CN115270190A - Hospital data privacy protection method and device - Google Patents


Info

Publication number
CN115270190A
CN115270190A
Authority
CN
China
Prior art keywords
data
privacy
data set
hospital
information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211027781.4A
Other languages
Chinese (zh)
Inventor
于广军
马诗诗
王志刚
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shanghai Palline Data Technology Co ltd
SHANGHAI CHILDREN'S HOSPITAL
Original Assignee
Shanghai Palline Data Technology Co ltd
SHANGHAI CHILDREN'S HOSPITAL
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shanghai Palline Data Technology Co ltd and SHANGHAI CHILDREN'S HOSPITAL
Priority to CN202211027781.4A
Publication of CN115270190A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • G06F21/6254 Protecting personal data, e.g. for financial or medical purposes, by anonymising data, e.g. decorrelating personal data from the owner's identification
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G16 INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
    • G16H HEALTHCARE INFORMATICS, i.e. INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR THE HANDLING OR PROCESSING OF MEDICAL OR HEALTHCARE DATA
    • G16H10/00 ICT specially adapted for the handling or processing of patient-related medical or healthcare data
    • G16H10/60 ICT specially adapted for the handling or processing of patient-related medical or healthcare data for patient-specific data, e.g. for electronic patient records


Abstract

The invention relates to the technical field of medical data privacy processing, in particular to a method and a device for protecting hospital data privacy. The method comprises the following steps: S1, selecting and marking the privacy data in the medical data to be shared, and marking the identifiers, special disease categories and special patient identities in that privacy data; S2, grouping the marked data by use scenario into a public data set, a limited data set and an identifiable data set; S3, applying privacy protection processing of different degrees to the public data set, the limited data set and the identifiable data set respectively; and S4, applying the processed public, limited and identifiable data sets to their different use scenarios. The method and device de-identify database data separately for each application scenario, so that the possibility of data privacy disclosure is effectively reduced, the usable value of the shared data is preserved, and the safety and operability of data sharing applications are improved.

Description

Hospital data privacy protection method and device
Technical Field
The invention relates to the technical field of medical data privacy processing, in particular to a method and a device for protecting hospital data privacy.
Background
Medical data sharing has huge application value, and health and medical data held by regional health information platforms are gradually being opened up and shared.
However, these data concern the individual privacy of patients and the public interest, and therefore require special privacy protection. In particular, with the promulgation of the Personal Information Protection Law, higher requirements are placed on the processing and use of personal information.
Current processing of medical data does not consider the balance between data privacy protection and data sharing. Chinese patent No. CN201910522671.7 proposes a medical data processing method, apparatus and system in which received medical data are processed by the medical data processing model component of the apparatus that corresponds to that data, so as to obtain the corresponding medical diagnosis information. That invention can obtain diagnosis information from medical data while keeping the data private, but does not disclose how the medical data are to be shared.
Therefore, how to balance medical data sharing applications against effective data privacy protection is an urgent problem to be solved.
Disclosure of Invention
The invention aims to provide a hospital data privacy protection method and device that solve the prior-art problem that a balance between medical data sharing applications and effective data privacy protection is difficult to achieve.
In order to achieve the above object, the present invention provides a method for protecting the privacy of hospital data, comprising the following steps:
S1, selecting and marking the privacy data in the medical data to be shared, and marking the identifiers, special disease categories and special patient identities in that privacy data;
S2, grouping the data marked in step S1 by use scenario into a public data set, a limited data set and an identifiable data set;
S3, applying privacy protection processing of different degrees to the public data set, the limited data set and the identifiable data set respectively:
de-labeling the data in the public data set, and running a re-identification test on the processed data to judge whether the degree of association of the privacy data meets the requirement;
encrypting and generalizing the marked data in the limited data set, and distinguishing and labeling the data security level;
leaving the privacy data of the identifiable data set unprotected;
and S4, applying the public data set, the limited data set and the identifiable data set processed in step S3 to their different use scenarios.
In one embodiment, the identifiers of the privacy data in step S1 include certificate information, account information, biometric information and body-part picture information;
the special disease categories of the privacy data in step S1 comprise sexual and reproductive diseases, infectious diseases, psychological diseases, malignant tumors, hereditary diseases, anal diseases, rare diseases and other incurable diseases;
the special patient identities of the privacy data in step S1 include pregnant women and patients with malignant tumors.
In an embodiment, the use scenarios in step S2 include a research institution, a hospital and a patient;
and step S4 further includes:
using the public data set processed in step S3 in a scientific research application scenario, using the limited data set processed in step S3 in a hospital retrieval scenario, and using the identifiable data set in a patient use scenario.
In an embodiment, the de-labeling processing of step S3 further includes:
removing identifiers and generalizing ages;
applying privacy processing to data whose diagnosis count is smaller than a first count value;
deleting the name, hospitalization number, phone number, discharge date and discharge diagnosis information;
inserting a patient sequence number column;
generalizing ages into age groups;
replacing return results with specific numbers;
replacing diagnosis departments whose single count is less than a preset number with departments bearing a special sign.
In an embodiment, the re-identification test that step S3 performs on the processed data further includes:
marking the privacy data before de-labeling as $X = \{x_1, x_2, \dots, x_n\}$;
marking the privacy data after de-labeling as $Y = \{y_1, y_2, \dots, y_n\}$;
and comparing the similarity according to a similarity comparison formula, whose expression is as follows:
[similarity comparison formula; the page carries it only as image BDA0003816434080000031, which is not reproduced here]
where $p_i$ is the similarity between the i-th privacy data item before de-labeling and the i-th item after de-labeling, and n is the total number of privacy data items;
when any similarity $p_i$ exceeds the preset threshold, the degree of association between the processed privacy data and the privacy data before processing is deemed not to meet the requirement, and de-labeling is performed again.
In an embodiment, encrypting the marked data in step S3 further includes distinguishing and labeling the marked data according to data security level and granularity;
the data security level is defined according to identifiers, special disease categories and special patient identities;
the granularity is classified according to the privacy level of detail, into overview-level data, summary-level data and detail-level data:
the overview-level data is a summary of partial names in the hospital data;
the summary-level data is summary-report type material;
the detail-level data is detailed case-record type material.
In an embodiment, using the limited data set processed in step S3 in a hospital retrieval scenario in step S4 further includes:
matching the doctor's department, title and diagnosis-and-treatment group against the security level and granularity of the data, and setting the doctor's authority to look up and review the data.
In an embodiment, applying the public data set processed in step S3 to a research application scenario in step S4 further includes:
transmitting privacy data of different data security levels through different transmission modes.
In an embodiment, using the identifiable data set in a patient use scenario in step S4 further includes:
the patient entering the relevant identity information and, using the identifiable data set, querying the health and medical information that relates to the patient personally.
In an embodiment, the patient entering the relevant identity information in step S4 further includes: registering identity information, associating real-name mobile phone number information, and setting an account password;
and querying the health and medical information relating to the patient in step S4 further includes:
limiting the content of the queryable information;
limiting the time range of the queryable information;
and limiting the operation authority over the queryable information.
In order to achieve the above object, the present invention provides a hospital data privacy protection apparatus, including:
a memory for storing instructions executable by a processor;
and a processor for executing the instructions to implement any one of the methods described above.
To achieve the above object, the present invention further provides a computer-readable medium having computer instructions stored thereon, wherein the computer instructions, when executed by a processor, perform any one of the methods described above.
With the hospital data privacy protection method and device, database data are de-identified separately for each application scenario, a balance between medical data sharing applications and effective data privacy protection is achieved, the possibility of data privacy disclosure is effectively reduced, the usable value of the shared data is preserved, and the safety and operability of data sharing applications are effectively improved.
Drawings
The above and other features, characteristics and advantages of the present invention will become more apparent from the following description in conjunction with the accompanying drawings and embodiments, in which like reference numerals denote like features throughout the figures, and in which:
FIG. 1 discloses a flow chart of a method for protecting privacy of hospital data according to an embodiment of the invention;
FIG. 2 discloses a detailed schematic diagram of a method for protecting privacy of hospital data according to an embodiment of the present invention;
fig. 3 discloses a functional block diagram of a hospital data privacy protection apparatus according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
Fig. 1 and fig. 2 respectively show a flowchart and a detailed schematic diagram of a hospital data privacy protection method according to an embodiment of the present invention. As shown in fig. 1 and fig. 2, the hospital data privacy protection method proposed by the present invention includes the following steps:
S1, selecting and marking the privacy data in the medical data to be shared, and marking the identifiers, special disease categories and special patient identities in that privacy data;
S2, grouping the data marked in S1 by use scenario into a public data set, a limited data set and an identifiable data set;
S3, applying privacy protection processing of different degrees to the public data set, the limited data set and the identifiable data set respectively:
de-labeling the data in the public data set, and running a re-identification test on the processed data to judge whether the degree of association of the privacy data meets the requirement;
encrypting and generalizing the marked data in the limited data set, and distinguishing and labeling the data security level;
leaving the privacy data of the identifiable data set unprotected;
and S4, applying the public data set, the limited data set and the identifiable data set processed in step S3 to their different use scenarios.
These steps will be described in detail below. It is to be understood that within the scope of the present invention, the above-described features of the present invention and those specifically described below (e.g., in the examples) may be combined with each other and correlated to form preferred embodiments.
S1, selecting and marking the privacy data in the medical data to be shared, and marking the identifiers, special disease categories and special patient identities in that privacy data.
Hospital data include the medical data that need to be shared; not all hospital data are shared.
More specifically, the identifiers of the privacy data include certificate information, account information, biometric information and body-part picture information;
the certificate information comprises the marked name and certificate numbers such as the identity card and driver's license numbers;
the account information comprises items such as telephone numbers, addresses, fax numbers, e-mail addresses, social security numbers, medical record numbers and visiting card numbers;
the biometric information comprises fingerprints, irises, genes and the like;
the body-part picture information comprises pictures such as facial images from which a person's special identity or special disease category could be identified.
More specifically, the special disease categories of the privacy data include the 8 categories of sexual and reproductive diseases, infectious diseases, psychological diseases, malignant tumors, hereditary diseases, anal diseases, rare diseases and other incurable diseases;
more specifically, the special patient identities of the privacy data include pregnant women, patients with malignant tumors, and the like.
S2, grouping the data marked in step S1 by use scenario into a public data set, a limited data set and an identifiable data set.
More specifically, the use scenarios include a research institution, a hospital and a patient, such that the public data set applies to the research institution, the limited data set applies to the hospital, and the identifiable data set applies only to the patient.
S3, applying privacy protection processing of different degrees to the public data set, the limited data set and the identifiable data set respectively.
More specifically, the data in the public data set are de-labeled, the sensitive information is checked, and the processed data are put through a re-identification test according to the minimum requirement principle and anti-identity-recognition, so as to judge whether the degree of association of the privacy data meets the requirement.
Here, checking sensitive information means checking for discharge diagnoses of malignant tumor, infectious disease, psychological disease, sexual or reproductive disease, or hereditary disease;
the minimum requirement principle means that, if the analysis need is still satisfied, the discharge date and discharge diagnosis are recommended to be removed;
anti-identity-recognition is a privacy technique that prevents professional data analysts from carrying out linkage attacks through other databases, and is mainly named by some butcheries.
The principles of data de-labeling include: individuals cannot be identified, individuals cannot be identified indirectly through data mining, and the minimum requirement principle.
The de-labeling processing further comprises the following steps:
removing identifiers and generalizing ages;
applying privacy processing to data whose diagnosis count is smaller than the first count value;
deleting the name, hospitalization number, phone number, discharge date and discharge diagnosis information;
inserting a patient sequence number column;
generalizing ages into age groups;
replacing return results with specific numbers;
replacing diagnosis departments whose single count is less than the preset number with departments bearing a special sign.
In this embodiment, data with a diagnosis count of less than 11 need privacy processing: for example, if the count of a certain disease among the discharge diagnoses is <11, the actual discharge diagnosis cannot be displayed, and it is replaced by the broad diagnosis category or even by a letter.
In this embodiment, the return results are replaced by 1, 2 and 3, and diagnosis departments with a single count of <11 are replaced by department A \ B \ C.
A re-identification test is performed on the processed data, further comprising:
marking the privacy data before de-labeling as $X = \{x_1, x_2, \dots, x_n\}$;
marking the privacy data after de-labeling as $Y = \{y_1, y_2, \dots, y_n\}$;
and comparing the similarity according to a similarity comparison formula, whose expression is as follows:
[similarity comparison formula; the page carries it only as image BDA0003816434080000071, which is not reproduced here]
where $p_i$ is the similarity between the i-th privacy data item before de-labeling and the corresponding item after de-labeling, and n is the total number of privacy data items;
when any similarity $p_i$ is larger than the preset threshold value, the degree of association between the processed medical privacy data and the medical privacy data before processing is deemed not to meet the requirement, and the medical data are de-labeled again.
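As an added illustration (not the patent's own code) of the de-labeling steps and the re-identification test described above, the following Python script removes the direct identifiers, inserts a patient sequence number, generalizes ages into age groups, suppresses diagnoses and departments whose count is below 11, and then computes a per-record similarity p_i. The patent's similarity formula survives only as an image on the page, so the metric used here (the share of a record's original fields that remain unchanged, deleted fields counting as changed) and the threshold of 0.5 are assumptions, and all records are constructed.

```python
from collections import Counter

MIN_COUNT = 11  # page: diagnosis/department counts below 11 must be suppressed
DIRECT_IDENTIFIERS = ("name", "hospitalization_no", "phone", "discharge_date")
# Constructed mapping from a specific discharge diagnosis to its broad category.
BROAD_CATEGORY = {"influenza": "respiratory infection", "hemophilia": "hereditary disease"}
SIMILARITY_THRESHOLD = 0.5  # assumed value for the page's "preset threshold"


def make_records():
    """Constructed sample records; no real patient data."""
    rows = []
    for i in range(12):  # 12 influenza cases: count >= 11, diagnosis may stay visible
        rows.append({"name": f"Patient{i}", "hospitalization_no": f"H{i:04d}",
                     "phone": f"1380000{i:04d}", "discharge_date": "2022-03-01",
                     "discharge_diagnosis": "influenza", "age": 20 + i,
                     "department": "respiratory", "sex": "F" if i % 2 else "M"})
    for i in range(2):   # 2 hemophilia cases in a small department: both get generalized
        rows.append({"name": f"Child{i}", "hospitalization_no": f"H9{i:03d}",
                     "phone": f"1390000{i:04d}", "discharge_date": "2022-03-02",
                     "discharge_diagnosis": "hemophilia", "age": 5 + i,
                     "department": "hematology", "sex": "M"})
    return rows


def age_group(age):
    """Generalize an exact age into a ten-year band, e.g. 15 -> '10-19'."""
    lo = (age // 10) * 10
    return f"{lo}-{lo + 9}"


def delabel(records):
    """Apply the page's de-labeling steps to a list of record dicts."""
    diag_counts = Counter(r["discharge_diagnosis"] for r in records)
    dept_counts = Counter(r["department"] for r in records)
    # Departments with a single count < 11 become 'department A', 'department B', ...
    rare_depts = sorted(d for d, c in dept_counts.items() if c < MIN_COUNT)
    dept_sign = {d: f"department {chr(ord('A') + i)}" for i, d in enumerate(rare_depts)}
    out = []
    for seq, r in enumerate(records, start=1):
        row = {k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}
        row["patient_seq"] = seq            # inserted patient sequence number column
        row["age"] = age_group(r["age"])    # age generalized into an age group
        diag = r["discharge_diagnosis"]
        if diag_counts[diag] < MIN_COUNT:   # rare diagnosis: broad category, else a '*' sign
            row["discharge_diagnosis"] = BROAD_CATEGORY.get(diag, "*")
        row["department"] = dept_sign.get(r["department"], r["department"])
        out.append(row)
    return out


def similarity(x_i, y_i):
    """p_i: share of the original record's fields left unchanged after de-labeling.
    Deleted fields count as changed. Assumed metric, not the patent's formula."""
    same = sum(1 for k, v in x_i.items() if str(y_i.get(k)) == str(v))
    return same / len(x_i)


def reidentification_test(records, processed, threshold=SIMILARITY_THRESHOLD):
    """Return (passed, scores). The test fails when any p_i exceeds the threshold,
    in which case the page requires the de-labeling to be repeated."""
    scores = [similarity(x, y) for x, y in zip(records, processed)]
    return all(p <= threshold for p in scores), scores


if __name__ == "__main__":
    original = make_records()
    processed = delabel(original)
    passed, scores = reidentification_test(original, processed)
    print(processed[12])
    print("passed" if passed else "re-run de-labeling", "max p_i =", max(scores))
```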
More specifically, the marked data in the limited data set are encrypted and generalized, and at the same time the data security level is distinguished and labeled.
The marked data are labeled according to data security level and granularity;
the data security level is distinguished and defined according to identifiers, special disease categories and special patient identities, so that it can later be matched against the authority of the corresponding role;
the granularity is classified according to the privacy level of detail, into overview-level data, summary-level data and detail-level data:
the overview-level data is a summary of partial names in the hospital data, such as the names of examinations and tests, the hospital visited, the department visited and the like;
the summary-level data are summary-report materials, such as test and examination reports, operation summaries, hospitalization summaries, medication status and the like;
the detail-level data are detailed case-record materials, such as the detailed in-hospital medical record and the like.
For example, the encryption may be a symbolic representation of the information, such as showing the information as x, and the generalization may be an expansion of a specific value into a range representation, such as showing an age of 15 as "<18".
S4, applying the public data set, the limited data set and the identifiable data set processed in step S3 to their different use scenarios.
More specifically, the public data set processed in step S3 is used in a scientific research application scenario, the limited data set processed in step S3 is used in a hospital retrieval scenario, and the identifiable data set is used in a patient use scenario.
Three embodiments are provided below to explain in detail the hospital retrieval scenario, the scientific research application scenario and the patient use scenario respectively.
Example 1 Hospital retrieval scenario
The limited data set is used in the hospital retrieval scenario.
The doctor's department, title and diagnosis-and-treatment group are matched against the confidentiality level and granularity of the data, and the doctor's permission to look up the data is set.
1.1) Role definition
Doctors are divided by function into the treating doctor, doctors of the same department but a different diagnosis-and-treatment group, doctors of other departments, and so on, and by title into resident physicians, attending physicians, chief physicians, and so on. Different roles have different retrieval authority; once the roles are clearly defined, authority can be assigned in the next step.
In principle, the role types need to be defined by department, title and diagnosis-and-treatment group.
Departments are the different clinical departments, divided according to the hospital's departments, such as gastroenterology and cardiac surgery.
The title indicates the doctor's professional grade and the hierarchy among doctors, such as resident physician, attending physician and chief physician.
Diagnosis-and-treatment groups are the sub-groups within a department, according to the hospital's actual departmental division; patients of different diagnosis-and-treatment groups are managed independently (for example, general surgery may be divided into a gastrointestinal group, a hepatobiliary group and so on), and if a department is not subdivided, no group needs to be defined.
The hospital needs to upload its departmental organizational structure (superior-subordinate relations and diagnosis-and-treatment groups) to the regional health information platform to form authority groups. Adjustment of an authority group can be delegated to the department head, a superior doctor can dynamically assign the diagnosis-and-treatment group of a subordinate doctor (since group membership may change frequently, and this does not add to the doctors' workload), and the hospital's medical affairs department is responsible for routine audit.
1.2) Authority assignment
The doctor's department, title and diagnosis-and-treatment group are matched against the data security level and granularity.
For data on common diseases, doctors can read the data within their authority scope;
for data on special disease categories, the granularity authority differs by title: the higher the title, the more detailed the data that can be accessed;
for infectious diseases, the principle of protecting medical staff is followed, and the data are open by default.
Each physician can only access the data of patients under his own jurisdiction, and a superior physician can view the patients under the jurisdiction of a subordinate physician, see table 1.
When the same doctor holds multiple roles, his authority is the intersection of those roles' authorities.
TABLE 1 Role authority table
[Table 1 is carried on the page only as image BDA0003816434080000091 and is not reproduced here]
1.3) Retrieval user login
Identity verification is needed at retrieval time; the modes include account number plus password, and PKI.
Access time and place are limited: retrieval from a non-hospital IP address or outside working hours is treated as abnormal retrieval. If the user performs no action for a certain time (such as 10 minutes) after logging in, the account is automatically logged out and the screen automatically sleeps.
1.4) Data retrieval
A monitoring system with the ability to sense abnormal behaviour is established; its alarm modes include on-site alarms, mobile phone short messages, e-mails and the like.
The alarm content comprises the IP address, time, account number and accessed content of the abnormal retrieval user. An emergency plan and the like are also established.
Retrieval logs are kept for not less than 6 months and are audited by a designated person at regular intervals; retrieval records concerning sensitive data and patients with special identities are audited.
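To make the role-matching, jurisdiction, intersection and abnormal-retrieval rules of sections 1.2 to 1.4 concrete, here is an added Python model of a retrieval decision (example code, not the patent's or its assignees' own): each record carries a security level and a granularity, a doctor's roles are defined by department, title and diagnosis-and-treatment group, several roles are intersected, and every retrieval is written to a log with the page's alarm fields plus an anomaly list for non-hospital IPs or non-working hours. The title-to-granularity mapping, the intranet range, the working hours and the account names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Union

# Granularity levels from least to most detailed (page: overview / summary / detail).
GRANULARITY = {"overview": 1, "summary": 2, "detail": 3}
# Assumed policy for special-disease data: the most detailed level each title may see
# (page: "the higher the level, the more detailed the accessible data").
SPECIAL_MAX_GRANULARITY = {"resident": "overview", "attending": "summary", "chief": "detail"}
HOSPITAL_NET = ip_network("10.20.0.0/16")   # assumed hospital intranet range
WORK_HOURS = range(8, 18)                   # assumed working hours, Monday to Friday


@dataclass(frozen=True)
class Role:
    department: str
    title: str                 # resident | attending | chief
    group: Optional[str]       # diagnosis-and-treatment group; None if the department is not subdivided


@dataclass(frozen=True)
class Record:
    patient_seq: int
    department: str
    group: Optional[str]
    treating_account: str      # physician under whose jurisdiction the patient falls
    security: str              # common | special | infectious (page: set by identifier/disease/identity)
    granularity: str           # overview | summary | detail


def role_allows(role: Role, rec: Record, account: str, subordinates: Dict[str, Set[str]]) -> bool:
    """Decision of one role for one record."""
    if rec.security == "infectious":        # page: infectious diseases open by default to protect staff
        return True
    # Jurisdiction: the doctor's own patients, or the patients of a subordinate physician.
    if rec.treating_account != account and rec.treating_account not in subordinates.get(account, set()):
        return False
    if rec.department != role.department:
        return False
    if role.group is not None and rec.group is not None and rec.group != role.group:
        return False
    if rec.security == "special":           # granularity limited by title
        return GRANULARITY[rec.granularity] <= GRANULARITY[SPECIAL_MAX_GRANULARITY[role.title]]
    return True                             # common disease: readable within the authority scope


def authorized(account: str, roles: List[Role], rec: Record, subordinates: Dict[str, Set[str]]) -> bool:
    """Page: when one doctor holds several roles, the authority is the intersection."""
    return bool(roles) and all(role_allows(r, rec, account, subordinates) for r in roles)


def retrieval_anomalies(src_ip: str, when: Union[str, datetime]) -> List[str]:
    """Page: retrieval from a non-hospital IP or outside working hours is abnormal."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    reasons = []
    if ip_address(src_ip) not in HOSPITAL_NET:
        reasons.append("non-hospital IP")
    if when.weekday() >= 5 or when.hour not in WORK_HOURS:
        reasons.append("non-working time")
    return reasons


def retrieve(account, roles, rec, subordinates, src_ip, when, audit_log):
    """Authorize one retrieval and append the page's alarm fields (IP, time, account,
    content) to the retention log; returns (allowed, log entry)."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    allowed = authorized(account, roles, rec, subordinates)
    entry = {"ip": src_ip, "time": when.isoformat(), "account": account,
             "content": f"patient_seq={rec.patient_seq}", "allowed": allowed,
             "alerts": retrieval_anomalies(src_ip, when),
             # page: records on sensitive data are audited; flag them for the periodic review
             "audit": rec.security == "special"}
    audit_log.append(entry)
    return allowed, entry
```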
Example 2 Scientific research application scenario
The public data set is used in the scientific research application scenario. Researchers (medical staff, college and university teachers and students, etc.) apply for medical data for research purposes.
2.1) Data preparation
The data are classified to make data packages. The data packages are displayed in a data directory within a certain scope, including a brief description of each package, the variables it contains, the years available and the like; a small amount of sample data or modified data may also be shown.
2.2) Data application
Data may only be applied for by scientific research personnel, and the data applied for must comply with the minimum requirement principle, namely that only the least data needed to satisfy the research purpose are applied for.
2.3) Data desensitization
The data are de-identified according to the requirements of the data applicant, and re-identification detection is carried out after the de-identification work is finished.
2.4) Data delivery
Privacy data of different data security levels are transmitted through different transmission modes.
The public data set may take the form of encrypted mail, an encrypted USB drive or other removable device (usable only on a particular computer), and the like.
Because part of the patients' personal information is involved, the limited data set and the identifiable data set can instead be operated on locally within the regional health information platform, accessed remotely through a virtual desktop (analysis is carried out inside the system, and only statistical analysis results are downloaded), a data sandbox, and the like.
Example 3 patient usage scenario
The data set may be identified for a patient usage scenario. The identifiable data set is a health data set that includes a patient identifier from which an individual may be identified and obtained by a patient visit.
The patient can inquire the self-related health medical information by only inputting the related identity information by using the identifiable data set.
More specifically, the patient enters the relevant identity information and, using the identifiable data set, queries the health and medical information about himself or herself.
The patient enters the identity information through the portal website of the regional health information platform and can then query the related health and medical information.
3.1) Identity verification
The platform must put in place control measures that prevent other people from querying under a false name or harvesting records in bulk. Entering the relevant identity information therefore further includes: registering identity information, associating a real-name mobile phone number, and setting an account password.
On first registration the individual must be associated with a real-name mobile phone number; logging in with that real-name phone sends a verification code to the number.
To cover the case of children querying on behalf of elderly parents, the account can also be bound to the child's mobile phone (the identity card or a scan of the household register can be uploaded and authenticated by the back office of the regional health information platform).
After registration the individual must set an account name and password; the regional health information platform imposes requirements on password complexity, including periodic password changes.
3.2) Query information
To prevent a large-scale leak of personal information if the account falls into someone else's hands, the regional health information platform should appropriately restrict the information that can be queried. The content of the queryable information is restricted: sensitive test results such as HIV and hepatitis results are not displayed.
The time range of the queryable information is restricted: by default only test reports, medication records and similar information from the last three months can be queried.
The operation authority over the queryable information is restricted, covering saving, copying, printing, downloading and the like.
When the individual carries out such an operation, the page displays a notice the user must acknowledge, for example that responsibility for the security of downloaded data rests with the individual, prompting the individual to protect the information; important sentences are marked in red.
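The three limits of 3.2 (content, time range, operation authority) and the bulk-query throttle 3.1 asks the platform for, as an added example in Python; this is not code from the patent, and the record fields, the list of sensitive tests, the 90-day default, the notice text and the throttle limits are assumptions for illustration.

```python
"""Patient-portal query limits of section 3.2 plus the bulk-query throttle of
section 3.1. Added example, not code from the patent. Field names, the list
of sensitive tests, the 90-day default and the throttle limits are assumptions."""
from collections import deque
from dataclasses import dataclass
from datetime import date, datetime, timedelta

SENSITIVE_TESTS = frozenset({"HIV antibody", "HBsAg", "HCV antibody"})  # assumed names
DEFAULT_WINDOW_DAYS = 90                 # "three months" in the text
IMPLICIT_OPS = frozenset({"view"})       # save/copy/print/download need an explicit grant
NOTICE = "Responsibility for the security of downloaded data rests with you."
MAX_QUERIES, WINDOW = 20, timedelta(hours=1)   # assumed per-account throttle


@dataclass(frozen=True)
class Record:
    patient_id: str
    kind: str          # "test" or "medication"
    name: str
    result: str
    issued: date


@dataclass
class Session:
    patient_id: str                       # set only after real-name login
    granted_ops: frozenset = frozenset()  # extra operations granted to this account
    recent_queries: deque = None

    def __post_init__(self):
        if self.recent_queries is None:
            self.recent_queries = deque()


def visible_records(session, records, today, window_days=DEFAULT_WINDOW_DAYS):
    """Identity, time and content limits: own records only, recent only,
    sensitive results withheld rather than displayed."""
    cutoff = today - timedelta(days=window_days)
    out = []
    for r in records:
        if r.patient_id != session.patient_id:
            continue                                   # never another patient's data
        if r.issued < cutoff:
            continue                                   # outside the default time window
        if r.kind == "test" and r.name in SENSITIVE_TESTS:
            r = Record(r.patient_id, r.kind, r.name,
                       "[withheld: please consult your doctor]", r.issued)
        out.append(r)
    return out


def authorize(session, op):
    """Operation limit. Returns (allowed, notice): 'view' is always allowed,
    anything else needs a grant and then shows the responsibility notice."""
    if op in IMPLICIT_OPS:
        return True, None
    if op in session.granted_ops:
        return True, NOTICE
    return False, None


def allow_query(session, now):
    """Sliding-window throttle against bulk harvesting from a stolen account."""
    q = session.recent_queries
    while q and now - q[0] > WINDOW:
        q.popleft()
    if len(q) >= MAX_QUERIES:
        return False
    q.append(now)
    return True


def harvest_attempt(session, start, n):
    """Simulate n queries one second apart; return how many got through."""
    return sum(allow_query(session, start + timedelta(seconds=i)) for i in range(n))


# Constructed sample data.
TODAY = date(2024, 6, 1)
START = datetime(2024, 6, 1, 9, 0, 0)
SAMPLE = [
    Record("P001", "test", "Blood routine", "normal", date(2024, 5, 20)),
    Record("P001", "test", "HIV antibody", "negative", date(2024, 5, 21)),
    Record("P001", "medication", "Amoxicillin", "500 mg tid", date(2024, 1, 15)),
    Record("P002", "test", "Blood routine", "normal", date(2024, 5, 25)),
]

if __name__ == "__main__":
    s = Session("P001")
    for r in visible_records(s, SAMPLE, TODAY):
        print(r.name, r.result)
    print(authorize(s, "download"))
    print(harvest_attempt(s, START, 25), "of 25 queries allowed")
```

The sensitive result is withheld server-side rather than hidden in the page, so a scripted client gets no more than the browser does; the throttle is per account, so a stolen password still cannot pull the whole history in one run.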
While, for purposes of simplicity of explanation, the methodologies are shown and described as a series of acts, it is to be understood and appreciated that the methodologies are not limited by the order of acts, as some acts may, in accordance with one or more embodiments, occur in different orders and/or concurrently with other acts from that shown and described herein or not shown and described herein, as would be understood by one skilled in the art.
Fig. 3 shows a block diagram of a hospital data internet privacy protection apparatus according to an embodiment of the present invention. The hospital data internet privacy protection device may include an internal communication bus 301, a processor (processor) 302, a Read Only Memory (ROM) 303, a Random Access Memory (RAM) 304, a communication port 305, and a hard disk 307. The internal communication bus 301 can realize data communication among hospital data internet privacy protection device components. Processor 302 may make the determination and issue a prompt. In some embodiments, the processor 302 may be comprised of one or more processors.
The communication port 305 can realize data transmission and communication between the hospital data internet privacy protection device and external input/output equipment. In some embodiments, the hospital data internet privacy device may send and receive information and data from the network through the communication port 305. In some embodiments, the hospital data internet privacy protection apparatus can transmit and communicate data with external input/output devices through the input/output terminal 306 in a wired manner.
The hospital data internet privacy protection apparatus may also include various forms of program storage units and data storage units, such as the hard disk 307, Read Only Memory (ROM) 303 and Random Access Memory (RAM) 304, capable of storing various data files for computer processing and/or communication use, as well as the program instructions executed by the processor 302. The processor 302 executes these instructions to implement the main parts of the method. The results of the processing by the processor 302 are communicated to an external output device via the communication port 305 for display on the user interface of the output device.
For example, the implementation of the hospital data internet privacy protection apparatus may be a computer program stored on the hard disk 307 and loaded into the processor 302 for execution, so as to implement the method of the present application.
When the implementation of the hospital data internet privacy protection method is a computer program, it can also be stored in a computer-readable storage medium as a product. For example, computer-readable storage media can include, but are not limited to, magnetic storage devices (e.g., hard disk, floppy disk, magnetic strips), optical disks (e.g., Compact Disk (CD), Digital Versatile Disk (DVD)), smart cards, and flash memory devices (e.g., Electrically Erasable Programmable Read Only Memory (EEPROM), card, stick, key drive). In addition, the various storage media described herein can represent one or more devices and/or other machine-readable media for storing information. The term "machine-readable medium" can include, without being limited to, wireless channels and various other media (and/or storage media) capable of storing, containing, and/or carrying code and/or instructions and/or data.
According to the hospital data privacy protection method and device, data of the database are subjected to de-identification aiming at different application scenes, balance between medical data sharing application and effective data privacy protection is achieved, the possibility of data privacy disclosure is effectively reduced, the availability of data sharing value is guaranteed, and the safety and operability of the data sharing application are effectively improved.
As used in this application and in the claims, the terms "a," "an," and "the" are not intended to be limited to the singular but are intended to include the plural, unless the context clearly dictates otherwise. In general, the terms "comprises" and "comprising" merely indicate that the steps and elements explicitly identified are included, that those steps and elements do not form an exclusive list, and that a method or apparatus may include other steps or elements.
Those of skill in the art would understand that information, signals, and data may be represented using any of a variety of different technologies and techniques. For example, data, instructions, commands, information, signals, bits (bits), symbols, and chips that may be referenced throughout the above description may be represented by voltages, currents, electromagnetic waves, magnetic fields or particles, optical fields or particles, or any combination thereof.
Those of skill would further appreciate that the various illustrative logical blocks, modules, circuits, and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both. To clearly illustrate this interchangeability of hardware and software, various illustrative components, blocks, modules, circuits, and steps have been described above generally in terms of their functionality. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the overall system. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
The various illustrative logical modules, and circuits described in connection with the embodiments disclosed herein may be implemented or performed with a general purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or any combination thereof designed to perform the functions described herein. A general purpose processor may be a microprocessor, but in the alternative, the processor may be any conventional processor, controller, microcontroller, or state machine. A processor may also be implemented as a combination of computing devices, e.g., a combination of a DSP and a microprocessor, a plurality of microprocessors, one or more microprocessors in conjunction with a DSP core, or any other such configuration.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art. An exemplary storage medium is coupled to the processor such that the processor can read information from, and write information to, the storage medium. In the alternative, the storage medium may be integral to the processor. The processor and the storage medium may reside in an ASIC. The ASIC may reside in a user terminal. In the alternative, the processor and the storage medium may reside as discrete components in a user terminal.
In one or more exemplary embodiments, the functions described may be implemented in hardware, software, firmware, or any combination thereof. If implemented in software as a computer program product, the functions may be stored on or transmitted over as one or more instructions or code on a computer-readable medium. Computer-readable media includes both computer storage media and communication media, including any medium that facilitates transfer of a computer program from one place to another. A storage medium may be any available medium that can be accessed by a computer. By way of example, and not limitation, such computer-readable media can comprise RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer. Any connection is properly termed a computer-readable medium. For example, if the software is transmitted from a web site, server, or other remote source using a coaxial cable, fiber optic cable, twisted pair, Digital Subscriber Line (DSL), or wireless technologies such as infrared, radio, and microwave, then the coaxial cable, fiber optic cable, twisted pair, DSL, or wireless technologies such as infrared, radio, and microwave are included in the definition of medium. Disk and disc, as used herein, include Compact Disc (CD), laser disc, optical disc, Digital Versatile Disc (DVD), floppy disk and Blu-ray disc, where disks usually reproduce data magnetically, while discs reproduce data optically with lasers. Combinations of the above should also be included within the scope of computer-readable media.
The above-described embodiments are provided to enable persons skilled in the art to make or use the invention, and that persons skilled in the art may make modifications or changes to the above-described embodiments without departing from the inventive concept thereof, and therefore the scope of protection of the invention is not limited by the above-described embodiments but should be accorded the widest scope consistent with the innovative features recited in the claims.

Claims (12)

1. A hospital data privacy protection method, characterized by comprising the following steps:
S1, selecting and marking the private data in the medical data to be shared, marking the identifiers, the special disease types and the special patient identities contained in the private data;
S2, classifying and collecting the data marked in S1 according to the usage scenario to form a public data set, a limited data set and an identifiable data set;
S3, carrying out privacy protection processing of different degrees on the public data set, the limited data set and the identifiable data set respectively:
performing de-labeling processing on the data in the public data set, and performing a repeated difference test on the processed data to judge whether the association degree of the private data meets the requirement;
encrypting and generalizing the marked data in the limited data set, and distinguishing and marking its data security level;
S4, applying the public data set, the limited data set and the identifiable data set processed in step S3 to the different usage scenarios.
2. The hospital data privacy protection method according to claim 1, wherein the identifiers of the private data in step S1 include certificate information, account information, biometric information and body-part picture information;
the special disease types of the private data in step S1 include diseases related to sexual and reproductive health, infectious diseases, psychological diseases, malignant tumors, hereditary diseases, anal diseases, rare diseases and other incurable diseases;
the special patient identities of the private data in step S1 include pregnant and parturient women and patients with malignant tumors.
3. The hospital data privacy protection method according to claim 1, wherein the usage scenarios in step S2 include scientific research institutions, hospitals and patients;
step S4 further comprises:
applying the public data set processed in step S3 to the scientific research scenario, applying the limited data set processed in step S3 to the hospital retrieval scenario, and applying the identifiable data set to the patient scenario.
4. The hospital data privacy protection method according to claim 1, wherein the de-labeling processing of step S3 further comprises:
removing identifiers and generalizing ages;
applying privacy processing to data whose diagnosis count is smaller than a first count value;
deleting the name, hospitalization number, telephone, discharge date and discharge diagnosis information;
inserting a patient sequence number column;
generalizing the age into an age group;
replacing the returned result with a specific number;
replacing diagnostic departments whose individual count is smaller than a preset number with a department marked by a special sign.
5. The hospital data privacy protection method according to claim 1, wherein performing the repeated difference test on the processed data in step S3 further comprises:
marking the private data before de-labeling as $X = \{x_1, x_2, \dots, x_n\}$;
marking the private data after de-labeling as $Y = \{y_1, y_2, \dots, y_n\}$;
comparing the similarity according to a similarity comparison formula, whose expression is as follows:
(formula image FDA0003816434070000021; the expression is not reproduced on this page)
where $p_i$ is the similarity between the $i$-th item of private data before de-labeling and the same item after de-labeling, and $n$ is the total number of private data items;
when there is any similarity $p_i$ for which the requirement is not met, the association degree between the processed medical private data and the private data before processing is judged not to meet the requirement, and the de-labeling processing is performed again.
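The de-labeling steps of claim 4 followed by the repeated difference test and re-run loop of claim 5, as an added example in Python; this is not the patent's code. The patent's similarity formula survives on this page only as an image, so the $p_i$ computed here is an assumed stand-in (the share of quasi-identifying fields whose value is unchanged by de-labeling), and the count thresholds, the similarity limit, the second "stronger" de-labeling level and the field names are all assumptions.

```python
"""De-labeling of the public data set (claim 4) followed by the repeated
difference test of claim 5. Added example, not the patent's code. The patent's
similarity formula is an image not reproduced on this page, so p_i below is an
assumed stand-in: the share of quasi-identifying fields whose value survives
de-labeling unchanged. Count thresholds, the similarity limit and the field
names are assumptions."""
from collections import Counter

DIRECT_IDENTIFIERS = ("name", "hospitalization_no", "phone",
                      "discharge_date", "discharge_diagnosis")   # deleted outright
QUASI_IDENTIFIERS = ("sex", "age", "department", "diagnosis")    # compared by the test
MIN_DIAGNOSIS_COUNT = 3     # the "first count value" of claim 4 (assumed)
MIN_DEPARTMENT_COUNT = 3    # the "preset number" of claim 4 (assumed)
RARE_DEPARTMENT = "*"       # "department of a special sign"
RARE_DIAGNOSIS = "[suppressed]"
SIMILARITY_LIMIT = 0.5      # any p_i above this fails the test (assumed)


def age_group(age, width=10):
    """Generalize an exact age into a band, e.g. 34 -> '30-39' (width 10)."""
    lo = (age // width) * width
    return f"{lo}-{lo + width - 1}"


def de_label(records, level=1):
    """Claim 4 steps at level 1; level 2 is the stronger re-run the claim 5
    loop falls back to (20-year age bands, every department generalized)."""
    diag_counts = Counter(r["diagnosis"] for r in records)
    dept_counts = Counter(r["department"] for r in records)
    out = []
    for seq, r in enumerate(records, start=1):
        y = {k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}
        y["seq_no"] = seq                                  # inserted sequence number column
        y["age"] = age_group(r["age"], width=10 if level == 1 else 20)
        if diag_counts[r["diagnosis"]] < MIN_DIAGNOSIS_COUNT:
            y["diagnosis"] = RARE_DIAGNOSIS                # rare diagnosis, privacy-processed
        if level > 1 or dept_counts[r["department"]] < MIN_DEPARTMENT_COUNT:
            y["department"] = RARE_DEPARTMENT
        out.append(y)
    return out


def similarity(x, y):
    """Assumed p_i: fraction of quasi-identifier fields left unchanged."""
    same = sum(1 for k in QUASI_IDENTIFIERS if str(x.get(k)) == str(y.get(k)))
    return same / len(QUASI_IDENTIFIERS)


def repeated_difference_test(X, Y):
    """Return ([p_1..p_n], passed) for records before (X) and after (Y) de-labeling."""
    ps = [similarity(x, y) for x, y in zip(X, Y)]
    return ps, all(p <= SIMILARITY_LIMIT for p in ps)


def protect_public(records, max_level=2):
    """De-label, test, and de-label again at a stronger level until the test passes.
    Returns (Y, level); raises if even the strongest level still fails."""
    for level in range(1, max_level + 1):
        Y = de_label(records, level)
        _, ok = repeated_difference_test(records, Y)
        if ok:
            return Y, level
    raise ValueError("de-labeling cannot meet the similarity requirement")


# Constructed sample records.
SAMPLE = [
    {"name": "Zhang San", "hospitalization_no": "H1001", "phone": "13800000001", "sex": "M",
     "age": 34, "department": "Pediatrics", "diagnosis": "Pneumonia",
     "discharge_date": "2024-05-01", "discharge_diagnosis": "Pneumonia, resolved"},
    {"name": "Li Si", "hospitalization_no": "H1002", "phone": "13800000002", "sex": "F",
     "age": 36, "department": "Pediatrics", "diagnosis": "Pneumonia",
     "discharge_date": "2024-05-03", "discharge_diagnosis": "Pneumonia, resolved"},
    {"name": "Wang Wu", "hospitalization_no": "H1003", "phone": "13800000003", "sex": "M",
     "age": 41, "department": "Pediatrics", "diagnosis": "Pneumonia",
     "discharge_date": "2024-05-05", "discharge_diagnosis": "Pneumonia, resolved"},
    {"name": "Zhao Liu", "hospitalization_no": "H1004", "phone": "13800000004", "sex": "F",
     "age": 58, "department": "Oncology", "diagnosis": "Leukaemia",
     "discharge_date": "2024-05-06", "discharge_diagnosis": "Leukaemia, in treatment"},
    {"name": "Sun Qi", "hospitalization_no": "H1005", "phone": "13800000005", "sex": "M",
     "age": 7, "department": "Pediatrics", "diagnosis": "Asthma",
     "discharge_date": "2024-05-07", "discharge_diagnosis": "Asthma, controlled"},
]

if __name__ == "__main__":
    Y, level = protect_public(SAMPLE)
    print("passed at level", level, repeated_difference_test(SAMPLE, Y)[0])
```

On the constructed sample the first pass leaves three records with $p_i = 0.75$ (only the age changed), so the loop re-runs at level 2 and every $p_i$ drops to at most 0.5. Whatever similarity measure the patent's image actually specifies, the loop structure is the same: the test decides, and the de-labeling is strengthened rather than the threshold relaxed.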
6. The hospital data privacy protection method according to claim 1, wherein encrypting the marked data in step S3 further comprises distinguishing and labeling the marked data according to data security level and granularity;
the data security level is defined according to the identifiers, the special disease types and the special patient identities;
the granularity is classified according to the privacy level of data at different levels of detail and comprises aggregate-level data, summary-level data and detail-level data:
the aggregate-level data is a summary of partial names of the hospital data;
the summary-level data is summary-report-type material;
the detail-level data is detailed case material.
7. The hospital data privacy protection method according to claim 3, wherein applying the limited data set processed in step S3 to the hospital retrieval scenario in step S4 further comprises:
matching the department, professional title and diagnosis-and-treatment group of the doctor against the security level and granularity of the data, and setting the doctor's authority to look up and review the data accordingly.
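Claim 6's security level and granularity, and claim 7's matching of a doctor's department, professional title and diagnosis-and-treatment group against them, as an added example in Python; this is not the patent's code. The mapping from marks to security level, the title ranking and the clearance policy are assumptions chosen to show least privilege: a doctor's reach shrinks as the record's level rises and as the record moves away from the doctor's own department and group.

```python
"""Doctor look-up authority for the limited data set (claims 6 and 7): the
record's security level derives from its identifier / special-disease /
special-identity marks, its granularity is aggregate, summary or detail, and
the doctor's department, title and diagnosis-and-treatment group are matched
against both. Added example, not the patent's code; the level mapping, title
ranks and clearance policy are assumptions."""
from dataclasses import dataclass
from enum import IntEnum


class Granularity(IntEnum):
    AGGREGATE = 1
    SUMMARY = 2
    DETAIL = 3


TITLE_RANK = {"resident": 1, "attending": 2, "chief": 3}   # assumed ordering


@dataclass(frozen=True)
class Doctor:
    name: str
    department: str
    title: str
    group: str            # diagnosis-and-treatment group


@dataclass(frozen=True)
class DataItem:
    department: str
    group: str
    granularity: Granularity
    has_identifier: bool = False
    special_disease: bool = False
    special_identity: bool = False


def security_level(item):
    """Claim 6 level from the claim 1 marks (mapping assumed): 3 for identifiers
    or special diseases, 2 for special identities, 1 otherwise."""
    if item.has_identifier or item.special_disease:
        return 3
    if item.special_identity:
        return 2
    return 1


def clearance(doctor, item):
    """Assumed policy: (max_level, max_granularity) the doctor holds for this item.
    Other departments see aggregates only; residents see summaries of their own
    department; attendings see detail up to level 2; chiefs see level 3 detail
    only inside their own treatment group."""
    rank = TITLE_RANK[doctor.title]
    if doctor.department != item.department:
        return 1, Granularity.AGGREGATE
    if rank >= 3 and doctor.group == item.group:
        return 3, Granularity.DETAIL
    if rank >= 2:
        return 2, Granularity.DETAIL
    return 1, Granularity.SUMMARY


def decide(doctor, item):
    """Return an audit-ready decision dict; 'allowed' is the access verdict."""
    level = security_level(item)
    max_level, max_gran = clearance(doctor, item)
    allowed = level <= max_level and item.granularity <= max_gran
    return {"doctor": doctor.name, "level": level, "granularity": item.granularity.name,
            "max_level": max_level, "max_granularity": max_gran.name, "allowed": allowed}


def can_access(doctor, item):
    return decide(doctor, item)["allowed"]


# Constructed sample doctors and records.
RESIDENT = Doctor("Dr A", "Pediatrics", "resident", "G1")
ATTENDING = Doctor("Dr B", "Pediatrics", "attending", "G2")
CHIEF = Doctor("Dr C", "Pediatrics", "chief", "G1")
ONCOLOGIST = Doctor("Dr D", "Oncology", "chief", "G9")
PLAIN_DETAIL = DataItem("Pediatrics", "G1", Granularity.DETAIL)
PLAIN_SUMMARY = DataItem("Pediatrics", "G1", Granularity.SUMMARY)
PLAIN_AGGREGATE = DataItem("Pediatrics", "G1", Granularity.AGGREGATE)
PREGNANCY_DETAIL = DataItem("Pediatrics", "G1", Granularity.DETAIL, special_identity=True)
INFECTIOUS_DETAIL = DataItem("Pediatrics", "G1", Granularity.DETAIL, special_disease=True)
INFECTIOUS_G2 = DataItem("Pediatrics", "G2", Granularity.DETAIL, special_disease=True)

if __name__ == "__main__":
    for doc, item in [(RESIDENT, PLAIN_DETAIL), (CHIEF, INFECTIOUS_DETAIL), (CHIEF, INFECTIOUS_G2)]:
        print(decide(doc, item))
```

Both dimensions are checked independently: a chief physician outside the record's treatment group is still denied level-3 detail, and a doctor from another department is limited to aggregates even for level-1 data. Returning the full decision dict rather than a bare boolean gives the retrieval system something to write to its audit log.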
8. The hospital data privacy protection method according to claim 3, wherein applying the public data set processed in step S3 to the scientific research scenario in step S4 further comprises:
transmitting private data of different data security levels through different transmission modes.
9. The hospital data privacy protection method according to claim 3, wherein applying the identifiable data set processed in step S3 to the patient scenario in step S4 further comprises:
the patient entering the relevant identity information and, using the identifiable data set, querying the health and medical information about himself or herself.
10. The hospital data privacy protection method according to claim 9, wherein in step S4 the patient entering the relevant identity information further comprises: registering identity information, associating a real-name mobile phone number, and setting an account password;
in step S4, querying the health and medical information related to the patient further comprises:
restricting the content of the queryable information;
restricting the time range of the queryable information;
and restricting the operation authority over the queryable information.
11. A hospital data privacy protection device comprising:
a memory for storing instructions executable by the processor;
a processor for executing the instructions to implement the method of any one of claims 1-10.
12. A computer readable medium having computer instructions stored thereon, wherein the computer instructions, when executed by a processor, perform the method of any of claims 1-10.
Application CN202211027781.4A, priority date 2022-08-25, filing date 2022-08-25, "Hospital data privacy protection method and device", status Pending, published as CN115270190A (en)

Publications (1)

Publication Number Publication Date
CN115270190A 2022-11-01

Family

ID=83752844

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117334285A * 2023-10-16 2024-01-02 威海万伟达信息科技有限公司 Medical self-help information interaction system and method
CN117334285B * 2023-10-16 2024-05-10 威海万伟达信息科技有限公司 Medical self-help information interaction system and method


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination