CN114567491A - Medical record sharing method and system based on zero trust principle and block chain technology - Google Patents


Publication number
CN114567491A
Authority
CN
China
Prior art keywords
transaction
data
consensus
node
sender
Legal status
Pending
Application number
CN202210206248.8A
Other languages
Chinese (zh)
Inventor
刘佳
陈夏润
孙航宇
Current Assignee
Beijing Yanling Wangwei Intelligent Technology Co ltd
Original Assignee
Beijing Yanling Wangwei Intelligent Technology Co ltd

Classifications

    • H04L 63/0442: Network security; confidential data exchange among entities communicating through data packet networks, where the payload is protected and the sending and receiving entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • G06F 21/31: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; user authentication
    • G06F 21/577: Security arrangements; certifying or maintaining trusted computer platforms; assessing vulnerabilities and evaluating computer system security
    • G16H 15/00: Healthcare informatics; ICT specially adapted for medical reports, e.g. generation or transmission thereof
    • H04L 63/083: Network security; authentication of entities using passwords
    • H04L 63/0876: Network security; authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L 63/10: Network security; controlling access to devices or network resources
    • H04L 63/123: Network security; applying verification to received data contents, e.g. message integrity
    • H04L 67/1097: Network services; protocols in which an application is distributed across nodes for distributed storage of data, e.g. NFS, SAN or NAS
    • H04L 67/12: Network services; protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • H04L 9/3247: Cryptographic mechanisms; verifying the identity or authority of a user or message authentication, involving digital signatures
    • H04L 9/3297: Cryptographic mechanisms; verifying the identity or authority of a user or message authentication, involving time stamps
    • H04L 2209/72: Signcrypting, i.e. digital signing and encrypting simultaneously
    • H04L 2209/88: Medical equipment

Abstract

The invention discloses a medical record sharing method and system based on the zero trust principle and blockchain technology. Blockchain technology records and audits every transaction in data storage and transmission, and the immutability of the blockchain ensures the security and integrity of the data; security hardening based on the zero trust principle ensures that the medical record data is encrypted and that only authenticated users and devices can interact with the network. The method addresses a number of data security weaknesses and performs well on the problems of transmitting and storing medical data.

Description

Medical record sharing method and system based on zero trust principle and block chain technology
Technical Field
The invention relates to the technical field of computer security, in particular to a medical record sharing method and system based on a zero trust principle and a block chain technology.
Background
Researchers divide internet security threats into four core categories: interception, fabrication, modification and interruption. More broadly, they fall into two groups: unintentional errors (natural mishaps and mishandling) and intentional actions (fraud, identity theft and the like). Data leaks on the internet have occurred many times and caused enormous social and economic harm, so a safer and more reliable data security solution is urgently needed. Data security matters particularly in the medical field: if personal information, medical records and similar data are leaked, society and patients are seriously affected.
Among existing approaches, part of the solution comes in the form of a blockchain, which protects against unnecessary data exposure. Its distributed consensus mechanism stores important information in a peer-to-peer (P2P) network and establishes digital trust by recording transactions on a shared platform; the record is immutable and unforgeable, which provides a degree of transparency and auditability. Applying blockchain data security solutions to the medical field should therefore be highly beneficial and important.
In addition, advances in cloud storage and cloud services bring convenience but also greater challenges to data security. In a medical record cloud platform, security measures must be taken at every step, before, during and even after data transmission, to keep data secure. The zero trust security model addresses these security problems at each stage of data transmission: it is an IT security model that requires strict authentication of users and devices attempting to access resources on a network, whether they are located inside or outside the network perimeter.
No single technology is associated with the zero trust principle; it is a holistic approach to network security that combines several different principles and technologies. A blockchain is in theory very hard to break, but it has weaknesses: social engineering, identity theft, weak passwords and implementation vulnerabilities. In the field of medical data security, the security of the blockchain can therefore be raised by additional measures. Reinforcing it with the zero trust principle improves overall security when the blockchain model is implemented: the blockchain technology provides fault tolerance, while the zero trust principle strengthens access management and user identity authentication.
Disclosure of Invention
To overcome the shortcomings of the prior art, the invention provides a medical record sharing method and system based on the zero trust principle and blockchain technology. Most existing methods secure medical data with encryption alone, or with blockchain or another technology used on its own, which leaves data security incomplete; the invention combines the two. In addition, one of the factors with the greatest effect on the application performance of existing blockchains is that the consensus mechanism takes a long time. The invention improves the consensus mechanism of the blockchain so that it better fits consensus on medical data and does not cause large energy consumption or network congestion.
The technical scheme provided by the invention is as follows: the overall method consists of two parts, one based on the zero trust principle and one based on blockchain technology.
The zero trust principle ensures that users and devices are verified at different layers and that data security is ensured through data encryption. Under the zero trust principle, data is transmitted and received through a three-level security layer design, whose structure is shown in fig. 1.
The sender is given the following three layers of security assurance:
The first layer, login, provides the outermost security assurance: the data sender is authenticated on its terminal device (here, a PC connected to the medical record entry client) using login credentials such as a username and password.
The second layer is an environmental security check: before data is sent, the security and reliability of the sender's device are verified by determining whether the device and the client carry the latest security patches and preventive measures; this check also reveals whether the device has been hacked or damaged.
The third layer encrypts the data before sending it. This is the innermost layer of the data security assurance: once the sender has passed the first two layers, the data to be sent is encrypted with the receiver's public key, so that only the intended receiver, who holds the matching private key, can read it.
Similarly, when the receiver accesses data through a web page or an application programming interface, the following three layers of security assurance are set:
The first layer is login: as for the sender, the outermost layer of security assurance is provided by a login step that verifies the receiver's identity.
The second layer is 2FA two-factor authentication, the receiver's second security layer. An authenticator application generates an unpredictable authentication code, and the receiver must also enter this code to gain access. An attacker therefore cannot easily get into a person's device or online account, because knowing only the victim's password is not enough.
The third layer decrypts the received data. This is the innermost layer of the data security assurance: after the first two layers of verification are complete, the receiver can use its private key to decrypt.
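The two gates described above, written out as an added example in Go; it is not part of the patent or of the applicant's system. Layer 1 is a salted password check on both sides, sender layer 2 is a device posture check, and receiver layer 2 is an RFC 6238 TOTP code. The description says only that an authenticator application generates an unpredictable code, so TOTP is an assumption here, as are the Posture fields, the account table, the patch baseline of 42 and the password hashing scheme. The 2FA secret is the RFC 6238 test secret so the codes can be checked against the RFC's published vectors.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Posture is what the sender's client reports about itself (constructed schema, not from the patent).
type Posture struct {
	PatchLevel  int  // patch baseline the client is at
	Compromised bool // client flagged as hacked or tampered
}

// User stores sha256(salt || password); a deployment should use a slow KDF such as scrypt or argon2.
// TOTPSecret is the RFC 6238 shared secret behind the receiver's 2FA code (assumed mechanism).
type User struct {
	Salt, PwHash, TOTPSecret []byte
}

type Gate struct {
	Users    map[string]User
	MinPatch int // lowest patch level the sender's second layer accepts
}

func pwHash(salt []byte, pw string) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), pw...))
	return h[:]
}

// hotp is RFC 4226 (HMAC-SHA-1, dynamic truncation, six digits); TOTP is hotp over 30-second steps.
func hotp(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	return fmt.Sprintf("%06d", (binary.BigEndian.Uint32(sum[off:off+4])&0x7fffffff)%1000000)
}

func TOTP(secret []byte, at time.Time) string { return hotp(secret, uint64(at.Unix()/30)) }

// VerifyTOTP accepts the current step and one step either side (clock skew), comparing in constant time.
func VerifyTOTP(secret []byte, code string, at time.Time) bool {
	step := at.Unix() / 30
	for d := int64(-1); d <= 1; d++ {
		if s := step + d; s >= 0 && subtle.ConstantTimeCompare([]byte(hotp(secret, uint64(s))), []byte(code)) == 1 {
			return true
		}
	}
	return false
}

// login is layer 1 on both sides; unknown user and wrong password give one error, so accounts cannot be enumerated.
func (g Gate) login(user, pw string) error {
	u, ok := g.Users[user]
	if !ok || subtle.ConstantTimeCompare(pwHash(u.Salt, pw), u.PwHash) != 1 {
		return errors.New("invalid username or password")
	}
	return nil
}

// SenderGate runs sender layers 1 (login) and 2 (device posture); it returns the layer that refused, or "" when the caller may go on to layer 3 (encrypt and send).
func (g Gate) SenderGate(user, pw string, p Posture) (string, error) {
	if err := g.login(user, pw); err != nil {
		return "login", err
	}
	if p.Compromised {
		return "posture", errors.New("device flagged as hacked or tampered")
	}
	if p.PatchLevel < g.MinPatch {
		return "posture", fmt.Errorf("patch level %d below baseline %d", p.PatchLevel, g.MinPatch)
	}
	return "", nil
}

// ReceiverGate runs receiver layers 1 (login) and 2 (2FA); "" means the caller may go on to layer 3 (decrypt with its private key).
func (g Gate) ReceiverGate(user, pw, code string, at time.Time) (string, error) {
	if err := g.login(user, pw); err != nil {
		return "login", err
	}
	if !VerifyTOTP(g.Users[user].TOTPSecret, code, at) {
		return "2fa", errors.New("invalid 2FA code")
	}
	return "", nil
}

// SampleGate is a constructed account table; both 2FA secrets are the RFC 6238 test secret.
func SampleGate() Gate {
	secret := []byte("12345678901234567890")
	mk := func(salt, pw string) User { return User{[]byte(salt), pwHash([]byte(salt), pw), secret} }
	return Gate{MinPatch: 42, Users: map[string]User{"dr_li": mk("salt-a", "correct horse battery"), "patient_wang": mk("salt-b", "staple-unicorn-7")}}
}
```

Layer 3 is deliberately outside these functions: the caller touches key material only when the gate returns an empty layer name, so a failure at login or posture never reaches the encryption or decryption step. The one-step skew window in VerifyTOTP is the usual trade-off between clock drift and replay exposure; a deployment should also reject a code that has already been accepted within its window.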
In the blockchain module, all transactions that occur are recorded on the blockchain, and role-based access control is formed. In addition, to ensure scalability and convenience of data storage and use, only hashes of the data are stored on the blockchain, while the actual data is stored off-chain in IPFS (a distributed file system and storage platform). Unlike plain cloud storage, this storage is decentralized and does not place all trust in a single node, which further ensures secure storage and secure access to the data.
Unlike the traditional blockchain, in which the consensus mechanism consumes a lot of time, the invention improves the blockchain with an eye to the real-time nature of medical record processing, specifically as follows:
1) optimizing the number of nodes: part of the nodes are selected to form a consensus group (LCG) that carries out the consensus operation, and, subject to a specified fault-tolerance target, the number of consensus nodes (CN) involved in transaction confirmation is optimized so that transactions reach consensus faster;
2) transaction splitting: when the transaction volume grows, only a subset of the consensus nodes, namely the consensus nodes in the consensus group (LCG), needs to verify a transaction, and block generation during transaction verification is divided into the generation of several small blocks, which reduces overhead.
To reduce transaction time while still considering fault tolerance, the invention proposes a new blockchain architecture. In the overall architecture, all nodes that can take part in transaction verification are called verification nodes (VN). Any node that wants to become a verification node must be confirmed by the other verification nodes, which vote together on whether to accept it. Verification nodes are divided by function into backup nodes (BN) and consensus nodes (CN). Other nodes that do not take part in transaction verification but can initiate a transaction are called clients. The consensus node is the core node of the blockchain and is responsible for confirming transactions and for packaging and generating blocks. The backup node is responsible for receiving transactions from clients and forwarding them to the consensus nodes, and also for monitoring and reporting any malicious behaviour of the consensus nodes.
The consensus mechanism (that is, the verification of a transaction) used by the blockchain in the invention performs the following steps:
Step A1: the client sends a transaction request to a BN;
Step A2: on receiving the request, the BN verifies the client's identity and timestamp; if authentication succeeds and the difference between the transaction timestamp and the latest block is less than the maximum block interval, it generates a new request message and sends it to the consensus group responsible for processing this transaction, which is determined by the system's transaction allocation rule;
Step A3: the nodes in the consensus group forward the request to the group's leader node. The leader verifies the transaction, confirms the BN's signature, and checks whether the transaction conflicts with other transactions in its "to-be-executed transaction pool"; if verification succeeds, the leader adds a sequence number and its signature to the transaction;
Step A4: the leader distributes the request message to all other nodes in the consensus group; each node verifies the leader's signature and the transaction's sequence number and, if they are correct, adds the request to its local "to-be-executed transaction pool" and sends an agreement message to all other nodes in the group;
Step A5: when the leader has received a sufficient number of agreement messages (at least (2f+1)/3, where f is the total number of nodes in the consensus group), it moves the request message out of its local to-be-executed transaction pool into the to-be-packed transaction pool;
Step A6: after a certain time, the leader of the LCG packs the transactions in its local to-be-packed pool and sends the packed transactions to the other nodes in the same group. If a node's verification of every transaction and of the block information contained in the block succeeds, it broadcasts an aggregate_block message; when the leader has received enough aggregate_block messages, all small blocks submitted by the LCGs are verified and packed, and the large block published on the blockchain is generated.
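Steps A1 to A5 as a single-group simulation, added here as an example in Go; it is not the patent's implementation. Signatures are ed25519; a transaction is identified by its sender and a nonce, so a repeat of that pair is what counts as a conflict; the maximum block interval of 60 seconds is a constructed value; the "system transaction allocation rule" (choice of group) is not modelled; and leader election, which the description does not cover, is replaced by taking the last node of the group. The quorum is the (2f+1)/3 of step A5 rounded up, with f the group size exactly as the text defines it. Step A6 (packing into small blocks) is left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

const MaxBlockInterval = 60 // seconds a transaction may trail the latest block (constructed value)

// Tx is a client transaction; Sender plus Nonce identify it, so a repeat of that pair is a conflict (assumed rule).
type Tx struct {
	Sender      ed25519.PublicKey
	Nonce, Time uint64
	Sig         []byte
}

func (t Tx) bytes() []byte { return []byte(fmt.Sprintf("%x|%d|%d", t.Sender, t.Nonce, t.Time)) }
func (t Tx) key() string   { return fmt.Sprintf("%x|%d", t.Sender, t.Nonce) }

func keypair() ed25519.PrivateKey                { _, k, _ := ed25519.GenerateKey(rand.Reader); return k }
func pub(k ed25519.PrivateKey) ed25519.PublicKey { return k.Public().(ed25519.PublicKey) }

// NewTx is step A1: the client signs a transaction and hands it to a backup node.
func NewTx(client ed25519.PrivateKey, nonce, now uint64) Tx {
	t := Tx{Sender: pub(client), Nonce: nonce, Time: now}
	t.Sig = ed25519.Sign(client, t.bytes())
	return t
}

// Request is what a backup node forwards to a consensus group; the leader fills Seq and LeaderSig in A3.
type Request struct {
	Tx        Tx
	BNSig     []byte
	Seq       uint64
	LeaderSig []byte
}

func (r Request) seqBytes() []byte { return append(r.Tx.bytes(), fmt.Sprintf("|%d", r.Seq)...) }

// BackupNode receives client transactions and forwards signed requests (the BN of the description).
type BackupNode struct{ priv ed25519.PrivateKey; LatestBlockTime uint64 }

// Accept is step A2: verify the client's identity (its signature) and timestamp, then sign a request.
func (b *BackupNode) Accept(t Tx) (Request, error) {
	if !ed25519.Verify(t.Sender, t.bytes(), t.Sig) { return Request{}, errors.New("A2: client signature invalid") }
	if t.Time < b.LatestBlockTime || t.Time-b.LatestBlockTime > MaxBlockInterval {
		return Request{}, errors.New("A2: timestamp outside the maximum block interval")
	}
	return Request{Tx: t, BNSig: ed25519.Sign(b.priv, t.bytes())}, nil
}

// Node is a consensus-group member; a faulty one neither verifies nor votes; seq is the last number it accepted.
type Node struct{ priv ed25519.PrivateKey; honest bool; seq uint64 }

// Group is one consensus group (LCG). Leader election is not described; the last node leads.
type Group struct {
	Nodes   []*Node
	bn      ed25519.PublicKey // the backup node this group accepts requests from
	nextSeq uint64
	seen    map[string]bool // to-be-executed and to-be-packed transactions, for the A3 conflict check
	ToPack  []Request
}

func NewGroup(size, faulty int, bn *BackupNode) *Group {
	g := &Group{bn: pub(bn.priv), seen: map[string]bool{}}
	for i := 0; i < size; i++ { // faulty nodes first, so the leader (last) is honest
		g.Nodes = append(g.Nodes, &Node{priv: keypair(), honest: i >= faulty})
	}
	return g
}

func (g *Group) leader() *Node { return g.Nodes[len(g.Nodes)-1] }

// Threshold is the A5 quorum: at least (2f+1)/3 agreement messages for a group of f nodes, rounded up.
func (g *Group) Threshold() int { return (2*len(g.Nodes) + 3) / 3 }

// Submit runs steps A3 to A5 for one request.
func (g *Group) Submit(r Request) error {
	// A3: the leader checks the backup node's signature and looks for a conflicting pooled transaction
	if !ed25519.Verify(g.bn, r.Tx.bytes(), r.BNSig) {
		return errors.New("A3: backup node signature invalid")
	}
	if g.seen[r.Tx.key()] {
		return errors.New("A3: conflicts with a transaction already in the pool")
	}
	g.nextSeq++
	r.Seq, g.seen[r.Tx.key()] = g.nextSeq, true
	r.LeaderSig = ed25519.Sign(g.leader().priv, r.seqBytes())
	// A4: each member checks the leader's signature and that Seq is the next one it expects, then votes
	agree := 0
	for _, n := range g.Nodes {
		if n.honest && r.Seq == n.seq+1 && ed25519.Verify(pub(g.leader().priv), r.seqBytes(), r.LeaderSig) {
			n.seq, agree = r.Seq, agree+1
		}
	}
	// A5: only a quorum of agreement messages moves the request into the to-be-packed pool
	if agree < g.Threshold() {
		return fmt.Errorf("A5: %d of %d agreements, need %d", agree, len(g.Nodes), g.Threshold())
	}
	g.ToPack = append(g.ToPack, r)
	return nil
}
```

A group of four with one faulty member needs three agreement messages and succeeds; with two faulty members only two honest votes arrive and the request stays in the to-be-executed pool. Note that the threshold as the text states it takes f to be the group size, whereas in PBFT-style protocols f usually denotes the number of tolerated faulty nodes; a practitioner sizing a group should confirm which reading is intended, since the two give different fault tolerance for the same quorum.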
In addition, the whole blockchain module is tied closely to the data transmission transaction between the sender and the receiver of the data. As shown in fig. 2, the header of each block consists of the hash of the previous block, the sender's address, the receiver's address, the symmetric key, and the ipfshash (the hash IPFS generates when the medical record is uploaded). The whole call proceeds as follows:
Step B1: the sender requests to upload data and, in doing so, requests to call the smart contract on the chain;
Step B2: the blockchain verifies the sender requesting the call and checks whether it is a node allowed to take part in the blockchain network; if so, the call is approved;
Step B3: the sender creates a block as prompted and adds it to the blockchain;
Step B4: once the sender has added the block to the blockchain, the receiver can retrieve and view the data.
The invention designs and realizes a medical record sharing system based on the zero trust principle and blockchain technology. In terms of the blockchain functions for medical records, the main functions are publishing, storing and sharing medical data, described as follows:
Publishing medical data. When a patient visits, the doctor generates a medical record or examination report for the patient. When generating the medical data, the doctor generates a digest and hash of the data and, after logging in with the issuer's private key, publishes it to the blockchain. At the same time, the medical data is encrypted with a symmetric key, and that key is encrypted with the patient's public key. Both are sent to the patient.
Storing medical data. On receiving the data from the medical institution, the patient verifies the institution's signature, then uses the patient's private key to decrypt the medical data encryption key, the original medical data and the signature, and generates a new encryption key under which the medical data and its signature are stored in cloud storage.
Sharing medical data. The right to use the medical data is entirely under the user's control: through the access control mechanism, the patient can authorize a third-party institution to access part of the patient's medical data and can revoke the authorization at any time. The location of the shared record in cloud storage, the usage rights, the validity period and the decryption key for the third-party institution are written to the medical blockchain, and the cloud storage management can set an access control policy.
The invention has the beneficial effects that:
the invention provides a medical record sharing method and system based on a zero trust principle and a block chain technology, which can ensure the safety and the integrity of data by using the record and the audit of each transaction in data storage and transmission by using the block chain technology and utilizing the indechangeability of the block chain, carry out safety attachment based on the zero trust principle, ensure that the medical record data is encrypted, and only a user and equipment which are authenticated can interact with a network.
Drawings
Fig. 1 is a schematic diagram of the three-level security layer division under the zero trust principle in the method of the invention.
Fig. 2 is the blockchain design diagram of the method of the invention.
Fig. 3 is a block diagram of the overall flow of the method of the invention.
Detailed Description
The invention will be further described, by way of example, with reference to the accompanying drawings, without in any way limiting the scope of the invention.
Fig. 3 shows the workflow of the proposed method. A distributed medical record sharing system was developed according to the designed model: the blockchain ensures the distribution and immutability of the data, and the zero trust principle is used for access control and authorization. The complete steps from sending to receiving data are as follows:
Step one: sending a request. After the sender has passed the first two layers of security verification (login and client environment security check), the smart contract on the blockchain checks the sender's authorized role and permissions; if the check passes, the request is processed and the sender can send the file;
Step two: sending the file. The file is encrypted with a symmetric key and stored in IPFS (a distributed file system and storage platform); a hash of the file, called the ipfshash, is generated immediately and denotes the file's location in IPFS;
Step three: sending the ipfshash. The ipfshash generated in step two is digitally signed with the sender's private key, then encrypted with the receiver's public key, and a block is created on the blockchain as shown in fig. 2;
Step four: requesting the file. After the receiver has passed the first two layers of security verification (password login and 2FA two-factor authentication), the smart contract on the blockchain verifies the receiver's authorized role and permissions; if verification passes, the receiver can make the file retrieval request;
Step five: retrieving the ipfshash. If the receiver presents the correct private key, the ipfshash retrieved from the blockchain is decrypted and its signature is then verified with the sender's public key;
Step six: receiving the file. The encrypted file is retrieved from IPFS by its ipfshash and decrypted with the symmetric key; if decryption succeeds, the user can view the requested file on the terminal device.
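The sender and receiver flow (steps one to six above, and the contract calls B1 to B4 with the fig. 2 header), as an added end-to-end example in Go; it is not the patent's code. IPFS is replaced by an in-memory content-addressed map, the symmetric cipher is AES-256-GCM, the sender's signature is ed25519 and "encrypt with the receiver's public key" is RSA-OAEP; the description names none of these, so they are assumptions. The description lists the symmetric key as a header field without saying how it is protected; here it is stored only wrapped to the receiver's public key, because a plaintext key on a ledger that every verification node records and audits would undo the file encryption. The smart contract's role check (step one, B2) is not part of this block.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"io"
)

// Store stands in for IPFS: content-addressed, so the key (the "ipfshash") is the hash of the bytes.
type Store map[string][]byte

func (s Store) Add(b []byte) string { h := sha256.Sum256(b); id := hex.EncodeToString(h[:]); s[id] = b; return id }

// Party holds a signing key pair (step three signs, step five verifies) and an RSA pair (step three wraps to the receiver's public key, step five unwraps with its private key).
type Party struct {
	sign ed25519.PrivateKey
	enc  *rsa.PrivateKey
}

func NewParty() *Party {
	_, sk, _ := ed25519.GenerateKey(rand.Reader)
	ek, _ := rsa.GenerateKey(rand.Reader, 2048)
	return &Party{sk, ek}
}

func (p *Party) SignPub() ed25519.PublicKey { return p.sign.Public().(ed25519.PublicKey) }
func (p *Party) EncPub() *rsa.PublicKey     { return &p.enc.PublicKey }

// Block models the fig. 2 header: previous hash, sender, receiver, symmetric key, ipfshash. The key and the
// signed ipfshash are stored only RSA-OAEP-wrapped to the receiver; a plaintext key on the ledger would undo the file encryption.
type Block struct {
	PrevHash   string
	Sender     ed25519.PublicKey
	Receiver   *rsa.PublicKey
	WrappedKey []byte // OAEP(receiver, AES-256 key)
	Envelope   []byte // OAEP(receiver, ipfshash || ed25519 signature over ipfshash)
}

func (b Block) Hash() string {
	h := sha256.Sum256(append(append(append([]byte(b.PrevHash), b.Sender...), b.WrappedKey...), b.Envelope...))
	return hex.EncodeToString(h[:])
}

type Chain struct{ Blocks []Block }

func (c *Chain) tip() string { if n := len(c.Blocks); n > 0 { return c.Blocks[n-1].Hash() }; return "" }

func oaep(pub *rsa.PublicKey, m []byte) ([]byte, error) { return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, m, nil) }

// Send is steps one to three (B1 to B3): encrypt the record under a fresh symmetric key, store it, sign the ipfshash, wrap key and signed hash for the receiver, append a block.
func (p *Party) Send(c *Chain, s Store, to *rsa.PublicKey, record []byte) (Block, error) {
	seed := make([]byte, 44) // 32-byte AES-256 key followed by a 12-byte GCM nonce
	if _, err := io.ReadFull(rand.Reader, seed); err != nil {
		return Block{}, err
	}
	key, nonce := seed[:32], seed[32:]
	blk, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(blk)
	ct := gcm.Seal(append([]byte{}, nonce...), nonce, record, nil) // nonce || ciphertext || tag
	ipfshash := s.Add(ct)
	sig := ed25519.Sign(p.sign, []byte(ipfshash))
	wrapped, err := oaep(to, key)
	env, err2 := oaep(to, append([]byte(ipfshash), sig...))
	if err != nil || err2 != nil {
		return Block{}, errors.New("wrapping for the receiver failed")
	}
	b := Block{PrevHash: c.tip(), Sender: p.SignPub(), Receiver: to, WrappedKey: wrapped, Envelope: env}
	c.Blocks = append(c.Blocks, b)
	return b, nil
}

// Receive is steps five and six (B4): unwrap with the receiver's private key, verify the sender's signature over the ipfshash, fetch the object, check it still matches its hash, then decrypt.
func (p *Party) Receive(b Block, s Store) ([]byte, error) {
	env, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, p.enc, b.Envelope, nil)
	if err != nil || len(env) != 64+ed25519.SignatureSize {
		return nil, errors.New("step five: not the intended receiver or malformed envelope")
	}
	ipfshash, sig := string(env[:64]), env[64:]
	if !ed25519.Verify(b.Sender, []byte(ipfshash), sig) {
		return nil, errors.New("step five: sender signature invalid")
	}
	ct, ok := s[ipfshash]
	if sum := sha256.Sum256(ct); !ok || len(ct) < 12 || hex.EncodeToString(sum[:]) != ipfshash {
		return nil, errors.New("step six: object missing or does not match its hash")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, p.enc, b.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("step six: key unwrap failed")
	}
	blk, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(blk)
	return gcm.Open(nil, ct[:12], ct[12:], nil)
}
```

Receive refuses in the order the text gives: a party without the matching private key fails at step five, a block whose sender field does not match the signature fails at step five, and a stored object whose bytes no longer hash to the ipfshash fails at step six before any decryption is attempted, which is the property the content-addressed store buys.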
In an implementation, the blockchain provides permissioned accounts for on-chain data operations and requests; the private and public keys of these accounts are used for encryption and decryption. The system also connects to an IPFS node instance through an API for uploading medical record data.
The smart contract on the blockchain includes the following role-based functions:
(1) Adding roles: this function, which only the administrator can call, registers users (patients and medical technicians) and gives them the corresponding permissions. Its pseudo-code is as follows:
(pseudo-code shown only as a figure in the original)
(2) Sending: takes the encrypted ipfshash and the recipient's address as parameters and adds the new data to the sender's data group. The pseudo-code for sending an ipfshash to a patient is as follows:
(pseudo-code shown only as figures in the original)
(3) Getting: takes the data index as a parameter and returns the corresponding encrypted ipfshash sent by the medical technician. Its pseudo-code is as follows:
(pseudo-code shown only as a figure in the original)
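The three contract functions modelled in Go as an added example; this is not the patent's pseudo-code, which the original shows only as figures. Account addresses are plain strings, the administrator is fixed when the contract is created, and the rule that a sender must be a registered medical technician and a recipient a registered patient is an assumption drawn from the two roles the description names; the description does not say who may read a stored entry, so Get here answers only the recipient and the sender.

```go
package main

import (
	"errors"
	"fmt"
)

type Role int

const (
	RoleNone Role = iota
	RolePatient
	RoleMedicalTechnician
)

// Record is one entry in a sender's data group: who sent it, who may read it, and the encrypted ipfshash.
type Record struct {
	From, To string // account addresses (plain strings here)
	EncHash  []byte // ipfshash already encrypted for To
}

// Contract models the three role-based functions the description lists: addRole, send and get.
type Contract struct {
	Admin   string
	roles   map[string]Role
	records []Record         // global index space that Get looks up
	groups  map[string][]int // sender address -> indexes of its data group
}

func NewContract(admin string) *Contract {
	return &Contract{Admin: admin, roles: map[string]Role{}, groups: map[string][]int{}}
}

// AddRole registers a patient or medical technician; only the administrator may call it.
func (c *Contract) AddRole(caller, addr string, r Role) error {
	if caller != c.Admin {
		return errors.New("addRole: caller is not the administrator")
	}
	if r != RolePatient && r != RoleMedicalTechnician {
		return errors.New("addRole: unknown role")
	}
	c.roles[addr] = r
	return nil
}

// Send appends an encrypted ipfshash to the caller's data group and returns its index. The caller must be
// a registered medical technician and the recipient a registered patient (assumed from the roles named).
func (c *Contract) Send(caller, to string, encHash []byte) (int, error) {
	if c.roles[caller] != RoleMedicalTechnician {
		return -1, errors.New("send: caller is not a registered medical technician")
	}
	if c.roles[to] != RolePatient {
		return -1, errors.New("send: recipient is not a registered patient")
	}
	c.records = append(c.records, Record{From: caller, To: to, EncHash: append([]byte{}, encHash...)})
	idx := len(c.records) - 1
	c.groups[caller] = append(c.groups[caller], idx)
	return idx, nil
}

// Get returns the encrypted ipfshash at index, but only to the patient it was sent to or to the
// technician who sent it; anyone else gets the same error as an out-of-range index.
func (c *Contract) Get(caller string, index int) ([]byte, error) {
	if index < 0 || index >= len(c.records) || (c.records[index].To != caller && c.records[index].From != caller) {
		return nil, fmt.Errorf("get: no record %d for %s", index, caller)
	}
	return c.records[index].EncHash, nil
}

// DataGroup lists the record indexes a sender has added.
func (c *Contract) DataGroup(sender string) []int { return c.groups[sender] }
```

Get returns one error for "no such index" and "not yours", so a caller cannot probe the index space to learn how many records exist or who they belong to; the ipfshash it returns is still encrypted for the recipient, so even a logic slip here exposes a ciphertext rather than a file location.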

Claims (7)

1. A medical record sharing method for publishing, storing and sharing medical data based on the zero trust principle and blockchain technology, characterized in that data is sent and received through a three-level security layer design based on the zero trust principle, all transactions that occur are recorded on the basis of blockchain technology, and role-based access control is formed; on the basis of the zero trust principle, the sender is given three security layers of login, environmental security risk check and encryption, and the receiver three security layers of login, 2FA two-factor authentication and decryption; only the hash of the data is stored on the blockchain, while the actual data is stored off-chain in IPFS, ensuring secure storage and secure access to the data; and the blockchain is improved as follows: 1) optimizing the number of nodes: part of the nodes are selected to form a consensus group that carries out the consensus operation, and, subject to a specified fault-tolerance target, the number of consensus nodes involved in transaction confirmation is optimized so that transactions reach consensus faster; 2) transaction splitting: when the transaction volume grows, only a subset of the consensus nodes, namely the consensus nodes in the consensus group, needs to verify a transaction, and block generation during transaction verification is divided into the generation of several small blocks, which reduces overhead.
2. The medical record sharing method of claim 1, wherein:
the sender is given the following three layers of security assurance: the first layer provides the outermost security assurance through login, authenticating the data sender's identity on the terminal device with login credentials comprising a username and password; the second layer performs an environmental security risk check, which includes verifying the security and reliability of the sender's device before data is sent by determining whether the device and client carry the latest security patches and preventive measures; and the third layer sends the data after encrypting it: once the sender has passed the first two layers of security verification, the data to be sent is encrypted with the receiver's public key;
and the receiver, when accessing data through a web page or an application programming interface, is given the following three layers of security assurance: the first layer provides the outermost security assurance through login and authenticates the receiver's identity; the second layer performs 2FA two-factor authentication; and the third layer decrypts the received data: after the first two layers of security verification are complete, the receiver decrypts the data with its private key.
3. The medical record sharing method according to claim 1, wherein in the blockchain architecture all nodes that can participate in transaction verification are called verification nodes, and any node that wants to become a verification node must be confirmed by the other verification nodes; nodes that do not participate in transaction verification but can initiate a transaction are called clients; all verification nodes are divided by function into backup nodes and consensus nodes; the consensus nodes are the core nodes of the blockchain and are responsible for confirming transactions in the blockchain and for packaging and generating blocks; the backup nodes are responsible for receiving transactions from clients and forwarding them to the consensus nodes, and for monitoring and reporting any malicious behaviour of the consensus nodes.
4. The medical record sharing method according to claim 3, wherein the consensus mechanism used by the blockchain performs the following steps:
step A1, the client sends a transaction request to a backup node;
step A2, after receiving the client's request, the backup node verifies the identity and the timestamp of the client; if authentication succeeds and the difference between the transaction timestamp and the latest block is less than the maximum block interval, it generates a new request message and sends it to the one of the consensus groups that is responsible for processing the transaction;
step A3, the node in the consensus group that receives the request forwards it to the leader node of the group; the leader verifies the transaction, confirms the backup node's signature, and determines whether the transaction conflicts with other transactions in the "to-be-executed transaction pool"; if verification succeeds, the leader adds a number and its signature to the transaction;
step A4, the leader distributes the request message to all other nodes in the consensus group; each node in the consensus group verifies the leader's signature and the transaction number, and if they are correct, adds the request to its local "to-be-executed transaction pool" and sends an agreement message to all other nodes in the consensus group;
step A5, when the leader has received a sufficient number of agreement messages, it moves the request message out of the local to-be-executed transaction pool and into the to-be-packaged transaction pool;
step A6, after a certain time, the leader of the consensus group packages the transactions in its local to-be-packaged transaction pool and sends the packaged block to the other nodes in the same consensus group; if a node's verification of the block, that is, of each transaction and of the block information it contains, succeeds, the node broadcasts an aggregate_block message; when the leader has received enough aggregate_block messages, all small blocks submitted by the consensus groups are verified and packaged, and a large block that is published on the blockchain is generated.
5. The medical record sharing method according to claim 4, wherein in step A5, with f denoting the total number of nodes in the consensus group, when the leader has received a number of agreement messages greater than or equal to (2f+1)/3, it moves the request message out of the local to-be-executed transaction pool and into the to-be-packaged transaction pool.
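As an added illustration of steps A3 to A5 and of the threshold in claim 5 (example code written for this page, not the patent's own implementation): the leader of a consensus group confirms the backup node's signature, rejects a request that conflicts with its pending pool, numbers and signs the request, and moves it into the to-be-packaged pool once agreement messages from at least (2f+1)/3 nodes have arrived. Ed25519 signatures, the `|`-joined message encoding, the `RecordKey` conflict rule (two pending transactions on the same record key conflict) and the node and transaction names are assumptions; the claims do not define what makes two transactions conflict.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Request is what a backup node forwards into the consensus group after step A2
// (field names and the RecordKey conflict rule are assumptions of this example).
type Request struct {
	TxID      string            // transaction identifier
	RecordKey string            // two pending transactions on the same key conflict
	BackupPub ed25519.PublicKey // backup node that forwarded the request
	BackupSig []byte            // backup node's signature over RequestBytes
}

// Numbered is a request after step A3: the leader appended a number and its signature.
type Numbered struct {
	Request
	Seq       uint64
	LeaderSig []byte
}

// Leader keeps the two local pools named in claims 4 and 5.
type Leader struct {
	priv      ed25519.PrivateKey
	GroupSize int                        // f in claim 5: total nodes in the consensus group
	nextSeq   uint64                     // last number handed out
	pending   map[string]Numbered        // "to-be-executed transaction pool", by TxID
	toPack    []Numbered                 // "to-be-packaged transaction pool"
	agreed    map[string]map[string]bool // TxID -> ids of nodes whose agreement arrived
}

func NewLeader(priv ed25519.PrivateKey, groupSize int) *Leader {
	return &Leader{priv: priv, GroupSize: groupSize, pending: map[string]Numbered{}, agreed: map[string]map[string]bool{}}
}

// RequestBytes is the byte string the backup node signs.
func RequestBytes(txID, key string) []byte { return []byte(txID + "|" + key) }

// numberedBytes is the byte string the leader signs: the request plus its number.
func numberedBytes(txID, key string, seq uint64) []byte {
	b := make([]byte, 8)
	binary.BigEndian.PutUint64(b, seq)
	return append(RequestBytes(txID, key), b...)
}

// Threshold is the smallest integer count that is >= (2f+1)/3, the bound of claim 5.
func Threshold(f int) int { return (2*f + 3) / 3 }

// Accept is the leader's part of step A3: confirm the backup node's signature,
// reject a conflict with the pending pool, then number and sign the request.
func (l *Leader) Accept(r Request) (Numbered, error) {
	if !ed25519.Verify(r.BackupPub, RequestBytes(r.TxID, r.RecordKey), r.BackupSig) {
		return Numbered{}, errors.New("backup-node signature does not verify")
	}
	for _, p := range l.pending {
		if p.RecordKey == r.RecordKey {
			return Numbered{}, errors.New("conflicts with pending transaction " + p.TxID)
		}
	}
	l.nextSeq++
	n := Numbered{Request: r, Seq: l.nextSeq}
	n.LeaderSig = ed25519.Sign(l.priv, numberedBytes(r.TxID, r.RecordKey, n.Seq))
	l.pending[r.TxID] = n
	l.agreed[r.TxID] = map[string]bool{}
	return n, nil
}

// VerifyNumbered is a follower's check in step A4: leader signature and expected number.
func VerifyNumbered(leaderPub ed25519.PublicKey, n Numbered, expectSeq uint64) bool {
	return n.Seq == expectSeq &&
		ed25519.Verify(leaderPub, numberedBytes(n.TxID, n.RecordKey, n.Seq), n.LeaderSig)
}

// Agree records one agreement message (step A5); repeats from one node count once.
// At (2f+1)/3 agreements the request moves to the to-be-packaged pool and true is returned.
func (l *Leader) Agree(txID, nodeID string) bool {
	votes, ok := l.agreed[txID]
	if !ok {
		return false // unknown, or already moved out of the pending pool
	}
	votes[nodeID] = true
	if 3*len(votes) < 2*l.GroupSize+1 {
		return false
	}
	l.toPack = append(l.toPack, l.pending[txID])
	delete(l.pending, txID)
	delete(l.agreed, txID)
	return true
}

func main() {
	bPub, bPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, lPriv, _ := ed25519.GenerateKey(rand.Reader)
	leader := NewLeader(lPriv, 4) // constructed: a consensus group of f=4 nodes
	req := Request{TxID: "tx-1", RecordKey: "record-0001", BackupPub: bPub}
	req.BackupSig = ed25519.Sign(bPriv, RequestBytes(req.TxID, req.RecordKey))
	n, _ := leader.Accept(req)
	for _, node := range []string{"n1", "n2", "n3"} { // third agreement reaches Threshold(4) = 3
		fmt.Println(node, "agreed; moved to to-be-packaged pool:", leader.Agree(n.TxID, node))
	}
}
```

With f=4 the request moves on the third distinct agreement, since 3 is the smallest integer not below (2·4+1)/3. Agreement messages are keyed by node id, so a node repeating its message does not raise the count, and once a request has left the pending pool further agreements for it are ignored rather than re-queued.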
6. The medical record sharing method according to claim 1, wherein the block header of each block in the blockchain consists of the hash of the previous block, the sender's address, the receiver's address, the symmetric key and the ipfshash, and the whole calling process performs the following steps:
step B1, the sender requests to upload data, which at this point is a request to call the smart contract on the chain;
step B2, the blockchain verifies the sender requesting to call the contract and judges whether the sender is a node allowed to participate in the blockchain network; if so, the call is approved;
step B3, the sender creates a block as prompted and adds it to the blockchain;
step B4, after the sender has successfully added the block to the blockchain, the receiver can retrieve and view the data.
7. The medical record sharing method according to claim 6, wherein the data passes from sending to receiving through the following steps:
step one: sending a request; after the sender has passed the two layers of security verification, login and environmental security risk check, the smart contract on the blockchain checks the sender's authorized role and authorization, and if they are present the request is processed and the sender can send the file;
step two: sending the file; the file is encrypted with a symmetric key and the encrypted file is stored in IPFS, which generates a hash of the file in real time; this hash is called the ipfshash and represents the file's location in IPFS;
step three: sending the ipfshash; the ipfshash generated in step two is digitally signed with the sender's private key, encrypted with the receiver's public key, and a block is created in the blockchain;
step four: requesting the file; after the receiver has passed the two layers of security verification, login and 2FA two-factor authentication, the smart contract on the blockchain verifies the receiver's authorized role and authority, and if verification passes the receiver can make the file retrieval request;
step five: retrieving the ipfshash; if the file request sent by the receiver contains the correct private key, the ipfshash retrieved from the blockchain is decrypted and then verified with the sender's public key;
step six: receiving the file; the encrypted file is retrieved from IPFS with the help of the ipfshash and then decrypted with the symmetric key; if decryption succeeds, the user can view the requested file on the terminal device.
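The send and receive path of steps two, three, five and six, as an added example written for this page (not the patent's code): AES-256-GCM stands in for the symmetric cipher, the hex SHA-256 of the stored bytes stands in for the ipfshash, Ed25519 for the sender's signature and RSA-OAEP for encryption under the receiver's public key; the in-memory `fakeIPFS` map, the `Block` field names and the `ipfshash|key` envelope layout are assumptions. The claims do not say how the symmetric key reaches the receiver, so the example seals it together with the ipfshash under the receiver's public key rather than writing it in clear into the block header, since a key readable by every node would undo the file encryption of step two.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"io"
)

// fakeIPFS stands in for the off-chain store: content addressed by the hex SHA-256
// of the stored bytes (assumption; a real IPFS CID is a multihash of the content).
type fakeIPFS map[string][]byte

func (s fakeIPFS) Add(data []byte) string {
	sum := sha256.Sum256(data)
	id := hex.EncodeToString(sum[:])
	s[id] = data
	return id
}

// Block holds the header fields of claim 6 that the flow of claim 7 fills in. The
// symmetric key is sealed with the ipfshash under the receiver's public key
// (assumption), so neither is readable on-chain.
type Block struct {
	PrevHash  string
	Sender    string
	Receiver  string
	Envelope  []byte // RSA-OAEP ciphertext of "ipfshash|key"
	Signature []byte // sender's Ed25519 signature over the ipfshash (step three)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(blk)
}

// Send performs steps two and three: encrypt the file with a fresh AES-256-GCM key,
// store the ciphertext in IPFS, sign the ipfshash, seal ipfshash and key for the receiver.
func Send(store fakeIPFS, prevHash, sender, receiver string, file []byte,
	senderPriv ed25519.PrivateKey, receiverPub *rsa.PublicKey) (Block, error) {
	buf := make([]byte, 32+12) // AES-256 key followed by a 96-bit GCM nonce
	if _, err := io.ReadFull(rand.Reader, buf); err != nil {
		return Block{}, err
	}
	key, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(key)
	if err != nil {
		return Block{}, err
	}
	ciphertext := gcm.Seal(nonce, nonce, file, nil) // nonce prepended to the ciphertext
	ipfsHash := store.Add(ciphertext)
	sig := ed25519.Sign(senderPriv, []byte(ipfsHash))
	env, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, receiverPub, append([]byte(ipfsHash+"|"), key...), nil)
	if err != nil {
		return Block{}, err
	}
	return Block{PrevHash: prevHash, Sender: sender, Receiver: receiver, Envelope: env, Signature: sig}, nil
}

// Receive performs steps five and six: open the envelope with the receiver's private key,
// verify the sender's signature on the ipfshash, fetch and check the file, then decrypt it.
func Receive(store fakeIPFS, b Block, receiverPriv *rsa.PrivateKey, senderPub ed25519.PublicKey) ([]byte, error) {
	plain, err := rsa.DecryptOAEP(sha256.New(), nil, receiverPriv, b.Envelope, nil)
	if err != nil {
		return nil, errors.New("envelope does not open: wrong receiver private key")
	}
	sep := bytes.IndexByte(plain, '|')
	if sep < 0 {
		return nil, errors.New("malformed envelope")
	}
	ipfsHash, key := string(plain[:sep]), plain[sep+1:]
	if !ed25519.Verify(senderPub, []byte(ipfsHash), b.Signature) {
		return nil, errors.New("ipfshash signature does not verify against the sender's public key")
	}
	ciphertext, ok := store[ipfsHash]
	if !ok {
		return nil, errors.New("file not found in IPFS")
	}
	if sum := sha256.Sum256(ciphertext); hex.EncodeToString(sum[:]) != ipfsHash {
		return nil, errors.New("stored content does not match its ipfshash")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if ns := gcm.NonceSize(); len(ciphertext) >= ns {
		return gcm.Open(nil, ciphertext[:ns], ciphertext[ns:], nil)
	}
	return nil, errors.New("ciphertext too short")
}
```

Calling `Send` with a freshly generated Ed25519 sender key and RSA receiver key and then `Receive` with the matching private keys round-trips the record; only ciphertext ever reaches the store. `Receive` fails closed at each of the claim's checks: a wrong receiver private key cannot open the envelope (step five), a signature that does not verify against the sender's public key rejects the ipfshash, content whose SHA-256 no longer matches its address is refused before decryption, and GCM's authentication tag is the final integrity check on the file itself.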

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210206248.8A CN114567491A (en) 2022-03-03 2022-03-03 Medical record sharing method and system based on zero trust principle and block chain technology

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210206248.8A CN114567491A (en) 2022-03-03 2022-03-03 Medical record sharing method and system based on zero trust principle and block chain technology

Publications (1)

Publication Number Publication Date
CN114567491A true CN114567491A (en) 2022-05-31

Family

ID=81718253

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210206248.8A Pending CN114567491A (en) 2022-03-03 2022-03-03 Medical record sharing method and system based on zero trust principle and block chain technology

Country Status (1)

Country Link
CN (1) CN114567491A (en)

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111400401A (en) * 2020-03-12 2020-07-10 江苏荣泽信息科技股份有限公司 Electronic medical record storage system based on block chain
CN112910840A (en) * 2021-01-14 2021-06-04 重庆邮电大学 Medical data storage and sharing method and system based on alliance blockchain

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
Du, Mingxiao, et al.: "An optimized consortium blockchain for medical information sharing." IEEE Transactions on Engineering Management *
Du, Mingxiao, Qijun Chen, and Xiaofeng Ma: "MBFT: A new consensus algorithm for consortium blockchain." IEEE Access *
Sultana, Maliha, et al.: "Towards developing a secure medical image sharing system based on zero trust principles and blockchain technology." BMC Medical Informatics and Decision Making *

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116389012A (en) * 2023-05-29 2023-07-04 国家卫生健康委统计信息中心 Medical health data trusted sharing method based on blockchain
CN116389012B (en) * 2023-05-29 2023-09-15 国家卫生健康委统计信息中心 Medical health data trusted sharing method based on blockchain
CN116884556A (en) * 2023-09-07 2023-10-13 徐州医科大学 Medical data safety sharing platform based on inline block chain
CN116884556B (en) * 2023-09-07 2024-01-12 苏州慧睿康智能科技有限公司 Medical data safety sharing platform based on inline block chain

Similar Documents

Publication Publication Date Title
US11496310B2 (en) Methods and systems for universal storage and access to user-owned credentials for trans-institutional digital authentication
US11025435B2 (en) System and method for blockchain-based cross-entity authentication
US11533164B2 (en) System and method for blockchain-based cross-entity authentication
Cai et al. Enabling reliable keyword search in encrypted decentralized storage with fairness
CN108418680B (en) Block chain key recovery method and medium based on secure multi-party computing technology
US8196186B2 (en) Security architecture for peer-to-peer storage system
CN112311735B (en) Credible authentication method, network equipment, system and storage medium
CN110771120B (en) System and method for blockchain based authentication
CN110914851A (en) Improving integrity of communications between blockchain networks and external data sources
CN114172735A (en) Double-chain mixed block chain data sharing method and system based on intelligent contract
CN109728903B (en) Block chain weak center password authorization method using attribute password
Zhong et al. Distributed blockchain-based authentication and authorization protocol for smart grid
CN111010430B (en) Cloud computing security data sharing method based on double-chain structure
CN114329529A (en) Asset data management method and system based on block chain
CN114567491A (en) Medical record sharing method and system based on zero trust principle and block chain technology
CN109309645A (en) A kind of software distribution security guard method
CN107347073B (en) A kind of resource information processing method
JP2004104750A (en) Verify method of digital signature
Yang et al. An access control model based on blockchain master-sidechain collaboration
CN113302612B (en) Computer implementation method, system and device for cross-chain and cross-network data transmission
CN113271207A (en) Escrow key using method and system based on mobile electronic signature, computer equipment and storage medium
CN113597608A (en) Trusted platform based on block chain
CN114124392B (en) Data controlled circulation method, system, device and medium supporting access control
CN114329395A (en) Supply chain financial privacy protection method and system based on block chain
Lyu et al. JRS: A joint regulating scheme for secretly shared content based on blockchain

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20220531