JP2015095185A - Information management system and data coordination method thereof - Google Patents

Abstract

PROBLEM TO BE SOLVED: To reduce a load required for maintaining and managing fictitious names and user ID linked to the fictitious names by reducing the number of fictitious names to be registered.SOLUTION: In each of hospital public servers SV1-SV2, a medical employee belonging to another hospital that is locally coordinated is defined as a guest user and for the guest user, a fictitious name is issued and registered by a coordination server SV0. When a medical employee in a certain hospital browses medical examination information of a patient stored in the public server of the other hospital, a fictitious name for the medical employee of an access source is replaced with the fictitious name for the guest user of the hospital to be an access destination, thereby executing ID coordination of the medical employees between the hospital public servers. Otherwise, the coordination server SV0 temporarily issues a fictitious name and replaces the fictitious name of the medical employee of the access source with the temporarily issued fictitious name, thereby executing ID coordination of the medical employees between the hospital public servers.

Description

  The present invention relates to an information management system for transferring patient medical information between, for example, local medical institutions and health-related organizations via a communication network, and thereby allowing a referral doctor to refer to patient medical information. The present invention relates to a data linkage method used in this system.

  Depending on the patient's medical condition, regional medical institutions are making use of their respective characteristics to share the functions, and by collaborating between medical institutions, efforts to provide medical services centered on patients throughout the region are being promoted Yes. In order to realize this regional medical cooperation, EHR (Electronic Health Record) is a mechanism that allows doctors at other hospitals and clinics to view patient medical data stored by a hospital in the area as needed. There is.

  In a region where Hospital A and Hospital B participate in medical collaboration, when a medical worker X belonging to Hospital A views the medical information of a patient who has received a medical examination at Hospital B, the medical worker X is B You need to be able to access the hospital server. In this case, in order to identify who accessed at the B hospital side, it is necessary to prepare the account of the medical worker X belonging to the A hospital in the system at the B hospital side, which may be complicated. It had been.

  In order to solve this problem, in order to be able to access the data servers of multiple hospitals with a single authentication procedure, a method for enabling safe access to patient data using ID-linked single sign-on Has been proposed (see, for example, Patent Document 1). If this method is used, ID cooperation can be realized by transferring individual information of a user such as a patient between the data servers without notifying the user ID managed uniquely by each hospital data server.

  From the viewpoint of security, a system that uses a pseudonym for user ID cooperation between data servers has also been proposed (see, for example, Patent Document 2). This system includes a user authentication / management server that authenticates a user and manages the user's identity, and a service providing server that provides various services to the user. The user ID is linked by conversion through the pseudonym by the management server. The reason for using the pseudonym is to prevent the leakage of personal information generated by linking the user IDs existing in each server while preventing the leakage of the real user ID.

JP 2007-299303 A JP 2013-29886 A

  However, in the method described in Patent Document 1, since it is necessary to cooperate while exchanging user IDs between the data servers of each hospital, there is troublesome cooperation of user IDs. On the other hand, in the system described in Patent Document 2, a huge number of pseudonyms obtained by multiplying the number of users by the number of service servers is registered and operated, which requires a lot of trouble to maintain and manage the pseudonyms and the user IDs associated therewith. And time is required. In addition, it is very undesirable for security to register the user ID of a medical worker who does not know whether to use the system.

  The present invention has been made paying attention to the above circumstances, and the purpose thereof is to reduce the number of registrations of kana and thereby reduce the load required for the maintenance management of kana and user IDs associated with the kana. The object is to provide a management system and a data linkage method used in this system.

In order to achieve the above object, the present invention comprises the following aspects.
(1) First and second data servers that independently manage individual information and individual user IDs for each user to be managed, and communication with these first and second data servers via a communication network An information management system comprising a cooperative server,
The first and second data servers include means for defining a user group managed by a data server other than its own server as a guest user, and issuing and storing a guest user ID for the guest user,
The linkage server issues a common user ID for managing each user in common with the entire system for the managed user and guest user, and the server itself is the first and second data server for each user. And a means for generating and storing first linkage information in which the issued common user ID and the communication identifier are associated with each other.
The first and second data servers include means for receiving a communication identifier issued by the cooperation server for the management target user and guest user from the cooperation server, the received communication identifier, Means for generating and storing second linkage information in which the individual user ID and the guest user ID that are managed independently by the own server are associated with each other;
When a user managed by the first data server accesses individual information of another user managed by the second data server,
In response to the assertion acquisition request regarding the access source user and the other user that is the access destination sent from the first data server, the cooperation server is the guest user and the other access destination that are defined in the second data server. Communication identifier that is issued to each of the users is searched from the first link information, and the assertion information including each searched communication identifier is returned to the first data server of the acquisition request source Perform the conversion process,
The first data server sends a data access request for the individual information of the other user to the second data server together with the assertion information returned from the cooperation server,
When the second data server receives the data access request and the assertion information sent from the first data server, based on each communication identifier included in the received assertion information, the guest user ID and The individual user ID of the access destination user is searched from the second linkage information, and the access processing for the individual information of the access destination user is executed based on each searched user ID and the received assertion information. It is a thing.

  (2) The linkage server further includes means for storing a conversion rule for determining whether or not the communication identifier can be converted, and the access source user included in the assertion acquisition request sent from the first data server If the attribute information of the second data server satisfies the stored conversion rule, and if it is determined that the conversion rule is satisfied, the communication identifier issued for the guest user of the second data server is stored in the storage It is made to search from the 1st cooperation information made.

  (3) The second data server includes means for storing an access condition for the individual information of the management target user in association with the individual user ID for each user to be managed, and when receiving the data access request Determining whether or not the attribute information of the access source user included in the assertion information received together with the data access request satisfies the stored access condition, and if it is determined that the access condition is satisfied, the data access request The access processing for the individual information of the management target user specified by the above is executed.

  (4) Each of the first and second data servers and the linkage server represents a process executed in the own server from the generation of the assertion acquisition request to the end of the access process for the individual information of the management target user. The information processing apparatus further includes means for generating and storing log information including session information and thread information indicating an execution unit of the process.

(5) First and second data servers that individually manage individual information and individual user IDs for each user to be managed, and communication with these first and second data servers via a communication network An information management system comprising a cooperative server,
The linkage server issues a common user ID for the user to be managed in common for the entire system, and the server communicates with the first and second data servers individually for the user. A means for generating and storing first linkage information in which the issued common user ID and the communication identifier are associated with each other.
The first and second data servers are configured to receive, from the cooperation server, a communication identifier issued by the cooperation server for the management target user, the received communication identifier, and the user. Means for generating and storing second linkage information in which the individual user IDs independently managed by the server are associated with each other;
When a user managed by the first data server accesses individual information of another user managed by the second data server,
In response to an assertion acquisition request regarding an access source user and an access destination other user sent from the first data server, the cooperation server is issued for another user as an access destination in the second data server The communication identifier is searched from the first link information, the communication identifier is temporarily issued to the access source user, and the assertion information including the search and issued communication identifier is obtained from the first request source. 1) convert the communication identifier to be returned to the data server
The first data server sends a data access request for the individual information of the other user to the second data server together with the assertion information returned from the cooperation server,
When the second data server receives the data access request and the assertion information sent from the first data server, the second data server individually identifies the access destination user based on each communication identifier included in the received assertion information. A user ID is searched from the second link information, and an access process for the individual information of the access destination user is executed based on the searched user ID and the received assertion information.

According to each aspect of the present invention, the following effects can be obtained.
(1) In the first and second data servers, a user group managed by a data server other than its own server is defined as a guest user, and a guest user ID is issued to the guest user. In response to this, the cooperation server issues and stores communication identifiers for the guest users defined in the first and second data servers, respectively. When the user's individual information managed by the second data server is accessed from the first data server, it is defined in the second data server in response to a request from the first data server. The communication identifier of the guest user is notified from the linkage server to the first data server. Then, the data access request is sent from the first data server to the second data server together with the assertion information including the communication identifier of the notified guest user, and this sent assertion information is sent to the second data server. The guest user ID is specified based on the communication identifier included in the ID, and the access processing of the individual information of the access destination user is executed using the guest user ID as the access source. That is, when accessing the individual information of the second data server from the first data server, the communication identifier of the access source user is replaced with the communication identifier for the guest user of the access destination data server.

  Therefore, compared to the case where all data servers manage the user IDs of all users, and the linkage server issues communication identifiers for all the user IDs and maintains them accordingly, the linkage server manages them. It is possible to reduce the number of communication identifiers, thereby reducing the load required for maintaining and managing communication identifiers and user IDs associated therewith. Also, by defining guest users for each data server, it is not necessary for all data servers to manage user IDs of users who do not know whether to use the system. For this reason, it becomes possible to prevent the leakage of the ID of the user who does not use the system, thereby improving the security for managing the user ID.

  (2) In the cooperation server, a conversion rule for determining whether or not the communication identifier can be converted is set, it is determined whether or not the attribute information of the access source user satisfies the conversion rule, and it is determined that the conversion rule is satisfied. In this case, the communication identifier for the access source user is converted into the communication identifier for the guest user. For this reason, users other than those having preset attribute information can be prevented from being recognized as guest users, so that only users belonging to a predetermined organization and having appropriate qualifications perform data access as guest users, for example. It becomes possible.

  (3) In the data server, an access condition for the individual information of the user is set for each user in association with the user ID, and when the data access request is received, the attribute information of the access source user satisfies the access condition. Only when it is determined that, the access processing for the individual information of the access destination user designated by the data access request is executed. For this reason, for example, the medical information is disclosed only to the access source user who satisfies the medical information disclosure condition set for each patient. Therefore, the access sources for the individual information can be appropriately restricted.

  (4) In the first and second data servers and the linkage server, log information including session information and thread information is generated and stored each time an access process is performed on individual information of the user. For this reason, when the user's personal information is accessed, the session information and thread information of the stored log information are traced to determine which user has accessed what personal information of which user. It becomes possible to specify. That is, even if each data server accepts a user who is not managed by its own server as a guest user, it is possible to reliably specify the access source user.

  (5) When a user managed by the first data server accesses individual information of another user managed by the second data server, the cooperation server In response to the request, a communication identifier for cooperation with the second data server is temporarily issued to the access source user and notified to the first data server. Then, the first data server sends the assertion information including the temporarily issued communication identifier to the second data server together with the data access request, and the second data server sends this assertion information. The access source user is managed based on the temporary communication identifier included in the. That is, when accessing the individual information of the second data server from the first data server, the communication identifier of the access source user is replaced with the communication identifier temporarily issued for the second data server. .

  Therefore, as in (1) above, all user IDs of all users are managed in all data servers, and the corresponding server issues communication identifiers for all the user IDs accordingly and maintains them. Compared to the above, it is possible to reduce the number of communication identifiers managed by the linkage server, thereby reducing the load required to maintain and manage the communication identifier and the user ID associated therewith. For this reason, it becomes possible to prevent the leakage of the ID of the user who does not use the system, thereby improving the security for managing the user ID.

  That is, according to the present invention, there is provided an information management system that reduces the number of registered pseudonyms and thereby reduces the load required for maintaining and managing the pseudonyms and the user IDs associated therewith, and a data linkage method used in this system can do.

1 is a schematic configuration diagram of an information management system according to an embodiment of the present invention. The block diagram which shows the function structure of the cooperation server used with the system shown in FIG. The block diagram which shows the function structure of the hospital open server of the access origin used with the system shown in FIG. The block diagram which shows the function structure of the hospital open server of the access destination used with the system shown in FIG. The figure which shows the data holding example by each server in the case of managing each user's user ID and pseudonym with each hospital public server of an access source and an access destination. The figure which shows the data holding example by each server at the time of using the kana method for guest users. The figure which shows the data holding example by each server in the case of using the pseudonym issued temporarily. The figure which shows an example of the conversion rule setting file which a cooperation server hold | maintains. The flowchart which shows the first half part of the access processing procedure at the time of using the kana method for guest users, and processing content. The flowchart which shows the latter half part of the access processing procedure at the time of using the kana method for guest users, and processing content. The flowchart which shows the first half part of the access process procedure and process content in the case of using the pseudonym issued temporarily. The flowchart which shows the latter half part of the access processing procedure in the case of using the pseudonym issued temporarily, and the processing content.

Embodiments according to the present invention will be described below with reference to the drawings.
[One Embodiment]
(Constitution)
FIG. 1 is a schematic configuration diagram of an information management system according to an embodiment of the present invention.
This system includes a cooperation server SV0, and allows a plurality of hospital public servers SV1 to SVn that are independently operated by medical institutions such as hospitals to communicate with the cooperation server SV0 via a communication network NW. For example, an IP (Internet Protocol) network is used as the communication network. UT0 indicates an operator terminal for a system operator connected to the cooperation server SV0, and UT1 to UTn are used by medical workers such as doctors and nurses connected to the hospital public servers SV1 to SVn, respectively. It shows a user terminal to perform.

(1) Cooperation server SV0
As shown in FIG. 2, the cooperation server SV0 is operated by a service provider or a local government, and as shown in FIG. 2, the processing unit 10, the information storage unit 11, the conversion rule setting file storage unit 12, the communication interface unit 13, and the user And an interface unit 14. The conversion rule setting file storage unit 12 may be provided in the information storage unit 11 without being provided separately from the information storage unit 11.

  Under the control of the processing unit 10, the communication interface unit 13 performs various control data for authentication, ID linkage, and access control with each hospital public server SV1 to SVn according to the communication protocol defined by the communication network NW. Has the function of transmitting and receiving.

  The user interface unit 14 is connected to an operator terminal UT0 operated by the system operator. The user interface unit 14 takes in the operation data input at the operator terminal UT0 and notifies the processing unit 10 and a function of outputting various display data output from the processing unit 10 to the operator terminal UT0 for display. Have

  The information storage unit 12 uses a nonvolatile storage medium that can be written and read as needed, such as an HDD or SSD, as a storage medium, and stores user information as a storage unit necessary to implement an embodiment of the present invention. Unit 111, ID linkage information storage unit 112, access control information storage unit 113 for storing access control rules, and log information storage unit 114 for managing log information.

  The user information storage unit 111 stores a user information management table. The user information management table stores attribute information of each user who uses the system. The attribute information is obtained by associating the user's first name, last name, organization, internal organization, possession qualification, and the like with a system common user ID issued to the user.

  The ID linkage information storage unit 112 stores an ID linkage information management table. The ID linkage information management table stores a pseudonym and identification information of a hospital public server representing a linkage destination in association with a user ID common to the system for each user. The pseudonym is a communication identifier issued by the cooperation server SV0 for the individual user ID uniquely assigned to the user by each hospital public server SV1 to SVn, and the diagnosis information of the patient user between the hospital public servers SV1 to SVn. It is used instead of the individual user ID when accessing (operating).

  The access control information storage unit 113 stores information representing an access control rule for the medical information of the patient user as an access control list. This access control list includes, for a patient common user ID (data owner ID), identification information of medical information of the patient, information indicating a disclosure partner, and information (R / W) indicating read / write permission / inhibition It consists of something related.

  The log information storage unit 114 is used to store log information generated by the control unit 10 to be described later each time an access process for individual user information is performed. The log information is obtained by recording the session ID and thread ID at that time in time series every time an access process is performed on the individual information of the user.

  Note that a session refers to a series of operations and communications from connection / login to disconnection / logoff in a computer system or network communication. In particular, in the field of the Web, a series of actions that a user who visits a Web site performs in the site is one unit of the number of accesses, and is called one session. In order to determine this, a session ID is issued from the server side. A thread is the minimum execution unit of a program on an OS (Operating System) that supports parallel processing in the field of software and programming. Each thread is given an ID for uniquely identifying the thread. The

  The conversion rule setting file storage unit 12 stores kana conversion rules. The conversion rule is that when a medical worker at a hospital accesses patient medical information stored in another hospital, the pseudonym for the guest user or the pseudonym that is temporarily paid out is set as the pseudonym for the guest user. It describes rules for replacement, and is defined by the user's organization, internal organization, and qualifications. FIG. 8 shows an example.

  The processing unit 10 includes a CPU (Central Processing Unit). As processing functions necessary for carrying out the embodiment of the present invention, a Web access reception unit 101, an authentication / ID cooperation processing unit 102, and an access control determination unit 103, a remote data access processing unit 104, a data operation processing unit 105, and a log output unit 106. Each of these processing units is realized by causing the CPU to execute an application program stored in a program memory (not shown).

  The web access receiving unit 101 performs processing for receiving a request from the operator terminal UT0 via the user interface unit 14.

The authentication / ID cooperation processing unit 102 has the following processing functions.
(1) When an authentication request is sent from the hospital public server SV1 to SVn, an authentication screen is displayed on the user terminals UT1 to UTn connected to the requesting servers SV1 to SVn, and the user inputs on this authentication screen The authentication process is executed based on the user ID and the like. When the authentication is completed, information related to the user is read from the user information storage unit 111 and the ID linkage information storage unit 112, and assertion information including the user's pseudonym, organization, internal organization, and holding qualification is generated, A process of returning to the original servers SV1 to SVn is performed.

  (2) When a user ID cooperation request is notified from the hospital public servers SV1 to SVn, a communication identifier (a pseudonym) used for communication between the cooperation server SV0 and the hospital public server to be linked is issued. The issued pseudonym and the common user ID given as an argument by the user ID cooperation request are stored in the ID cooperation information storage unit 112. At the same time, the issued pseudonym is returned to the hospital public servers SV1 to SVn to be linked, and the pseudonym and the collaboration user ID of the servers SV1 to SVn to be linked or the guest user ID for the guest user. In association with each other, a process of storing the data in the ID linkage data storage unit of the hospital public servers SV1 to SVn is performed.

  The remote data access processing unit 104 performs a process of accessing the hospital public servers SV1 to SVn via the network NW. The data operation processing unit 105 performs processing for operating data in the own server SV0.

  When various requests are generated from the data operation processing unit 105, the access control determination unit 103 determines whether the attribute information included in the request matches the access control rule stored in the access control information storage unit 113. Then, the process of returning the determination result is performed.

  The log output unit 106 receives the assertion acquisition request from the access source hospital public servers SV1 to SVn and then ends the access to the individual information of the user until the session ID representing the process executed in the own server, Log information including a thread ID representing a process execution unit is generated, and the log information storage unit 114 stores the generated log information.

(2) Hospital public servers SV1 to SVn
The hospital public servers SV1 to SVn include a hospital server as an access source (patient information introduction destination) for patient information and a hospital server as an access destination (patient information introduction source) for patient information. Some of the servers have different functions. In addition, all the hospital public servers SV1 to SVn may include both a function that is an access source for patient information and a function that is an access destination for patient information.

(2-1) Hospital SV1 as a source of access to patient information
As shown in FIG. 3, the hospital server SV1 that is an access source for patient information includes a processing unit 20, a storage unit 21, a communication interface unit 23, and a user interface unit 24.

  The communication interface unit 23 performs authentication, ID linkage, access control, etc. between the linkage server SV0 and the other hospital public servers SV2 to SVn according to the communication protocol defined by the communication network NW under the control of the processing unit 20. Has a function of transmitting and receiving various control data.

  Connected to the user interface unit 24 is a user terminal UT1 operated by medical personnel such as doctors, public health nurses, and nurses. The user interface unit 24 has a function of capturing operation data input at the user terminal UT1 and notifying the processing unit 20 and a function of outputting various display data output from the processing unit 20 to the user terminal UT1 for display. .

  The storage unit 21 uses a nonvolatile storage medium such as HDD or SSD that can be written and read as needed, and a patient user information storage section as a storage section necessary for carrying out an embodiment of the present invention. 211, a medical worker information storage unit 212, an ID linkage information storage unit 213, an access control information storage unit 214, a medical treatment information storage unit 215, and a log information storage unit 216.

  The patient user information storage unit 211 stores a patient user information management table. In the patient user information management table, attribute information such as the patient's first and last name and address is stored in association with the user ID of the patient issued by the hospital public server SV1 for each patient managed by the hospital. FIG. 6 shows an example of medical worker information.

  The medical worker information storage unit 212 stores a medical worker information management table. This medical worker information management table associates the medical worker with a user ID uniquely issued by the hospital public server SV1 to medical personnel belonging to the hospital, such as doctors, public health nurses, and nurses. Attribute information such as name and address is stored. FIG. 6 shows an example of medical worker information.

  The ID linkage information storage unit 213 stores a hospital-specific ID linkage information management table. This ID linkage information management table is issued by the linkage server SV0 in association with the user ID for linkage issued by the hospital public server SV1 to users such as medical workers and patients managed by the hospital. The communication identifier (a pseudonym) is stored. FIG. 6 shows an example of the stored data.

  The access control information storage unit 214 stores an access control information management table representing access control rules for patient medical information managed by the hospital. The access control information management table stores the type of access (operation) to be permitted and one or more disclosure conditions in association with the user ID of the patient. The types of access include a plurality of types of operations such as reference (viewing), change, addition, and deletion.

  The medical information storage unit 215 is used to store individual patient data (for example, medical information) managed uniquely by the hospital. The medical information includes electronic medical record data, examination data, diagnostic image data, prescription data, and the like.

  The log information storage unit 216 is used to store log information generated by the control unit 20 to be described later every time access (operation) to medical information of a patient user is performed. The log information records the session ID and thread ID at that time each time access (operation) to the medical information of the patient user is performed.

  The processing unit 20 includes a CPU (Central Processing Unit). As processing functions necessary for carrying out one embodiment of the present invention, a Web access reception unit 201, an authentication / ID cooperation processing unit 202, and an access control determination unit 203, a remote data access processing unit 204, a data operation processing unit 205, and a log output unit 206. Each of these processing units is realized by causing the CPU to execute an application program stored in a program memory (not shown).

  The web access accepting unit 201 performs processing for accepting operation information on the user terminal UT <b> 1 via the user interface unit 24.

  The data operation processing unit 205 accepts a request for web access when an operation for requesting access to the medical information of the patients held by the other hospital public servers SV2 to SVn is performed by the medical staff at the user terminal UT1. The request is received from the unit 201, and an assertion information acquisition request in the access destination server of the patient who is the access destination and the medical worker who is the access source is output to the authentication / ID cooperation processing unit 202. Then, when the assertion information is returned from the authentication / ID cooperation processing unit 202, a process of outputting an access request for the examination information of the patient to the remote data access processing unit 204 is performed based on the assertion information.

The authentication / ID cooperation processing unit 202 has the following processing functions.
(1) When a login operation is performed at the user terminal UT1, an authentication request is transmitted to the cooperation server SV0, and an authentication screen sent from the cooperation server SV0 is displayed on the user terminal UT1 in response to this request. Data necessary for authentication input by the user on this authentication screen is transmitted to the cooperation server SV0, and information (authentication token) representing the authentication result is received from the cooperation server SV0. Once this authentication procedure is completed, it is possible to make a login operation without any inquiry or authentication act to the cooperation server SV0, that is, single sign-on.

  (2) Upon receiving an assertion information acquisition request from the data operation processing unit 205, the acquisition request is transmitted to the cooperation server SV0. When the assertion information including the pseudonym and the attribute information in the access destination server is returned from the cooperation server SV0 in response to this acquisition request, a process of returning the returned assertion information to the data operation processing unit 205 is performed.

  The access control determination unit 203 determines whether or not each request matches the access control rule stored in the access control information storage unit 214. When the remote data access processing unit 204 receives an access request for patient examination information from the data operation processing unit 205, the remote data access processing unit 204 sends a data acquisition request from the communication interface unit 23 via the network NW to the access destination hospital public server SV2. Processing to transmit to SVn and processing to receive this information via the communication interface unit 23 when patient medical information is sent from the hospital public servers SV2 to SVn as access destinations.

  The log output unit 206 executes in its own server from receiving the access request for the medical information of the patient managed by another hospital public server from the access source user terminal UT1 until receiving the medical information of the patient. Log information including a session ID representing the processed process and a thread ID representing an execution unit of the process is generated, and the generated log information is stored in the log information storage unit 216.

(2-2) Public server SV2 of a hospital that is an access destination (referral source) of patient information
As shown in FIG. 4, the hospital public server SV2 of the hospital to be accessed by the patient includes a processing unit 30, a storage unit 31, a communication interface unit 33, and a user interface unit 34. In addition, description is abbreviate | omitted about the same part as the function with which the hospital public server SV1 used as the access origin is provided among the functions with which the hospital public server SV2 used as the access destination is provided.

  The storage unit 32 uses a nonvolatile storage medium that can be written and read as needed, such as an HDD or SSD. The storage unit 32 is a storage unit necessary for carrying out an embodiment of the present invention. Similar to the hospital public server SV1, a patient user information storage unit 311, a medical worker information storage unit 312, an ID linkage information storage unit 313, an access control information storage unit 314, a medical treatment information storage unit 315, and log information A storage unit 316 is provided.

  The processing unit 30 includes a CPU (Central Processing Unit). As processing functions necessary for carrying out one embodiment of the present invention, a Web access reception unit 301, an authentication / ID cooperation processing unit 302, and an access control determination A unit 303, a remote data access processing unit 304, a data operation processing unit 305, and a log output unit 306. Each of these processing units is realized by causing the CPU to execute an application program stored in a program memory (not shown).

  Among the above processing units, the authentication / ID cooperation processing unit 302 issues a unique guest user ID on its own server to the guest user when the guest user registration process is performed by operating the user terminal UT1. The medical worker information storage unit 312 is stored. At the same time, the linkage server SV0 is requested to issue a pseudonym, and the pseudonym for the guest user sent from the linkage server SV0 in response to the issue request is stored in the ID linkage information storage unit 313 in association with the guest user ID. Process.

(Operation)
Next, the ID linkage operation executed in the system configured as described above will be described by dividing it into a plurality of embodiments.
(1) In the case where the pseudonym is issued to all users individually In this example, the pseudonym is individually issued to all users to perform ID linkage. This is an operation that is a premise of the present invention. It will be explained as a reference example to help understanding. FIG. 5 shows an example of data holding of the system in this reference example.

  In the figure, it is assumed that Dr. Taro Mizuno is a physician in hospital A and Dr. Jiro Tanaka is a physician in hospital A. Assume that the patient, Hanako Suzuki, visits both Hospital A and Hospital B. The medical staff information management table 212 of the A hospital public server SV1 stores attribute information such as first and last names and addresses in association with user IDs of Dr. Taro Mizuno and Dr. Jiro Tanaka. The patient user information management table 211 stores attribute information such as first and last names and addresses in association with the user ID of the patient Hanako Suzuki. In addition, the attribute information of Hanako Suzuki who is a patient is registered in the patient user information management table 311 in the hospital public server SV2 of Hospital B. When Hospital A and Hospital B are not in regional medical cooperation, Dr. Taro Mizuno is not registered in Hospital B.

  When Dr. Taro Mizuno needs to view medical information stored in Hospital B's public server SV2 as a reference for treatment of patient Hanako Suzuki at Hospital A, it can be viewed by operators of Hospital B's public server SV2. Request registration of information to make it. The operator registers Dr. Taro Mizuno (user ID: BDoc_901) in the medical worker information management table 312 of the B hospital public server SV2. Next, the cooperation server SV0 issues a pseudonym of Dr. Taro Mizuno at the B hospital public server SV2, additionally registers (user ID: md0001, pseudonym: V5pw4j) in the ID linkage information management table 112, and further adds the pseudonym to B By sending to the hospital public server SV2 and additionally registering Dr. Taro Mizuno's pseudonym and user ID (pseudonym: V5pw4j, user ID: BDoc_901) in the ID linkage information management table of the ID linkage information storage unit 313, individual user IDs are registered. ID linkage using pseudonyms that is not distributed is enabled.

  Furthermore, in the access control information management table of the B hospital public server SV2, a user whose qualification is a doctor, whose organization is A hospital, and whose internal organization is internal medicine is permitted to view medical information of Hanako Suzuki (user ID: BPat_001). Set the access control rule. As a result, Dr. Taro Mizuno at the A hospital can browse the medical information of Hanako Suzuki stored in the B hospital public server SV2.

  However, in the method of issuing and managing the pseudonyms for all such medical workers, the user IDs of the medical workers and all the public hospitals SV1 to SVn and the cooperative server SV0 that are linked to the region are used. Kana must be registered, and the more hospitals and medical workers who cooperate in the region, the more time is required for registration and maintenance.

(2) When using the kana method for guest users (Example 1)
The first embodiment is a method for performing ID cooperation using a pseudonym for a guest user. In each hospital public server, a medical worker belonging to another hospital that is affiliated with the region is defined as a guest user, and a pseudonym for this guest user is registered. When browsing the patient's medical information stored on the public server, replace the pseudonym of the health care worker at the access source with the pseudonym for the guest user of the hospital at the access destination, so that the medical care between the hospital public servers It is intended to perform ID linkage of workers.

FIG. 6 shows an example of data possession in each server when the kana method for guest users is used. 9 and 10 are flowcharts showing the processing procedure and processing contents of each server in the first embodiment.
In order to make it possible for the patient's medical information stored in the B hospital public server SV2 to be browsed from the A hospital public server SV1 that is the referral destination of the patient, the operator of the SV2 public server SV2 To register the guest doctor (user ID: BDoc_gst) in the medical staff information management table of the hospital B public server SV2 as shown in FIG. Then, a pseudonym issuance request is sent to the cooperation server SV0.

  In contrast, the linkage server SV0 issues a system common user ID and pseudonym for the hospital B guest user, and the issued user ID (mdg00b) and pseudonym (f6SmF9) are stored in the local server SV0 as shown in FIG. It is additionally registered in the ID linkage information management table. At the same time, the issued guest user pseudonym (f6SmF9) is additionally registered in association with the user ID (BDoc_gst) in the ID linkage information management table of the hospital B public server SV2. Furthermore, in the access control information management table of the hospital B public server SV2, “permitted to view medical information of Hanako Suzuki (user ID: BPat_001) for users whose qualifications are doctors, the organization is A hospital, and the internal organization is internal medicine. Set the access control rule “Yes”.

  Now, in this state, Dr. Taro Mizuno, who belongs to Hospital A, browses from the user terminal UT1 to the Hospital A public server SV1 in order to view the medical information of Hanako Suzuki stored in the Hospital B public server SV2. Suppose you send a request. When the Web access acceptance unit 201 receives the above browsing request, the A hospital public server SV1 requests the data operation processing unit 205 to perform a data acquisition process, as shown in FIG. The data operation processing unit 205 requests the authentication / ID cooperation processing unit 202 for assertions of the patient, Hanako Suzuki and Dr. Taro Mizuno.

  The authentication / ID cooperation processing unit 202 acquires the pseudonyms (Mw0qJZ) and (AgYe6f) in the A hospital public server SV1 of the above-mentioned patients Hanako Suzuki and Dr. Taro Mizuno from the ID cooperation information management table. Then, the acquired assertion acquisition request including the pseudonym (Mw0qJZ) and (AgYe6f) in the acquired A hospital public server SV1 is sequentially transmitted to the cooperative server SV0. Get assertion information.

  For example, the authentication / ID cooperation processing unit 202 of the A hospital public server SV1 first transmits an assertion acquisition request including the pseudonym (Mw0qJZ) in Hanako Suzuki's A hospital public server SV1 to the cooperation server SV0 as shown in FIG. The cooperation server SV0 acquires the common user ID (mp0001) of Hanako Suzuki associated with the pseudonym (Mw0qJZ) from the ID cooperation information management table under the control of the authentication / ID cooperation processing unit 102. Then, using this common user ID as a key, the pseudonym (9d5AQL) in Hanako Suzuki's B hospital public server SV2 is acquired from the ID linkage information management table, and the assertion information including the acquired pseudonym is sent to the requesting A hospital public server SV1. Return it.

  Next, the authentication / ID cooperation processing unit 202 of the A hospital public server SV1 transmits an assertion acquisition request including the pseudonym (AgYe6f) of Dr. Taro Mizuno in the A hospital public server SV1 to the cooperation server SV0. The cooperation server SV0 acquires the common user ID (md0001) of Dr. Taro Mizuno associated with the pseudonym (AgYe6f) from the ID cooperation information management table under the control of the authentication / ID cooperation processing unit 102. Then, using this common user ID as a key, an attempt is made to obtain a pseudonym in Dr. Taro Mizuno's B hospital public server SV2 from the ID linkage information management table.

  However, the pseudonym in Dr. Taro Mizuno's B hospital public server SV2 is not registered. Therefore, the attribute information of Dr. Taro Mizuno associated with the common user ID is read from the user information management table, and the attribute information of this read Dr. Taro Mizuno is converted into a conversion rule setting file stored in the conversion rule setting file storage unit 12 and Match. When a conversion rule that matches the attribute information is found, a pseudonym for the guest user is acquired from the ID linkage information management table.

  For example, if the attribute information of Dr. Taro Mizuno is as shown in FIG. 6, the belonging organization = A hospital, internal organization = internal medicine, possession qualification = doctor, and the content of the conversion rule setting file is as shown in FIG. The attribute information of Dr. Taro Mizuno matches the conversion rule 1. Therefore, “f6SmF9”, which is a pseudonym for the guest user, is acquired from the ID linkage information management table.

  The authentication / ID cooperation processing unit 102 creates assertion information for the hospital B public server SV2 of Dr. Taro Mizuno using the acquired pseudonym (f6SmF9) for the guest user, and returns it to the hospital A public server SV1. .

A supplementary explanation will be given with reference to FIG. In the above example, the attribute information of Dr. Taro Mizuno has been described by taking an example in which the conversion rule 1 of the conversion rule setting file completely matches. However, various settings are possible for this match.
In FIG. 8, the conversion rule 2 has an organization and qualifications, but the internal organization is blank. The conversion rule 3 describes only one attribute for the qualification, but the organization and the internal organization specify a plurality of attributes. There are two ways to define the blank. One is to handle “having a value of blank”. In the conversion rule 2, since the internal organization is blank, it is assumed that Dr. Mizuno of internal medicine does not match, and Dr. Tanaka who does not belong to the internal organization matches. The other is to treat “not specified”. In this case, the conversion rule 2 is interpreted as “the internal organization does not matter”. For this reason, Dr. Mizuno and Dr. Tanaka are considered to agree.

  In addition, two determination methods can be considered when the user has a plurality of attributes (qualification, organization, internal organization). One is to allow only when all the user attributes and the rule attributes match, and the other is that any one of the plurality of attributes only needs to match. For example, it is assumed that Dr. Sato belongs to internal medicine and pediatrics in both hospital A and hospital B, but Dr. Naganuma belongs only to pediatrics in hospital B. In the conversion rule 3, only Dr. Sato matches with the former determination method, and Dr. Sato and Dr. Naganuma match with the latter determination method.

Furthermore, in FIG. 8, the match with the conversion rule is determined based on the three attributes of qualification, organization, and internal organization, but other attributes can be used for the determination. Information indicating the authentication method (whether it is a one-time password method or biometric authentication) when the user is authenticated, and the IP address or domain of the access source terminal may be included. In addition, a rule that only a specific server is permitted can be created using the server information of the access destination. Furthermore, a combination of these pieces of information may be used to create a conversion rule using an AND condition or an OR condition.
As described above, the description regarding FIG. 8 is merely an example, and the present invention is not limited to this description.

  When the assertion information in the public hospital SV2 of the B hospital public server SV2 of Hanako Suzuki as the access destination and the assertion information in the public hospital SV2 of the B hospital public server SV2 of the doctor Taro Mizuno as the access source are returned from the cooperation server SV0, The above assertion information is returned from the authentication / ID cooperation processing unit 202 to the data operation processing unit 205. The data operation processing unit 205 requests the remote data access processing unit 204 to browse the medical information of Hanako Suzuki stored in the B hospital public server SV2. At this time, the remote data access processing unit 204 also sends assertion information of Hanako Suzuki and Dr. Taro Mizuno together with the above browsing request. The remote data access processing unit 204 transmits a data acquisition request to the B hospital public server SV2.

  Upon receiving the data acquisition request and the assertion information, the B hospital public server SV2 passes the assertion information from the data operation processing unit 305 to the authentication / ID cooperation processing unit 302 as illustrated in FIG. The authentication / ID cooperation processing unit 302 extracts the pseudonym (9d5AQL) from the assertion information of Hanako Suzuki, and acquires the user ID (BPat_001) from the ID cooperation information management table based on the pseudonym (9d5AQL). Subsequently, the pseudonym (f6SmF9) is extracted from the assertion information of Dr. Taro Mizuno, and the user ID (BDoc_gst) of the guest doctor is acquired from the ID linkage information management table based on this pseudonym (f6SmF9). Then, the acquired user ID (BPat_001) of Hanako Suzuki and the user ID (BDoc_gst) of the guest doctor are returned to the data operation processing unit 305.

  Next, the data operation processing unit 305 requests the access control determination unit 303 to determine whether access to the medical information of Hanako Suzuki is possible. The access control determination unit 303 sets the user ID (BPat_001) of Hanako Suzuki acquired in the previous process and the qualification obtained from the assertion information of Dr. Taro Mizuno = doctor, belonging organization = A hospital, internal organization = internal medicine, The access control rule stored in the access control information management table is collated, and if it matches, it is determined that the medical information can be accessed, and the result is returned to the data operation processing unit 305.

  When receiving the determination result that the access is possible, the data operation processing unit 305 reads out the medical information of Hanako Suzuki from the medical information storage unit 315 and passes it to the remote data access processing unit 304. The remote data access processing unit 304 passes the read medical information of Hanako Suzuki to the data operation processing unit 205 of the hospital A public server SV1. The data operation processing unit 205 passes the result to the web access reception unit 201, and the medical access information of Hanako Suzuki is sent from the web access reception unit 201 to the user terminal UT1 and displayed on a display or the like.

  Thus, the access destination B hospital public server SV2 does not use the individual user ID and pseudonym of the access source Dr. Taro Mizuno, but instead performs ID linkage using the guest doctor's pseudonym, thereby making the hospital public server SV1, The medical information of Hanako Suzuki between SV2 can be browsed.

  By the way, when the series of ID linkage processing and examination information browsing processing described above are completed, the linkage server SV0, the access source A hospital public server SV1, and the access destination B hospital public server SV2 are log output units 106, 206, 306 creates log information in which session IDs and thread IDs used in the course of the series of ID linkage processing and examination information browsing processing are arranged in time series, and each of the created log information is a log information storage unit. 114, 216, 316.

  At this time, one session ID is assigned by the operation of the website. For this reason, there is a possibility that the guest doctor's pseudonym may be used by a plurality of medical workers belonging to Hospital A, but since the session ID is different for each medical worker, which medical worker has operated from the log information. Can be distinguished. The thread ID is used to determine in which order processing has been performed. For this reason, it is possible to sequentially determine who has performed which operation by looking at the log information created by each hospital public server as the access source and the access destination.

(3) When using a temporarily issued pseudonym (Example 2)
The second embodiment is a method in which ID linkage is performed using a temporarily assigned pseudonym. Each hospital public server does not register any user IDs for medical workers belonging to other hospitals that are linked to the region. Then, when an assertion of a medical worker at the hospital public server as the access destination is requested from the hospital public server as the access source, the linkage server SV0 is temporarily used for the medical worker at the hospital public server as the access destination. In this case, the pseudonym is issued to the access point, and the pseudonym of the health care worker at the access source is replaced with the temporarily issued pseudonym so that the medical staff ID is linked between the hospital public servers.

FIG. 7 shows an example of data possession in each server when a method of performing ID linkage using a temporarily issued pseudonym is applied. 11 and 12 are flowcharts showing the processing procedure and processing contents of each server in the second embodiment.
In the second embodiment, since the method of temporarily paying out the pseudonym is adopted, the operator of the hospital B public server SV2 can set the medical worker information management table and the ID linkage information management table as shown in FIG. Registration of a user name and its user ID is not required. However, in order to judge whether or not the medical information stored in the B hospital public server SV2 can be accessed by the medical staff belonging to the A hospital, the access control information management table indicates that “the qualification is a doctor and the organization is the A hospital. An access control rule of “permit viewing of medical information of Hanako Suzuki (user ID: BPat_001) to a user whose organization is internal medicine” is set.

  Now, in this state, Dr. Taro Mizuno, who belongs to Hospital A, browses from the user terminal UT1 to the Hospital A public server SV1 in order to view the medical information of Hanako Suzuki stored in the Hospital B public server SV2. Suppose you send a request. When the Web access acceptance unit 201 receives the above browsing request, the A hospital public server SV1 requests the data operation processing unit 205 to perform a data acquisition process, as shown in FIG. The data operation processing unit 205 requests the authentication / ID cooperation processing unit 202 for assertions of the patient, Hanako Suzuki and Dr. Taro Mizuno.

  The authentication / ID cooperation processing unit 202 acquires the pseudonyms (Mw0qJZ) and (AgYe6f) in the A hospital public server SV1 of the above-mentioned patients Hanako Suzuki and Dr. Taro Mizuno from the ID cooperation information management table. Then, the acquired assertion acquisition request including the pseudonym (Mw0qJZ) and (AgYe6f) in the acquired A hospital public server SV1 is sequentially transmitted to the cooperative server SV0. Get assertion information.

  For example, the authentication / ID cooperation processing unit 202 of the A hospital public server SV1 first transmits an assertion acquisition request including the pseudonym (Mw0qJZ) in Hanako Suzuki's A hospital public server SV1 to the cooperation server SV0 as shown in FIG. The cooperation server SV0 acquires the common user ID (mp0001) of Hanako Suzuki associated with the pseudonym (Mw0qJZ) from the ID cooperation information management table under the control of the authentication / ID cooperation processing unit 102. Then, using this common user ID as a key, the pseudonym (9d5AQL) in Hanako Suzuki's B hospital public server SV2 is acquired from the ID linkage information management table, and the assertion information including the acquired pseudonym is sent to the requesting A hospital public server SV1. Return it.

  Next, the authentication / ID cooperation processing unit 202 of the A hospital public server SV1 transmits an assertion acquisition request including the pseudonym (AgYe6f) of Dr. Taro Mizuno in the A hospital public server SV1 to the cooperation server SV0. The cooperation server SV0 acquires the common user ID (md0001) of Dr. Taro Mizuno associated with the pseudonym (AgYe6f) from the ID cooperation information management table under the control of the authentication / ID cooperation processing unit 102. Then, using this common user ID as a key, an attempt is made to obtain a pseudonym in Dr. Taro Mizuno's B hospital public server SV2 from the ID linkage information management table.

However, the pseudonym in Dr. Taro Mizuno's B hospital public server SV2 is not registered. Therefore, the attribute information of Dr. Taro Mizuno associated with the common user ID is read from the user information management table, and the attribute information of this read Dr. Taro Mizuno is converted into a conversion rule setting file stored in the conversion rule setting file storage unit 12 and Collate. For example, if the attribute information of Dr. Taro Mizuno is as shown in FIG. 7, the belonging organization = A hospital, internal organization = internal medicine, possession qualification = doctor, and the content of the conversion rule setting file is as shown in FIG. The attribute information of Dr. Taro Mizuno matches the conversion rule 1. When a conversion rule that matches the attribute information is found in this way, a pseudonym is temporarily issued, and using this issued pseudonym, the assertion information for Dr. Taro Mizuno's B hospital public server SV2 is created, and hospital A Return to the public server SV1.
Since the method of using the conversion rule shown in FIG. 8 is as described in the first embodiment, description thereof is omitted here.

  When the assertion information in the public hospital SV2 of the B hospital public server SV2 of Hanako Suzuki as the access destination and the assertion information in the public hospital SV2 of the B hospital public server SV2 of the doctor Taro Mizuno as the access source are returned from the cooperation server SV0, the A hospital public server SV1 The above assertion information is returned from the authentication / ID cooperation processing unit 202 to the data operation processing unit 205. The data operation processing unit 205 requests the remote data access processing unit 204 to browse the medical information of Hanako Suzuki stored in the B hospital public server SV2. At this time, the remote data access processing unit 204 also sends assertion information of Hanako Suzuki and Dr. Taro Mizuno together with the above browsing request. The remote data access processing unit 204 transmits a data acquisition request to the B hospital public server SV2.

  Upon receiving the data acquisition request and the assertion information, the B hospital public server SV2 passes the assertion information from the data operation processing unit 305 to the authentication / ID cooperation processing unit 302 as shown in FIG. The authentication / ID cooperation processing unit 302 extracts the pseudonym (9d5AQL) from the assertion information of Hanako Suzuki, and acquires the user ID (BPat_001) from the ID cooperation information management table based on the pseudonym (9d5AQL). Subsequently, attribute information is extracted from the assertion information of Dr. Taro Mizuno, and the extracted attribute information of Dr. Taro Mizuno is returned to the data operation processing unit 305 together with the acquired user ID (BPat_001) of Hanako Suzuki.

  Next, the data operation processing unit 305 requests the access control determination unit 303 to determine whether access to the medical information of Hanako Suzuki is possible. The access control determination unit 303 accesses the user ID (BPat_001) of Hanako Suzuki acquired in the previous process and the qualification extracted from the assertion information of Dr. Taro Mizuno = doctor, belonging organization = A hospital, internal organization = internal medicine It collates with the access control rules stored in the control information management table. If the attribute matches the access control rule, it is determined that the medical information can be accessed, and the result is returned to the data operation processing unit 305.

  When receiving the determination result that the access is possible, the data operation processing unit 305 reads out the medical information of Hanako Suzuki from the medical information storage unit 315 and passes it to the remote data access processing unit 304. The remote data access processing unit 304 passes the read medical information of Hanako Suzuki to the data operation processing unit 205 of the hospital A public server SV1. The data operation processing unit 205 passes the result to the web access reception unit 201, and the medical access information of Hanako Suzuki is sent from the web access reception unit 201 to the user terminal UT1 and displayed on a display or the like.

  Thus, not only the individual user ID and pseudonym of the access source Dr. Taro Mizuno, but also the guest doctor's user ID and pseudonym are used, and ID linkage is performed using the temporary issued pseudonym, thereby making the hospital public The medical information of Hanako Suzuki can be browsed between the servers SV1 and SV2.

  When the series of ID linkage processing and examination information browsing processing described above are completed, the linkage server SV0, the access source A hospital public server SV1, and the access destination B hospital public server SV2 are log output units 106, 206, 306 creates log information in which session IDs and thread IDs used in the course of the series of ID linkage processing and examination information browsing processing are arranged in time series, and each of the created log information is a log information storage unit. 114, 216, 316.

  At this time, similarly to the method of performing user authentication using the pseudonym for the guest user, when outputting each process executed in each server as log information, the session ID and thread ID are also output together. It is possible to determine which medical worker has performed which operation. In addition to this method, there is a method of outputting a user ID of a medical worker and a temporarily assigned pseudonym as log information of the cooperation server SV0. The log information storage unit 316 of the B hospital public server SV2 stores the log information of the temporarily issued pseudonym, and this medical information is associated with the log information of the cooperation server SV0, so It is possible to determine which operation has been performed.

(Effect of embodiment)
As described above in detail, in one embodiment, each hospital public server SV1 to SVn defines, as a guest user, a medical worker who belongs to another hospital that is regionally linked to the guest user by the linkage server SV0. When a medical worker at one hospital browses the patient's medical information stored on a public server at another hospital, the pseudonym of the access source medical worker is set as the access destination. By replacing it with a pseudonym for a guest user of a hospital, a medical worker's ID is linked between hospital public servers. Alternatively, the linkage server SV0 temporarily issues a pseudonym, and replaces the pseudonym of the access source medical worker with the temporary issued pseudonym, thereby enabling the medical worker ID linkage between the hospital public servers. Like to do.

  Therefore, it is possible to reduce the number of pseudonyms managed by the linkage server SV0, thereby reducing the load required to maintain and manage the pseudonyms and the user IDs associated therewith. For example, when the linkage server SV0 issues and maintains a pseudonym for all user IDs, it has been necessary to maintain and manage the number of pseudonyms corresponding to the number of users × the number of public hospitals to be linked. In one embodiment, the number of users + (the number of public hospitals to be linked x the number of attributes defined by the conversion rule) can be significantly reduced.

  Also, by defining guest users for each of the hospital public servers SV1 to SVn, it is not necessary for all the hospital public servers SV1 to SVn to manage user IDs of users who do not know whether to use the system. For this reason, it becomes possible to prevent the leakage of the ID of the user who does not use the system, thereby improving the security for managing the user ID.

  Further, in the cooperation server SV0, a conversion rule setting file for determining whether or not kana can be converted is prepared, and it is determined whether or not the attribute information of the access source user satisfies the conversion rule. Only when it is determined that the attribute information satisfies the conversion rule, the pseudonym for the access source user is converted to the pseudonym of the guest user. For this reason, users other than those having preset attribute information can be prevented from being recognized as guest users, so that only users belonging to a predetermined organization and having appropriate qualifications perform data access as guest users, for example. It becomes possible.

  Further, in the hospital public servers SV1 to SVn, an access control rule for the patient's medical information is set for each patient in association with the user ID, and when the data access request is received, the attribute information of the access source user is Only when it is determined that the access control rule is satisfied, the access process for the medical information of the patient specified by the data access request is executed. Therefore, the medical information is disclosed only to the access source user who satisfies the disclosure condition of the medical information set for each patient, and the medical staff who can access the medical information of the patient is appropriately selected. Can be limited.

  Further, in the linkage server SV0, the access source hospital disclosure server SV1, and the access destination hospital disclosure server SV2, log information including the session ID and thread ID is generated each time an access process to the patient's medical information is performed. Remembered. For this reason, when access to the patient's medical information is made, what user has accessed what individual information of which patient is tracked in the session information and thread information of the stored log information. By doing so, it becomes possible to specify.

[Other Embodiments]
In the above embodiment, a case where a plurality of hospital public servers SV1 to SVn are connected to the cooperation server SV0 via the communication network NW, thereby enabling patient medical information to be browsed between the referral source hospital and the referral destination hospital. Was described as an example. However, the present invention is not limited to this, and by connecting a plurality of school servers via a linkage server, for example, information regarding transferred students may be viewable. Further, by connecting servers such as company factories, sales offices, and affiliated companies via a linkage server, for example, information on employees who have been transferred or transferred, and information related to employees may be viewable.

  In addition, the configuration of the cooperation server and each data server, the processing procedure and processing contents thereof, the configuration of the cooperation user ID and the communication identifier, and the like can be variously modified and implemented without departing from the gist of the present invention.

  In short, the present invention is not limited to the above-described embodiment as it is, and can be embodied by modifying the constituent elements without departing from the scope of the invention in the implementation stage. Further, various inventions can be formed by appropriately combining a plurality of constituent elements disclosed in the embodiment. For example, some components may be deleted from all the components shown in the embodiment. Furthermore, you may combine suitably the component covering different embodiment.

  SV0 ... cooperation server, SV1 to SVn ... hospital public server, NW ... communication network, UT0 ... operator terminal, UT1 to UTn ... user terminal 10, 20, 30 ... processing unit, 11, 21, 31 ... storage unit, 12 ... Conversion rule setting file storage unit, 13, 23, 33 ... Communication interface unit, 14, 24, 34 ... User interface unit, 101, 201, 301 ... Web access reception unit, 102, 202, 302 ... Authentication / ID linkage processing , 103, 203, 303 ... access control determination unit, 104, 204, 30 ... remote data access processing unit, 105, 205, 305 ... data operation processing unit, 106, 206, 306 ... log output unit, 111 ... user information Storage unit, 112, 213, 313 ... ID linkage information storage unit, 113, 21 , 314 ... access control information storage unit, 114,216,316 ... log information storage unit, 211, 311 ... patient user information storage unit, 212, 312 ... medical personnel information storage unit, 215, 315 ... medical information storage unit.

Claims (7)

First and second data servers that individually manage individual information and individual user IDs for each user to be managed, and a cooperation server that can communicate with these first and second data servers via a communication network An information management system comprising:
The first and second data servers are
A user group managed by a data server other than its own server is defined as a guest user, and includes means for issuing and storing a guest user ID for the guest user,
The linkage server
For the management target user and guest user, a common user ID for managing each user in common throughout the entire system is issued, and the own server communicates with the first and second data servers individually for each user. Means for issuing a communication identifier for performing, and generating and storing first linkage information in which the issued common user ID and the communication identifier are associated with each other;
The first and second data servers are
Means for receiving an identifier for communication issued by the cooperation server for the management target user and guest user from the cooperation server;
Means for generating and storing second linkage information in which the received communication identifier and the individual user ID and guest user ID managed independently by the own server for each user are associated with each other;
When a user managed by the first data server accesses individual information of another user managed by the second data server,
In response to the assertion acquisition request regarding the access source user and the other user that is the access destination sent from the first data server, the cooperation server is the guest user and the other access destination that are defined in the second data server. Communication identifier that is issued to each of the users is searched from the first link information, and the assertion information including each searched communication identifier is returned to the first data server of the acquisition request source Perform the conversion process,
The first data server sends a data access request for the individual information of the other user to the second data server together with the assertion information returned from the cooperation server,
When the second data server receives the data access request and the assertion information sent from the first data server, based on each communication identifier included in the received assertion information, the guest user ID and The individual user ID of the access destination user is searched from the second linkage information, and the access process for the individual information of the access destination user is executed based on each searched user ID and the received assertion information. An information management system characterized by   The linkage server further includes means for storing a conversion rule for determining whether or not the communication identifier can be converted, and attribute information of the access source user included in the assertion acquisition request sent from the first data server Determines whether or not the stored conversion rule is satisfied, and if it is determined that the conversion rule is satisfied, the communication identifier issued for the guest user of the second data server is stored in the stored second 2. The information management system according to claim 1, wherein retrieval is performed from one piece of linkage information.   The second data server includes means for storing an access condition for the individual information of the management target user in association with the individual user ID for each user to be managed, and when the data access request is received, the data It is determined whether or not the attribute information of the access source user included in the assertion information received together with the access request satisfies the stored access condition. When it is determined that the access condition is satisfied, the attribute is specified by the data access request. 3. The information management system according to claim 1, wherein an access process for individual information of the managed user is executed.   Each of the first data server, the second data server, and the cooperation server includes session information representing processing executed in the server from the generation of the assertion acquisition request to the end of the access processing for the individual information of the management target user. 4. The information management system according to claim 3, further comprising means for generating and storing log information including thread information indicating an execution unit of the processing. First and second data servers that individually manage individual information and individual user IDs for each user to be managed, and a cooperation server that can communicate with these first and second data servers via a communication network An information management system comprising:
The linkage server
For the user to be managed, a communication for issuing a common user ID for managing the user in common in the entire system and for the server to communicate with the first and second data servers individually for the user Means for generating and storing first linkage information that issues an identifier for use, and associates the issued common user ID and communication identifier with each other;
The first and second data servers are
Means for receiving an identifier for communication issued by the cooperation server for the user to be managed from the cooperation server;
Means for generating and storing second linkage information in which the received communication identifier and the individual user ID uniquely managed by the own server for the user are associated with each other;
When a user managed by the first data server accesses individual information of another user managed by the second data server,
In response to an assertion acquisition request regarding an access source user and an access destination other user sent from the first data server, the cooperation server is issued for another user as an access destination in the second data server The communication identifier is searched from the first link information, the communication identifier is temporarily issued to the access source user, and the assertion information including the search and issued communication identifier is obtained from the first request source. 1) convert the communication identifier to be returned to the data server
The first data server sends a data access request for the individual information of the other user to the second data server together with the assertion information returned from the cooperation server,
When the second data server receives the data access request and the assertion information sent from the first data server, the second data server individually identifies the access destination user based on each communication identifier included in the received assertion information. Information management characterized in that a user ID is searched from the second linkage information, and an access process for the individual information of the access destination user is executed based on the searched user ID and the received assertion information system. First and second data servers that individually manage individual information and individual user IDs for each user to be managed, and a cooperation server that can communicate with these first and second data servers via a communication network A data linkage method executed by an information management system comprising:
The first and second data servers define a user group managed by a data server other than the own server as a guest user, and a guest user ID is issued to the guest user to generate an ID link data storage unit of the own server The process of memorizing
The cooperation server issues a common user ID for managing each user in common with the entire system for the management target user and guest user, and the server itself is the first and second data server for each user. ID information is stored in the local server by generating communication identifiers for individually communicating with each other, generating first linkage information in which the issued common user ID and the communication identifier are associated with each other. The process of memorizing in the department,
A process in which the first and second data servers receive communication identifiers issued by the cooperation server for the management target user and guest user from the cooperation server;
The first and second data servers include second linkage information in which the received communication identifier is associated with an individual user ID and a guest user ID that are managed independently by the server for each user. And generating and storing it in the data storage unit for ID linkage of the own server,
When a user managed by the first data server accesses individual information of another user managed by the second data server,
In response to an assertion acquisition request regarding the access source user and the other user that is the access destination sent from the first data server, the cooperation server is the guest user and the other access destination that are defined in the second data server Communication identifier that is issued to each of the users is searched from the first link information, and the assertion information including each searched communication identifier is returned to the first data server of the acquisition request source Perform the conversion process,
The first data server sends a data access request for the individual information of the other user to the second data server together with the assertion information returned from the cooperation server;
When the second data server receives the data access request and the assertion information sent from the first data server, based on each communication identifier included in the received assertion information, a guest user ID and The individual user ID of the access destination user is searched from the second linkage information, and the access process for the individual information of the access destination user is executed based on each searched user ID and the received assertion information. Data linkage method characterized by First and second data servers that individually manage individual information and individual user IDs for each user to be managed, and a cooperation server that can communicate with these first and second data servers via a communication network A data linkage method executed by an information management system comprising:
The cooperation server issues a common user ID for the user to be managed in common for the entire system, and the server communicates with the first and second data servers individually for the user. Process of generating a first linkage information in which the issued common user ID and the communication identifier are associated with each other and storing the first linkage information in the ID linkage data storage unit of the own server When,
A process in which the first and second data servers receive a communication identifier issued by the cooperation server for the management target user from the cooperation server;
The first and second data servers generate second linkage information that correlates the received communication identifier and the individual user ID that the server itself manages for the user, Storing in the data storage unit for ID linkage of the server,
When a user managed by the first data server accesses individual information of another user managed by the second data server,
In response to an assertion acquisition request relating to an access source user and an access destination other user sent from the first data server, the cooperation server is issued for another user to be an access destination in the second data server The communication identifier is searched from the first link information, the communication identifier is temporarily issued to the access source user, and the assertion information including the search and issued communication identifier is obtained from the first request source. 1) convert the communication identifier to be returned to the data server
The first data server sends a data access request for the individual information of the other user to the second data server together with the assertion information returned from the cooperation server;
When the second data server receives the data access request and the assertion information sent from the first data server, the individual access destination users are individually identified based on the respective communication identifiers included in the received assertion information. A data linkage characterized in that a user ID is searched from the second linkage information and an access process for the individual information of the access destination user is executed based on the searched user ID and the received assertion information. Method.

Images