after the data access request is received.
Further, the target data unit is a target medical data unit.
Further, the method for accessing data also comprises the following steps:
collecting original medical data and converting it into medical data units;
configuring a paired encryption key and decryption key for each medical data unit, and desensitizing each medical data unit with its encryption key to obtain the desensitized data of the individual medical data units.
Further, converting the original medical data into medical data units comprises the following step:
converting the original medical data into multiple medical data units, one per patient case.
Further, the content of a medical data unit includes patient information, the name of the medical institution, the medical data type, the medical data business index and the time at which the medical data was generated.
Further, the method for accessing data also comprises the following step:
after the access ends, updating the encryption key of the target medical data unit, desensitizing the target medical data unit again with the updated encryption key, and so regenerating the desensitized data of the target medical data unit.
Further, the method for accessing data also comprises the following step:
after the access request has been received and the preset access-right period has elapsed, updating the encryption key of the target medical data unit, desensitizing the target medical data unit again with the updated encryption key, and so regenerating the desensitized data of the target medical data unit.
A system for accessing data comprises:
an authorization center module, which receives the access application, determines the target data unit to be accessed from it and judges the access rights from it, and, if the access rights match the preset decryption right, obtains and returns the decryption key configured for the target data unit; and
a data center module, which receives the data access request, reverse-desensitizes the desensitized data with the decryption key carried in the data access request, and obtains and returns the target data; wherein the desensitized data was obtained by desensitizing the target data unit with the encryption key, and the encryption key is the key, paired with the decryption key, that the authorization center module configured for the target data unit.
According to the data access system of the invention described above, the authorization center module determines the target data unit to be accessed and the access rights from the access application and, when the access rights match the preset decryption right, obtains the decryption key configured for the target data unit and returns it to the access end; the data center module receives the data access request initiated by the access end, reverse-desensitizes the desensitized data with the decryption key it carries, and obtains and returns the target data; the desensitized data having been obtained by desensitizing the target data unit with the encryption key paired with the decryption key. In this scheme, when a data unit is accessed and the access rights match the decryption right, the desensitized data produced with the paired encryption key is reverse-desensitized with the decryption key and the complete target data is recovered, so the data can be processed accurately and effectively, meeting the requirements of big-data applications and data sharing.
A readable storage medium stores an executable program which, when executed by a processor, implements the steps of the data access method described above.
An access device comprises a memory, a processor, and an executable program stored in the memory and runnable on the processor; when the processor executes the program, the steps of the data access method described above are implemented.
In accordance with the data access method described above, the invention also provides a readable storage medium and an access device for implementing that method by means of a program.
Brief description of the drawings
Fig. 1 is a flow diagram of the data access method of one embodiment;
Fig. 2 is a structural diagram of the data access system of one embodiment;
Fig. 3 is a structural diagram of the data access system of one embodiment;
Fig. 4 is a schematic diagram of an application scenario of the data desensitization method of one embodiment;
Fig. 5 is a schematic diagram of the principle and mechanism of medical data desensitization and dynamic authorized access in one specific embodiment;
Fig. 6 is a schematic diagram of the principle and mechanism of medical data desensitization and dynamic authorized access in one specific embodiment.
Detailed description
So that the objects, technical solutions and advantages of the present invention may be understood more clearly, the invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described here only explain the invention and do not limit its scope of protection.
Fig. 1 is a flow diagram of the data access method of one embodiment of the invention. The data access method of this embodiment comprises the following steps:
Step S110: receiving an access application, determining the target data unit to be accessed from the access application, and judging the access rights from the access application;
In this step, the access application may be initiated by the access end; analysing the access application yields the target data unit and the access rights.
Step S120: if the access rights match a preset decryption right, obtaining and returning the decryption key configured for the target data unit;
In this step, the decryption right is what permits the decryption key of the target data unit to be obtained.
Step S130: receiving a data access request, reverse-desensitizing the desensitized data with the decryption key carried in the data access request, and obtaining and returning the target data; wherein the desensitized data was obtained by desensitizing the target data unit with an encryption key, and the encryption key is the key configured for the target data unit that is paired with the decryption key.
In this step, the data access request may be initiated by the access end and carries the decryption key; when the data access request is received, the decryption key is used to reverse-desensitize the desensitized data that was produced with the encryption key, yielding the complete target data. Note that the decryption key therefore transits the access end before it comes back in the request, so the channel between the access end and the data center must be protected, and the key-rotation steps described below bound how long a leaked key stays useful.
In this embodiment, the target data unit to be accessed and the access rights are determined from the access application; when the access rights match the preset decryption right, the decryption key configured for the target data unit is obtained and returned to the access end; the data access request initiated by the access end is received, the desensitized data is reverse-desensitized with the decryption key it carries, and the target data is obtained and returned; the desensitized data having been obtained by desensitizing the target data unit with the encryption key paired with the decryption key. In this scheme, when a data unit is accessed and the access rights match the decryption right, the desensitized data produced with the paired encryption key is reverse-desensitized with the decryption key and the complete target data is recovered, so the data can be processed accurately and effectively, meeting the requirements of big-data applications and data sharing.
Optionally, the data of this embodiment may be any type of data used by big-data applications, including but not limited to e-commerce, medical, financial and logistics data.
Optionally, the encryption key and decryption key form a pair: two keys computed with a symmetric-key algorithm, one used as the encryption key and the other as the decryption key. Specifically, the symmetric-key algorithm may be one of the 256-bit SM3 or SM4 algorithms issued by the Office of State Commercial Cryptography Administration (国家商用密码管理办公室), or AES. A practitioner should note that SM3 is a hash function and not a cipher, so of the three only SM4 (a 128-bit block cipher) and AES can serve as the symmetric cipher here, and that with a symmetric cipher the encryption key and decryption key are in practice the same key, so whoever holds the decryption key can also re-encrypt.
In one embodiment, receiving the access application comprises the following step:
receiving identity information and authenticating it against an authentication database; the access application is accepted only if the authentication succeeds.
In this embodiment, the identity information of the party initiating the access must be authenticated before the access application is accepted. The identity information of legitimate parties is stored in the authentication database; only if the authentication database authenticates the identity information is the initiator treated as a legitimate identity whose access application can be accepted, which prevents data from being leaked maliciously.
In one embodiment, the method for accessing data also comprises the following step:
if the access rights do not match the preset decryption right, returning the desensitized data after the data access request is received.
In this embodiment, access rights that do not match the preset decryption right mean that the visitor may access the data but has no decryption right, i.e. may not obtain the sensitive information in the data. In that case only the desensitized data is returned after the access request is received: the sensitive information stays hidden while the other, non-sensitive data can be accessed, so the usefulness of the data is maximized.
In one embodiment, the target data unit is a target medical data unit.
In this embodiment, the object of desensitization may be medical data. Since medical data involves private information such as the patient's basic information and medical information, it has to be hidden by desensitization; yet in application scenarios such as data sharing, or others where a manager needs the data, desensitized data cannot be used normally. The scheme of this embodiment is therefore applied to medical data, making medical data easy to share and manage.
In one embodiment, the method for accessing data also comprises the following steps:
collecting original medical data and converting it into medical data units;
configuring a paired encryption key and decryption key for each medical data unit, and desensitizing each medical data unit with its encryption key to obtain the desensitized data of the individual medical data units.
In this embodiment, the original medical data comprises all the initial medical data that needs to be used, and a medical data unit may be the smallest unit of medical data management. Because each encryption key corresponds to one data unit, the desensitized data is more secure, and the decryption key can be used when the data is accessed.
In one embodiment, converting the original data into data units comprises the following step:
converting the original medical data into multiple medical data units, one per patient case.
In this embodiment, the original data is converted into data units one patient case at a time, so that after desensitization the case data of different patients, and of different stages of the same patient, can be placed under different access restrictions. Medical data is fine-grained; for the safety of the data, a user can be restricted to a particular case of a particular patient and prevented from accessing the medical data units holding that patient's other cases or other patients' cases, which stops users from accessing medical data beyond their authorization.
In one embodiment, the content of a medical data unit includes patient information, the name of the medical institution, the medical data type, the medical data business index and the time at which the medical data was generated.
In this embodiment, the content of a medical data unit may include several kinds of data, such as patient information, the name of the medical institution, the medical data type, the medical data business index and the medical data generation time, to support fine-grained data encryption.
It should be noted that the medical data business index includes the master index number, medical record number, admission number, outpatient number and the like; these serve as the index entries of the medical data, so that users can find the medical data they need promptly.
In one embodiment, the method for accessing data also comprises the following step:
after the access ends, updating the encryption key of the target medical data unit, desensitizing the target medical data unit again with the updated encryption key, and so regenerating the desensitized data of the target medical data unit.
In this embodiment, the encryption key of the target medical data unit can be updated after the access ends and the data desensitized again, which removes the risk that a stolen decryption key leads to leakage of the medical data.
Optionally, since the medical data exists in desensitized form when the access ends, the original decryption key can first be obtained and used to reverse-desensitize the desensitized data and recover the target medical data unit; the recovered unit is then desensitized with the updated encryption key, regenerating the desensitized data of the target data unit. The decryption key is updated at the same time to match the updated encryption key.
In one embodiment, the method for accessing data also comprises the following step:
after the access request has been received and the preset access-right period has elapsed, updating the encryption key of the target medical data unit, desensitizing the target medical data unit again with the updated encryption key, and so regenerating the desensitized data of the target medical data unit.
In this embodiment, an access-right period can be set for the decryption key. When the access request is received, the decryption key begins to be used to reverse-desensitize the desensitized data; once the access-right period has elapsed, the encryption key of the target medical data unit can be updated and the data desensitized again, which removes the risk that a stolen decryption key leads to leakage of the medical data.
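The flow of steps S110 to S130, the desensitized-only path for a caller without decryption rights, and the key rotation of the two embodiments above, as an added Go example that is not part of the patent: the authorization center holds one symmetric key per data unit and returns it only when the subject's rights match; the data center stores the masked record plus the sensitive fields sealed under that key and reverse-desensitizes on request. AES-256-GCM stands in for the SM4 or AES the page names (an assumption, since the patent specifies no mode), the unit, subject names and field values are constructed for the example, and the authenticated tag is what makes a wrong or rotated key fail cleanly instead of decrypting to garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Sensitive holds the fields the page says must be hidden: name, ID number, address.
type Sensitive struct{ Name, IDNo, Address string }

// Unit is one medical data unit (one patient case); only two of the page's clear fields are kept.
type Unit struct {
	UnitID, Institution, Index string
	Sensitive                  Sensitive
}

// AuthorizationCenter keeps one symmetric key per unit (so encrypt and decrypt key coincide;
// SM4 or AES on the page, AES-256-GCM here) and the decrypt rights granted to each subject.
type AuthorizationCenter struct {
	keys   map[string][]byte          // unit ID -> key
	rights map[string]map[string]bool // subject -> unit ID -> decrypt right granted
}

func (a *AuthorizationCenter) ConfigureKey(unitID string) []byte {
	a.keys[unitID] = make([]byte, 32)
	rand.Read(a.keys[unitID]) // crypto/rand.Read never returns an error on Go 1.24+
	return a.keys[unitID]
}

// RequestAccess is steps S110/S120: the key comes back only when the subject's access rights
// match the unit's decrypt rights; nil means desensitized data only.
func (a *AuthorizationCenter) RequestAccess(subject, unitID string) []byte {
	if a.rights[subject][unitID] {
		return a.keys[unitID]
	}
	return nil
}

// DataCenter stores, per unit, the masked record and the sealed sensitive block (nonce || ciphertext).
type DataCenter struct {
	masked map[string]Unit
	sealed map[string][]byte
}

// Desensitize seals the sensitive block under key and leaves "***" placeholders in the record.
func (d *DataCenter) Desensitize(u Unit, key []byte) {
	pt, _ := json.Marshal(u.Sensitive)
	block, _ := aes.NewCipher(key) // keys are always 32 bytes here
	g, _ := cipher.NewGCM(block)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	d.sealed[u.UnitID] = g.Seal(nonce, nonce, pt, nil)
	u.Sensitive = Sensitive{"***", "***", "***"}
	d.masked[u.UnitID] = u
}

// Access is step S130: a nil key yields the desensitized unit; with a key the sensitive block is
// restored, and a wrong or stale key fails the GCM tag check instead of returning garbage.
func (d *DataCenter) Access(unitID string, key []byte) (Unit, error) {
	u, ok := d.masked[unitID]
	if !ok {
		return Unit{}, fmt.Errorf("unknown unit %q", unitID)
	}
	if key == nil {
		return u, nil
	}
	block, err := aes.NewCipher(key) // rejects a key of the wrong length from the request
	if err != nil {
		return Unit{}, err
	}
	g, _ := cipher.NewGCM(block)
	ct, n := d.sealed[unitID], g.NonceSize()
	pt, err := g.Open(nil, ct[:n], ct[n:], nil)
	if err != nil {
		return Unit{}, fmt.Errorf("reverse desensitization failed: %w", err)
	}
	err = json.Unmarshal(pt, &u.Sensitive)
	return u, err
}

// Demo runs the flow on one constructed unit and returns the name a doctor with decrypt rights
// sees, the name a researcher without them sees, and the error the doctor's key gives after rotation.
func Demo() (string, string, error) {
	a := &AuthorizationCenter{keys: map[string][]byte{}, rights: map[string]map[string]bool{"doctor": {"case-001": true}}}
	d := &DataCenter{masked: map[string]Unit{}, sealed: map[string][]byte{}}
	u := Unit{"case-001", "Hospital A", "MRN-7781", Sensitive{"Zhang San", "440100199001011234", "1 Example Road"}}
	d.Desensitize(u, a.ConfigureKey(u.UnitID))
	doctorKey := a.RequestAccess("doctor", "case-001")
	full, _ := d.Access("case-001", doctorKey)
	masked, _ := d.Access("case-001", a.RequestAccess("researcher", "case-001"))
	// Rotation after access (or after the access-right window): re-desensitize under a fresh key.
	d.Desensitize(full, a.ConfigureKey("case-001"))
	_, stale := d.Access("case-001", doctorKey)
	return full.Sensitive.Name, masked.Sensitive.Name, stale
}

func main() {
	fmt.Println(Demo())
}
```

As the page describes, the key is handed to the client and comes back in the data access request, so nothing in the data center itself tells a legitimate holder from someone who captured the key in transit; the rotation at the end of Demo is what makes such a captured key useless once the access window closes.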
In one embodiment, converting the original data into data units comprises the following step:
checking the original medical data against a default data type and numeric range, and converting the original medical data into medical data units only if its content matches the default data type and numeric range.
In this embodiment, the original medical data may contain errors introduced during collection; checking it against the default data type and numeric range ensures that the medical data units obtained by conversion are accurate.
In one embodiment, checking the original medical data against the default data type and numeric range comprises the following step:
recording the data source object from which the original medical data came and the operation object that performed the collection of the original medical data.
In this embodiment, while the original medical data is being checked, the data source object from which it came and the operation object that collected it can be recorded, so that when an error appears in the original medical data the corresponding data source object and collecting operation object can be looked up and the original medical data corrected promptly.
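The type-and-range check and the recording of source object and collecting operator, as an added Go example (not the patent's own code): every field rule, record, source name and operator ID below is constructed for the example. Records that fail a rule come back as rejections carrying their provenance, so the bad row can be traced to the system and operator that produced it; a duplicate case ID is rejected as well, which goes slightly beyond the page but follows from one case mapping to exactly one unit.

```go
package main

import (
	"fmt"
	"strconv"
)

// RawRecord is one row as collected from a source system, carrying the provenance the
// page says to record: the data source object and the operator who performed collection.
type RawRecord struct {
	Source, Operator string
	Fields           map[string]string // values as collected, untyped
}

// FieldRule is the default data type and numeric range a field must satisfy.
type FieldRule struct {
	Kind     string  // "string" or "number"
	Min, Max float64 // inclusive bounds, used for "number"
	Required bool
}

// Rejection keeps enough to find and correct the bad record at its origin.
type Rejection struct {
	Source, Operator, CaseID, Field, Reason string
}

// MedicalUnit is one validated unit; the page converts one patient case into one unit.
type MedicalUnit struct {
	CaseID string
	Values map[string]string
}

// check returns the first rule violation in r, or an empty reason if it conforms.
func check(r RawRecord, rules map[string]FieldRule) (field, reason string) {
	for name, rule := range rules {
		v, ok := r.Fields[name]
		switch {
		case !ok || v == "":
			if rule.Required {
				return name, "missing"
			}
		case rule.Kind == "number":
			f, err := strconv.ParseFloat(v, 64)
			if err != nil {
				return name, "not a number: " + v
			}
			if f < rule.Min || f > rule.Max {
				return name, fmt.Sprintf("%v outside [%v, %v]", f, rule.Min, rule.Max)
			}
		}
	}
	return "", ""
}

// Convert checks every raw record against rules and turns the conforming ones into units
// keyed by case ID; the rest come back as rejections with source and operator attached.
func Convert(records []RawRecord, rules map[string]FieldRule) (map[string]MedicalUnit, []Rejection) {
	units, rejected := map[string]MedicalUnit{}, []Rejection{}
	for _, r := range records {
		caseID := r.Fields["case_id"]
		if field, reason := check(r, rules); reason != "" {
			rejected = append(rejected, Rejection{r.Source, r.Operator, caseID, field, reason})
			continue
		}
		if _, dup := units[caseID]; dup {
			rejected = append(rejected, Rejection{r.Source, r.Operator, caseID, "case_id", "duplicate case"})
			continue
		}
		units[caseID] = MedicalUnit{CaseID: caseID, Values: r.Fields}
	}
	return units, rejected
}

// Rules and Sample are constructed for the example; the source and operator names are made up.
var Rules = map[string]FieldRule{
	"case_id":     {Kind: "string", Required: true},
	"institution": {Kind: "string", Required: true},
	"age":         {Kind: "number", Min: 0, Max: 130, Required: true},
	"systolic":    {Kind: "number", Min: 50, Max: 300},
}

var Sample = []RawRecord{
	{"hospital-A/HIS", "op-17", map[string]string{"case_id": "A-1001", "institution": "Hospital A", "age": "54", "systolic": "138"}},
	{"hospital-A/HIS", "op-17", map[string]string{"case_id": "A-1002", "institution": "Hospital A", "age": "213"}},
	{"hospital-B/LIS", "op-03", map[string]string{"case_id": "B-0007", "institution": "Hospital B", "age": "61", "systolic": "n/a"}},
	{"hospital-B/LIS", "op-03", map[string]string{"case_id": "B-0008", "institution": "Hospital B", "age": "29"}},
}

func main() {
	units, rejected := Convert(Sample, Rules)
	fmt.Println(len(units), "units accepted")
	for _, rj := range rejected {
		fmt.Printf("rejected %s from %s (collected by %s): %s %s\n", rj.CaseID, rj.Source, rj.Operator, rj.Field, rj.Reason)
	}
}
```

Each constructed record has at most one violation, so the rejection reasons do not depend on the order in which Go iterates the rule map.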
In accordance with the data access method described above, the invention also provides a system for accessing data; embodiments of the data access system of the invention are described in detail below.
Fig. 2 is a structural diagram of the data access system of one embodiment of the invention. The data access system of this embodiment comprises:
an authorization center module 210, which receives the access application, determines the target data unit to be accessed from it and judges the access rights from it, and, if the access rights match the preset decryption right, obtains and returns the decryption key configured for the target data unit; and
a data center module 220, which receives the data access request, reverse-desensitizes the desensitized data with the decryption key carried in the data access request, and obtains and returns the target data; wherein the desensitized data was obtained by desensitizing the target data unit with the encryption key, and the encryption key is the key, paired with the decryption key, that the authorization center module configured for the target data unit.
In this embodiment, the authorization center module 210 determines the target data unit to be accessed and the access rights from the access application and, when the access rights match the preset decryption right, obtains the decryption key configured for the target data unit and returns it to the access end; the data center module 220 receives the data access request initiated by the access end, reverse-desensitizes the desensitized data with the decryption key it carries, and obtains and returns the target data; the desensitized data having been obtained by desensitizing the target data unit with the encryption key paired with the decryption key. In this scheme, when a data unit is accessed and the access rights match the decryption right, the desensitized data produced with the paired encryption key is reverse-desensitized with the decryption key and the complete target data is recovered, so the data can be processed accurately and effectively, meeting the requirements of big-data applications and data sharing.
In one embodiment, as shown in Fig. 3, the data access system further comprises an authentication center module 230, which receives identity information and authenticates it against an authentication database; only when the authentication succeeds does the authorization center module 210 accept the access application.
In one embodiment, when the access rights do not match the preset decryption right, the data center module 220 returns the desensitized data after receiving the data access request.
In one embodiment, the target data unit is a target medical data unit.
In one embodiment, the data center module 220 collects original medical data and converts it into medical data units, configures a paired encryption key and decryption key for each medical data unit, and desensitizes each medical data unit with its encryption key to obtain the desensitized data of the individual medical data units.
In one embodiment, the data center module 220 converts the original medical data into multiple medical data units, one per patient case.
In one embodiment, the content of a medical data unit includes patient information, the name of the medical institution, the medical data type, the medical data business index and the time at which the medical data was generated.
In one embodiment, after the access ends the authorization center module 210 updates the encryption key of the target medical data unit, and the data center module 220 desensitizes the target medical data unit again with the updated encryption key, regenerating its desensitized data.
In one embodiment, after the access request has been received and the preset access-right period has elapsed, the authorization center module 210 updates the encryption key of the target medical data unit, and the data center module 220 desensitizes the target medical data unit again with the updated encryption key, regenerating its desensitized data.
In one embodiment, the data center module 220 checks the original medical data against a default data type and numeric range and converts the original medical data into medical data units only if its content matches the default data type and numeric range.
In one embodiment, the data center module 220 records the data source object from which the original medical data came and the operation object that performed its collection.
The data access system of the invention corresponds one-to-one with the data access method of the invention; the technical features and advantages set out in the embodiments of the data access method above apply equally to the embodiments of the data access system.
In accordance with the data access method described above, embodiments of the invention also provide a readable storage medium and an access device. The readable storage medium stores an executable program which, when executed by a processor, implements the steps of the data access method described above; the access device comprises a memory, a processor, and an executable program stored in the memory and runnable on the processor, and when the processor executes the program the steps of the data access method described above are implemented.
In a specific embodiment, the scheme of the embodiment of the present invention can be applied to a scenario whose core is intelligent medical big data formed from large amounts of medical data.
The sharing and use of medical data will play a huge role in future intelligent medicine and precision medicine. Application scenarios such as assisted diagnosis, tiered diagnosis and treatment, chronic disease management and collaborative scientific research all take as their core the intelligent medical big data formed from large amounts of medical data, which requires medical data to be regulated and standardized, centralized and managed on a platform.
Before medical data enter the big data platform, the real medical data must undergo desensitization processing to hide certain sensitive data, such as name, identity card number and address. Data can be desensitized with different algorithms that obfuscate or hide all or part of the data. However, traditional processing mechanisms all use one-way processing, also called one-way desensitization: once data have been desensitized and are then accessed or used, they cannot be returned to the data as they were before desensitization. With the further development of medical big data applications and medical data sharing applications, simple one-way desensitization can no longer meet complex application requirements.
For example, in tiered diagnosis and treatment, chronic disease management and collaborative scientific research scenarios, desensitized data may, at the time of use, need to be restored to and displayed as the original data; that is, the desensitized data need to be recoverable.
The embodiment of the present invention proposes a high-granularity desensitization mode that supports data recovery. This mode combines advanced data encryption with a dynamic data access control mechanism to support both the desensitization of the data of a medical big data platform and secure access to those data.
The application scenario is shown in Figure 4. The data of hospital A and the data of hospital B enter the data cloud platform after desensitization. When a user uses the data of the cloud platform, the user can effectively obtain the data permitted by the user's authority, including the recoverable data that the authority allows.
The desensitized data can be used with dynamic access: access to patient data can be dynamically licensed to hospitals, doctors and scientific research personnel. Because medical data are fine-grained data, the data of different patients, and the data of different stages and different domains for the same patient, may be subject to different access permission controls. That is, for the safety of the data, authorization is performed for specific case data of a specific patient, so that a user authorized for one patient cannot access the data of other patients without authorization. Accordingly, the precision of data authorization management must also meet higher requirements.
The principle and mechanism of medical data desensitization and dynamic authorized access are shown in Figure 5 and Figure 6:
Authentication center: responsible for authenticating users and confirming the authenticity of user identities. The authentication center is required to use an asymmetric encryption algorithm. The authentication key consists of a personal public key and private key; the public key and private key are used together to complete authentication, which is verified by digital signature. In the disclosure of this patent, the authentication center uses a certification authority authorized by the state.
Identity authentication mechanism: the authentication key consists of a personal public key and private key, and authentication is verified by digital signature. The public key and private key are used together to complete identity authentication.
Authorization center: responsible for the dynamic, real-time authorization of data access permissions. The authorization center is responsible for providing the encryption key required for data encryption and the decryption key required to restore the data.
Data center: provides data to users in a secure manner. If the data to be provided need to be restored, the data center must obtain the decryption key required to restore the data from the authorization center.
User: the business entity that accesses the desensitized data; it may be a person or a system.
Business system permissions: an external module that defines the data access permissions of the business.
In data desensitization, the key point is the generation and use of the encryption key. All sensitive data go through the following steps of the data desensitization flow:
Raw data acquisition: original medical clinical data refers to data that need desensitization and are to be loaded into the data center. Raw data acquisition refers to the preparation of the data before desensitization. The acquired data must be guaranteed, in a verifiable way, to retain their integrity, confidentiality and availability during transmission and storage. Each operating system user and database user involved in data acquisition can also be audited.
Data unit determination: the business module responsible for data acquisition organizes the collected original medical clinical data into data units.
A data unit is the smallest unit of medical data that the embodiment of the present invention can manage; patient case data are used as the data unit. The size of a data unit depends on all of its index dimensions. The index dimensions of patient case data include patient information, medical institution information, data type information, data business index information (master index, case number, admission number, outpatient number, etc.), data time information, etc., so as to support high-granularity data encryption. A concrete application can increase or decrease the index dimensions according to business requirements, to define the required data unit size.
Encryption key application: the data desensitization module (the business module responsible for data desensitization) applies to the authorization center for an encryption key.
Encryption key generation: the authorization center processes the application of the data desensitization module, generates an encryption key for each data unit, and returns it to the data desensitization module.
Data encryption: the data desensitization module obtains the required encryption key from the authorization center and applies it to the data unit, producing the corresponding desensitized data.
Data loading: the data desensitization module loads the desensitized data it produced into the data center.
When the authorization center receives the application of the data desensitization module, it generates a case key. The case key is a key pair configured exclusively for each patient's case data, by data unit, comprising an encryption key used for desensitizing the medical data and a decryption key used by users to restore the data; both are calculated with a symmetric key algorithm. Each data unit corresponds to one case key. The symmetric key algorithm uses the 256-bit SM3 or SM4 algorithms issued under the national commercial cryptography standards, or the AES algorithm. The case key is managed by the authorization center and used by the data desensitization module. The authorization center is responsible for generating or updating the case key of patient data and notifying the data desensitization module. When the data desensitization module receives a new case key, it desensitizes the data again (reverse-desensitizing with the old access key, then desensitizing with the new encryption key).
Data access requires authorization; data can be viewed and used only when authorized. With partial authorization or no authorization, only the desensitized data, that is, the encrypted data, can be seen. The data access flow includes the following steps:
Applying for authentication: the user applies to the authentication center for identity authentication. The user provides the user's own public key and private key to the authentication center.
Identity authentication: the authentication center processes the application and authenticates the user's identity.
Applying for authorization: after the user's identity is authenticated, a data access application is submitted to the authorization center. The request parameters include the user, the data range (used to determine which data units need to be accessed) and any parameters relevant to permissions.
Authorization: according to the business system authorization, the authorization center determines the data units for this access of the user and the access level of each data unit, obtains the corresponding decryption keys, and returns them to the user.
Data access: using the data access permission information obtained from the authorization center, the user submits a data read request to the data center.
Data decryption and delivery: the data center accesses the data according to the data permission information in the user's request. The data permission information is in units of data units. If the access level requires the data to be decrypted, the data center decrypts the desensitized data using the decryption key in the data permission information and returns them to the user.
The embodiment of the present invention uses an authorization scheme based on dynamic key management to realize permission control and decryption key authorization management when users access desensitized data:
Centralized case key management: both encryption and decryption require obtaining the case key through the authorization center. A case key has an access right time limit.
Data permission integration: the data access permissions of the medical application business system are integrated into the dynamic authorized access mechanism of the authorization center. In units of data units, for a given user, the external business system permissions provide the data units the user can access and the access level of each data unit.
Desensitized data generation: generating desensitized data is a data encryption process whose key point is the design of the encryption key. First, the business module responsible for generating the desensitized data organizes the original data into data units. It then reads the required encryption keys from the authorization center and applies them to these data units, producing the corresponding desensitized data.
Desensitized data use: using desensitized data is a data reading and data decryption process. The business module or user that uses the data first accesses the authorization center to obtain, in real time, dynamic data access permissions and the corresponding decryption keys. "Dynamic" here means that the access permissions can change according to the business system permissions. The user then uses the obtained permissions to access the data center and obtain the data. The data center is responsible for processing the data according to the permissions, including data decryption.
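The desensitization flow (one encryption key applied per data unit) and the dynamic authorized access flow (the authorization center releases a decryption key only for the granted access level, and the data center reverse-desensitizes only when that key is present), as an added worked example in Python. This is not code from the patent or its assignee. The class and field names, the "masked"/"restore" access levels, the DataUnit index fields and the sample records are all assumptions, and, because the Python standard library ships no SM4 or AES, the reversible cipher is an HMAC-SHA256 counter-mode keystream with an HMAC tag standing in for the SM4/AES case-key encryption the description names.

```python
import hashlib
import hmac
import secrets
from collections import namedtuple

SENSITIVE_FIELDS = ("name", "id_card", "address")  # the fields the description calls sensitive
KEY_LEN, NONCE_LEN, TAG_LEN = 32, 16, 32
# One data unit = one patient case, indexed by the dimensions the description lists (assumed names).
DataUnit = namedtuple("DataUnit", "patient_id institution data_type case_no period")

def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode as a PRF keystream: a stand-in for SM4/AES."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key, plaintext):
    """Reversible desensitization of one value: nonce || ciphertext || HMAC tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Reverse desensitization; fails closed on a wrong case key or tampered data."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong case key or tampered desensitized data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

class AuthorizationCenter:
    """Holds one case key per data unit and the access levels set by the business system."""
    def __init__(self):
        self._case_keys, self._grants = {}, {}  # unit -> key; (user, unit) -> level
    def issue_case_key(self, unit):
        key = self._case_keys[unit] = secrets.token_bytes(KEY_LEN)  # symmetric: one secret encrypts and decrypts
        return key
    def set_business_grant(self, user, unit, level):
        self._grants[(user, unit)] = level  # "masked" or "restore", supplied by the external business system
    def authorize(self, user, units):
        """Per-unit permission info; the decryption key is released only at 'restore' level."""
        perm = {}
        for unit in units:
            level = self._grants.get((user, unit))
            if level is not None:  # ungranted units are absent, so they cannot be read at all
                key = self._case_keys[unit] if level == "restore" else None
                perm[unit] = {"level": level, "decryption_key": key}
        return perm

class DesensitizationModule:
    def __init__(self, authz):
        self._authz, self._keys = authz, {}
    def desensitize(self, unit, record):
        if unit not in self._keys:  # apply to the authorization center for this unit's encryption key
            self._keys[unit] = self._authz.issue_case_key(unit)
        return {f: seal(self._keys[unit], v.encode()).hex() if f in SENSITIVE_FIELDS else v for f, v in record.items()}
    def rotate(self, unit, desensitized):
        """Key renewal: reverse-desensitize with the old key, then desensitize with a new one."""
        old = self._keys.pop(unit)
        plain = {f: unseal(old, bytes.fromhex(v)).decode() if f in SENSITIVE_FIELDS else v
                 for f, v in desensitized.items()}
        return self.desensitize(unit, plain)

class DataCenter:
    def __init__(self):
        self.store = {}  # unit -> desensitized record, as loaded by the desensitization module
    def read(self, unit, permission):
        """Deliver the unit, decrypted only when the permission info carries its decryption key."""
        if unit not in permission:
            raise PermissionError("data unit not authorized for this user")
        record, key = dict(self.store[unit]), permission[unit]["decryption_key"]
        if permission[unit]["level"] == "restore" and key is not None:
            for f in SENSITIVE_FIELDS:
                if f in record:
                    record[f] = unseal(key, bytes.fromhex(record[f])).decode()
        return record

def demo():
    """Constructed end-to-end flow with made-up sample records."""
    authz = AuthorizationCenter()
    dc, module = DataCenter(), DesensitizationModule(authz)
    unit = DataUnit("P001", "Hospital A", "outpatient", "C-1", "2017-11")
    other = DataUnit("P002", "Hospital B", "inpatient", "C-7", "2017-11")
    dc.store[unit] = module.desensitize(unit, {"name": "Zhang San", "id_card": "110101XX", "diagnosis": "flu"})
    dc.store[other] = module.desensitize(other, {"name": "Li Si", "diagnosis": "fracture"})
    authz.set_business_grant("doctor", unit, "restore")
    authz.set_business_grant("researcher", unit, "masked")
    doctor_perm = authz.authorize("doctor", [unit, other])
    out = {"doctor": dc.read(unit, doctor_perm), "researcher": dc.read(unit, authz.authorize("researcher", [unit]))}
    try:  # the doctor was granted one patient's case only; the data center refuses the other patient's unit
        dc.read(other, doctor_perm); out["cross_patient"] = "allowed"
    except PermissionError:
        out["cross_patient"] = "denied"
    dc.store[unit] = module.rotate(unit, out["researcher"])  # key renewal re-desensitizes the stored unit
    try:  # a permission still holding the old case key must no longer restore the data
        dc.read(unit, doctor_perm); out["stale_key"] = "restored"
    except ValueError:
        out["stale_key"] = "rejected"
    out["after_rotation"] = dc.read(unit, authz.authorize("doctor", [unit]))["name"]
    return out
```

Calling `demo()` exercises the properties the description asks for: the doctor with a "restore" grant gets the name and ID card back, the researcher with a "masked" grant sees only the encrypted values alongside the non-sensitive fields, a grant limited to one patient's case does not reach another patient's unit, and once the authorization center renews a case key, a permission issued with the old key can no longer restore the data until the user obtains a fresh authorization.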
The technical features of the embodiments described above can be combined arbitrarily. For brevity, not all possible combinations of the technical features in the above embodiments have been described; however, as long as there is no contradiction in a combination of these technical features, it should be considered within the scope recorded in this specification.
Those of ordinary skill in the art will understand that all or part of the steps of the methods in the above embodiments can be completed by a program instructing the related hardware. The program can be stored in a readable storage medium. When the program is executed, it performs the steps described in the above methods. The storage medium includes: ROM/RAM, magnetic disk, optical disc, etc.
The embodiments described above express only several embodiments of the present invention, and their description is relatively specific and detailed, but it must not therefore be construed as limiting the scope of the patent. It should be pointed out that, for those of ordinary skill in the art, various modifications and improvements can be made without departing from the concept of the invention, and these fall within the protection scope of the present invention. Therefore, the protection scope of the present patent shall be determined by the appended claims.

Claims (10)

1. A data access method, characterized by comprising the following steps:
receiving an access application, determining the target data unit to be accessed according to the access application, and judging the access rights according to the access application;
if the access rights match a preset decryption right, obtaining and returning the decryption key configured for the target data unit;
receiving a data access request, reverse-desensitizing desensitized data according to the decryption key in the data access request, and obtaining and returning the target data; wherein the desensitized data are obtained by desensitizing the target data unit according to an encryption key, and the encryption key is the key configured for the target data unit that is paired with the decryption key.
2. The data access method according to claim 1, characterized in that the step of receiving an access application comprises the following steps:
receiving identity information, authenticating the identity information according to an authentication database, and, if the authentication passes, receiving the access application.
3. The data access method according to claim 1, characterized by further comprising the following step:
if the access rights do not match the preset decryption right, returning the desensitized data after the data access request is received.
4. The data access method according to claim 1, characterized in that the target data unit is a target medical data unit.
5. The data access method according to claim 4, characterized by further comprising the following steps:
acquiring original medical data and converting the original medical data into medical data units;
configuring a paired encryption key and decryption key for each medical data unit, and desensitizing the corresponding medical data unit according to its encryption key, to obtain the desensitized data of the different medical data units.
6. The data access method according to claim 5, characterized in that the step of converting the original medical data into medical data units comprises the following step:
converting the original medical data into a plurality of medical data units in units of patient case data.
7. The medical data desensitization method according to claim 5, characterized in that the content of a medical data unit includes patient information, medical institution name, medical data type, medical data business index and medical data generation time.
8. The data access method according to claim 5, characterized by further comprising the following step:
after the access, updating the encryption key of the target medical data unit, desensitizing the target medical data unit according to the updated encryption key, and regaining the desensitized data of the target medical data unit.
9. The data access method according to claim 5, characterized by further comprising the following step:
after the access request is received and the preset access right time has elapsed, updating the encryption key of the target medical data unit, desensitizing the target medical data unit according to the updated encryption key, and regaining the desensitized data of the target medical data unit.
10. A data access system, characterized by comprising:
an authorization center module, configured to receive an access application, determine the target data unit to be accessed according to the access application, and judge the access rights according to the access application; and, if the access rights match a preset decryption right, to obtain and return the decryption key configured for the target data unit;
a data center module, configured to receive a data access request, reverse-desensitize desensitized data according to the decryption key in the data access request, and obtain and return the target data; wherein the desensitized data are obtained by desensitizing the target data unit according to an encryption key, and the encryption key is the key, paired with the decryption key, that the authorization center module configured for the target data unit.
CN201711243806.3A 2017-11-30 2017-11-30 The access method and system of data Pending CN108009443A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711243806.3A CN108009443A (en) 2017-11-30 2017-11-30 The access method and system of data

Publications (1)

Publication Number Publication Date
CN108009443A true CN108009443A (en) 2018-05-08

Family

ID=62055805

Country Status (1)

Country Link
CN (1) CN108009443A (en)

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109063507A (en) * 2018-07-13 2018-12-21 上海派兰数据科技有限公司 A kind of general design model for hospital information system analysis
CN109726586A (en) * 2018-12-17 2019-05-07 杭州安恒信息技术股份有限公司 Data fine granularity authorization sharing method, system and electronic equipment
CN109871703A (en) * 2019-02-28 2019-06-11 佛山市云端容灾信息技术有限公司 Big data exchange management method, device, storage medium and server
CN111193755A (en) * 2020-04-14 2020-05-22 傲林科技有限公司 Data access method, data encryption method and data encryption and access system
CN111460512A (en) * 2020-04-21 2020-07-28 重庆忽米网络科技有限公司 Automatic desensitization data acquisition and distribution system and method
CN112541196A (en) * 2020-12-23 2021-03-23 北京理工大学 Dynamic data desensitization method and system
CN113010919A (en) * 2021-03-22 2021-06-22 北京神州数字科技有限公司 Protection method for sensitive data and private data
CN113259382A (en) * 2021-06-16 2021-08-13 上海有孚智数云创数字科技有限公司 Data transmission method, device, equipment and storage medium
CN113285942A (en) * 2021-05-19 2021-08-20 广东电网有限责任公司 Data sharing method and device for transformer substation, electronic equipment and storage medium
CN115361683A (en) * 2022-08-19 2022-11-18 中移互联网有限公司 Service access method, SIM card, server and service platform

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6946445B1 (en) * 1998-03-13 2005-09-20 The University Of British Columbia Therapeutic chemokine receptor antagonists
CN104392405A (en) * 2014-11-14 2015-03-04 杭州银江智慧医疗集团有限公司 Electronic medical record safety system
CN105138927A (en) * 2015-08-12 2015-12-09 中国联合网络通信集团有限公司 Privacy data protection method and apparatus
CN105787381A (en) * 2014-12-26 2016-07-20 北大医疗信息技术有限公司 Data access control method and apparatus
CN105975870A (en) * 2016-05-19 2016-09-28 上海点荣金融信息服务有限责任公司 Data desensitization method and system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (Application publication date: 20180508)