CN113766511A - Medical block chain data storage method and system - Google Patents


Info

Publication number: CN113766511A
Authority: CN (China)
Prior art keywords: medical, blockchain, user, access, medical data
Legal status: Pending (the status shown by Google Patents is an assumption, not a legal conclusion)
Application number: CN202111315343.3A
Other languages: Chinese (zh)
Inventor: 叶方全
Current assignee: Guangzhou Tianpeng Computer Technology Co ltd (listed assignees may be inaccurate)
Original assignee: Guangzhou Tianpeng Computer Technology Co ltd
Application filed by: Guangzhou Tianpeng Computer Technology Co ltd
Priority claimed from: CN202111315343.3A

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS
        • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
            • H04W 12/03 Protecting confidentiality, e.g. by encryption
                • H04W 12/033 Protecting confidentiality, e.g. by encryption, of the user plane, e.g. user's traffic
            • H04W 12/06 Authentication
            • H04W 12/08 Access security
            • H04W 12/60 Context-dependent security
                • H04W 12/61 Time-dependent
                • H04W 12/63 Location-dependent; Proximity-dependent
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING
        • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
            • G06F 21/60 Protecting data
                • G06F 21/604 Tools and structures for managing or administering access control systems
                • G06F 21/62 Protecting access to data via a platform, e.g. using keys or access control rules
                    • G06F 21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
                        • G06F 21/6227 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database, where protection concerns the structure of data, e.g. records, types, queries
    • G PHYSICS > G16 INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS > G16H HEALTHCARE INFORMATICS, i.e. INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR THE HANDLING OR PROCESSING OF MEDICAL OR HEALTHCARE DATA
        • G16H 10/00 ICT specially adapted for the handling or processing of patient-related medical or healthcare data
            • G16H 10/60 ICT specially adapted for the handling or processing of patient-related medical or healthcare data for patient-specific data, e.g. for electronic patient records
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
        • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
            • H04L 9/50 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using hash chains, e.g. blockchains or hash trees
        • H04L 63/00 Network architectures or network communication protocols for network security
            • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
                • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
                    • H04L 63/0478 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload, applying multiple layers of encryption, e.g. nested tunnels or encrypting the content with a first key and then with at least a second key
            • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
                • H04L 63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
                • H04L 63/0861 Network architectures or network communication protocols for network security for authentication of entities using biometrical features, e.g. fingerprint, retina-scan
            • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
                • H04L 63/102 Entity profiles
                • H04L 63/107 Network architectures or network communication protocols for network security for controlling access to devices or network resources wherein the security policies are location-dependent, e.g. entities' privileges depend on current location or allowing specific operations only from locally connected terminals
                • H04L 63/108 Network architectures or network communication protocols for network security for controlling access to devices or network resources when the policy decisions are valid for a limited amount of time
        • H04L 67/00 Network arrangements or protocols for supporting network services or applications
            • H04L 67/01 Protocols
                • H04L 67/10 Protocols in which an application is distributed across nodes in the network
                    • H04L 67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
                • H04L 67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
        • H04L 2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication (H04L 9/00)
            • H04L 2209/88 Medical equipments

Landscapes

  • Engineering & Computer Science
  • Computer Security & Cryptography
  • Computer Networks & Wireless Communication
  • Signal Processing
  • Computer Hardware Design
  • General Engineering & Computer Science
  • Computing Systems
  • General Health & Medical Sciences
  • Health & Medical Sciences
  • Theoretical Computer Science
  • Software Systems
  • Physics & Mathematics
  • General Physics & Mathematics
  • Bioethics
  • Medical Informatics
  • Automation & Control Theory
  • Biomedical Technology
  • Epidemiology
  • Primary Health Care
  • Public Health
  • Databases & Information Systems
  • Storage Device Security

Abstract

The invention provides a medical big data information security processing method and system. The method comprises the following steps: authenticating the patient's mobile device and the mobile device of the medical institution; determining that the patient's mobile device is geographically proximate to a node located at the medical facility; sending a request to the patient's mobile device to authorize the medical facility to access an electronic patient medical record stored in a remote medical data security processing system database, remote from the node; and, based on the proximity determination, obtaining that authorization from the patient so that the medical institution can access the patient's electronic medical record. The method and system allow patients to store medical information in an independent database in a secure format, allow different medical staff to access only a limited range of data for each patient, allow patients to store and keep their own personal access keys, and prevent unauthorized access to the medical information.

Description

Medical block chain data storage method and system
Technical Field
The invention relates to big data security, and in particular to a medical blockchain data storage method and system.
Background
Today, a patient's medical data is kept by the different hospitals, doctors, pharmacies and so on where the patient is treated. When a patient moves to another geographical location and is treated by different doctors, the system becomes more complex because of privacy protection and the internal policies of the different medical providers. On the one hand, the patient's health records must be kept secure and confidential, and access to them must be strictly protected against unauthorized users; on the other hand, doctors need complete and accurate information about the medical data owner's medical history, illnesses and treatment plans. Existing systems allow patients to invite physicians to share their medical data, but they require the user identification and password of the doctor and the doctor's agents to be used to grant them authorization. As a result, more and more user passwords are handed out by medical data owners to give access to their medical information, which increases the likelihood that such credentials are obtained illicitly and used to reach the owners' medical data.
Disclosure of Invention
In order to solve the problems in the prior art, the invention provides a medical blockchain data storage method and a medical blockchain data storage system, wherein the method comprises the following steps:
receiving a permission message indicating authorized access to a block that is stored in a multi-user medical blockchain storage and owned by a user; querying the multi-user medical blockchain storage for user-specific paths associated with the block indicated in the permission message;
initializing a plurality of blockchain retrieval engines to access the block indicated in the permission message, wherein each blockchain retrieval engine corresponds to a plurality of user-specific paths of a single user, and wherein each of the blockchain retrieval engines is associated with an access role that restricts access to the block indicated in the permission message for its respective user-specific paths;
accessing, by the plurality of blockchain retrieval engines, the block indicated in the permission message according to the access role of each blockchain retrieval engine; wherein initializing the plurality of blockchain retrieval engines further comprises identifying the number of users associated with the user and initializing one blockchain retrieval engine per identified user for accessing the block indicated in the permission message, so that the number of blockchain retrieval engines equals the number of identified users;
retrieving, by the plurality of blockchain retrieval engines, copies of the block from the multi-user medical blockchain storage based on the user-specific paths, wherein each blockchain retrieval engine retrieves the user-specific copy of the block corresponding to its single user;
broadcasting the retrieved user-specific copies of the block at the plurality of blockchain retrieval engines, wherein each blockchain retrieval engine hosts the user-specific copy of the block corresponding to its single user, and wherein the retrieved copies of the block correspond to a plurality of particular data types according to the access role of each blockchain retrieval engine;
determining a plurality of permitted users associated with the user's block, wherein the permission message is received from a plurality of end nodes corresponding to the plurality of permitted users; receiving an initial access request message from an end node corresponding to a requesting user, the initial access request message comprising an indication of the block and an indication of the user; and transmitting an indication of the initial access request message to the plurality of end nodes corresponding to the plurality of permitted users, wherein the permission message is received in response to the initial access request message;
generating a temporary user profile based on the permission message, wherein the temporary user profile has access to the blocks of a plurality of users; and transmitting a temporary token associated with the temporary user profile to the end node corresponding to the requesting user, wherein the end node can use the temporary token to access a plurality of blocks that are stored in the multi-user medical blockchain storage and owned by a plurality of users.
Preferably, the method further comprises:
identifying an indication to revoke the authorized access to the block;
revoking the temporary token associated with the temporary user profile from the end node corresponding to the requesting user; and
deleting the temporary user profile.
Preferably, the method further comprises:
identifying an indication to revoke the authorized access to the block;
terminating the plurality of blockchain retrieval engines used for accessing the block; and
relinquishing access to the block indicated in the permission message according to the access role.
Preferably, the method further comprises:
identifying a deadline timestamp for accessing the block;
determining that the current timestamp exceeds the identified deadline timestamp; and
revoking access to the block indicated in the permission message based on that determination;
wherein querying the multi-user medical blockchain storage for user-specific paths comprises:
sending a query message including the user ID of the user to a data pool associated with the multi-user medical blockchain storage and to a metadata database associated with the multi-user medical blockchain storage;
wherein the permission message indicates a plurality of block types corresponding to the block, and the user-specific path is based on the plurality of block types.
Preferably, the block is accessed with read-only permission according to the access role of each blockchain retrieval engine.
Preferably, the access roles include identity and access management (IAM) roles.
The invention further provides a medical blockchain data storage system for carrying out the medical blockchain data storage method.
Compared with the prior art, the invention has the following advantages:
the medical blockchain data storage method and system allow medical data owners to store their medical information in a blockchain in a secure format, let each medical data owner grant different requesters access to only a limited range of data, allow medical data owners to store and keep their own private access keys, and prevent unauthorized access to the medical information.
Drawings
Fig. 1 is a flowchart of a medical blockchain data storage method according to an embodiment of the present invention.
Detailed Description
A detailed description of various embodiments of the invention is provided below along with accompanying figures that illustrate the principles of the invention. The invention is described in connection with such embodiments, but the invention is not limited to any embodiment. The scope of the invention is limited only by the claims and the invention encompasses numerous alternatives, modifications and equivalents. In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present invention. These details are provided for the purpose of example and the invention may be practiced according to the claims without some or all of these specific details.
The invention provides a medical blockchain data storage method and system. Fig. 1 is a flowchart of the medical blockchain data storage method according to an embodiment of the invention.
The medical blockchain data storage method comprises the following steps:
receiving a permission message indicating authorized access to a block that is stored in a multi-user medical blockchain storage and owned by a user; querying the multi-user medical blockchain storage for user-specific paths associated with the block indicated in the permission message;
initializing a plurality of blockchain retrieval engines to access the block indicated in the permission message, wherein each blockchain retrieval engine corresponds to a plurality of user-specific paths of a single user, and wherein each of the blockchain retrieval engines is associated with an access role that restricts access to the block indicated in the permission message for its respective user-specific paths;
accessing, by the plurality of blockchain retrieval engines, the block indicated in the permission message according to the access role of each blockchain retrieval engine; wherein initializing the plurality of blockchain retrieval engines further comprises identifying the number of users associated with the user and initializing one blockchain retrieval engine per identified user for accessing the block indicated in the permission message, so that the number of blockchain retrieval engines equals the number of identified users;
retrieving, by the plurality of blockchain retrieval engines, copies of the block from the multi-user medical blockchain storage based on the user-specific paths, wherein each blockchain retrieval engine retrieves the user-specific copy of the block corresponding to its single user;
broadcasting the retrieved user-specific copies of the block at the plurality of blockchain retrieval engines, wherein each blockchain retrieval engine hosts the user-specific copy of the block corresponding to its single user, and wherein the retrieved copies of the block correspond to a plurality of particular data types according to the access role of each blockchain retrieval engine;
determining a plurality of permitted users associated with the user's block, wherein the permission message is received from a plurality of end nodes corresponding to the plurality of permitted users; receiving an initial access request message from an end node corresponding to a requesting user, the initial access request message comprising an indication of the block and an indication of the user; and transmitting an indication of the initial access request message to the plurality of end nodes corresponding to the plurality of permitted users, wherein the permission message is received in response to the initial access request message;
generating a temporary user profile based on the permission message, wherein the temporary user profile has access to the blocks of a plurality of users; and transmitting a temporary token associated with the temporary user profile to the end node corresponding to the requesting user, wherein the end node can use the temporary token to access a plurality of blocks that are stored in the multi-user medical blockchain storage and owned by a plurality of users.
On identifying an indication to revoke the authorized access to the block, the temporary token associated with the temporary user profile is revoked from the end node corresponding to the requesting user, and the temporary user profile is deleted.
On identifying an indication to revoke the authorized access to the block, the plurality of blockchain retrieval engines used for accessing the block are terminated, and access to the block indicated in the permission message is relinquished according to the access role.
A deadline timestamp for accessing the block is identified; when the current timestamp is determined to exceed the identified deadline timestamp, access to the block indicated in the permission message is revoked based on that determination. Querying the multi-user medical blockchain storage for user-specific paths comprises sending a query message including the user ID of the user to a data pool associated with the multi-user medical blockchain storage and to a metadata database associated with the multi-user medical blockchain storage;
the permission message indicates a plurality of block types corresponding to the block, and the user-specific path is based on the plurality of block types.
The block is accessed with read-only permission according to the access role of each blockchain retrieval engine. The access roles include identity and access management (IAM) roles.
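The permission, retrieval-engine, temporary-token, deadline and revocation steps listed above (and in the Disclosure of Invention) are easier to follow as running code. The Go program below is an added example written for this page; it is not code from the patent or its assignee. The type names, the "read-only" role string, the metadata layout (blocks indexed by owner and block type and addressed by a path), the check that the permission message names the requester, and the two sample blocks are all assumptions.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"time"
)

// Block is one unit of medical data stored under a user-specific path; the
// metadata database indexes it by Owner and Type (this layout is an assumption).
type Block struct {
	Owner, Type string
	Data        []byte
}

// PermissionMessage is an owner end node's reply to an initial access request.
type PermissionMessage struct {
	Owner, Requester string
	BlockTypes       []string
	Deadline         time.Time
}

// RetrievalEngine hosts one owner's user-specific block copies under an access role.
type RetrievalEngine struct {
	User, Role string
	Copies     map[string]Block
}

// TemporaryProfile is what a temporary token resolves to: one engine per granting
// owner, valid until the earliest deadline or until revoked.
type TemporaryProfile struct {
	Engines  []*RetrievalEngine
	Deadline time.Time
}

// Constructed sample storage (not real patient data) and the live token table.
var (
	blocks = map[string]Block{
		"patient-a/lab/1":     {"patient-a", "lab", []byte("HbA1c 6.1%")},
		"patient-a/imaging/1": {"patient-a", "imaging", []byte("chest x-ray: clear")},
	}
	profiles = map[string]*TemporaryProfile{}
)

// Grant resolves the user-specific paths for each permission message, starts one
// read-only engine per granting owner holding copies of those blocks, and issues
// one temporary token that the requester's end node presents on every access.
func Grant(requester string, msgs []PermissionMessage) (string, error) {
	p := &TemporaryProfile{}
	for _, m := range msgs {
		if m.Requester != requester {
			return "", fmt.Errorf("permission names %q, request is from %q", m.Requester, requester)
		}
		eng := &RetrievalEngine{User: m.Owner, Role: "read-only", Copies: map[string]Block{}}
		for path, b := range blocks { // the "query for user-specific paths" step
			for _, t := range m.BlockTypes {
				if b.Owner == m.Owner && b.Type == t {
					eng.Copies[path] = b // user-specific copy hosted by this engine
				}
			}
		}
		p.Engines = append(p.Engines, eng)
		if p.Deadline.IsZero() || m.Deadline.Before(p.Deadline) {
			p.Deadline = m.Deadline // the profile expires at the earliest deadline
		}
	}
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	tok := fmt.Sprintf("%x", raw)
	profiles[tok] = p
	return tok, nil
}

// Access checks the token, the deadline timestamp and the engine's role before
// serving a block copy; a passed deadline revokes the token on the spot.
func Access(token, path, op string, now time.Time) ([]byte, error) {
	p, ok := profiles[token]
	if !ok {
		return nil, fmt.Errorf("unknown or revoked token")
	}
	if !now.Before(p.Deadline) {
		Revoke(token)
		return nil, fmt.Errorf("deadline timestamp exceeded; access revoked")
	}
	for _, e := range p.Engines {
		if b, found := e.Copies[path]; found {
			if e.Role == "read-only" && op != "read" {
				return nil, fmt.Errorf("%s denied by %s role", op, e.Role)
			}
			return b.Data, nil
		}
	}
	return nil, fmt.Errorf("path not covered by any permission message")
}

// Revoke terminates the engines and deletes the temporary profile.
func Revoke(token string) { delete(profiles, token) }

func main() {
	now := time.Now()
	tok, _ := Grant("dr-1", []PermissionMessage{{"patient-a", "dr-1", []string{"lab"}, now.Add(time.Hour)}})
	for _, c := range []struct{ path, op string }{
		{"patient-a/lab/1", "read"}, {"patient-a/lab/1", "write"}, {"patient-a/imaging/1", "read"},
	} {
		data, err := Access(tok, c.path, c.op, now)
		fmt.Printf("%s %s -> %q err=%v\n", c.op, c.path, data, err)
	}
	_, err := Access(tok, "patient-a/lab/1", "read", now.Add(2*time.Hour))
	fmt.Println("after deadline ->", err)
}
```

Grant builds one RetrievalEngine per granting owner and resolves the block types named in the permission message to user-specific paths; Access enforces the engine's role and the deadline timestamp and revokes the profile as soon as the deadline has passed; Revoke covers the explicit revocation indication. In the demo the requester can read patient-a's lab block, is refused a write under the read-only role, cannot see the imaging block that the permission did not name, and loses the token once the deadline is over. The token is the only thing the requester's end node holds, so neither the owner's credentials nor the owner's key ever leave the owner's side, which is the point the Background makes against password sharing.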
The present invention allows different medical data owners to store their medical information in a secure, encrypted format at a decentralized location and to use a single key to access the medical information that each of them stores in encrypted form in the medical data blockchain; access to the medical information stored by a medical data owner is denied to anyone without that owner's correct key. The medical data owner can therefore quickly create, update and upload medical data maintained by a particular doctor or hospital alongside the owner's other medical information. The medical data owner can restrict any medical service provider's access to a subset of the owner's medical information and can share views or updates with a doctor for a particular time and place.
Each doctor and each electronic medical record may hold only a subset of the medical information of a particular medical data owner, whereas the medical data owner has control of and access to the more complete medical information and can remove all access authorizations after leaving the medical site while keeping the information accessible to the owner. The present invention lets requesters upload data to the medical data blockchain quickly, but makes such uploads secure and tamper-resistant by encrypting each medical data owner's medical information with that owner's private key. A medical data requester transfers the medical data owner's data from the electronic medical record into the more secure medical data blockchain, where it can only be decrypted using a private symmetric key held by the medical data requester. The method then copies the doctor's record of the individual medical data owner from that medical data blockchain into the medical data owner's own medical data blockchain, re-encrypts the owner's medical information with the owner's personal symmetric private key and stores it in the medical data blockchain; access to this copy of the owner's medical information belongs to the medical data owner, who can authorize it to a plurality of medical data requesters.
The medical data owner controls access to the medical information stored in the cloud. The owner allows access to and sharing of the medical information with a doctor while the owner is at the geographic location of the medical site. The doctor views and updates the owner's medical information in a virtual medical directory. Once the update is complete, none of the medical data requesters can access the owner's medical information any longer, which reduces the risk that comes with granting each requester permanent access to the medical information.
The medical data owner record of the present invention includes a record locator. The owner's record is identified by the record locator without the need for any personally identifiable information. The records of each medical data owner are individually encrypted with that owner's own symmetric encryption key; the owner holds and controls access to the encrypted medical information stored in the data record repository by controlling the symmetric private encryption key and through the required authorization and mapping processes. In this process the medical data owner is authenticated, and only then is the mapping to the owner's actual encrypted record provided. In a preferred embodiment, the data structure used by the system does not include any personal information such as name or address; the data can only be identified and accessed through anonymous keys.
In one embodiment, a method for enabling secure access to a medical data owner's medical data comprises: authenticating, at an authentication node, the end node of the medical data owner; authenticating the end node of the medical data requester; determining, by end-node proximity detection, that the location of the medical data owner's end node is proximate to a node at the medical data requester's location, in order to decide whether the medical data requester may access the owner's medical record stored in a remote medical data blockchain, remote from that node; sending a request to the medical data owner's end node to authorize the medical data requester to access the owner's medical record stored in the remote medical data blockchain; obtaining that authorization from the medical data owner, based on the proximity determination, so that the medical data requester can access the owner's medical record; and obtaining a private key for decrypting the owner's medical record stored in the medical data blockchain, wherein access to the key is provided by the medical data owner for a specified, limited period of time;
decrypting, at the authentication node, the medical data owner's medical record using the owner's private key; re-encrypting the medical record using the asymmetric ECC keys of the medical data requester and the authentication node and transmitting it securely to the medical data requester for viewing and updating; storing the medical data owner's medical record, encrypted with the private key, in the medical data blockchain; receiving a locator of the owner's medical record stored in the medical data blockchain; and finding the owner's medical record in the medical data blockchain by means of the locator so that it can be viewed and updated by the medical data requester; wherein the medical data blockchain does not maintain or store any medical data owner identification information in unencrypted form other than the locator.
The method further comprises the following steps: receiving from the medical data requester an updated medical record of the medical data owner, the updated medical record being encrypted with an asymmetric ECC key of the medical data blockchain;
decrypting the updated medical record using the private ECC key of the medical data blockchain;
re-encrypting the updated medical record on the medical data blockchain with the medical data owner's private key; and
storing the updated encrypted record in the medical data blockchain.
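The key handling in the embodiment above (an owner-held symmetric key for the record at rest, time-limited release of that key, ECC re-encryption between the authentication node and the requester, the update returned under the blockchain's ECC key and re-encrypted under the owner's key, and a locator that carries nothing identifying) is shown end to end in the following Go program. It is an added example written for this page, not the patent's or the assignee's code, and it models the keystore server that the description introduces further down as an in-process closure. The concrete choices are assumptions the page does not make: P-256 ECDH with SHA-256 of the shared secret as the key-derivation step (a deployment would use a KDF such as HKDF), AES-256-GCM as the symmetric cipher, a random 8-byte locator, and the party names and sample record text.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"time"
)

// random returns n bytes from the OS CSPRNG and eccPair a fresh P-256 key pair;
// both panic only if the OS RNG itself fails.
func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func eccPair() *ecdh.PrivateKey {
	k, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM and prepends the nonce; open reverses it and
// fails, rather than returning garbage, on a wrong key or a tampered record.
func seal(key, plaintext []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := random(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, nil), nil
}

func open(key, sealed []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil || len(sealed) < g.NonceSize() {
		return nil, fmt.Errorf("cannot open record: bad key or truncated data (%v)", err)
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], nil)
}

// eccKey derives an AES key from the ECDH shared secret of two parties' ECC keys;
// SHA-256 of the secret stands in for a real KDF such as HKDF (an assumption).
func eccKey(mine *ecdh.PrivateKey, theirs *ecdh.PublicKey) ([]byte, error) {
	secret, err := mine.ECDH(theirs)
	if err != nil {
		return nil, err
	}
	sum := sha256.Sum256(secret)
	return sum[:], nil
}

// ShareAndUpdate runs one round trip of the flow above and returns the plaintext
// that the owner's key recovers from the record finally stored on the chain.
func ShareAndUpdate(now time.Time, grantFor time.Duration, update string) (string, error) {
	var err error
	try := func(b []byte, e error) []byte { // records the first failing step
		if e != nil && err == nil {
			err = e
		}
		return b
	}
	chainKey, authKey, reqKey := eccPair(), eccPair(), eccPair() // chain, authentication node, requester
	ownerKey, until := random(32), now.Add(grantFor)            // owner's symmetric key and its grant window
	keystore := func(at time.Time) ([]byte, error) {            // the key lives apart from the chain data
		if at.Before(until) {
			return ownerKey, nil
		}
		return nil, fmt.Errorf("owner's key grant has expired")
	}
	chain, locator := map[string][]byte{}, fmt.Sprintf("%x", random(8)) // locator -> record, nothing identifying
	// 1. The owner's record sits on the chain encrypted under the owner's key only.
	chain[locator] = try(seal(ownerKey, []byte("allergy: penicillin")))
	// 2. The authentication node obtains the time-limited owner key, decrypts, and
	//    re-encrypts to the requester using the two parties' ECC keys.
	plain := try(open(try(keystore(now)), chain[locator]))
	toReq := try(seal(try(eccKey(authKey, reqKey.PublicKey())), plain))
	// 3. The requester opens it with its own private key, appends an update and
	//    sends the result back encrypted to the chain's ECC public key.
	seen := try(open(try(eccKey(reqKey, authKey.PublicKey())), toReq))
	toChain := try(seal(try(eccKey(reqKey, chainKey.PublicKey())), append(seen, []byte("\n"+update)...)))
	// 4. The chain decrypts with its private ECC key and re-encrypts under the owner's key.
	got := try(open(try(eccKey(chainKey, reqKey.PublicKey())), toChain))
	chain[locator] = try(seal(try(keystore(now)), got))
	final := try(open(ownerKey, chain[locator])) // only the owner's key recovers it
	if err != nil {
		return "", err
	}
	return string(final), nil
}

func main() {
	out, err := ShareAndUpdate(time.Now(), time.Hour, "visit note: no new findings")
	fmt.Printf("stored record decrypts to %q (err=%v)\n", out, err)
	_, err = ShareAndUpdate(time.Now(), -time.Minute, "late update")
	fmt.Println("with an expired key grant:", err)
}
```

Step 2 only succeeds while the owner's key grant is valid, so the second call in main, with an already-expired window, fails at the keystore and never reaches the ECC leg; the owner's symmetric key is never sent to the requester, who only ever holds a copy encrypted to its own ECC key. The AEAD also rejects a modified ciphertext instead of decrypting it to garbage, which is what makes the stored record tamper-resistant in the sense the description uses. What the chain holds is a random locator and ciphertext, so an intercepted record without the owner's key and account is as useless as the description claims.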
The method may further comprise: receiving a fingerprint of an operator of a terminal node of a medical data requester and verifying that it matches a stored fingerprint of the medical data requester, the medical data requester being authorized by a medical data owner to access a private medical record of the medical data owner stored in a medical data blockchain;
the fingerprint of the operator of the medical data owner terminal node is received and verified to match the fingerprint authorized by the stored medical data owner to authorize access to the private medical record of the medical data owner stored in the medical data blockchain.
The method may further comprise: maintaining blockchain nodes mapped to locators for each registered medical data owner;
receiving identity information of the medical data owner and processing it to access the medical data blockchain.
In addition, the blockchain not only retains anonymously encrypted medical information for medical data owners, but also provides a separate keystore server and a secure directory mapping server as an additional layer of security protection for accessing medical information in the medical data blockchain. The keystore server provides secure electronic storage for medical data owners who keep copies of their private symmetric keys there. The keystore server provides the key directly to the medical data blockchain, or to an authorized device of the medical data owner. The medical data blockchain account directory mapping server provides a given medical data owner with that owner's medical data blockchain account after authenticating the request with the private key and a properly verified medical data owner credential, the private key coming from the keystore server of that particular medical data owner. Finally, after obtaining the private key of the medical data owner and the account of the particular medical data owner, the medical data blockchain processes and validates the data and uses the medical data owner's private key to retrieve or update the medical data blockchain data. The private key is stored in a different location than the medical data blockchain data. All identifiable information is removed from the data that the medical data owner stores in the medical data blockchain, which is reduced to only an account or locator and an encrypted medical data owner record. Even if a data record is intercepted by an unauthorized person, the information is effectively useless unless it is associated with the correct medical data owner account. Thus, a further level of security is added to the medical data blockchain data access and update capabilities.
According to the present invention, the medical data blockchain does not store a copy of the medical data owner's private key used for accessing the medical information of the medical data owner in the medical data blockchain. The blockchain receives the key of the medical data owner only for a limited, specified period of time, during which it authorizes reading and updating of the medical information by the medical data owner, for example during an access session granted by the medical data owner to a medical data requester. Once the authorized access or update process is complete, the medical data blockchain erases the key of the medical data owner. The permanent key of the medical data owner is kept by the medical data owner at the personal terminal node or placed in a keystore.
In an alternative embodiment, the identity of the operator of the medical data owner terminal node may also be confirmed by requesting a fingerprint of the operator of the terminal node, receiving the fingerprint at the medical data blockchain and comparing it with the registration record of each medical data owner, to ensure that the correct person operates the medical data owner terminal node. The medical data owner is allowed to use different terminal nodes and to confirm its identity to the medical data blockchain by transmitting fingerprints extracted by hardware and application software on the terminal nodes. An application executing on a terminal node first requests the user to enter a fingerprint and then sends the fingerprint to the blockchain for authentication.
The proximity information from each medical data owner terminal node is transmitted to the proximity detection node and evaluated there. The medical data owner authentication node communicates with the medical data requester terminal node, and the medical data owner authorizes access for a specific medical data requester using the security key, based on the presence of the medical data owner at the medical data requester and on the key authorization. It may also rely on fingerprint authentication of the device operator to ensure both that the medical data owner has authorized the access and that the authorized medical data requester is the one operating the terminal node that requested access to the medical information of the medical data owner.
The symmetric key of the medical data owner is transmitted so that the data of the medical data owner can be encrypted or decrypted with it. The medical data owner provides and transmits its symmetric key to the medical data blockchain for a preset time, to allow a particular authorized medical data requester to access the encrypted medical information of the medical data owner in the medical data blockchain. The medical data owner needs only one key to enable a plurality of requesters to read and update the medical information of the medical data owner, and the medical information is stored in an encrypted format in the medical data blockchain.
The transmission protocol uses ECC asymmetric key encryption for secure transmission, and uses the private symmetric key of the medical data owner to encrypt and decrypt the medical information of the medical data owner, including updates to the stored record. The medical data owner terminal node establishes secure communication with the server. The medical data blockchain sends its blockchain public key to the medical data owner terminal node; the medical data owner terminal node receives the blockchain public key and encrypts the private symmetric key of the medical data owner with it. The medical data blockchain receives the symmetric private key of the medical data owner from the medical data owner terminal node and decrypts the transmission using the private key of the blockchain. When a medical data owner gives separate authorization to a particular medical data requester, the medical data blockchain is allowed to decrypt, and the requester to read or update, the medical data owner's medical information on the medical data blockchain using the medical data owner's symmetric private key. This allows the medical data blockchain to encrypt and decrypt its data during the authorized access by that particular medical data requester. Once the authorization period has elapsed, the medical data blockchain erases the medical data owner's private symmetric key and does not retain it in any of its internal memory or in the medical data blockchain.
When it is confirmed that a particular authorized doctor is allowed to read or update the medical information of the medical data owner using the terminal node, the medical data blockchain decrypts the medical information of the medical data owner using the private symmetric key of the medical data owner, which is received and held in the medical data blockchain for the duration of the authorized access. It then re-encrypts the medical information using the doctor's ECC asymmetric key for secure transmission to the terminal node of the medical data requester.
The terminal node of the medical data requester receives the public key of the medical data blockchain, encrypts the doctor's public key with it, and transmits it to the medical data blockchain. The medical data blockchain then re-encrypts the medical data owner's data record using the doctor's public key and transmits it from the medical data blockchain to the doctor's terminal node, which receives the medical data owner record and displays it on its screen. The doctor's device never has the private key of the medical data owner, because that key is sent to the medical data blockchain and, once authorized, is used there to decrypt the medical information of the medical data owner during the authorization session. The decrypted medical information of the medical data owner is then re-encrypted with the doctor's asymmetric key so that the data is securely transmitted to the doctor's terminal node. This allows the doctor's terminal node to decrypt the re-encrypted medical data owner data using its own key pair and to view or update the data on the doctor's terminal node. For updates, the medical data blockchain sends its public key to the doctor's terminal node, which uses it to encrypt the transmitted update data. The updated record is then re-encrypted on the medical data blockchain using the medical data owner's private symmetric encryption key and stored in encrypted form in the medical data blockchain.
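The session-bounded key handling described above, as an added example that is not the patent's own code: the node keeps every record sealed with the owner's symmetric key, accepts that key only for an authorization window, re-seals the decrypted record for the requester's transport, re-seals updates with the owner's key, and zeroes the lent key when the window expires or access is revoked. The ciphers are stand-ins: a SHA-256 counter keystream with an HMAC tag replaces the page's symmetric cipher, and a shared `transport_key` replaces the doctor's ECC key pair; all names and sample values are constructed.

```python
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """SHA-256 counter-mode keystream XOR; stand-in for the page's symmetric cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + (i // 32).to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC-SHA256 tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = _keystream_xor(key, nonce, plaintext)
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key or tampered blob is rejected."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("record authentication failed")
    return _keystream_xor(key, nonce, ct)


class MedicalBlockchainNode:
    """Stores owner records only sealed, and holds owner keys only per session."""

    def __init__(self, clock):
        self.clock = clock      # callable returning the current time in seconds
        self.records = {}       # locator -> record sealed with the owner's key
        self.sessions = {}      # (owner, requester) -> [owner_key, deadline]

    def store(self, locator: str, owner_key: bytes, record: bytes) -> None:
        self.records[locator] = seal(owner_key, record)

    def authorize(self, owner: str, requester: str, owner_key: bytes, seconds: float) -> None:
        """The owner lends its symmetric key for a bounded window only."""
        self.sessions[(owner, requester)] = [bytearray(owner_key), self.clock() + seconds]

    def revoke(self, owner: str, requester: str) -> None:
        """Drop the session and overwrite the lent key so nothing persists."""
        session = self.sessions.pop((owner, requester), None)
        if session is not None:
            session[0][:] = bytes(len(session[0]))

    def _session_key(self, owner: str, requester: str) -> bytes:
        session = self.sessions.get((owner, requester))
        if session is None:
            raise PermissionError("no authorization from owner")
        if self.clock() > session[1]:
            self.revoke(owner, requester)   # expired: erase before refusing
            raise PermissionError("authorization window expired")
        return bytes(session[0])

    def read(self, owner: str, requester: str, locator: str, transport_key: bytes) -> bytes:
        """Decrypt with the owner's key, then re-seal for the requester's transport."""
        plaintext = unseal(self._session_key(owner, requester), self.records[locator])
        return seal(transport_key, plaintext)

    def update(self, owner: str, requester: str, locator: str,
               transport_key: bytes, blob: bytes) -> None:
        """Accept an update sealed for the node and re-seal it with the owner's key."""
        plaintext = unseal(transport_key, blob)
        self.records[locator] = seal(self._session_key(owner, requester), plaintext)
```

The requester never receives the owner's key: it only ever sees ciphertext under its own transport key, and after the deadline every call fails until the owner authorizes again.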
After authentication is complete and the medical data blockchain has been provided with a new record location key for the medical data owner's data record, the data record is created and encrypted with the record identity and the medical data owner's private symmetric key. The request from the medical data owner, along with the user identification and password, is processed on the medical data blockchain; a request to authenticate against the record database is then generated automatically, and a record location identification for the location of the medical data owner's data record is received. The location key is then sent to the data record repository, which uses the key to find the encrypted medical information record of the medical data owner and return it to the medical data blockchain. The encrypted medical information record is transmitted to the medical data blockchain and then to the terminal node of the medical data owner. These encrypted data records cannot be decrypted and read without the private key of the medical data owner. The medical data requester does not maintain or control access to the original electronic version of the medical data owner's medical information.
In summary, the present invention provides a method and a system for storing medical blockchain data, which allow medical data owners to store medical information in a blockchain in a secure format, enable each medical data owner to grant different requesters access to the data within a limited scope, allow medical data owners to hold and store their own private access keys, and prevent unauthorized access to medical information.
It will be apparent to those skilled in the art that the modules or steps of the present invention described above may be implemented in a general purpose computing system, centralized on a single computing system, or distributed across a network of computing systems, and optionally implemented in program code that is executable by the computing system, such that the program code is stored in a storage system and executed by the computing system. Thus, the present invention is not limited to any specific combination of hardware and software.
It is to be understood that the above-described embodiments of the present invention are merely illustrative of or explaining the principles of the invention and are not to be construed as limiting the invention. Therefore, any modification, equivalent replacement, improvement and the like made without departing from the spirit and scope of the present invention should be included in the protection scope of the present invention. Further, it is intended that the appended claims cover all such variations and modifications as fall within the scope and boundaries of the appended claims or the equivalents of such scope and boundaries.

Claims (7)

1. A medical blockchain data storage method, used for implementing data access in multi-user medical blockchain storage, comprising the following steps:
receiving a permission message indicating authorized access to a block stored in a multi-user medical blockchain storage and owned by a user; querying the multi-user medical blockchain store for user-specific paths associated with the block indicated in the permission message;
initializing a plurality of blockchain retrieval engines to access the blocks indicated in the permission message, wherein each blockchain retrieval engine corresponds to a plurality of user-specific paths for a single user, and wherein each blockchain retrieval engine of the plurality of blockchain retrieval engines is associated with an access role that restricts access to the blocks indicated in the permission message for the respective plurality of user-specific paths;
accessing, by the plurality of blockchain retrieval engines, the blocks indicated in the permission message according to the access role in each blockchain retrieval engine; wherein said initializing said plurality of blockchain retrieval engines further comprises: identifying a number of users associated with the user, wherein a number of blockchain retrieval engines are initialized for accessing the blocks indicated in the permission message, and wherein the number of blockchain retrieval engines is equal to the number of identified users;
retrieving, by the plurality of blockchain retrieval engines, copies of the blocks from the multi-user medical blockchain store based on the user-specific paths, wherein each blockchain retrieval engine retrieves a respective user-specific copy of the blocks corresponding to a single user;
broadcasting the user-specific copies of the retrieved blocks at the plurality of blockchain retrieval engines, wherein each blockchain retrieval engine respectively hosts a respective user-specific copy of a block corresponding to a single user; wherein the retrieved copies of the blocks correspond to a plurality of particular data types based on the access role in each blockchain retrieval engine;
determining a plurality of permitted users associated with the user's block, wherein the permission message is received from a plurality of terminal nodes corresponding to the plurality of permitted users; receiving an initial access request message from a terminal node corresponding to a requesting user, the initial access request message comprising an indication of the block and an indication of the user; transmitting an indication of the initial access request message to the plurality of terminal nodes corresponding to the plurality of permitted users, wherein receiving the permission message is based on the initial access request message;
generating a temporary user profile based on the permission message, wherein the temporary user profile has access to the blocks of the plurality of users; transmitting a temporary token associated with the temporary user profile to the terminal node corresponding to the requesting user, wherein the terminal node uses the temporary token to access a plurality of blocks stored in the multi-user medical blockchain storage and owned by the plurality of users.
2. The method of claim 1, further comprising:
identifying an indication to revoke authorized access to the block;
revoking the temporary token associated with the temporary user profile from the terminal node corresponding to the requesting user;
deleting the temporary user profile.
3. The method of claim 1, further comprising:
identifying an indication to revoke authorized access to the block;
terminating the plurality of blockchain retrieval engines used for accessing the block;
relinquishing access to the blocks indicated in the permission message according to the access role.
4. The method of claim 1, further comprising:
identifying a deadline timestamp for accessing the block;
determining that the current timestamp exceeds the identified deadline timestamp;
revoking access to the block indicated in the permission message based on the determined result;
wherein querying the multi-user medical blockchain store for user-specific paths comprises:
sending a query message including a user ID of the user to a data pool associated with the multi-user medical blockchain storage and a metadata database associated with the multi-user medical blockchain storage;
wherein the permission message indicates a plurality of block types corresponding to the block, and the user-specific paths are based on the plurality of block types.
5. The method of claim 1, wherein the blocks are accessed using read-only permissions according to the access role in each blockchain retrieval engine.
6. The method of claim 1, wherein the access roles include an identity and an access management role.
7. A medical blockchain data storage system configured to perform the method of any one of claims 1 to 6.
CN202111315343.3A 2021-11-08 2021-11-08 Medical block chain data storage method and system Pending CN113766511A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111315343.3A CN113766511A (en) 2021-11-08 2021-11-08 Medical block chain data storage method and system

Publications (1)

Publication Number Publication Date
CN113766511A true CN113766511A (en) 2021-12-07

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20211207