CN108009443A - The access method and system of data - Google Patents
- Publication number
- CN108009443A (application CN201711243806.3A)
- Authority
- CN
- China
- Prior art keywords
- data
- access
- desensitization
- medical
- target
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G06F21/6245—Protecting personal data, e.g. for financial or medical purposes
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Health & Medical Sciences (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Software Systems (AREA)
- Computer Security & Cryptography (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Computer Hardware Design (AREA)
- Medical Informatics (AREA)
- Databases & Information Systems (AREA)
- Storage Device Security (AREA)
Abstract
The present invention relates to a data access method and system. The target data unit to be accessed and the access rights are determined according to an access application; when the access rights match preset decryption rights, the decryption key configured for the target data unit is obtained and returned to the access end. A data access request initiated by the access end is then received, the desensitized data are reverse-desensitized according to the decryption key carried in the request, and the target data are obtained and returned. The desensitized data are obtained by desensitizing the target data unit according to an encryption key paired with the decryption key. In this scheme, when a data unit is accessed and the access rights match the decryption rights, the decryption key is used to reverse-desensitize data that were desensitized with the paired encryption key, so the complete target data can be obtained. This facilitates accurate and effective processing of the data and meets the application requirements of big data applications and data sharing.
Description
Technical field
The present invention relates to technical field of data processing, more particularly to the access method and system of a kind of data.
Background technology
As big data applications become more widespread, they play an important role in every field; for example, the sharing and use of medical data play a major part in the coming intelligent and precision medicine, as do e-commerce data.
Normally, user data must undergo desensitization processing before use in order to hide sensitive data such as the name, identity card number and address in medical data. Under current processing mechanisms, however, once data have been desensitized only the desensitized data can be called when the data are accessed or used; the data of individual users cannot be processed uniformly for big data applications and data sharing, so the access efficiency of shared data is low. In the medical data example above, medical big data applications and medical data sharing cannot process each patient's medical data uniformly, which lowers the access efficiency of shared medical data.
Summary of the invention
On this basis, it is necessary to provide a data access method and system that address the low access efficiency of shared data caused by traditional data desensitization technology.
A data access method comprises the following steps:
receiving an access application, determining the target data unit to be accessed according to the access application, and judging the access rights according to the access application;
if the access rights match preset decryption rights, obtaining and returning the decryption key configured for the target data unit;
receiving a data access request, reverse-desensitizing the desensitized data according to the decryption key carried in the data access request, and obtaining and returning the target data; wherein the desensitized data are obtained by desensitizing the target data unit according to an encryption key, the encryption key being a key configured for the target data unit and paired with the decryption key.
According to the medical data desensitization method of the invention described above, the target data unit to be accessed and the access rights are determined according to the access application; when the access rights match the preset decryption rights, the decryption key configured for the target data unit is obtained and returned to the access end; the data access request initiated by the access end is received, the desensitized data are reverse-desensitized according to the decryption key it carries, and the target data are obtained and returned; wherein the desensitized data are obtained by desensitizing the target data unit according to the encryption key paired with the decryption key. In this scheme, when a data unit is accessed and the access rights match the decryption rights, the decryption key is used to reverse-desensitize data that were desensitized with the paired encryption key, so the complete target data can be obtained. This facilitates accurate and effective processing of the data and meets the application requirements of big data applications and data sharing.
Further, the step of receiving the access application comprises the following steps:
receiving identity information and authenticating the identity information against an authentication database; if the authentication passes, receiving the access application.
Further, the data access method further comprises the following step:
if the access rights do not match the preset decryption rights, returning the desensitized data after the data access request is received.
Further, the target data unit is a target medical data unit.
Further, the data access method further comprises the following steps:
collecting original medical data and converting the original medical data into medical data units;
configuring a paired encryption key and decryption key for each medical data unit, and desensitizing the corresponding medical data unit according to its encryption key to obtain the desensitized data of each medical data unit.
Further, the step of converting the original medical data into medical data units comprises the following step:
converting the original medical data into multiple medical data units, taking patient case data as the unit.
Further, the content of a medical data unit includes patient information, the name of the medical institution, the medical data type, the medical data business index and the medical data generation time.
Further, the data access method further comprises the following step:
after the access ends, updating the encryption key of the target medical data unit, desensitizing the target medical data unit according to the updated encryption key, and regenerating the desensitized data of the target medical data unit.
Further, the data access method further comprises the following step:
after the access request has been received and the preset usage-right time has elapsed, updating the encryption key of the target medical data unit, desensitizing the target medical data unit according to the updated encryption key, and regenerating the desensitized data of the target medical data unit.
A data access system comprises:
an authorization center module, configured to receive an access application, determine the target data unit to be accessed according to the access application, and judge the access rights according to the access application; and, if the access rights match preset decryption rights, to obtain and return the decryption key configured for the target data unit;
a data center module, configured to receive a data access request, reverse-desensitize the desensitized data according to the decryption key carried in the data access request, and obtain and return the target data; wherein the desensitized data are obtained by desensitizing the target data unit according to an encryption key, the encryption key being the key that the authorization center module configures for the target data unit and that is paired with the decryption key.
According to the medical data desensitization system of the invention described above, the authorization center module determines the target data unit to be accessed and the access rights according to the access application and, when the access rights match the preset decryption rights, obtains and returns the decryption key configured for the target data unit to the access end; the data center module receives the data access request initiated by the access end, reverse-desensitizes the desensitized data according to the decryption key it carries, and obtains and returns the target data; wherein the desensitized data are obtained by desensitizing the target data unit according to the encryption key paired with the decryption key. In this scheme, when a data unit is accessed and the access rights match the decryption rights, the decryption key is used to reverse-desensitize data that were desensitized with the paired encryption key, so the complete target data can be obtained. This facilitates accurate and effective processing of the data and meets the application requirements of big data applications and data sharing.
A readable storage medium stores an executable program which, when executed by a processor, implements the steps of the data access method described above.
An access device comprises a memory, a processor, and an executable program stored in the memory and runnable on the processor; when the processor executes the program, the steps of the data access method described above are implemented.
According to the medical data access method of the invention described above, the present invention also provides a readable storage medium and an access device for implementing the data access method described above by means of a program.
Brief description of the drawings
Fig. 1 is a flow diagram of the data access method of one embodiment;
Fig. 2 is a structure diagram of the data access system of one embodiment;
Fig. 3 is a structure diagram of the data access system of one embodiment;
Fig. 4 is a schematic diagram of an application scenario of the data desensitization method of one embodiment;
Fig. 5 is a schematic diagram of the principle mechanism of medical data desensitization and dynamic authorized access in one specific embodiment;
Fig. 6 is a schematic diagram of the principle mechanism of medical data desensitization and dynamic authorized access in one specific embodiment.
Embodiment
In order to make the objects, technical solutions and advantages of the present invention clearer, the invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein only serve to explain the present invention and do not limit its scope of protection.
Fig. 1 is a flow diagram of the data access method of one embodiment of the invention. The data access method of this embodiment comprises the following steps:
Step S110: receiving an access application, determining the target data unit to be accessed according to the access application, and judging the access rights according to the access application;
In this step, the access application may be initiated by the access end; by analyzing the access application, the target data unit and the access rights can be determined.
Step S120: if the access rights match preset decryption rights, obtaining and returning the decryption key configured for the target data unit;
In this step, the effect of the decryption rights is to allow the decryption key of the target data unit to be obtained.
Step S130: receiving a data access request, reverse-desensitizing the desensitized data according to the decryption key carried in the data access request, and obtaining and returning the target data; wherein the desensitized data are obtained by desensitizing the target data unit according to an encryption key, the encryption key being a key configured for the target data unit and paired with the decryption key.
In this step, the data access request may be initiated by the access end and carries the decryption key. When the data access request is received, the decryption key can be used to reverse-desensitize the data that were desensitized with the encryption key, so as to obtain the complete target data.
In this embodiment, the target data unit to be accessed and the access rights are determined according to the access application; when the access rights match the preset decryption rights, the decryption key configured for the target data unit is obtained and returned to the access end; the data access request initiated by the access end is received, the desensitized data are reverse-desensitized according to the decryption key it carries, and the target data are obtained and returned; wherein the desensitized data are obtained by desensitizing the target data unit according to the encryption key paired with the decryption key. In this scheme, when a data unit is accessed and the access rights match the decryption rights, the decryption key is used to reverse-desensitize data that were desensitized with the paired encryption key, so the complete target data can be obtained. This facilitates accurate and effective processing of the data and meets the application requirements of big data applications and data sharing.
Optionally, the data in this embodiment may be any of the various types of data used in big data applications, including but not limited to e-commerce data, medical data, financial data and logistics data.
Optionally, the encryption key and the decryption key are a pair: two keys can be calculated using a symmetric key algorithm, one serving as the encryption key and the other as the decryption key. Specifically, the symmetric key algorithm may be one of the 256-bit SM3, SM4 or AES algorithms published by the "State Commercial Cryptography Administration Office".
In one embodiment, the step of receiving the access application comprises the following steps:
receiving identity information and authenticating the identity information against an authentication database; if the authentication passes, receiving the access application.
In this embodiment, the identity information of the initiator of the access must be authenticated before the access application is received. Legitimate identity information is stored in the authentication database; as long as the authentication database authenticates the identity information, the initiator is regarded as a legitimate identity and the access application it initiates can be received, which prevents malicious leakage of data.
In one embodiment, the data access method further comprises the following step:
if the access rights do not match the preset decryption rights, returning the desensitized data after the data access request is received.
In this embodiment, access rights that do not match the preset decryption rights mean that the visitor may access the data but holds no decryption rights, that is, it cannot obtain the sensitive information in the data. In this case, after the access request is received only the desensitized data can be returned: the sensitive information stays hidden while access to the other, non-sensitive data is permitted, which maximizes the utility of the data.
In one embodiment, the target data unit is a target medical data unit.
In this embodiment, the object of data desensitization may be medical data. Because medical data involve private information such as the patient's basic information and medical information, they must be hidden by desensitization; yet in application scenarios where data sharing or other management needs arise, desensitized data cannot be used normally. It is therefore necessary to apply the scheme of the embodiment of the present invention to medical data, which facilitates the sharing and management of medical data.
In one embodiment, the data access method further comprises the following steps:
collecting original medical data and converting the original medical data into medical data units;
configuring a paired encryption key and decryption key for each medical data unit, and desensitizing the corresponding medical data unit according to its encryption key to obtain the desensitized data of each medical data unit.
In this embodiment, the original medical data include all the initial medical data that need to be used, and a medical data unit may be the smallest unit of medical data management. Because each encryption key corresponds to one data unit, the desensitized data are more secure, and the decryption key can be used when the data are accessed.
In one embodiment, the step of converting the original data into data units comprises the following step:
converting the original medical data into multiple medical data units, taking patient case data as the unit.
In this embodiment, the original data are converted into data units with patient case data as the unit, so that after data desensitization the case data of different patients, and of different stages of the same patient, can be subject to different access restrictions. Medical data are fine-grained data; for the safety of the data, a user can be restricted to accessing certain case data of a certain patient, unable to access the medical data units holding the other case data of that patient and unable to access the medical data units holding the case data of other patients. In this way, unauthorized access by users accessing medical data is avoided.
In one embodiment, the content of a medical data unit includes patient information, the name of the medical institution, the medical data type, the medical data business index and the medical data generation time.
In this embodiment, the content of a medical data unit may include a variety of data, such as the patient information, the name of the medical institution, the medical data type, the medical data business index and the medical data generation time, so as to support fine-grained data encryption.
It should be noted that the medical data business index includes the master index number, medical record number, admission number, outpatient number and so on; these can serve as index entries for the medical data, allowing users to locate the medical data they need in time.
In one embodiment, the data access method further comprises the following step:
after the access ends, updating the encryption key of the target medical data unit, desensitizing the target medical data unit according to the updated encryption key, and regenerating the desensitized data of the target medical data unit.
In this embodiment, after the access ends, the encryption key of the target medical data unit can be updated and the data desensitization performed again, which avoids the risk that a stolen decryption key leads to leakage of the medical data.
Optionally, at the end of the access the medical data exist in the form of desensitized data; at this point the original decryption key can first be obtained and the desensitized data reverse-desensitized according to the original decryption key to obtain the target medical data unit, after which the updated encryption key is used to desensitize the obtained target medical data unit, regenerating the desensitized data of the target data unit. At the same time, the decryption key is updated according to the updated encryption key.
In one embodiment, the data access method further comprises the following step:
after the access request has been received and the preset usage-right time has elapsed, updating the encryption key of the target medical data unit, desensitizing the target medical data unit according to the updated encryption key, and regenerating the desensitized data of the target medical data unit.
In this embodiment, a usage-right time can be set for the decryption key. When the access request is received, the decryption key starts to be used to reverse-desensitize the desensitized data; once the usage-right time has elapsed, the encryption key of the target medical data unit can be updated and the data desensitization performed again, which avoids the risk that a stolen decryption key leads to leakage of the medical data.
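As an added illustration, not code from the patent or from any implementation of it, the following Go model exercises steps S110 to S130 and the key update described in the last two embodiments: an authorization center keeps one key per medical data unit and hands it out only to a caller whose rights include the decrypt right; a data center reverse-desensitizes with a valid key and otherwise returns the desensitized unit; after an access the unit's key is reissued and the unit re-desensitized, so a key that leaked during the access no longer opens it. The type and function names, the choice of AES-256-GCM as the symmetric algorithm (the text leaves SM4 or AES open), the single shared key standing in for the encryption/decryption pair, and the sample unit contents are all assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Right is a user's level for one medical data unit; the zero value means no access at all.
type Right int

const (
	AccessOnly Right = iota + 1 // may read the desensitized unit only
	Decrypt                     // may obtain the decryption key and recover the full unit
)

// MedicalUnit is one patient-case record; only Sensitive is desensitized, the rest stays indexable.
type MedicalUnit struct {
	CaseID, Institution, DataType, Generated string
	Sensitive                                []byte // name/ID card/address, or nonce||ciphertext once desensitized
}

// AuthorizationCenter holds the per-unit key (one AES key, since the cipher is symmetric) and per-user, per-unit rights.
type AuthorizationCenter struct {
	Keys   map[string][]byte
	Rights map[string]map[string]Right // user -> CaseID -> Right
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	rand.Read(b) // crypto/rand.Read never returns an error on supported platforms (Go 1.24+)
	return b
}

// IssueKey sets a fresh key for a unit and returns the replaced key (nil for a new unit); re-calling it is the key update.
func (a *AuthorizationCenter) IssueKey(caseID string) (old, fresh []byte) {
	old, a.Keys[caseID] = a.Keys[caseID], randBytes(32)
	return old, a.Keys[caseID]
}

// RequestAccess (steps S110/S120): resolve the caller's right on the unit; hand out the key only for the decrypt right.
func (a *AuthorizationCenter) RequestAccess(user, caseID string) ([]byte, error) {
	switch a.Rights[user][caseID] {
	case Decrypt:
		return a.Keys[caseID], nil
	case AccessOnly:
		return nil, nil // access allowed, but only to the desensitized data
	}
	return nil, errors.New("access denied")
}

func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

type DataCenter map[string]MedicalUnit // desensitized units by CaseID; the data center never keeps a key

// Store desensitizes a unit with the key the authorization center configured for it.
func (d DataCenter) Store(u MedicalUnit, key []byte) error {
	g, err := aead(key)
	if err == nil {
		nonce := randBytes(g.NonceSize())
		u.Sensitive = g.Seal(nonce, nonce, u.Sensitive, nil)
		d[u.CaseID] = u
	}
	return err
}

// Access (step S130): a valid key reverse-desensitizes; a nil key returns the desensitized unit; a wrong or stale key fails.
func (d DataCenter) Access(caseID string, key []byte) (MedicalUnit, error) {
	u, ok := d[caseID]
	if !ok {
		return MedicalUnit{}, errors.New("unknown unit")
	}
	if key == nil {
		return u, nil
	}
	g, err := aead(key)
	if err != nil || len(u.Sensitive) < g.NonceSize() {
		return MedicalUnit{}, errors.New("bad key or desensitized data")
	}
	if u.Sensitive, err = g.Open(nil, u.Sensitive[:g.NonceSize()], u.Sensitive[g.NonceSize():], nil); err != nil {
		return MedicalUnit{}, errors.New("reverse desensitization failed: wrong or stale key")
	}
	return u, nil
}

// ReKey re-desensitizes a unit after a key update: recover with the old key, seal with the new.
func (d DataCenter) ReKey(caseID string, old, fresh []byte) error {
	u, err := d.Access(caseID, old)
	if err != nil {
		return err
	}
	return d.Store(u, fresh)
}
```

The model is library-style: a caller builds an AuthorizationCenter with initialized maps, issues a key, stores the unit, and then drives RequestAccess, Access, IssueKey and ReKey in that order.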
In one embodiment, the step of converting the original data into data units comprises the following step:
checking the original medical data according to a preset data type and numerical range and, if the content of the original medical data matches the preset data type and numerical range, converting the original medical data into medical data units.
In this embodiment, the original medical data may contain errors introduced during collection; checking them against the preset data type and numerical range ensures the accuracy of the medical data units after conversion.
In one embodiment, the step of checking the original medical data according to the preset data type and numerical range comprises the following step:
recording the data source object from which the original medical data originate and the operation object that performed the collection of the original medical data.
In this embodiment, while the original medical data are being checked, the data source object from which they originate and the operation object that collected them can be recorded, so that if an error occurs in the original medical data, the corresponding data source object and collecting operation object can be looked up and the original medical data corrected in time.
In accordance with the data access method described above, the present invention also provides a data access system; embodiments of the data access system of the present invention are described in detail below.
Fig. 2 is a structure diagram of the data access system of one embodiment of the invention. The data access system of this embodiment comprises:
an authorization center module 210, configured to receive an access application, determine the target data unit to be accessed according to the access application, and judge the access rights according to the access application; and, if the access rights match preset decryption rights, to obtain and return the decryption key configured for the target data unit;
a data center module 220, configured to receive a data access request, reverse-desensitize the desensitized data according to the decryption key carried in the data access request, and obtain and return the target data; wherein the desensitized data are obtained by desensitizing the target data unit according to an encryption key, the encryption key being the key that the authorization center module configures for the target data unit and that is paired with the decryption key.
In this embodiment, the authorization center module 210 determines the target data unit to be accessed and the access rights according to the access application and, when the access rights match the preset decryption rights, obtains and returns the decryption key configured for the target data unit to the access end; the data center module 220 receives the data access request initiated by the access end, reverse-desensitizes the desensitized data according to the decryption key it carries, and obtains and returns the target data; wherein the desensitized data are obtained by desensitizing the target data unit according to the encryption key paired with the decryption key. In this scheme, when a data unit is accessed and the access rights match the decryption rights, the decryption key is used to reverse-desensitize data that were desensitized with the paired encryption key, so the complete target data can be obtained. This facilitates accurate and effective processing of the data and meets the application requirements of big data applications and data sharing.
In one embodiment, as shown in Fig. 3, the data access system further comprises an authentication center module 230, configured to receive identity information and authenticate it against an authentication database; when the authentication passes, the authorization center module 210 receives the access application.
In one embodiment, when the access rights do not match the preset decryption rights, the data center module 220 returns the desensitized data after receiving the data access request.
In one embodiment, the target data unit is a target medical data unit.
In one embodiment, the data center module 220 collects original medical data, converts the original medical data into medical data units, configures a paired encryption key and decryption key for each medical data unit, and desensitizes the corresponding medical data unit according to its encryption key to obtain the desensitized data of each medical data unit.
In one embodiment, the data center module 220 converts the original medical data into multiple medical data units, taking patient case data as the unit.
In one embodiment, the content of a medical data unit includes patient information, the name of the medical institution, the medical data type, the medical data business index and the medical data generation time.
In one embodiment, after the access ends the authorization center module 210 updates the encryption key of the target medical data unit, and the data center module 220 desensitizes the target medical data unit according to the updated encryption key, regenerating the desensitized data of the target medical data unit.
In one embodiment, after the access request has been received and the preset usage-right time has elapsed, the authorization center module 210 updates the encryption key of the target medical data unit, and the data center module 220 desensitizes the target medical data unit according to the updated encryption key, regenerating the desensitized data of the target medical data unit.
In one embodiment, the data center module 220 checks the original medical data according to a preset data type and numerical range and, if the content of the original medical data matches the preset data type and numerical range, converts the original medical data into medical data units.
In one embodiment, the data center module 220 records the data source object from which the original medical data originate and the operation object that performed the collection of the original medical data.
The data access system of the present invention corresponds one-to-one with the data access method of the present invention; the technical features and advantages set out in the embodiments of the data access method above apply equally to the embodiments of the data access system.
In accordance with the data access method described above, an embodiment of the present invention also provides a readable storage medium and an access device. The readable storage medium stores an executable program which, when executed by a processor, implements the steps of the data access method described above; the access device comprises a memory, a processor, and an executable program stored in the memory and runnable on the processor, and when the processor executes the program the steps of the data access method described above are implemented.
In one specific embodiment, the scheme of the embodiment of the present invention can be applied to scenarios centered on the medical intelligent big data formed from a large volume of medical data.
The sharing and use of medical data play a major role in the coming intelligent and precision medicine. Many application scenarios, such as auxiliary diagnosis and treatment, tiered diagnosis and treatment, chronic disease management and collaborative scientific research, are all centered on the medical intelligent big data formed from large volumes of medical data, and they require the medical data to be regulated and standardized, centralized and managed on a platform.
Before medical data enter the big data platform, the real medical data must undergo desensitization to hide sensitive data such as the name, identity card number and address. Data desensitization can use different algorithms to obfuscate or hide all or part of the data. Traditional processing mechanisms, however, all adopt one-way processing, also called one-way desensitization: once the data have been desensitized, the data before desensitization cannot be recovered when the desensitized data are accessed or used. With the further development of medical big data applications and medical data sharing applications, simple one-way desensitization can no longer meet the complex application requirements.
For example, in tiered diagnosis and treatment, chronic disease management and collaborative research scenarios, desensitized data must, when used, be restorable on request to a display of the original data; that is, the desensitized data must be recoverable.
The embodiment of the present invention proposes a fine-grained desensitization method that supports data recovery. It combines advanced data encryption with a dynamic data access control mechanism to support the desensitization and secure access of the data of a medical big data platform.
The application scenario is shown in Fig. 4. The data of hospital A and the data of hospital B enter the data cloud platform after desensitization. When using the data of the cloud platform, users can effectively obtain the data their rights permit, including recoverable data where their rights allow it.
Desensitized data can be used for dynamic access: access to patient data can be dynamically licensed to hospitals, doctors and scientific research personnel. Because medical data are fine-grained, the data of different patients, and of different stages and different domains of the same patient, may be subject to different access privilege controls; that is, for the safety of the data, authorization is performed for particular case data of a particular patient. This prevents a user authorized for one patient from accessing the data of other patients without authorization, so the precision of data authorization management is subject to higher requirements.
The principle and mechanism of medical data desensitization and dynamic authorized access are shown in Figure 5 and Figure 6:
Authentication center: responsible for authenticating users and confirming the authenticity of user identity. The authentication center is required to use an asymmetric encryption algorithm. The authentication key consists of a personal public key and private key; authentication is completed using the public key and private key together, and is verified through a digital signature. In this patent disclosure, the authentication center uses a certification authority licensed by the state.
Identity authentication mechanism: the authentication key consists of a personal public key and private key, and identity is verified through a digital signature. Authentication is completed by using the public key and private key together.
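The authentication exchange described for the authentication center, as an added example that is not part of the patent: the center enrolls each user's public key, issues a random challenge, and verifies the user's signature over it with Go's standard-library Ed25519. The enrollment table, the challenge-response shape and all names (AuthCenter, Enroll, Challenge, Verify, Authenticate, the user ID doctor-01) are this example's own assumptions; in particular it keeps the private key on the user's side and sends the center only the signature, which is what a digital-signature check needs.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// AuthCenter holds the public keys it has enrolled, keyed by user ID. The
// private half of each pair stays with the user (an assumption of this
// example; the patent text only says authentication uses a public/private
// key pair and a digital signature).
type AuthCenter struct {
	enrolled map[string]ed25519.PublicKey
}

func NewAuthCenter() *AuthCenter {
	return &AuthCenter{enrolled: make(map[string]ed25519.PublicKey)}
}

// Enroll registers a user's public key. In the patent this role belongs to a
// state-licensed certification authority; here a simple table stands in.
func (a *AuthCenter) Enroll(user string, pub ed25519.PublicKey) {
	a.enrolled[user] = pub
}

// Challenge returns a fresh random nonce the user must sign. Signing a nonce
// rather than a fixed message means an old signature cannot be replayed.
func (a *AuthCenter) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return nonce, nil
}

// Verify checks that the signature over the challenge was produced by the
// private key matching the user's enrolled public key.
func (a *AuthCenter) Verify(user string, challenge, sig []byte) error {
	pub, ok := a.enrolled[user]
	if !ok {
		return errors.New("unknown user")
	}
	if !ed25519.Verify(pub, challenge, sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

// Authenticate runs the full exchange for a user holding priv and reports
// whether the center accepted the identity.
func Authenticate(center *AuthCenter, user string, priv ed25519.PrivateKey) (bool, error) {
	challenge, err := center.Challenge()
	if err != nil {
		return false, err
	}
	sig := ed25519.Sign(priv, challenge)
	if err := center.Verify(user, challenge, sig); err != nil {
		return false, nil
	}
	return true, nil
}

func main() {
	center := NewAuthCenter()
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	center.Enroll("doctor-01", pub)
	ok, _ := Authenticate(center, "doctor-01", priv)
	fmt.Println("doctor-01 authenticated:", ok)
}
```

A signature from a key that is not the enrolled one, or from a user the center has never enrolled, is rejected; nothing secret ever travels to the center, so a compromised authentication center cannot impersonate users afterwards.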
Authorization center: responsible for dynamic, real-time authorization of data access privileges. The authorization center provides the encryption key needed for data encryption and the decryption key needed for restoring data.
Data center: provides data to users in a secure manner. If the data to be provided needs to be restored, the data center obtains the decryption key needed for restoring the data from the authorization center.
User: the business entity that accesses desensitized data; it can be a person or a system.
Operation system authority: an external module that defines the data access authority of the business.
In data desensitization, the key point is the generation and use of the encryption key. All sensitive data entering the desensitization flow go through the following steps:
Raw data acquisition: original medical clinical data refers to the data that needs desensitization and is to be loaded into the data center. Raw data acquisition refers to the preparation of the data before desensitization. The integrity, confidentiality and availability of the collected data must be protected and checkable during transmission and storage. Each operating system user and database user involved in data acquisition can also be audited.
Data unit determination: the business module responsible for data acquisition organizes the collected original medical clinical data into data units.
A data unit is the smallest unit of medical data that the embodiment of the present invention can manage; patient case data is used as the data unit. The size of a data unit depends on all of its dimensions. The index dimensions of patient case data include patient information, medical institution information, data type information, data business index information (master index, case number, admission number, outpatient number, etc.) and data time information, so as to support high-fineness data encryption. A concrete application can add or remove index dimensions according to business needs in order to define the required data unit size.
Encryption key application: the data desensitization module (the business module responsible for data desensitization) applies to the authorization center for an encryption key.
Encryption key generation: the authorization center processes the data desensitization module's application, generates an encryption key per data unit, and returns it to the data desensitization module.
Data encryption: the data desensitization module obtains the required encryption key from the authorization center and applies it to the data unit, producing the corresponding desensitized data.
Data loading: the data desensitization module loads the desensitized data it produced into the data center.
When the authorization center receives an application from the data desensitization module, it generates a case key. The case key is the key pair configured exclusively, per data unit, for each patient's case data; it includes an encryption key used for desensitizing the medical data and a decryption key with which the user restores the data, computed with a symmetric key algorithm. Each data unit corresponds to one case key. The case key is computed with a symmetric key algorithm; the symmetric key algorithm uses the 256-bit SM3 or SM4 algorithms issued under the commercial cryptography (SM) standards, or the AES algorithm. The authorization center is responsible for the case key, and the data desensitization module uses it. The authorization center generates or renews the case key of patient data and notifies the data desensitization module. When the data desensitization module receives a new case key, it desensitizes the data again (reverse desensitization with the old access key, then desensitization with the new encryption key).
Data access requires authorization; only when authorized can data be viewed and used. Under partial authorization, or without authorization, only the data after desensitization, that is, the encrypted data, can be seen. The data access flow includes the following steps:
Apply for authentication: the user applies to the authentication center for identity authentication. The user provides their own public key and private key to the authentication center.
Identity authentication: the authentication center processes the application and authenticates the user's identity.
Apply for authorization: after the user's identity has been authenticated, a data access application is submitted to the authorization center. The request parameters include the user, the data range (used to determine which data units need to be accessed) and any parameters relevant to the authority.
Authorize: the authorization center determines the data units of this access by the user according to the operation system's authorization, obtains the corresponding decryption key according to the access level of each data unit, and returns it to the user.
Data access: using the data access authority information obtained from the authorization center, the user submits a data read request to the data center.
Data decryption and delivery: the data center accesses the data according to the data authority information in the user's request. The data authority information is in units of data units. If the access level requires the data to be decrypted, the data center uses the decryption key in the data authority information to decrypt the desensitized data and returns it to the user.
The embodiment of the present invention uses an authorization scheme with dynamic key management to realize authority control and decryption key authorization management when users access desensitized data:
Centralized management of case keys: both encryption and decryption must obtain the case key through the authorization center. A case key has an access right time limit.
Data authority integration: the data access authority of the medical application operation system is integrated into the dynamic authorized access mechanism of the authorization center. In units of data units, for a given user, the external operation system authority provides the data units the user can access and the access level of each data unit.
Desensitized data generation: generating desensitized data is a data encryption process whose key point is the design of the encryption key. First, the business module responsible for generating desensitized data arranges the original data into data units. It then reads the required encryption key from the authorization center and applies it to these data units, producing the corresponding desensitized data.
Desensitized data use: using desensitized data is a data read and data decryption process. The business module or user that uses the data first accesses the authorization center to obtain, in real time, the dynamic data access authority and the corresponding decryption key. "Dynamic" means that the access rights can change according to the operation system authority. The user then uses the obtained authority to access the data center and obtain the data. The data center is responsible for processing the data according to the authority, including data decryption.
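An added example, not the patent's own code, that walks through both the desensitization flow above (data unit with index dimensions, case key issued per unit by the authorization center, encryption, key renewal with re-desensitization) and the access flow with dynamic key management (operation-system authority integrated into the authorization center, decryption key released per data unit and access level, time-limited case keys, data center delivering either restored or still-desensitized data). It uses Go's standard-library AES-256-GCM as a stand-in for the SM4 or AES the description names; every type and function name, the two access levels "decrypt" and "desensitized", and the sample patient record in the test are this example's assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"time"
)

// DataUnit is one patient case, the smallest manageable unit, indexed by the dimensions the description lists (field names are this example's own).
type DataUnit struct{ PatientID, Institution, DataType, CaseNo, Recorded string }

// ID names the unit's case key and is bound into its ciphertext as associated data.
func (u DataUnit) ID() string {
	return u.PatientID + "|" + u.Institution + "|" + u.DataType + "|" + u.CaseNo + "|" + u.Recorded
}

// caseKey is a unit's key with its access period; with AES-256-GCM (standing in for SM4 or AES) the encryption and decryption keys are the same 32 bytes.
type caseKey struct {
	key     []byte
	expires time.Time
}

// AuthCenter generates case keys and releases a decryption key only when the external operation-system authority (mirrored in the authority map) grants "decrypt" on a unit.
type AuthCenter struct {
	keys      map[string]caseKey
	authority map[string]map[string]string // user -> unit ID -> "decrypt" or "desensitized"
}

// IssueEncryptionKey creates, or on a later call renews, a unit's case key.
func (a *AuthCenter) IssueEncryptionKey(unitID string, expires time.Time) ([]byte, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	a.keys[unitID] = caseKey{k, expires}
	return k, nil
}

// Authorize returns the unit's decryption key if the user's level is "decrypt" and the access period has not lapsed; a nil key with nil error means desensitized data only.
func (a *AuthCenter) Authorize(user, unitID string, now time.Time) ([]byte, error) {
	level, ck := a.authority[user][unitID], a.keys[unitID]
	if level == "" || ck.key == nil {
		return nil, errors.New("no authority for this data unit")
	}
	if level != "decrypt" || now.After(ck.expires) {
		return nil, nil
	}
	return ck.key, nil
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Desensitize encrypts a unit under its case key, returning nonce || ciphertext || tag.
func Desensitize(u DataUnit, key, plaintext []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(u.ID())), nil
}

// Access is the data center's delivery step: with a key from Authorize it reverses the desensitization; with a nil key it returns the stored desensitized bytes unchanged.
func Access(u DataUnit, key, stored []byte) ([]byte, error) {
	if key == nil {
		return stored, nil
	}
	aead, err := gcm(key)
	if err != nil || len(stored) < aead.NonceSize() {
		return nil, errors.New("bad key or desensitized data")
	}
	return aead.Open(nil, stored[:aead.NonceSize()], stored[aead.NonceSize():], []byte(u.ID()))
}

// Redesensitize is the desensitization module's step on receiving a renewed case key: restore under the old key, then encrypt again under the new one (claims 8 and 9).
func Redesensitize(u DataUnit, oldKey, newKey, stored []byte) ([]byte, error) {
	if oldKey == nil || newKey == nil {
		return nil, errors.New("both case keys are required")
	}
	plain, err := Access(u, oldKey, stored)
	if err != nil {
		return nil, err
	}
	return Desensitize(u, newKey, plain)
}
```

Binding the unit's index dimensions into the GCM associated data means a ciphertext restored under one data unit cannot be presented as another unit's data, which is the per-case granularity the description asks for. The authority map is filled directly by the caller, standing in for the external operation-system authority module; a user with no entry for a unit is refused outright, a "desensitized" entry yields only the stored bytes, and an expired case key is treated the same way. After Redesensitize, the decryption key previously handed out no longer opens the stored data.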
The technical features of the embodiments described above can be combined arbitrarily. For brevity, not all possible combinations of the technical features in the above embodiments are described; however, as long as there is no contradiction in the combination of these technical features, they are all considered to be within the scope recorded in this specification.
Those of ordinary skill in the art will understand that all or part of the steps in the methods of the above embodiments can be completed by a program instructing the relevant hardware. The program can be stored in a readable storage medium and, when executed, includes the steps of the above methods. The storage medium includes ROM/RAM, magnetic disk, optical disc, etc.
The embodiments described above express only several embodiments of the present invention, and their description is specific and detailed, but this cannot be construed as limiting the scope of the patent. It should be pointed out that those of ordinary skill in the art can make various modifications and improvements without departing from the inventive concept, and these all belong to the protection scope of the present invention. Therefore, the protection scope of the patent of the present invention should be determined by the appended claims.
Claims (10)
1. A data access method, characterised in that it comprises the following steps:
receiving an access application, determining the target data unit to be accessed according to the access application, and judging the access rights according to the access application;
if the access rights match a preset decryption right, obtaining and returning the decryption key configured for the target data unit;
receiving a data access request, reverse-desensitizing the desensitized data with the decryption key in the data access request, and obtaining and returning the target data; wherein the desensitized data is obtained by desensitizing the target data unit according to an encryption key, and the encryption key is the key configured for the target data unit that is paired with the decryption key.
2. The data access method according to claim 1, characterised in that the step of receiving an access application comprises the following steps:
receiving identity information and authenticating the identity information according to an authentication database; if the authentication passes, receiving the access application.
3. The data access method according to claim 1, characterised in that it further comprises the following steps:
if the access rights do not match the preset decryption right, returning the desensitized data after the data access request is received.
4. The data access method according to claim 1, characterised in that the target data unit is a target medical data unit.
5. The data access method according to claim 4, characterised in that it further comprises the following steps:
collecting original medical data and converting the original medical data into medical data units;
configuring a paired encryption key and decryption key for each medical data unit, and desensitizing the corresponding medical data unit according to the encryption key to obtain the desensitized data of the different medical data units.
6. The data access method according to claim 5, characterised in that the step of converting the original medical data into medical data units comprises the following steps:
converting the original medical data into multiple medical data units with patient case data as the unit.
7. The medical data desensitization method according to claim 5, characterised in that the content of the medical data unit includes patient information, medical institution name, medical data type, medical data business index and medical data generation time.
8. The data access method according to claim 5, characterised in that it further comprises the following steps:
after access, updating the encryption key of the target medical data unit, desensitizing the target medical data unit according to the updated encryption key, and obtaining anew the desensitized data of the target medical data unit.
9. The data access method according to claim 5, characterised in that it further comprises the following steps:
after an access request is received and the preset access right time has passed, updating the encryption key of the target medical data unit, desensitizing the target medical data unit according to the updated encryption key, and obtaining anew the desensitized data of the target medical data unit.
10. A data access system, characterised in that it comprises:
an authorization center module for receiving an access application, determining the target data unit to be accessed according to the access application, and judging the access rights according to the access application; if the access rights match a preset decryption right, obtaining and returning the decryption key configured for the target data unit;
a data center module for receiving a data access request, reverse-desensitizing the desensitized data with the decryption key in the data access request, and obtaining and returning the target data; wherein the desensitized data is obtained by desensitizing the target data unit according to an encryption key, and the encryption key is the key configured by the authorization center module for the target data unit that is paired with the decryption key.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711243806.3A CN108009443A (en) | 2017-11-30 | 2017-11-30 | The access method and system of data |
Publications (1)
Publication Number | Publication Date |
---|---|
CN108009443A true CN108009443A (en) | 2018-05-08 |
Family
ID=62055805
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201711243806.3A Pending CN108009443A (en) | 2017-11-30 | 2017-11-30 | The access method and system of data |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108009443A (en) |
Cited By (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109063507A (en) * | 2018-07-13 | 2018-12-21 | 上海派兰数据科技有限公司 | A kind of general design model for hospital information system analysis |
CN109726586A (en) * | 2018-12-17 | 2019-05-07 | 杭州安恒信息技术股份有限公司 | Data fine granularity authorization sharing method, system and electronic equipment |
CN109871703A (en) * | 2019-02-28 | 2019-06-11 | 佛山市云端容灾信息技术有限公司 | Big data exchange management method, device, storage medium and server |
CN111193755A (en) * | 2020-04-14 | 2020-05-22 | 傲林科技有限公司 | Data access method, data encryption method and data encryption and access system |
CN111460512A (en) * | 2020-04-21 | 2020-07-28 | 重庆忽米网络科技有限公司 | Automatic desensitization data acquisition and distribution system and method |
CN112541196A (en) * | 2020-12-23 | 2021-03-23 | 北京理工大学 | Dynamic data desensitization method and system |
CN113010919A (en) * | 2021-03-22 | 2021-06-22 | 北京神州数字科技有限公司 | Protection method for sensitive data and private data |
CN113259382A (en) * | 2021-06-16 | 2021-08-13 | 上海有孚智数云创数字科技有限公司 | Data transmission method, device, equipment and storage medium |
CN113285942A (en) * | 2021-05-19 | 2021-08-20 | 广东电网有限责任公司 | Data sharing method and device for transformer substation, electronic equipment and storage medium |
CN115361683A (en) * | 2022-08-19 | 2022-11-18 | 中移互联网有限公司 | Service access method, SIM card, server and service platform |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6946445B1 (en) * | 1998-03-13 | 2005-09-20 | The University Of British Columbia | Therapeutic chemokine receptor antagonists |
CN104392405A (en) * | 2014-11-14 | 2015-03-04 | 杭州银江智慧医疗集团有限公司 | Electronic medical record safety system |
CN105138927A (en) * | 2015-08-12 | 2015-12-09 | 中国联合网络通信集团有限公司 | Privacy data protection method and apparatus |
CN105787381A (en) * | 2014-12-26 | 2016-07-20 | 北大医疗信息技术有限公司 | Data access control method and apparatus |
CN105975870A (en) * | 2016-05-19 | 2016-09-28 | 上海点荣金融信息服务有限责任公司 | Data desensitization method and system |
Timeline: 2017-11-30, application CN201711243806.3A filed in CN (publication CN108009443A), status Pending.
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN108009443A (en) | | The access method and system of data |
US11416602B2 (en) | | Methods and systems for identity creation, verification and management |
Abouelmehdi et al. | | Big healthcare data: preserving security and privacy |
US10749681B2 (en) | | Systems and methods for providing a universal decentralized solution for verification of users with cross-verification features |
CN108021822A (en) | | The desensitization method and system of data |
US20130318361A1 (en) | | Encrypting and storing biometric information on a storage device |
JP2021520009A (en) | | Integration of biometric data on the blockchain system |
Zhao et al. | | Research on electronic medical record access control based on blockchain |
CN103971039B (en) | | Access control system and method with GPS location verification |
CN102981980A (en) | | Method for control access in storage device |
US20160283944A1 (en) | | Method and apparatus for personal virtual authentication and authorization using digital devices and as an alternative for chip card or smart card |
AU2018256929B2 (en) | | Systems and methods for identity atomization and usage |
AU2018100478A4 (en) | | Systems and methods for providing a universal decentralized solution for verification of users with cross-verification features |
JP4027776B2 (en) | | Data processing system, processing apparatus and computer program |
CN109784073A (en) | | Data access method and device, storage medium, computer equipment |
CN108345804A (en) | | A kind of storage method in trusted computation environment and device |
WO2021124568A1 (en) | | Access control device, control method, and program |
Meints et al. | | Biometric systems and data protection legislation in germany |
US20240338423A1 (en) | | Cryptographically proving identity uniqueness |
TWI470990B (en) | | Radio frequency identification (RFID) tag to link the individual information disclosure method, the right to grant the method and authority control and management system |
EP3616108A1 (en) | | Systems and methods for identity atomization and usage |
WO2023094906A1 (en) | | Privacy regulatory system |
NZ758522B2 (en) | | Systems and methods for identity atomization and usage |
NZ741673B2 (en) | | Methods and systems for identity creation, verification and management |
RU2016136961A (en) | | ACCESS DIVISION SUBSYSTEM |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20180508 |