FR2961925A1 - DEVICE AND METHODS FOR RECORDING AND CONSULTING MEDICAL IMAGING DATA - Google Patents

Abstract

The invention relates to a device for the registration and consultation of medical data relating to patients, said recordings being searchable anywhere provided with an internet connection, but in the respect of patient privacy and security Datas. To this end, the invention proposes a device for recording and consulting medical data comprising: a data storage network (2) comprising a primary server (21) and a plurality of secondary servers (22, 22 '); , 23, 23 ') in computer connection with the primary server (21); a network (1) said user comprising means for recording and storing medical data (10,121), and identification means (11) for an authorized user and a patient; computer resources (12), called BOXs, forming an interface between the user network (1) and the storage network (2) able to compile, encrypt and prepare data generated by the user network to record them on the storage network (2) and to extract, reconstruct and decrypt data from the storage network to make them available to the user network.

Description

The invention relates to a device for the registration and consultation of medical data relating to patients, said recordings being searchable anywhere provided with an internet connection, but in the respect of patient privacy and security Datas. The invention is more particularly, but not exclusively, suitable for recording and consulting data relating to radiological examinations and generally to medical data, particularly medical imaging.

The invention aims to facilitate the follow-up of the patients by allowing the comparison of exams, thanks to a simple and fast access to the previous examinations, by any authorized doctor. Another object of the invention is to allow the archiving on a large volume of data, for a period of up to 20 years, by pooling the means of archiving and the progressive growth of the capacity of these means. Prior art is known for digital archiving of medical imaging data within each imaging office, in an archiving system, commonly referred to as "PACS", which includes records corresponding to each patient of the office. . In these files are archived images in standard DICOM format and examination reports recorded according to a standard code known as "HL7". This HL7 coding includes, among other things, the identification of the patient and the correspondence between the report and the imaging record relating to said patient. The PACS system is in communication, via a computer network, with a device called "RIS" which uniquely identifies the patient using, generally, a smart card identification, called "Carte Vitale" " in France. This computer network, called "user", constitutes a secure archive of immediate access for the imaging center. This archiving must be kept for a minimum time, usually defined by the law of the country in which the medical imaging center is located. For example, in France, the law requires that this archiving of immediate access be kept for 2 years. Beyond this time the archives can be recorded on other media in a compression format, called "DICOM Lossy", for delayed access and to be kept for 20 years.

Thus, when a doctor wishes to consult the previous medical file of a patient, the patient must make a request to the medical imaging centers of which he was a client, who must, from their archiving system immediate access or from their archives delayed access, retrieve the elements of the patient's file and transmit them to the latter, which, in turn, transmits them to the doctor, usually on physical media. This process is long and insecure, data can be lost or diverted. The process is complicated by the fact that several imaging centers are involved and data must, for example, be repatriated from abroad.

There are of course examples of remote access data servers. The operation of these servers is generally as follows: the physician requests access to said server to an administration authority thereof which issues it connection information such as a username and a password; this identity, used at each connection, gives the doctor access to a part of the server which may for example be limited to the recordings he makes there himself, that is to say 2 concerning his clientele, or wider access. This situation is however not satisfactory for the confidentiality and the security of the data on the one hand, for the accessibility to these data on the other hand. Indeed, if the doctor only has access to his established clientele, he can hardly access information about a new patient. If he has access to a larger part of the directory, he can view medical data that should be confidential. Finally, the administrators of said server can access all the data of the latter without any authorization being granted by the patients.

There is therefore a need for a device for making such medical data accessible in digital form from potentially anywhere in the world connected to the Internet. Such a device must be safe in the sense of respect for the privacy of patients to know that no one can access data relating to a patient without it being authorized to do so and without the consent of said patient. The device must also be secure, that is, robust, to avoid data loss due to a technical failure or computer attack. To this end, the invention proposes a device for recording and consulting medical data comprising: a data storage network comprising a primary server and a plurality of secondary servers in computer connection with the primary server; a so-called user network comprising means 25 for storing and storing medical data, and means for identifying an authorized user and a patient; computer means, known as BOX, forming an interface between the user network and the storage network capable of compiling, encrypting and preparing data generated by the user network for recording them on the storage network and for extracting, reconstructing and decrypting data storage network to make them available to the user network. Advantageously, the primary server contains only information on the tree of data recording files which are stored on the secondary servers. The primary server also includes tables for mapping between the file tree, patient identification of authorized users, and client imaging centers of the device. The secondary servers contain only data, organized according to the tree defined on the primary server, without the correspondence tables. Thus, access to only the primary server does not provide access to the data, and access to only secondary servers does not link the data to patients, authorized users, or individual client imaging centers. Advantageously, the storage network can be used by the client imaging center independently of the user network to meet the need for delayed or immediate access archiving in the client's medical imaging center of the device. Advantageously, in order to increase the security of the device, the primary server and doubled of a mirror server and at least one redundant secondary server is installed in the storage network for each of the secondary servers. The storage network therefore has a recording volume capacity that is at least two times greater than the volume of data to be archived.

This device allows the implementation of methods of consultation and registration of medical records that meet the need according to several advantageous variants, which can be considered alone or in combination. In particular the invention also relates to a method using such a device for recording, by an authorized user having personal identification means, data relating to a medical examination of a patient having personal identification means, said method comprising the steps of: - reading the patient identification means; and - read the means of identification of the authorized user; - allow the authorized user access to the primary server by valid identification of the patient and the authorized user; and - search in the primary server for the presence of a file 15 attached to the patient's identity and in the absence of such a file to create it; and - search on the secondary servers the data contained in the folders corresponding to the identification defined in the previous step; and 20 - sending said data from the secondary servers to the BOX; and - reconstitute on the BOX the contents of the patient's file using the data received; and - performing the medical examination of the patient and recording the data relating to said examination on the user network registration means; and - close the examination; and - when the examination is closed, record the patient's file thus modified by segmenting it on a plurality of secondary servers in the file corresponding to the patient on each of these servers. Some of these steps can be accomplished in parallel. This method of use of the device makes it possible to further increase safety and security. Indeed, although each secondary server contains the same file tree, ie that which is defined on the primary server, the data contained in the file of each patient is segmented on a plurality of secondary servers, so that the access to one, or even to several secondary servers does not make it possible to reconstitute the file of a patient. Both the storage of the data on the storage center and the consultation of this data requires an authentication of the patient, for example by a personal smart card, and the identification of the authorized user. The reconstruction of the data extracted from the network and the segmentation of the data for recording on the storage network passes through the specific interface means, called BOX, so that the possession of these means is essential to access reading and writing on the storage network. Advantageously, the data segments are distributed randomly over the number of available secondary servers. Thus, the greater the number of secondary servers, the more secure and secure the data. Storage of the data on the storage network can only be carried out when the examination has been closed. Advantageously, the method for recording the data of a medical examination comprises a step 6 of generating a computer list of tasks corresponding to the examination, which tasks are validated by computer at each corresponding stage of the examination. The closing of the exam occurs when the last task in the list has been validated. The necessary possession of the means of interface, called BOX, as well as the conditioning of the recording to the complete realization of the examination is a guarantee of quality and completeness of the information contained in the data recorded on the storage network and therefore the usefulness of the data consulted for a practitioner other than the one who is at the origin of their registration. Advantageously, the last task of the list is the issue of the electronic care sheet. Advantageously also, the examination data includes images and an examination report. To further improve the safety of the device, the report and the images are stored in two separate directories of the patient's file. In a preferred embodiment, each exam is associated in the patient record with a unique imaging file and a review report file. This configuration allows traceability of transactions and the patient's journey. According to a particularly advantageous embodiment, geo-location data of the place of examination are introduced in the imaging data file and in the examination report file. Thus traceability is optimal.

The invention also relates to a method using the device for consulting, on a computer terminal, data relating to a medical examination of a patient having personal identification means, by an authorized user, having personal identification means. said method comprising the steps of: - reading the means for identifying the patient; and - read the means of identification of the authorized user; and - sending to the primary server the data relating to the identities of the patient and the authorized user; and - confirm the validity of the identities of the authorized user and the patient, and if this validity is confirmed, - read on the primary server the identification of the files corresponding to the patient; and - search on the secondary servers the data segments contained in the folders corresponding to the identification defined in the previous step; and - sending said data segments from the secondary servers to the consulting computer terminal; and - reconstituting the patient's records on the consultation terminal using the data segments received. This consultation takes place on a computer terminal containing programs for reconstructing data from segments extracted from the storage network and can therefore be implemented without the BOX. In this way, the data stored on the storage network can be securely accessed from anywhere in the world with a computer terminal connected to the Internet network, and with programs enabling both the identification of authorized user and the patient, as well as the dialogue with the storage center and the reconstruction of data from the segments received.

Thus access to the device for both reading and writing is conditioned by the authorization of the patient who must provide his personal identification means. Access is restricted to the patient's records only and this access is only possible to an authorized user, that is, more specifically to an authorized professional with personal identification means. This accredited professional may access any file only if the patient concerned authorizes it by his personal means of identification. It is only possible to access write access with a BOX, which must also correspond in geo-location to its actual position. The invention will now be more specifically described in the context of preferred embodiments, in no way limiting, represented in FIGS. 1 to 5 in which: FIG. 1 represents, schematically, an example of a recording and consultation device of FIGS. medical examination data; FIG. 2 schematically shows an exemplary content of a primary server of the storage network of the device for recording and consulting medical examination data; FIG. 3 schematically shows an exemplary content of a secondary server of the network for storing and consulting medical examination data; FIG. 4 illustrates by a table an example of distribution of data segments corresponding to a file recorded on the storage network of the device; FIG. 5 is an exemplary flowchart corresponding to the method of recording a medical examination using the device, in view of the user network (FIG. 5.1), the storage network (5.3) and the means for interface (5.2). Figure 1, according to an exemplary embodiment the device of the invention comprises a network (1), said user, and a network (2) said storage. The network (1) user is an internal network to a medical imaging center.

It is connected to the storage network (2) by a dedicated high-speed line (3) and via interface means (12), called BOX. In practice a plurality of networks (1) users are linked by high speed lines dedicated to a network (2) storage. The storage network is also connected via internet (13) to the consultation terminals (130). The user network comprises means (10), commonly called PACS, for local archiving in direct access to the medical examination data. This data includes images, generally recorded in a format known as "DICOM® lossless" and review reports, generally recorded in a format known as HL7®. The HL7® format is a standardized international coding based on digital documents in XML® format, for the computerized exchange of clinical, financial and administrative data. The user network (1) further comprises identification means (11) for a patient and an authorized user, such as one or more smart card readers. The interface means (12), or BOX, are specific and dedicated to a given imaging center and include information recordings relating to the identity and geographic location of the imaging center. According to an exemplary embodiment, these interface means (12) are constituted by a computer comprising network connections, storage (121) and display (122) means, as well as data processing capabilities adapted to the implementation of the methods of the invention. The storage network (2) comprises a router (30), a primary server (21) and a plurality of secondary servers (22, 22 ', 23, 23'). Advantageously, to secure the archiving of data, the storage network (2) comprises a second primary server, mirror of the first (21). Secondary servers are added to the network as the number of medical imaging centers subscribing to the storage solution increases. Thus, when an imaging center having a direct access archiving storage capacity 'T' subscribes to the proposed storage solution, two secondary servers of storage capacity `T 'are added to the network (2) of storage, whose storage capacity increases by 2T. Thus, the storage network (2) increases in capacity, safety and security with the number of client imaging centers of the device. FIG. 2, according to a preferred embodiment, the primary server (21) comprises the recording of the tree (210) of the files, comprising notably the files (211) relating to each patient, and a correspondence table (212) to link each of the patients and each of the recorded exams (A, B, C) thereof to the files containing the corresponding data, which are on the secondary servers. . 3, each secondary server (22) comprises data (220) which are organized according to the same tree as on the primary server (21). Thus the secondary server will include the examination data (A) of a particular patient under the same folder (211) and the same tree as on the primary server. However, on a particular secondary server only segments (A1, A3, A6, An) of this file will be found, so that to reconstruct the file, it is necessary to acquire all the segments of the file. corresponding data, which are distributed on all secondary servers, but always in the same directory and under the same file tree. Indeed, for each record of a file from the network (1) user on the network (2) storage, the file is segmented and the segments are randomly distributed, but respecting the tree structure, on all servers secondary network (2) storage. To improve security, the segmented file is saved twice, with both segment distributions random. FIG. 4, according to an example of segment distribution (Al A8) of a file recorded twice randomly on eight secondary servers (22, 22 ', 23, 23', 24, 24 ', 25, 25'), the failure, for example, of three servers (22, 22 ', 24') does not prevent the reconstruction of the file.

Figure 5, on arrival of a patient in an imaging center subscribed to the device, the patient identification data is retrieved (510) by the appropriate means (11) of the user network, such as a reader of smart card, as well as the data (510 ') relating to the identity of the authorized user, the dual identification conditioning access to the device. Depending on the nature of the examinations to be performed, a task list, which is associated with the identification of the patient, is automatically generated (511). This task list is generated in HL7® format. According to one embodiment, the task list is generated by the so-called BOX means (12), or, alternatively, it can be generated by other computer means of the user network (1). In the latter case, it must be sent to the BOX (12), which verifies (520) that the task list is generated and that the patient's identity corresponds to that indicated on the task list, if yes, several actions will unfold in parallel. The BOX (12) will connect (530) to the primary server (21) of the storage network (2) and interrogate (531) it, through the correspondence tables (212), on the existence of a file relating to the identified patient. If such a file exists, the corresponding data segments are searched (533) on the secondary servers, and said patient-owned image and test report segments are loaded (534) from the secondary servers (22, 22 '). , 23, 23 ') and sent (525) to the storage means (121) of the BOX (12) which reconstructs (521) the file from said segments. According to an advantageous embodiment, the examinations that have been carried out in the medical imaging center of the network (1) user including the BOX (12) and which are available on the PACS (10) are not downloaded from the network ( 2) Storage. If no folder corresponding to the patient's identity exists in the storage network (2), the folder is created (532). In any case, the new examination leads to the creation of an imaging file and a single examination report file in the file tree (210) of the storage network (2). These unique files are linked to the patient and the geo-location of the imaging center, which can be obtained by various means, including IPv6. A space dedicated to the examination, and including a location for said imaging file and a location for said examination report file, is created (512) on the direct access archiving means, PACS (10). The examination is practiced and the steps of the task list are validated (513) as the progress of the latter to the close.

The closing of the examination takes place when all the tasks of the generated list have been validated and in particular the last which, according to an advantageous embodiment, consists of the issue of the corresponding electronic care sheet. With the close of the review validated (514), as soon as the imaging data and the test report are available at the appropriate locations on the PACS (10), the BOX (12) retrieves (522) the images at the same time. "DICOM® lossless" format on the PACS (10), compresses them in "DICOM® lossy" format, retrieves the report, segments the data and transfers them (523) in the form of packets to the primary server (21) which, once the BOX has notified the end of transmission, updates (535) the tree on the secondary servers (22, 22 ', 23, 23') and distributes (536) the data packets randomly on them. When the registration operation is complete, the primary server (21) notifies the BOX (12) of the success of the operation and the connection between the storage network (2) and the BOX (12) is closed. Thus, the modification of the data tree on the storage network (2) is not performed until the image files and reports are available on the PACS (10), as long as the primary server has not not received the notification of the end of transmission of the data packets or the link between the BOX and the storage network (2) has failed. The data remains however available, in high resolution for the images, on the PACS (10), and advantageously, a specific procedure for an attempt to reload them on the network (2) of storage, this time in absence of the patient can be set up for the case of failure of the link between the network (1) user and the network (2) storage at the time of the initial transmission attempt for example. According to an alternative embodiment, the image files are sent in a continuous flow to the primary server before the closing of the examination, which can then be done later by issuing the examination report, which may allow to other practitioners to access the imaging data immediately, again according to a dual-identification protocol, while allowing the practitioner who practiced the examination time to write the examination report.

Consultation of the data recorded in the storage network (2) is possible either via the BOX (12) or via any computer terminal connected to the Internet. However, any consultation is possible only by matching the identification of a patient and the identification of a person authorized to this consultation, or authorized user, for example, a doctor. According to one embodiment, such a consultation is possible by associating the identification of the patient via his personal smart card and the identification of the authorized user. This double identification is checked during each transaction that it is for viewing or writing data on the servers of the storage center. For example, this consultation is possible by associating the identification of the patient with that of the professional smart card of the authorized user, for example the referring physician of the patient. Smart card identification offers the most security. In particular, it is possible to record in the chip of the patient's card, the identity of his referring doctors, and consequently, to verify the correspondence between this information and the identity of the practitioner wishing to access the records. However, those skilled in the art will easily adapt other cross-identification protocols, using dongles or identified identification numbers and passwords, fingerprints, etc. Whatever the protocol set up, this allows a traceability of the consultations which can be recorded on the primary server (21). This traceability includes geolocation information from the medical imaging center that performed the examination.

The cross identification of the practitioner and the patient defines the part of the tree that the practitioner can access. After selecting the elements to be consulted, the corresponding files are sent in packets from the secondary servers (22, 22 ', 23, 23') to the consultation terminal which includes the programs necessary to reassemble the file segments and to decompress them. The above description clearly illustrates that by its different characteristics and advantages, the present invention achieves the objectives it has set for itself. In particular, it allows secure storage of medical examination data and secure consultation thereof from any terminal connected to the internet network, with the security of dual identification and traceability of all transactions.

Claims (10)

REVENDICATIONS1. Device (100) for the recording and consultation of medical data characterized in that it comprises - a network (2) said data storage comprising a primary server (21) and a plurality of secondary servers (22, 22 ') , 23, 23 ') in computer connection with the primary server (21); a network (1) said user comprising means for recording and storing medical data (10, 121), and identification means (11) for an authorized user and a patient; computer resources (12), called BOXs, forming an interface between the user network (1) and the storage network (2) able to compile, encrypt and prepare data generated by the user network to record them on the storage network (2) and to extract, reconstruct and decrypt data from the storage network to make them available to the user network. A method using a device according to claim 1 for recording, by an authorized user having personal identification means, data relating to a medical examination of a patient having personal identification means, said method being characterized in that it comprises the steps of: - reading the means of identification of the patient (510) and - reading the identification means of the authorized user (510 '); - allow the authorized user access to the primary server by valid identification of the patient and the authorized user; and - searching (531) in the primary server (21) for the presence of a file (211) attached to the patient's identity and in the absence of such a file to create it (532); searching (533) on the secondary servers (22, 22 ', 23, 23') the data segments (220) contained in the folders (211) corresponding to the identification defined in the previous step; sending (525) said data segments from the secondary servers to the BOX (12); and - reconstituting (521) by the functionality of the BOX (12) the contents of the patient's record using the received data segments (220); and - performing the medical examination of the patient and recording the data relating to said examination on the recording means (10) of the user network; and - close the examination; and - when the examination is closed (514), record (522, 523, 535, 536) the patient's file thus modified by segmenting it on a plurality of secondary servers (22, 22 ', 23, 23') in the folder corresponding to the patient on each of these servers. 3. Method according to claim 2, characterized in that each examination is associated in the patient file with a single imaging file and a single examination report file. 4. Method according to claim 3, characterized in that geo-location data from the examination site are entered in the imaging data file and in the examination report file. 5. Method using a device according to claim 1 for consultation by an authorized user having personal identification means, on a computer terminal, data relating to a medical examination of a patient having personal identification means, said characterized in that it comprises the steps of: - reading the identification means of the patient; and - read the means of identification of the authorized user; and - sending to the primary server (21) the data relating to the identities of the patient and the authorized user; and - confirm the validity of the identities of the authorized user and the patient, and if this validity is confirmed; reading on the primary server (21) the identification of the files (211) corresponding to the patient; and 15 - searching on the secondary servers (22, 22 ', 23, 23') the data segments (220) contained in the folders (211) corresponding to the identification defined in the previous step; and - sending said data segments (220) from the secondary servers (22, 22 ', 23, 23') to the consulting computer terminal; and reconstituting the patient's records on the consultation terminal using the data segments (220) received. 6. Method according to claim 2 characterized in that it comprises a step of generating (511) a computer list of tasks corresponding to the examination, which tasks are validated (513) computeratically at each corresponding stage of the examination and that the closing of the exam occurs when the last task in the list has been validated. 7. Method according to claim 4 characterized in that the last task of the list is the issue of an electronic care sheet. 8. The method as claimed in claim 2, characterized in that the data segments (220) are distributed randomly over the number of available secondary servers (22, 22 ', 23, 23'). 9. The method as claimed in claim 2, characterized in that the data relating to the examination comprise images and an examination report. 10. Method according to claim 9, characterized in that the report and the images are recorded in two separate directories of the patient's file.