JP2005276066A - Electronic authentication system and method - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide an electronic authentication system capable of establishing the fact that a product or a service is provided without using a signed and sealed paper document, and requesting the payment for the product or service. <P>SOLUTION: An electronic mark indicating the execution of nursing service can be recorded by a cared person 12 on a nursing service provision recording file 30A recorded in a service providing performance management system 108 by intelligent cards 102, 104. An electronic authentication server 170 of the system 108 transforms the file 30A into an unreferable file and performs electronic sign by a software when a password is not input. In an application system 360a of an examination payment organization 18, the transformed unreferable nursing service provision recording file 30A is inversely transformed by the password to make it referable, and collates the same with a benefit invoice submitted from an employer with a specific form. When both are agreed with each other, an insurer pays the benefit to the employer through the examination payment organization 18. <P>COPYRIGHT: (C)2006,JPO&NCIPI

Description

  The present invention relates to a dispatch management system, for example, an electronic authentication system and method for the purpose of performing a service such as a care service at a care site other than a care facility, such as home care, and authentication at the time of delivery of goods.

  Documents such as contracts and certificates that need to be signed and stamped are usually sent back and forth between contract parties as paper. Such paper documents are used for proof of transaction facts, and by presenting them, the price of the goods and services provided can be charged. Such paper documents may also be subject to audit by public authorities.

  Hereinafter, a conventional paper-based transaction will be described using a home care service as an example. This service is to receive a care service at the home of a care recipient who receives care, and the types of services that can be used by individual care recipients are generally limited. The mechanism is roughly as follows.

  As shown in FIG. 9, first, a care recipient who is enrolled in a long-term care insurance, that is, an insured person 12, makes an application 15 for care certification to a local government 14 such as a municipality who is an insurer. The care certification rank is evaluated by the local government 14 and notified 17 to the care recipient. The insured person 12 who has been notified of the care certification rank requests a care manager (care support specialist) 20 belonging to a home care support company installed in a hospital or the like to create a care plan, that is, a care service plan. 19 to do. The care manager 20 creates a care plan through a care conference to discuss with the insured person 12 and his family, and issues the care plan 24 to the insured person 12.

  Next, based on the created care plan, the care manager 20 sends a service provision slip describing the plan of the service to be provided to the insured person 12 to the care service provider 16 and requests service provision. In FIG. 9, only one business operator 16 is shown as a representative, but a plurality of business operators may be requested for services having different contents for each business operator.

  The care service provider 16 creates and delivers a “service provision record slip” 30 shown in FIG. 10 to one or more helpers belonging to the provider 16 based on the service provision slip. This “service provision record slip” 30 describes the service that the helper is scheduled to provide to the insured person 12. The helper visits the home of the insured person 12 for providing the service 23 and receives the mark 47 of the insured person 12 in the “service provision record sheet” 30 as proof that the service has been provided.

  At the time of providing the service by the helper23, the insured 12 totals the amount of money that is determined to be borne by the insured 12 himself / herself in the month-end. , Pay to the operator.

  FIG. 10 shows an example of a service provision record slip that the helper brings as a paper to the home of the insured person 12 when the service provision 23 is performed. As shown in FIG. 10, the service provision record sheet 30 includes a care receiver name column 32, a service provider name column 33, and a service date column 34, and includes a service plan for one month. Service contents A to E received by the care recipient are printed in the service contents column 36. In the schedule column 40, a time period during which the service is provided is printed in advance. In the result column 42, the time zone when the helper actually provided the service is entered. In the care receiver check column 46, as already described above, the care receiver 12 who received the service presses the confirmation seal 47.

  As shown by the arrow 25 in FIG. 9, the care service provider 16 typically makes a request for payment of benefits 49 to the National Health Insurance Federation 18 on a monthly basis, based on the service record slip 30 brought back by the helper. do. That is, the insurer 12 charges the insurer 14 through the National Health Insurance Federation 18 for the remaining fee paid by the insured person 12 itself. On the other hand, if there is a change in the care plan and its contents, the care manager 20 also submits a benefit management slip reflecting the change contents to the National Health Insurance Federation 18 (arrow 51). The National Health Insurance Federation 18 compares the invoice from the business 16 with the benefit management slip from the care manager 20, performs the necessary examination, and requests the insurer 14 for the benefit (arrow 62). As a result, the benefit is paid from the insurer 14 to the business 16 through the National Health Insurance Federation 18 (arrows 60 and 61).

Edited by NTT Data Management Laboratories, “Electronic Document Certification”, first edition, NTT Publishing Co., Ltd., August 2001, p. 62-63 “Audio Smart Card” [online], [Searched on December 24, 2003], Internet <URL: http://www.audiosmartcard.com/Home/Index.asp>

  For example, the problems with the conventional home care service using the paper service provision record sheet 30 as described above are as follows. That is, the nursing care service provider 16 may tamper with the service provision record sheet 30 and charge the service fee illegally by modifying the service provision record sheet 30 as if the service was actually canceled. In addition, when the business operator 16 creates an invoice based on the service provision record sheet 30, there is a possibility that an incorrect amount is charged due to an input error. And there is a limit to let the insured person 12 confirm whether or not the inflated claims are being made illegally. In addition, these paper documents are stored as paper for audit by public authorities, but storage is expensive.

  Such paper document transactions have the following problems not only in nursing care services but also in general merchandise transactions. For example, a wholesaler delivers a product to a retailer and a delivery document that is a paper document. The retailer checks the delivery note against the delivered product, returns the receipt, and if there is a missing item, fills in the receipt, for example, and informs the wholesaler. On the other hand, the wholesaler delivers the missing item again with the delivery note. As described above, it takes time and labor to reciprocate a paper document.

  By the way, in the e-Japan concept, a public certifying agency applies electronic certification to digitized documents, and is proceeding to solve space-time problems such as storage costs. However, this greatly depends on the development of the IT environment, and unless the investment effect is sufficient, the realization of the IT environment cannot be expected. In addition, when a system in which paper and IT equipment are mixed is used, a problem of an input error occurs when a paper that has been reciprocated as paper is input as electronic data to an IT equipment such as a personal computer.

  An object of the present invention is to provide an electronic authentication system in which a party can approve the results of nursing care and transactions while eliminating the paper-based management accompanied by a seal, eliminating the drawbacks of the conventional technology.

  According to the present invention, in order to solve the above-described problems, a server system for storing a plan and a plan information file including an approval recorded by a specific person when the plan is executed, and a server system are installed. Planning to approve that the plan has been executed by sending the communication system that connects the base and the point where the specific person is located, and the identification information indicating the specific person from the above point through the communication network to the server system Including an approval means for recording in the information file and an electronic authentication means for confirming the approval recorded in the plan information file and applying an electronic signature indicating the validity of the approval to the plan information file. The signature verifies whether the plan has been executed.

  The electronic authentication means converts the plan information file into an unreferenceable file, and includes an unreferenceable file, a plan information file before conversion, and a password necessary to reversely convert the unreferenceable file into a plan information file. It can be downloaded from the server system via the communication network. As a result, the electronic signature is confirmed by comparing the converted plan information file that can be referred to by reverse conversion with the password and the plan information file before conversion.

  Moreover, the above-mentioned approval means is an information carrier assigned to a specific person that carries identification information and a password, and transmits the identification information and the password from the communication network as a voice signal. When the server system receives the voice signal from the communication network, the server system determines the rationality of the password code included in the voice signal, and records the date / time information in the plan information file when the rationality is recognized.

  According to the present invention, the contents of the plan information file indicating the fact of the transaction can be approved only by a specific person, that is, a person who has received provision of goods or services by the above-described approval means. In combination with such approval means, a higher-level certification body such as a prefectural certification authority performs an electronic signature on the plan information file. Can be verified. For example, by presenting a plan information file with an electronic signature, it is possible to charge a person who is obligated to pay for goods or services.

  At the same time, since the originality of the plan information file is ensured by the electronic signature, it is possible to prevent fraudulent acts such as tampering with a paper document by a business operator and adding a bill.

  In addition, it is possible to prevent erroneous billing due to an input error when creating a bill of charge from a paper document. And since these transaction documents, which have been conventionally stored as paper for auditing, can be stored as plan information files, there is no cost for storing paper documents.

  Furthermore, the choice of “paper + stamp” or “electronic signature” depends largely on the IT environment, and unless the IT environment is sufficiently effective, its feasibility cannot be expected. According to the idea, it is possible to provide a mechanism that can wipe out paper-based management with a seal without making a large-scale investment.

  Hereinafter, embodiments of an electronic authentication system according to the present invention will be described in detail with reference to the accompanying drawings.

  FIG. 1 is a schematic view showing an embodiment in which the electronic authentication system according to the present invention is applied to a care service. Referring to FIG. 1, using a card 102 held by a helper who has visited a cared person's home 101 and a card 104 held by the cared person, for example, through a telephone 106, a prefectural certification body 103 located in a remote place. Access to the service provision results management system 108 installed in, and register the care results data such as the helper visited, the care recipient who receives care from the helper, and the visit time of the helper in the system 108 for later verification. Can be searched.

  Cards 102 and 104 are intelligent cards that modulate internally generated data into audio signals and output them as audible signals 150 (FIG. 2). In the present embodiment, an audio smart card (Non-patent Document 1) provided by, for example, the French audio smart company is advantageously applied to these cards 102 and 104. This will be described in detail later.

  The telephone 106 is a cellular phone such as a cellular or personal handyphone system (PHS), or a fixed telephone, and is connected to the public telephone network 112 by radio or wire 110. Instead of or in addition to the telephone 106, it may be a personal computer (PC) or personal digital assistant (PDA) 114 with voice input / output functions, which can be connected to the Internet protocol (via dial-up connection or always-on connection 116). IP) connected to the network 118.

  The service provision result management system 108 is connected to the telephone network 112 or the IP network 118 via lines 120 and 122, respectively, and includes a plan server 124, and the authentication record memory 126 (both in FIG. This is a server system for storing long-term care result data 130 (FIG. 4). This will be described in detail later.

  The cards 102 and 104 may have the same configuration as each other, and are information carriers having a generally rectangular flat plate shape having an integrated circuit therein. Referring to FIG. 2, for example, the card 102 has an identification code (ID) 136 unique to it, and this and the count value 140 of the counter 138 are encrypted by the arithmetic unit 142, and both are voice signals by the voice synthesizer 144. And audible sound 150 is output from the speaker (SP) 146. The card ID 136 is uniquely assigned to the card 102 or 104. They are usually assigned uniquely in the card system employed, but may be the same as the card holder, i.e. the helper or caregiver identification code, e.g. care provider code or care insurance insured number .

  The cards 102 and 104 have a manual operation switch 148, and an audible sound 150 can be generated by pressing the switch. The voice 150 is sent to the service provision result management system 108 through the telephone 106 or a personal computer or a portable information terminal 114 having a voice input / output function, for example. After transmitting the audio signal, the calculation unit 142 increments the counter 138 according to a predetermined calculation formula, and updates the count value.

  In the plan server 124 of the performance management system 108, the encrypted voice 150 is decrypted by the decryption unit 152 and decrypted, and the count value 140 included in the voice signal is compared with the count value 154 prepared in advance. The update unit 156 performs collation. If the two match, the process proceeds to a registration process described later, and the received count value 140 is incremented according to a predetermined arithmetic expression, and this is stored in the database 158 as a new count value 154 corresponding to the received card ID 136. . The updated new count value 154 is used for collation with the count value 140 transmitted when the same card 102 or 104 is accessed next time. As described above, the count value 140 generated by the counter 138 of the intelligent card 102 or 104 functions as a kind of password, that is, a one-time password.

  The count value 140 of the card 102 or 104 is registered as an initial value as the count value 154 in the planning server 124 when the card is issued, and whenever the voice signal 150 is transmitted from the card 102 or 104 and received by the planning server 124, Both are calculated and updated by the same predetermined calculation. Therefore, the same count value 140 is not generated a plurality of times from the same card 102 or 104. For example, if the encrypted audio signal 150 is wiretapped, recorded, and reused, the planning server 124 can block the passage with a check 214 or 222 (FIG. 4). Since the intelligent card 102 or 104 is in the form of a portable card, an unauthorized use can be prevented by attaching a photograph of the face of the holder to the card.

  In this embodiment, the cards 102 and 104 have the same configuration, but they need not be the same. For example, only one card may be used to encrypt the audio signal. In this embodiment, the passwords of the cards 102 and 104 are used as one-time passwords. However, the password of only one of the cards may be used as a one-time password. Since the audio smart card employs a count value as in this embodiment, the same count value is not generated a plurality of times. However, instead of such an embodiment, an intelligent card having a function of generating a password as a one-time password by an arithmetic expression including time information such as a password synchronized with time may be adopted. With this mechanism, wiretapping and recording due to the estimation of the calculation rule of the counter 138 can be more effectively avoided.

  Now, referring to FIG. 3, the performance management system 108 includes a computer telephony (CTI) device 160 in this embodiment, which is connected to the telephone network 112 by a line 120. The telephony device 160 includes a switching switch (SW), and a voice response / recognition device 162 and a plan server 124 are connected to the opposite side of the line 120 as shown. The telephony device 160 is a telephone device that connects the voice response / recognition device 162 and the plan server 124 to the line 120 in accordance with an authentication sequence of cards 102 and 104 described later.

  The voice response / recognition device 162 is also connected to the planning server 124 via a connection line 163. The voice response / recognition device 162 organizes various announcement messages necessary for the authentication sequence into voice signals, sends them to the line 120, recognizes the voice from the voice signals received from the line 120, and recognizes the result to the plan server 124. It is a device that conveys.

  The planning server 124 identifies care result data such as helpers, care recipients, and times from voice signals transmitted from the cards 102 and 104 through, for example, the telephone 106 with reference to stored data in the database 158, and this is identified in the authentication record memory. This is a server system that registers in 126 and searches the stored data in the authentication record memory 126 in response to a request from the insurer client 166 (FIG. 4) of the local government system 134 and provides it to the client 166. The planning server 124 is also connected to the telephony device 160 by a local area network (LAN) 164 and is also connected to a router 168.

  The plan server 124 has an interface for creating a service provision record file 30A by the personal computer 351 of the care manager. Therefore, the care manager 20 can create the planned care plan in advance in the authentication record memory 126 as a service provision record sheet file 30A in PDF format shown in FIG. This service provision record file 30A is a record of a service plan provided by one service provider 16 to one care receiver 12, and if the provider 16 or the care receiver 12 is different, Create as a file.

  Further, the planning server 124 reversely converts the created service provision record sheet file 30A, the unreferenceable file obtained by converting the file 30A by the electronic authentication server 170, which will be described later, and the unreferenceable file, into the original service provision record A password for reverse conversion to the vote file 30A can be made available for download.

  The authentication recording memory 126 is a storage device that accumulates various nursing care result data 130, as will be apparent from the description with reference to FIG. In addition to the reception number 176, cardholder IDs 184 and 186, care service start / end information 206 and date / time information 180 shown in FIG. As shown in FIG. 6, the nursing care record data may be stored in the authentication record memory 126 as a service provision record sheet file 30A in PDF (Portable Document Format) (registered trademark) format. Alternatively, it may be saved as a file in XML (eXtensible Markup Language) format or CSV (Comma Separated Value) format.

  The electronic authentication server 170 is a server that can be exclusively used by a specific certifier such as a prefectural authentication officer. The electronic authentication server 170 holds software for converting the service provision record sheet file 30A (FIG. 6) into a file that cannot be referred to unless a password is input, and public / private keys in a public key cryptosystem.

  Certifiers such as prefectural certification officers use the electronic authentication server 170 to refer to the service provision record sheet file 30A stored in the authentication record memory 126, confirm the contents, and then refer to the file 30A. It can be converted to a file that is not possible. Then, an unreferenceable file, a service provision record sheet file 30A before conversion, and a password required to reversely convert the unreferenceable file into the service provision record sheet file 30A can be stored in the authentication record memory 126. The stored information is released from the plan server 124 and can be downloaded from the line 122 to the personal computer 350 of a plurality of service providers and the application systems 360b of the plurality of examination and payment institutions 18, which will be described later, via the IP network 118.

  The unreferenceable file may be a PDF (Portable Document Format) (registered trademark) file converted by software Adobe Acrobat Reader (registered trademark). This file prompts for a password when you try to open it, and you can only see the contents after it is converted back by entering the password.

  In addition to the method using such software, the certification officer of the prefecture uses the electronic authentication server 170 to encrypt the service provision record file 30A with the private key of the public key cryptosystem and encrypt the service provision record. The vote file 30A, the service provision record vote file 30A before being encrypted, and the public key of the public key cryptosystem may be stored in the authentication record memory 126. These pieces of information can also be released from the plan server 124 so as to be downloadable, as described above.

  The router 168 is connected to the line 122, through which the personal computer or the portable information terminal 114 can access the planning server 124.

  In the operating state, the initial values of the card ID 136 and the counter 138 of the intelligent cards 102 and 104 are registered in the database 158 of the performance management system 108 in association with their holder IDs 184. The holder ID 184 may be, for example, an identification code unique to a helper managed by a care service provider or a care insurance insured person number.

  When the helper visits the care recipient's home 101, the helper calls the result management system 108 from a telephone 106 such as a mobile phone or a fixed telephone. This is indicated by the arrow 200 in FIG. A call from the telephone 106 arrives at the performance management system 108 via the telephone network 112, and in response, the telephony device 160 connects the line 120 to the voice response / recognition device 162. This is indicated by the solid line 172 in FIG.

  When making a call from the telephone 106, the system may be configured to dial a calling party number designation special number (for example, “186”). In the case of such a system configuration, the planning server 124 cooperates with the telephony device 160 and, if the calling telephone 106 is a fixed telephone, collates with the care receiver ID from the calling telephone number, Can see the fact that visited the home of the care recipient.

  When the voice response / recognition device 162 receives the call, the voice response / recognition device 162 transmits a guidance message “This is a nursing care management system” 202 followed by a question message “What is the service attribute?” 204 to the calling phone 106.

  For example, when starting a care service for this care recipient, the helper who listens to this verbally answers in the present embodiment that “service“ 2 ”is“ start ”” (206). Of course, the system may be configured such that the service code is transmitted by a push button signal of the telephone 106. This voice signal reaches the voice response / recognition device 162 from the telephone 106 via the telephone network 112 and the telephony device 160, and the latter recognizes the voice and confirms the “start” of the confirmation message “service“ 2 ”. "208" is sent to the telephone 106. By declaring “start” or “end” of such a dispatch service, it is possible to prevent a situation in which one of the start and end operations is forgotten.

  In this embodiment, the start or end of the service is transmitted by voice using the telephone 106 to the results management system 108 as described above, but such a start and end signal is sent to the card 102 or 104. May be provided with a function of transmitting. Further, when using a personal computer or the portable information terminal 114, start and end signals may be transmitted therefrom.

  The business service attribute is not limited to such start or end. For example, in the application example of the maintenance operation service at the facility site, in addition to the start or end, the type of work such as inspection and repair of the apparatus, the number of persons, and the like may be transmitted as attributes to the performance management system.

  Subsequently, in the present embodiment, the voice response / recognition device 162 sends a guidance message “Please enter data of the insured person” 210 to the telephone set 106. Thereafter, the telephony device 160 connects the incoming line 120 to the planning server 124 in parallel as indicated by a dotted line 174 in FIG.

  Therefore, in this embodiment, the helper first moves the speaker 146 of the card 104 held by the care recipient close to the mouthpiece of the telephone 106 and presses the switch 148. In response to this, the card 104 of the care recipient (FIG. 2) and the count value 140 of the counter 138 at that time are encrypted 150 and sent out as an audio signal 212 from the card 104. This voice signal 212 reaches the planning server 124 from the telephone 106 via the telephone network 112 and the telephony device 160. The plan server 124 decrypts the voice signal 212 by the decryption unit 152 and decrypts the encryption, and the collation update unit 156 decrypts 214 the card ID 136 included therein. The collation update unit 156 collates 214 the count value 140 included in the audio signal with the count value 154 corresponding to the card ID 136 stored in the database 158. If they match, that is, if the password is reasonable, the process proceeds to the registration process. At the same time, the collation update unit 156 updates the received count value 140 according to a predetermined arithmetic expression, and stores it in the database 158 as a new count value 154 corresponding to the received card ID 136. This state is indicated by a check box 214 in FIG. With the above operation, the care recipient can approve the start of the service without pressing an approval mark on the paper document as in the past.

  In response to the confirmation result 214 in the plan server 124, the voice response / recognition device 162 sends an announcement message “confirmed insured” or “cannot confirm insured” to the telephone 106. If the result of the check 214 is positive (OK), the planning server 124 searches the database 158 from the card ID 136 of the received card 102 and specifies the holder of the card 102. The identified holder, that is, the care recipient's holder ID 184 in this example, is included in the record data together with the “start / end” data 206 and is stored in the authentication record memory 126. At that time, a reception number 176 is created, the date / time information 180 at that time is acquired from the date / time stamper 178 (FIG. 4), and the corresponding date / time information 180 is also stored in the authentication recording memory 126. This identifies the date and time when the service was started.

  On the other hand, the voice response / recognition device 162 further sends a guidance message “Please input helper data” 218 to the telephone 106. In response to this, the helper presses the switch 148 of the card 102 held by the helper, that is, the helper, in the same manner as the previous time. In this way, the card ID 136 of the helper and the count value 140 of the counter 138 at that time are transmitted from the card 102 as an audio signal 220 (FIG. 5), and reach the planning server 124.

  In the plan server 124, the card ID 136 and the count value 140 included in the audio signal 220 generated from the helper card 102 are decoded and verified 222 in the same manner as in the case of the care recipient card 102. If the verification is successful, the received count value 140 is updated and stored in the database 158 as a new count value 154 corresponding to the card ID 136.

  Through the operations up to this point, using both the care recipient and the cards 102 and 104 held by the helper, the circuit switching network called the telephone network 112 is used, and each card is connected via the same call-connected line. Authentication was performed by transmitting an audio signal including a code to carry. Authentication is performed only when the same call-connected line is used. This is because it is assumed that both the care recipient and the helper are at the same point (usually the care recipient's home) at the service start time. Therefore, even if authentication is performed using both the cards 102 and 104 at the same time, if the card authentication operation is performed via a separately connected line, they are at the same point. Because it cannot be inferred, authentication is rejected. This prevents fraud.

  However, when a voice signal is transmitted using a packet switching network such as the IP network 118, there is no concept of circuit switching. Therefore, if an audio signal including a code carried by each card is received by the system 108 within a predetermined time, it is assumed that both the care recipient and the helper are at the same point at the service start time. Authentication may be performed.

  Depending on the result of the confirmation 222 at the planning server 124, the voice response / recognition device 162 sends an announcement message “Helper confirmed” or “Helper not confirmed” 224 to the telephone 106. If the result of the check 222 is affirmative (OK), the plan server 124 searches the database 158 from the card ID 136 of the received card 104 to identify the holder. The specified holder, that is, the holder ID 186 of the helper in this example, is stored in the authentication record memory 126 in correspondence with the previous reception number 176 (226). At this time, the planning server 124 informs the voice response / recognition device 162 of the reception number 176 (227), and the latter creates a guidance message “reception number is XXXX” 228 by voice synthesis of the reception number 176, and the line 120 To send. This is reported to the helper from the telephone 106 and used for taking notes. Telephony device 160 then disconnects the call (230).

  If the check results in the verification steps 214 and 222 are negative (NG), the card 102 or 104 is used again to retransmit the audio signal 150 or restore the call. In that case, necessary items are left in the authentication record memory 126 of the result management system 108 as a log.

  In the above example, the care receiver card 102 is configured to be operated before the helper card 104, but the system is configured so that the helper card 104 is operated before the care receiver card 102. May be. In any case, if both card operations are performed while the call connection is continued, it can be inferred that both the cared person and the helper are in the same place.

  When the helper ends the provision of the care service, the “end” procedure is performed by operating the telephone 106 or the personal computer or the portable information terminal 114 in the same manner. In this embodiment, for example, instead of the voice input “service“ 2 ”is“ start ”” 206, verbal input is made such as “service“ 9 ”is“ end ””. Thereby, for example, the record data 190 as shown in the receipt number # 7 of the authentication record memory 126 in FIG. 4 is created. This infers that both the care recipient and the helper are at the same point (usually the care recipient's home) at the end time of the service.

  In this way, by operating the card 102 held by the helper who visited the home of the care recipient and the card 104 held by the care recipient, the performance management system 108 is accessed from the telephone 106, Care record data such as care recipients and visit times can be recorded in the authentication record memory 126 of the result management system 108.

  Referring to FIG. 4, in this example, the start operation is first performed for the helper card 102 having the card ID 5, and if the check 214 of the count value 140 is passed, the card 158 holds the corresponding card based on the card ID 5. Search for the person IDb. The retrieved holder IDb is stored in association with the reception number # 2 of the authentication record memory 126 together with the date / time data t2 given by the date / time stamper 178 and the start display 206.

  Subsequently, similarly, an operation is performed on the cared person card 104 having the card ID3, and when the check value 140 passes the check 222, the cardholder IDY is searched in the database 158 based on the card ID3. . The retrieved holder IDY is stored in the storage location of the same receipt number # 2 in the authentication record memory 126. Thus, one data entry is formed in this example for one “start” operation.

  In the above-described example, the performance management system 108 is accessed from the telephone 106, but of course, the performance management system 108 may be accessed from the personal computer or the portable information terminal 114 through the IP network 118 instead of the telephone 106. In the latter case, a guidance or confirmation message from the planning server 124 to the personal computer or the portable information terminal 114 may be transferred as character information. Further, the telephony device 160 and the voice response / recognition device 162 may not be provided. However, intelligent cards 102 and 104 are used similarly.

  In the example shown in FIG. 4, “end” is recorded as the data entry of the receipt number # 7 for the combination of the cardholder IDb and the same IDY by the subsequent “end” operation. In this example, two cardholders IDb and IDY are recorded as the same data entry in the authentication record memory 126 for one start operation. However, it is not always necessary to make the same data entry. , They may be separate data entries. In any case, the care fact data 130 is recorded in the authentication record memory 126 for each registration operation from the telephone 106, the personal computer, or the portable information terminal 114.

  As shown in the cared person check column 46 of FIG. 10, conventionally, a check 47 is made in the cared person check column 46 of the paper document 30, but in this embodiment, as shown in FIG. The manager 20 creates a service provision record file 30A, for example, in the form of a PDF file in the authentication record memory 126.

  The service provider 16 downloads the service provision record file 30A from the planning server 124, passes the service provision record sheet in a physical form such as paper to the helper in charge of providing the service to the insured person 12, and Dispatch to the home of the person 12 and provide the service.

  The insured person 12 accesses the planning server 124 by certifying means using the intelligent cards 102 and 104 in place of the conventional verification of the paper document as proof that the service has been provided. As a result, an electronic mark (check mark) 47A is recorded in the check column 46A of the service provision record sheet file 30A, which is electronic data stored in the authentication record memory 126. As described above, this electronic mark 47A cannot be recorded unless the cared person and the helper are present at the same place at the start and end of the service. Therefore, the reliability of the electronic stamp 47A is much higher than that of the conventional method of stamping a paper document.

  Here, with reference to FIG. 6, a condition for recording the electronic mark 47A will be described with an example. In this embodiment, if both the start / end times of the record column 42A are recorded, the rule that the electronic stamp 47A is recorded in the check column 46A is adopted regardless of the times. Therefore, as in service A, the start / end times of the result column 42A are different from those in the scheduled time column 40A, and as in service B, the start / end times of the result column 42A are different from those in the scheduled time column 40A. Even if it is deviated or the actual end time is earlier than the schedule as in service C, the electronic mark 47A is recorded. This is because the date and time information such as the start / end time of the service is not usually recorded at the same time as the scheduled time. Moreover, even if the helper arrives at the care receiver's home 101 earlier or is late, the care service is performed without delay, and the provision of the care service may end at an earlier time than the schedule.

  On the other hand, when only the time that is considered to be the start time is recorded as in service D, or when no time information is recorded as in service E, it is considered that the service has not been executed. The electronic mark 47A is not recorded. In these cases, it is considered that the service is interrupted for some reason and is not completed, or the service itself is canceled. As will be described later, when the prefectural certification officer refers to the service provision record sheet file 30A of FIG. 6, the service column in which the electronic mark 47A is recorded and the service column that is not recorded are as follows. They are displayed separately by changing the color.

  One of the purposes of the electronic authentication system according to the present invention is that the above-mentioned care fact data 130, that is, the PDF file of the service provision record file 30A shown in FIG. 6, is authentic by a higher-level certification body such as a prefecture. It is possible to prove this.

  The certification officer of the prefecture uses the electronic authentication server 170 of FIG. 3 and refers to the file 30A when the month in which the service contents described in the service provision record file 30A of FIG. 6 have been provided has elapsed. . As shown in FIG. 6, only the service D and E fields in which the electronic mark 47A is not recorded are displayed in a different color from the other service A to C fields, indicating that the service has not been executed. Display easily. Upon confirming the contents of the file 30A, the authentication officer inputs the mark 512 of the electronic signature 512 into the local government check column 510. This mark is merely a formal one, and it cannot be said that the originality of the record slip file 30A has been secured by itself. Therefore, in order to ensure the originality, the file 30A is converted into an inaccessible file by software provided in the electronic authentication server 170. It is necessary to reversely convert the unreferenceable file and the service provision record file 30A before the conversion, in which the formal digital signature mark 512 is input, and the unreferenceable file into the service provision record file 30A. A new password is stored in the authentication recording memory 126. These stored information can be downloaded from the planning server 124.

  Alternatively, the PDF file of the service provision record tag file 30A may be encrypted with a private key, and the encrypted service provision record slip file 30A may be made downloadable. In that case, an unencrypted service provision record card file 30A in which the formal electronic signature mark 512 is input is also made downloadable in the same manner. Further, a public key for decrypting the encrypted service provision record card file 30A is also disclosed to the server 124.

  The care service provider 16 accesses the plan server 124 of the service provision result management system 108 from the personal computer 350 owned by the care provider 16 via the IP network 118 and downloads the unencrypted service provision record sheet file 30A. Using the service provision record file 30A or the service provision record sheet 30A (FIG. 6) in which the electronic signature 512 of the prefecture is applied to the local government seal column 510, which is printed, Various application procedures for 360a and 360b will be possible. The application systems 360a and 360b here are typically subsidy claiming systems from businesses to local governments and other institutions.

  The care service provider 16 fills in the prescribed invoice form the type and total amount (number of times) of the services provided by the company to the care recipient among the matters described on the printed form 30A. The form is sent to the examination and payment institution 18 to request benefits. In the application system 360a provided in the examination and payment institution 18, the PDF (Portable Document Format) (registered trademark) format converted by the Adobe Acrobat Reader (registered trademark) from the server 124 in the system 108 through the IP network 118 is referred. An impossible file is downloaded, and this is reverse-converted with the password disclosed to the server 124 to obtain a file 30A. Then, the contents of the invoice form submitted by the business operator 16 are collated with the service provision record sheet file 30A which is the decrypted electronic data, and it is confirmed that they match. In the application system 360a, for the convenience of collation, the contents of the downloaded and reverse-converted PDF file may be collated after being automatically entered into a form similar to the invoice form submitted by the business operator 16.

  On the other hand, when the information published by the server 124 is information encrypted by the public key cryptosystem, the service provision record sheet file 30A encrypted by the private key is downloaded and decrypted by the public key. Then, the contents of the invoice form submitted by the business operator 16 are collated with the service provision record sheet file 30A which is the decrypted electronic data, and it is confirmed that they match.

  By these confirmation operations, the contents of the invoice form submitted by the business 16 are proved to be authentic. This is because, as described in Non-Patent Document 1, the service provision record sheet file 30A as electronic data that can be inversely converted or decrypted using a password or a public key matches the printed form 30A. This is because it is possible to prove that the service provision record sheet file 30A, which is data, has been converted or encrypted by software held by the electronic authentication server 170 or a secret key.

  Further, the business operator 16 sends the converted or unencrypted service provision record file 30A downloaded from the server 124 to the application system 360b provided in the examination / payment institution 18 without printing it as electronic data. May be. In this case, among the items described in the service provision record file 30A, the type of service provided to the care recipient by the operator and the total amount (number of times) are provided in a predetermined invoice form provided in the system 360b. Automatically entered. As a result, an error in filling in the invoice form by the business operator 16 is prevented. In this case as well, the examination / payment institution 18 reversely converts or decrypts the service provision record file 30A converted or encrypted by software or a private key, and creates an invoice form created from data sent through the application system 360b. It is possible to confirm that the data sent from the operator 16 is authentic. In this case, the service provision record file 30A to be collated is preferably not in PDF format but in XML (eXtensible Markup Language) format before and after conversion or encryption for convenience of collation.

  Regardless of whether the application system 360a or 360b is used, if the fact of the nursing care activity can be confirmed, the insurer 14 pays the benefit to the business operator 16 through the examination and payment institution 18.

  The above-described embodiment is configured on the premise that the benefit is paid in response to the claim request procedure from the business operator 16 to the examination / payment institution 18 in the current nursing care claim system. However, it is already ensured that there is no error in the contents of the service provision record sheet file 30A downloaded from the results management system 108 after being converted or encrypted. Therefore, in the future, the request procedure from the business operator 16 to the examination / payment institution 18 may be eliminated.

  7 and 8 show the relationship between the product delivery person and the authenticator who receives the delivery. FIG. 7 is a conventional paper-based transaction relationship diagram, and FIG. 8 shows a second embodiment of the electronic authentication system according to the present invention applied to the transaction of FIG. The deliverer 400 may be, for example, a wholesaler that delivers goods, and the authenticator 410 may be a retailer that receives deliveries. Conventionally, as shown in FIG. 7, a product is delivered from a delivery person 400 to a certifier 410 together with a delivery form 420 that is paper, and for missing items, for example, a receipt form 420A is entered. It was returned to the delivery person 400.

  As shown in FIG. 8, in the electronic authentication system according to the present invention, the service provider performance management system 108 similar to that shown in FIG. Just place it. In this case, the delivery form 420 is sent as paper at the time of delivery, but it is possible to notify the delivery side of the product without returning the paper document by using the electronic signature 420B as to whether or not the goods are completely prepared. . As a result, troublesome operations such as manually collating paper documents are eliminated, and delivery confirmation operations are made more efficient.

  In the first example, the insured 12 who received the care service provided only a part of the fee, and the other shortfall was covered by the benefit from the insurer, ie the municipality 14, The digital signature can be obtained from the digital authentication server 170 that can be used only by the certification officer of the prefecture. However, in this second embodiment, the transactions are between private traders, so there is no need for a public certification body to intervene. In the second embodiment, the service provision result management system 108 is held by the delivery person 400. However, if there is a missing item in the delivered product, it is the certifier 410 that approves the data such as the delivery note in the system 108 to indicate that fact and further digitally signs the data. The electronic data of the receipt converted or encrypted with the software or private key held by the certifier 410 is reversely converted or decrypted by the provider 400 using a password or public key, and the certifier is surely provided with the product. I can confirm that.

  In the first embodiment, the start time and end time of the service are registered with the cards held by both the helper and the care recipient in relation to the care service, but in this second embodiment, the authenticator 410 It is only necessary to register the shortage quantity or the like in the system 108 using only the cards possessed by the system.

It is the schematic which shows the Example which applied the electronic authentication system by this invention to care service. It is a block diagram of the card | curd and plan server which are shown in FIG. It is a block diagram of the service provision track record management system shown in FIG. It is a block diagram of the plan server shown in FIG. It is a sequence diagram which shows the example of the authentication registration sequence in a 1st Example. It is a figure which shows an example of the service provision recording slip as data preserve | saved at the authentication recording memory of FIG. It is a transaction relationship figure between the conventional paper-based delivery person and the authenticator who receives delivery. It is a figure which shows the 2nd Example of the electronic authentication system by this invention applied with respect to FIG. It is a figure which illustrates the conventional paper-based home care service. FIG. 10 is a diagram showing an example of a service provision record slip that reciprocates between the insurer and the insured person shown in FIG. 9 as paper.

Explanation of symbols

102, 104 Intelligent card
106 telephone
108 Service provision management system
124 Planning server
126 Authentication record memory
158 database
162 Voice response / recognition device
166 Insurer Client
170 Electronic authentication server

Claims (18)

A server system for storing a plan information file including a plan and an approval recorded by a particular person when the plan is executed;
A communication network connecting a base where the server system is installed and a point where the specific person is located;
Approval means for transmitting identification information indicating that the person is the specific person from the point through the communication network to record the approval that the plan has been executed in the plan information file;
Electronic authentication means for confirming the approval recorded in the plan information file and applying an electronic signature indicating the validity of the approval to the plan information file,
An electronic authentication system, wherein whether or not the plan is executed is verified by an electronic signature applied to the plan information file.   2. The electronic authentication system according to claim 1, wherein the electronic authentication unit converts the plan information file into an unreferenceable file, the unreferenceable file, the pre-conversion plan information file, and the unreferenceable file. An electronic authentication system characterized in that a password necessary for reversely converting a file into a plan information file can be downloaded from the server system via a communication network.   3. The electronic authentication system according to claim 2, wherein the unreferenceable file is a PDF (Portable Document Format) (registered trademark) file converted by Adobe Acrobat Reader (registered trademark). .   4. The electronic authentication system according to claim 2, wherein the presence / absence of the electronic signature is determined by comparing a plan information file obtained by reversely converting the unreferenceable file with the password and a plan information file before the conversion. An electronic authentication system characterized by being determined.   2. The electronic authentication system according to claim 1, wherein the electronic authentication unit encrypts the plan information file with a secret key of a public key cryptosystem, the encrypted plan information file, and the encrypted plan information file before being encrypted. An electronic authentication system, wherein a plan information file and a public key of the public key cryptosystem can be downloaded from the server system via a communication network.   6. The electronic authentication system according to claim 5, wherein the presence or absence of the electronic signature is determined by: a plan information file obtained by decrypting the encrypted plan information file with the public key; and a plan information file before being encrypted. An electronic authentication system characterized by being determined by checking. 2. The electronic authentication system according to claim 1, wherein the approval unit is assigned to the specific person who carries the identification information and a password and transmits the identification information and the password as a voice signal from the communication network. Information carrier,
When the server system receives the voice signal from the communication network, the server system determines the rationality of the password code included in the voice signal, and records the date / time information in the plan information file when the rationality is recognized. An electronic authentication system characterized by that.   8. The electronic authentication system according to claim 1, wherein the plan is an implementation plan of a care service, and the specific person is a care recipient who receives the care service. Authentication system.   8. The electronic authentication system according to claim 1, wherein the plan is a delivery plan of the goods, and the specific person is a person who receives the delivery of the goods. Creating a plan information file in the server system that includes a plan and an approval recorded by a particular person when the plan is executed;
A step of transmitting identification information indicating that the specific person is the specific person to the server system through a communication network and recording an approval that the plan has been executed in the plan information file;
A specific certifier confirming the approval recorded in the plan information file and applying an electronic signature indicating the validity of the approval to the plan information file,
An electronic authentication method characterized by verifying whether or not the plan has been executed by an electronic signature applied to the plan information file.   11. The electronic authentication method according to claim 10, wherein in the step of applying the electronic signature to the plan information, the specific certifier converts the plan information file into an unreferenceable file, the unreferenceable file, An electronic authentication method characterized in that a plan information file before conversion and a password necessary for reversely converting the unreferenceable file into a plan information file can be downloaded from the server system via a communication network. .   12. The electronic authentication method according to claim 11, wherein the unreferenceable file is a PDF (Portable Document Format) (registered trademark) file converted by Adobe Acrobat Reader (registered trademark). .   13. The electronic authentication method according to claim 11 or 12, wherein the presence or absence of the electronic signature is determined by comparing a plan information file obtained by reversely converting the unreferenceable file with the password and a plan information file before the conversion. The electronic authentication method characterized by determining.   11. The electronic authentication method according to claim 10, wherein in the step of applying the electronic signature to the plan information, the specific certifier encrypts the plan information file with a secret key of a public key cryptosystem, and the encrypted information is encrypted. An electronic authentication method characterized in that a plan information file, a plan information file before encryption, and a public key of the public key cryptosystem can be downloaded from the server system via a communication network.   15. The electronic authentication method according to claim 14, wherein the presence / absence of the electronic signature is determined by: a plan information file obtained by decrypting the encrypted plan information file with the public key; and a plan information file before being encrypted. An electronic authentication method characterized by determining by collating. The electronic authentication method according to claim 10, wherein in the step of recording the approval that the plan has been executed in the plan information file,
Assigning to the specific person an information carrier that carries the identification information and password and transmits the identification information and password as a voice signal;
The specific person transmits the audio signal from the information carrier through a communication network to the server system;
The server system receiving the audio signal and determining the rationality of a security code included in the received audio signal;
The server system includes a step of recording date and time information in the plan information file when the rationality is recognized.   17. The electronic authentication method according to claim 10, wherein the plan is an implementation plan of a care service, and the specific person is a care recipient who receives the care service. Authentication method.   17. The electronic authentication method according to claim 10, wherein the plan is a delivery plan for the goods, and the specific person is a person who receives the delivery of the goods.

Images