JPH09282393A - Cooperation method for health insurance medical care card and on-line data base - Google Patents

Abstract

PROBLEM TO BE SOLVED: To realize the safety the same as before via a health insurance medical care card system that is cooperative with an on-line data base by storing work key information which has been used for the password number applied to the data which are registered in the data base. SOLUTION: When patient data generated at a hospital through medical examination and treatment are registered in a data base, the data are encoded by a work key 114 and registered in the data base. A the same time, an address 112 set in a network 103 for the data storing the encoded patient data is stored in an IC card 107 together with a file name, i.e., an identifier which specifies the data of the data base. Then an authentication code 113 is produced for the data by means of a prescribed hash function and stored in the card 107, so that the data alteration can be detected. The record of the key cipher key obtained by enciphering the key 114 used for encipherment of the data by a card master key 115 is stored at the hospital, i.e., the data owner together with the ID number of the card 107.

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a health care card and an online database capable of ensuring safety so as not to be exposed to eavesdropping, falsification, etc. even when the health care card system is linked with an online database. Regarding cooperation method.

[0002]

2. Description of the Related Art Conventionally, a health care card has a high quality because it is possible to observe changes in a patient's health condition over time by recording the patient's medical history and drug history on an IC card. It was noted for its usefulness in medical treatment and medical consultation. Another benefit of the health care card is that multiple medications and multiple tests are taken, as prescribing medications and test data are recorded for patients undergoing examinations and treatments across different hospitals. Is to be avoided. Further, regarding drugs, it is possible to check whether or not drugs prescribed in different hospitals have a combination that causes drug interactions, and therefore it is possible to prevent drug damage due to drug interactions. However, since the health care card stores data relating to the health condition of an individual, it is not desirable from the viewpoint of privacy protection if the contents are known to an unspecified third party.
Therefore, normally, an authentication process for accessing the card is performed. In order to perform the access check as the authentication process, it is necessary to have an IC card in which a microprocessor is embedded in the card itself and the access right can be checked by the microprocessor.

[0003]

However, at present, the storage capacity of the IC card is too small to store and store a large amount of data such as an image, so that the data to be recorded is a numerical value based on a character text. Mainly data and findings of doctors. For the same reason, it is difficult to store atypical data such as a medical chart written in a word processor in the IC card in the form of a file. Therefore, a method of dealing with a large amount of data by registering a large amount of data in an online database connected to a network, managing the address information on the IC card side, and linking the IC card with the online database is considered. To be However, simply managing the online database address with an IC card cannot protect the privacy of the patient. Thus, I
By recording patient information in a physically safe medium called a C card, the privacy of the patient can be protected, but when this IC card is linked with an online environment, there is a problem that the security is lost. Threats in the online environment include tampering with data on a database connected to the network, and wiretapping on the network or the database. Here, a particularly problematic point is that a legitimate user who manages a database in which patient data is registered must also consider tampering with data that is inconvenient for himself. For example, there is a case where a hospital, which has been sued for misdiagnosis or the like, operates the data. In the case of the conventional offline health care card, since the patient usually has the card itself, the above-mentioned illegality on the network or the database is impossible. An object of the present invention is to solve such problems and to realize the same safety as that of a conventional offline health care card for a health care card system linked with an online database. It is to provide a cooperation method. Also, another object of the present invention is to safely and securely store an IC card from an online database even when the IC card is lost.
It is to provide a method of linking a health care card and an online database that can restore the contents of the card.

[0004]

To achieve the above object, in the method of linking a health care card and an online database according to the present invention, (a) a plurality of medical institutions (1 in FIG. 1) are used.
01, 102), the communication terminal devices (201 in FIG. 2) distributed and installed, the health care card (107, 108 in FIG. 1) for exchanging information with the communication terminal device, and the communication terminal device. In a method of linking a health care card having a plurality of databases connected to the communication network and shared by the plurality of medical institutions with an online database, the health care card includes the database Network address information (112 in FIG. 1) which is set for each data registered in at least one and which identifies the database in which the data is registered in the communication network (103 in FIG. 1), and the data in the database. File name information (11 in FIG. 1) that specifies the detailed location of the data
2), a numeric authenticator (113 in FIG. 1) calculated by a predetermined one-way hash function from the data registered in the database, and a work key used for encryption processing performed on the data registered in the database. Information (114 in FIG. 1) is stored. (B) Further, at least one of the plurality of databases has an ID number uniquely assigned to each health care card storing the data (509, IDc in FIG. 5).
And the work key information used to encrypt the data is encrypted with the master key information of the card (kK
_M (K _W )), or the key encryption key information (the same Ks) used to generate the work key information by encrypting the master key information, and the detailed location of the data in the database are specified. It is also characterized in that the file name information (same filename) is recorded.

(C) In addition, the work key information generation process for data encryption, the data encryption process, and the authenticator generation / verification process are not performed in the health care card. In the case of using the device (in the case of FIG. 4C), at least one of the plurality of databases has an ID number (IDc) uniquely assigned to each health care card storing the data. , and the information of the work key information used to encrypt the data is encrypted with the master key information of the card _{(K M (K W))} , identifying the detailed location of the data in the database file It is also characterized in that name information (filename) is recorded. (D) Further, the data (106 in FIG. 1) registered in at least one of the plurality of databases (105 in FIG. 1).
Is the network address information for identifying the database in which the data is registered in the communication network in response to a search request from a medical institution (101 in FIG. 1), and the detailed location of the data in the database. Based on the file name information that identifies the file, the database is transferred (605 in FIG. 6) to the communication terminal device of the medical institution that issued the search request via the communication network (103 in FIG. 1). . (E) Further, when the medical institution that has made the search request receives the data transferred from the registered database (605 in FIG. 6), the data is applied to the data at the time of database registration and is subjected to encryption processing. It is also characterized in that the used work key information is obtained from the card in advance and the decryption processing is performed based on the work key information (607 in FIG. 6). (F) Further, the medical institution that has issued the search request calculates an authenticator for the data subjected to the decryption processing (607 in FIG. 6) using a predetermined one-way hash function (see FIG. 6). 608), the authenticator is compared with the authenticator registered in the health care card, and if the result of the comparison is that they are the same, the decrypted data is regarded as correct and stored in the memory of the medical institution. Store (608 in FIG. 6)
It is also characterized.

(G) Further, the medium (card in FIG. 8) of the health care card is connected to the above-mentioned database (center in FIG. 8) via a communication network, and each data is registered in one of the databases. File name information (im in FIG. 8) that specifies the detailed location of the data in the database.
get0) and store it in its own medium. At that time, the file name information is encrypted by the key information (Kt) shared by the health care card and the database (Kt).
t (image0)) communication (804 in FIG. 8) is also a feature. (H) In addition, the encryption processing (607 in FIG. 6) when encrypted by the key information shared by the health care card and the database and communicated is performed by the health care card (70 in FIG. 7).
It is also characterized in that it is performed inside 4) (FIG. 4 (1)). (I) Further, in at least one database (center in FIG. 8) shared by the plurality of medical institutions, an ID number uniquely assigned to each health care card (IDc in 807 in FIG. 8) is stored. File name information (image 0 of the same 807) that identifies the detailed location of the data is recorded, and the database of each medical institution (terminal in FIG. 8) different from the shared database is stored in the shared database. One of at least two pieces of key information necessary for the cryptographic processing applied to the data registered in one (see FIG. 8).
806) and the ID number (the same IDc) uniquely assigned to each of the health care cards is recorded. (J) In the database (terminal in FIG. 8) of each medical institution, etc. different from the shared database, the work key information (K _W used for the encryption process applied to the data registered in one of the shared databases). In addition, the ID number (IDc) uniquely assigned to each health care card is recorded (806 in FIG. 8).

[0007]

BEST MODE FOR CARRYING OUT THE INVENTION In the present invention, data itself is encrypted as a measure for preventing wiretapping of data. A key is required to encrypt data, but this key (hereinafter,
A master key for generating a work key) is uniquely assigned to each card. Then, together with the ID number of the IC card, the master key assigned to each person is stored in the IC card. The above work is performed by a trusted third party such as a local government, and the card is issued to the residents. At a trusted third party, the cardholder and IC card ID number and master key are issued when issuing the card.
Strictly manage and store so that it will not be known by a third party. Next, when a patient receives medical treatment at a hospital and registers the patient data generated at that time in the database, the data is encrypted with a work key, registered in the database, and then stored in the database network. The file name, which is an identifier for identifying the above address and the data on the database, is stored in the IC card. Next, in order to detect data tampering, a predetermined hash function is used to create an authentication code for the data, and this is stored in the IC card. The original owner of the data, the hospital,
A record of the work key used to encrypt the data along with the ID number of the C card encrypted with the master key of the card, or the key encryption key used to generate the work key by encrypting the master key. Keep it.

An embodiment of the present invention will be described below. The embodiment will be described by taking a health care card in the medical field and medical record information stored in a database in a hospital as an example. FIG. 1 is a configuration diagram of an entire health care card processing system showing a first embodiment of the present invention. In FIG. 1, it is assumed that image data is transferred between two entities (entity) of the hospital 101 and the hospital 102. Hospital 10
1 and the hospital 102 include file servers 104 and 105 that are open to the network 103 outside the hospital. In the file servers 104 and 105, chart data of patients who have undergone medical treatment at hospitals are registered. For example, it is assumed that medical record information 106 of a patient is registered in the file server 105. The patient also has a health care card 107. This health care card 107
Each item of the patient basic information 109, the image data section 110, the master key 115 determined for each card holder, and the card ID number 116 is assigned to the storage area of the. There is. That is, in addition to the patient basic information 109 such as name and date of birth,
Although there is an image data section 110, this image data section 110
Is the name of the hospital that actually has the image data, its address,
Attribute information 111 such as the date the image was taken, the part to be imaged, the imaging device, address information 112 (which also includes the file name) that identifies the file server connected to the network 103, and a message digest of the medical record information (message 11 which is a condensed version of)
3 and a work key 114 are included. Here, the authenticator 113 calculates the first value and the next value among the values arranged as code data, calculates the calculation result and the next value, and calculates the calculation result and the next value. The authenticator 113 is operated and sequentially repeated, and the final operation result is used as the authenticator 113.

FIG. 2 is an external view of the medical staff terminal in FIG. As shown in FIG. 2, a card reader device 202 is connected to the terminal 201, and by inserting a health care card owned by the patient, information can be read / written on the card. In addition, the medical staff terminal 2
It is possible to access the file servers 104 and 105 shown in FIG. 1 from 01 through the network inside the hospital. In FIG. 2, only one card reader device 202 is connected, but normally two card reader devices 202 are connected, which facilitates the operation of exchange between the health care card and the operator card described later. Becomes That is, when exchanging cards with each other, when only one card reader device 202 is used, it is necessary to alternately take out and insert the cards, but if there are two card reader devices 202, the exchange can be performed with the card inserted. it can. First, the access rights to the health care card will be explained. Since the medical history card describes the individual medical history, etc., anyone can access the card.
Personal privacy cannot be protected. Therefore, it becomes necessary to set some restrictions on access. Normal,
For the health care card, data to be handled is specified depending on the occupation such as doctor, nurse, and technician. Therefore, since the access right can be set for each job type, the data that can be accessed is different for each job type also in this embodiment. Also, when performing some kind of operation on the health care card, it is necessary to first verify the operator's authentication and its access right. Here, the operator authentication is to identify whether or not the user belongs to a group related to the applicable health care card (for example, whether or not the patient is the group in charge of the patient). What is access right?
It is to identify whether or not a person who is qualified to access the data registered in the card (for example, is a doctor). Although there are various methods for operator authentication, a method in which the operator uses an operator card different from the health care card will be described below. First, in the health care card, all master keys defined for each job type are embedded in a secret zone that cannot be read or written by all card access users. The owner himself cannot know where the card is embedded. For example, KD for doctors, KN for nurses, KT for radiologists
As shown in, the master key that differs for each job type is embedded in the health care card. Next, regarding the operator card, only the master key corresponding to the operator's job type is embedded in the secret zone of the card. For example, if you are a doctor, only the master key KD is embedded in the doctor's operator card.

FIG. 3 is a sequence chart showing an operator authentication process between a health care card and an operation card (operation card) in the embodiment of the present invention. The following exchanges between the healthcare card and the operator card authenticate each other as legitimate accessors. It is assumed that two card reader devices 202 in FIG. 2 are connected. The method described below is a well-known method called 3-pass partner authentication. Here, it is assumed that the operator is a doctor. That is, the secret zone of the operation card has a master key KM for verifying the access right of the doctor.
2. While the master key KD for authenticating the operator is embedded, the secret zone of the healthcare card has master keys KD, KN, KT for each job type and a master for access right verification. The key KM1 is embedded.
Although not shown here, I of the health care card
IDc, which is D, and IDo, which is the ID of the operator card,
Embedded in each card. [Operator Authentication Processing] [Step 301] The health care card generates a random number RC and transmits it to the operator card. [Step 302] The operator card generates a random number RO,
The RC received in step 301 and the I of the operator card
IDo D, which is D, is encrypted with the doctor's master key KD and is sent to the health care card together with the flag Doc representing the doctor.
The flag Doc indicating a doctor is a flag for informing the health care card side that the doctor is a doctor.

[Step 303] The health care card selects the master key KD from the message sent in step 302 by the flag Doc representing the doctor and decrypts the encrypted part to obtain RC, RO, IDo. . Decrypted R
In step 302, C is compared with RC previously generated, and it is authenticated that the other party who has transmitted the electronic message is a doctor. [Step 304] RC and R obtained in step 303
O, IDc which is the ID of the health care card, and the temporary key Kt generated in the health care card are encrypted with the master key KD and transmitted to the operator card. As for the temporary key Kt, when the same key is used for exchange, by transmitting the key Kt having different contents for each session,
Retain safety. [Step 305] The operator card decrypts the message sent in step 304 with the master key KD, RC, RO,
Obtain IDc and Kt. The decrypted RO is compared with the previously generated RO, and it is verified in step 303 that the other party who has transmitted the electronic message is a valid health care card. By this procedure, the health care card side can authenticate that the operator is a doctor.

Next, the process of registering the image data 106 in the file server 105 in the hospital 102 will be described. FIG. 4 is a module configuration diagram of the registration process on the side of the medical staff and the side of the health care card, showing three patterns. In the pattern (1), the generation of the work key 403 for encryption, the encryption processing 402, and the generation verification 404 of the authenticator are all performed on the card side. In this pattern, the encryption processing 402 is performed by the card, so that the encryption key does not leak out of the card even temporarily, so the security is extremely high. Pattern (2)
Then, only the encryption processing 402 of the pattern (1) is transferred to the medical staff terminal side. A large amount of calculation processing capacity is required for the encryption processing of a large amount of data such as an image. Since the microprocessor on the card side usually has a limited calculation processing capacity, the burden on the card side can be reduced by transferring the processing requiring a large calculation processing capacity to the medical worker terminal side. However, since the work key generated by the card is temporarily leaked to the medical staff terminal side, it is possible to record this work key and then perform fraud, which results in low security. Pattern (3)
Then, the work key generation 403 for encryption, the encryption process 402, and the authenticator generation verification 404 are all performed on the medical worker terminal side. In this type, the security is low because the work from the generation of the work key to the encryption processing is performed on the terminal side. However, operational efficiency can be increased. In the types of patterns (1) and (2), the encryption work cannot be performed because the encryption work key cannot be generated unless the patient has a health care card. Therefore, since the data of a plurality of patients cannot be encrypted in advance, the throughput of the data registration process cannot be increased. On the other hand, in the type of pattern (3), the work key required for the encryption process is generated on the terminal side, and the health care card only registers this work key, so the terminal side collects multiple patient data at once. It can be processed.

FIG. 5 is a diagram showing a data flow for the registration processing in FIG. In order to register the image data in the file server 105 in FIG. 1, first, the health care card 107 owned by the patient is set in the card reader 202 connected to the terminal 201 of the medical staff in FIG. "Registration process" [Step 501] The "operator authentication process" described above is shown in FIG.
The operator is authenticated by performing the access right check module 401 via the card access manager 406. The access right check module 401
Performs both operator authentication processing and access right check. From step 502 below, the operator cannot proceed unless the operator is a doctor, nurse, or radiologist. [Step 502] When the card access manager 406 of FIG.
An area (hatched portion) for a newly registered image is secured in the area of the image data portion (110 in FIG. 1) in FIG. [Step 503] The work key generation module 403 in the card of FIG. 4 generates the key encryption key Ks, encrypts it with the master key (115 of FIG. 1) stored in the card,
Generate a work key. [Step 504] The work key generated in step 503 is registered in the work key area (114 in FIG. 1) of the storage area 405 in FIG. 4 secured in step 502. [Step 505] Card access manager 4 of FIG.
06 reads the image data of FIG. 2 from the disk device of the terminal 201 (right part of FIG. 5) and stores it in the buffer in the manager. [Step 506] Card access manager 4 of FIG.
06 sends the image data read in step 505 to the authenticator generation verification module 404 on the card side. In the authenticator generation verification module 404 of FIG. 4, an authenticator is calculated from the image data by a predetermined hash function and registered in the authenticator area (113 of FIG. 1) of the storage area 405 of FIG. 4 secured in step 502. .

[Step 507] The card access manager 406 of FIG. 4 sends the image data read in step 505 to the encryption processing module 402 on the card side. In the cryptographic processing module 402 of FIG. 4, step 5
The image data is encrypted with the work key generated in 03. [Step 508] The image encrypted in step 507 is stored in the card access manager 406 from the card in FIG.
Public file server (public server storage) via
(105 in FIG. 1) is registered. At this time, the card access manager 406 of FIG. 4 automatically gives the file name image0 of the image to be registered, and registers it in the public file server (105 of FIG. 1) with this name, and at the same time, the file server (105 of FIG. 1). ) Address information and file name imag
e0 is registered in the address part (112 in FIG. 1) of the storage area 405 in FIG. 4 secured in step 502. [Step 509] The ID of the health care card (107 in FIG. 1) is added to the disk device of the terminal 201 in FIG.
c, the key encryption key Ks generated in step 503, and the file name image0 assigned in step 505 [IDc, K
s, image0]. In this way, if there are a plurality of image data to be registered in the file server 105 of FIG. 1, the processing from step 502 to step 509 is repeated for the number of image data to be registered. When the above embodiment is implemented in the card system of the type shown in FIG. 4C, the key encryption key Ks in step 509.
Instead of the work key used when encrypting the image, encrypted with the master key of the card (that is, K
_It is necessary to save _M (K _W ) = K _M (K _M (K _M ))).

Next, the effect of the above registration processing will be described. In FIG. 1, at least the system administrator of the hospital 102 usually thinks that the file on the file server 105 can be freely read and written. Therefore, it is possible that the hospital rewrites the data for convenience, and it is necessary to detect data tampering by some method. Conventionally, a method of calculating a message digest of data with a hash function, encrypting it with a work key, and attaching it to a file is often used.
This makes it impossible to modify the file to hide the fact of tampering, without knowing the work key. However, if a card system that performs most of the processing on the terminal side is adopted as shown in FIG. 4C, the work key becomes known to the hospital side, so the method of adding an authenticator to a file is not effective. That is, simply by adding the authenticator to the file, the image registered in the file server 105 is tampered with, the message digest calculated by a predetermined hash function is encrypted with the work key, and the tampered image is added to the file. This is because it may be replaced with the registered image of the server 105. On the other hand, in order to speed up the encryption process and increase the throughput of the image registration process, the process shown in FIG.
It is necessary to adopt a configuration like (3). Therefore, if the authenticator of the image to be registered in the file server 105 is registered on the card side as in the present embodiment, FIG.
Even if the model is adopted, it is virtually impossible to falsify the authenticator, so there is no problem even if the work key is known to the hospital side.

At step 505 in FIG. 5, the image is encrypted and registered in the file server 105 in FIG. 1. The reason for encrypting the image in this way is that the file server 105 is open to the network 103. This is to prevent the data from being wiretapped by an external third party. Next, consider a case where the patient has lost his or her health care card 107. The patient informs the institution that issued the card that he / she has lost the card and requests that the card be issued again. Here, the third party institution that issued the card strictly manages the master key when the card was first issued, together with the ID of the card. Therefore, the card ID and the master key can be restored in response to the request for card reissue. The patient goes to the hospital 102 with the reissued health care card, and based on the ID of the health care card, IDc, from [IDc, Ks, image0] saved in step 509 of FIG. Regarding the image information, the in-card information excluding the authenticator can be restored. In this case, the card reissue process of the third party institution needs to be performed under strict operational rules. This is because if a card is issued to a third party's other person, the third party can collect the other person's data in the data restoration process. Therefore, the reissuing process of the card needs to be performed after sufficiently confirming that the person himself / herself has requested the reissuing.

It is assumed that a third person other than the medical staff impersonates a certain patient, forges a card, and attempts to illegally obtain the data by the data restoration process. In this case as well, it will be explained that the confidentiality of data can be ensured. First, since the card ID number may leak on the network, it can be obtained by a third party in some way. Therefore, by embedding this ID in the counterfeit card and following the process of the data restoration process, the file name where the data is located and the key encryption key Ks can be obtained. However, even if the data is stolen from the illegally obtained file name, in order to see the contents of the data, it is necessary to generate the work key from the key encryption key Ks and the master key corresponding to the illegally obtained ID. However, since the master key does not leak to the network and is strictly managed by a third party organization, it is virtually impossible for anyone other than the medical personnel to obtain it illegally. Therefore, it is virtually impossible for a third party other than the medical staff to see the contents of the data. Even when implemented in the card system of the type shown in FIG. 4C, even if the work key encrypted with the master key and the file name can be obtained illegally for the same reason as above, You need the master key to know.
Therefore, it is virtually impossible to see the contents of the data. Note that the encryption processing module 4 as shown in FIG.
When 02 is installed inside the card, the IDc which is the ID of the healthcare card 107, the key encryption key Ks generated in step 503, and the step 505 in the disk device of the terminal 201 in step 509 of FIG. Kw (code) that is the file name image0 given in step 504 and the authenticator calculated in step 506 is encrypted with the work key generated in step 503.
[IDc, Ks, image0, Kw (code)] may be stored. In this case, the authenticator can be restored when the card is lost. The code indicates the code of the authenticator.

Next, a search process for searching medical information of another hospital for a patient who has visited the hospital 101 of FIG. 1 will be described. FIG. 6 is an explanatory diagram showing a flow of the search processing in the present invention. Here, it is assumed that the file image0 stored in the file server 105 connected to the network 103 in the hospital 102 in FIG. 1 is searched and downloaded to the file server 104 in the hospital 101. Figure 4 for the search process
Although each type of (1), (2), and (3) is conceivable, although there is a difference in safety regarding each type as in the registration process, the process itself is basically the same. Here, the type shown in FIG. 4A will be described. First, the medical card 107 owned by the patient
Is set in the card reader 202 connected to the terminal 201 of the medical staff. "Search Process" [Step 601] The operator is authenticated by performing the above-mentioned "operator authentication process" by the access right check module 401 via the card access manager 406 of FIG. After the next step 602, the operator must be a doctor or a radiologist to proceed. [Step 602] The data of the area in which the attribute information 111 included in the image data section 110 of the health care card 107 of FIG. 1 is stored is read through the card reader 202 of FIG. 2 and displayed on the screen of the medical staff terminal 201. indicate.

[Step 603] From the displayed attribute information, the terminal operator selects an image to be searched from the screen based on the information such as the date and the imaged region. [Step 604] For the image selected in step 603, the card access manager 406 in FIG. 4 sets the address information 11 included in the image data portion (110 in FIG. 1).
2 is read from the health care card 107. Then, the card access manager 406 sends the read address information to the network manager 407. here,
The following description will proceed assuming that the address of the file server 105 of the hospital 102 in FIG. 1 and the file image0 are selected. [Step 605] Based on the address information obtained in step 603, the network manager 407 in FIG. 4 attempts to access the file server 105 on the network 103, and the corresponding file is stored in the file server 104 in the hospital 101 in FIG. to download. In this case, the file image0 of the file server 105 in the hospital 102
Will be downloaded to the file server 104 in the hospital 101 through the network 103. [Step 606] Network manager 40 of FIG.
7 fetches the image data downloaded to the file server 104 in step 605 into the medical staff terminal 201 of FIG. 2 and then sends it to the card access manager 406, which then sends the image data to the cryptographic processing module 402 inside the card. Send to.

[Step 607] In the cryptographic processing module 402 of FIG. 4, the image data captured in step 606 is converted into the work key registered in the work key area 114 of the image data included in the image data section 110 of FIG. Decryption is performed based on the original. Then, the decrypted image is sent to the authenticator generation verification module 404. [Step 608] Authenticator generation verification module 4 of FIG.
At 04, an authenticator is calculated for the image data decrypted by the above decryption processing by a predetermined hash function. Next, this authenticator and the image data section 11 of FIG.
The image data included in 0 is compared with that registered in the authenticator area 113. As a result of the comparison, if it is determined that they are the same, the decoded image data is discharged to the local disk connected to the terminal. The effect of this search processing will be described below. First, this search process allows you to download the data in the file server on the network from the address information recorded on the card, so you can obtain it as if it were the data recorded on the card. . Further, in step 605, the data is downloaded through the network 103 in FIG. 1, but since the data is encrypted in advance by the registration process, there is no fear of eavesdropping. In addition, tampering on the network is also confirmed by the verification of the authenticator in step 608.
Tampering can be detected. Therefore, it is possible to ensure the same level of security as the offline health care card.

In the previous embodiment, the system in which the patient data is distributed and managed according to its source has been described. In the next embodiment, a method in which data can be stored in a server installed in each area as needed will be described. FIG. 7 is an overall configuration diagram of a card processing system showing another embodiment of the present invention, and FIG.
8 is a sequence chart of the data registration process in FIG. 7. As shown in FIG. 7, the regional medical information center 701 is provided with a file server 702.
By accessing 02 from medical institutions throughout the region, it is possible to share patient data.
This file server 702 is independent of each hospital,
Since it is under the control of the local government, it is assumed that there is a possibility that the data accumulated inside the person will be intercepted or tampered with. In this embodiment, a process of registering image data of a patient having a hospital 703 in the file server 702 of the regional medical information center 701 will be described. In this embodiment, the type shown in FIG. 4 (1) must be adopted as the card system. The procedure of the data registration process will be described below with reference to FIG. "Registration process" [Step 801] "Operator authentication process" described in FIG.
By the access right check module 401 via the card access manager 406 of FIG.
Authentication processing is performed between the patient health care card 704 on the side of the hospital 703 and the file server 702 of the regional medical information center 701. That is, the card access manager 406 in the medical staff terminal of FIG. 7 performs operator authentication processing on the card 704 inserted in the card reader. At this time, the terminal sends the temporary key Kt to the medical information center and the card. If the authentication process fails, you cannot proceed to the following steps. [Step 802] Steps 502 to 507 of the "registration process" shown in FIG. 5 are executed. By these processing steps, the encryption process and the authenticator generation process are performed, and the work key Kw, the authenticator code, and the data data are sent to the card side, and the data is encrypted with the work key Kw.
(Data) is sent to the center side. [Step 803] The card access manager 406 in the terminal of FIG. 4 requests the file name from the file server 702 of the regional medical information center 701.

[Step 804] The file server 702 of the center 701 encrypts the file name image0 with the temporary key Kt obtained in the "operator authentication process" as an encryption key in response to this request, and Kt (image0) is displayed. 4 to the health care card 704 of the terminal 706 via the card access manager 406. Encrypted file name Kt
The health care card 704 that has received (image0) knows Kt in the "operator authentication process", so it decrypts the encrypted file name Kt (image0) and the original file name imag.
Get to know e0. Then, the address information of the file server 702 and the obtained file name image0 are allocated to the address portion of the storage area 405 of FIG.
Register in 2). [Step 805] The authenticator generated in step 506 of FIG. 5 is encrypted with the work key Kw generated in step 503, and further encrypted with the temporary key Kt Kt (Kw
(Code)) and send from the card 704 to the card access manager 406. Then, Kt (Kw (cod
e)) and the encrypted image are transmitted to the file server 702 of the center 701 via the network manager 407. The encrypted image sent to the file server 702 is the file name issued by the file server 702.
Image0 is registered in the file server 702. at the same time,
Encrypted authenticator Kw (code), encrypted image Kw
(Data) is also stored in the file. [Step 806] The health care card 704 stores the key encryption key Ks in the protected disk device 706 of the hospital 703 together with the ID c of the health care card. [Step 807] The file server 702 obtains the file name image0 obtained in step 803 and the file name image0 obtained in step 803 together with the IDc which is the ID of the health care card 704 obtained in step 305 of the "operator authentication process" shown in FIG. Kt (Kw (code)) that was decoded with Kt
ode) is saved.

Next, the effect of the embodiment shown in FIG. 7 will be described. By adopting this embodiment, since the patient data is collectively managed by the regional health and medical information center 701, the hospital that registered the data or the doctor of the hospital deletes the data to destroy the evidence. Is impossible. Further, as an advantage of the centralized management as in this embodiment, it is possible to reduce the storage capacity of the file server of each hospital. On the other hand, community health information center 70
Since the patient data of the local residents are concentrated in the first area, it is not so preferable from the viewpoint of privacy protection. Further, as described in the above premise, a person inside the regional medical information center may sniff or tamper the data stored in the file server. However, since the data in the file server 702 of the community health information center 701 is encrypted with the work key stored in the patient's health care card 704, the contents of the data cannot be viewed unless the work key is obtained. Can not. Further, even if the falsification is made, the falsification can be detected by verifying the authenticator of the health care card.

Here, assuming that the patient has lost his or her health care card, a method of coping with it will be described. In this case, the regional medical information center 701 and the hospital 70 in FIG.
3, and with the patient's agreement, the patient's data at hospital 703 can be restored. the patient,
Report the loss of the card to the institution that issued the card,
Request a reissue of the card. As in the previous embodiment, the institution that issued the card strictly manages the master key used when the card was first issued, along with the card ID.
Therefore, even if the request for card reissue is issued, the card ID
And the master key can be restored. Step 8 of FIG.
At 07, the file server 702 of FIG. 7 together with IDc which is the ID of the health care card, the file name (image0) of the data to be registered in the file server 702 and the work key Kw.
Since the authenticator (Kw (code)) encrypted by is stored in advance, the authenticator encrypted with the file name and the work key Kw based on this ID must be collected from the file server 702. Is possible. Further, in step 806, the file server 705 of FIG. 7 stores the key encryption key Ks together with IDc which is the ID of the health care card.
The key encryption key Ks is used for the file server 7 based on this ID.
It is possible to collect from 05. Therefore, since all the work keys can be restored by the master key Ms of the newly issued health care card and the key encryption key Ks collected from the file server 705, the encrypted authenticator (Kw (code)) Will also be able to be restored.

As in the previous embodiment, it is virtually impossible for a third party including a medical person to forge a card and impersonate himself as a person to illegally obtain data or steal the contents. This is because, in this embodiment, the card system shown in FIG. 4 (1) is used, so that even a medical person cannot know the master key. And since you can not know the work key unless you have the master key,
This is because the data registered in the regional medical information center 701 cannot be decrypted. In step 806, the key encryption key Ks used to generate the work key is stored in the protected disk device 706 of the hospital 703, but the work key and the work key are stored in a different place. Think of saving. In this case, as described above, even if the hospital side knows the work key, the secret of the data does not have to be leaked. That is, as described in the effect of the registration process of the previous embodiment, since the authenticator is registered in the card, if the data is tampered with, it can be reliably detected by verifying using the authenticator. Is. However, it should be noted that in the above card recovery process, this work key should never be notified to a card lost person (a person who can be a card forgery).
The merit of storing the work key in another place as described above is that the past medical information of the patient can be known in an emergency, for example, when the patient encounters an accident while he does not have the card. If desired, even if there is no card if the patient's consent is obtained, the regional medical information center 701 broadcasts a telegram containing information indicating an emergency with the patient's ID nationwide and obtains a work key from the hospital. It is possible to decrypt the patient information and urgently send this data to other hospitals.

As described above, in the offline health care card, in order to see the data recorded on the card and to perform some operation on the data, the patient passes the health care card to a doctor or the like to save the data. Delegation of rights is essential. Therefore, it can be said that the security is fairly strong if the access control to the card is solid. On the other hand, if the health care card system is linked to an online database, some of the patient data will be stored in the database on the network, which means that it will inevitably be exposed to threats such as eavesdropping and tampering. Further, by linking with an online database, it is possible to operate data illegally when a legitimate system administrator or user suddenly becomes an illegal person for some reason. In the present invention, since the above-mentioned peculiar problems caused by linking with an online database can be solved, a health care card system linked with an online database has the same security as that of a conventional offline health care card. But it can be realized. Then, it is possible to realize a method of restoring the contents when the card is lost, which is difficult to realize with the offline type health care card.

[0027]

As described above, according to the present invention,
The same level of security as conventional offline health care cards can be achieved with a health care card system linked to an online database, and the contents of the card can be safely restored from the online database even if the card is lost. You can

[Brief description of drawings]

FIG. 1 is a diagram showing the configuration of a healthcare card processing system and the contents of a card showing an embodiment of the present invention.

FIG. 2 is a schematic view of a medical staff terminal and a card reader in FIG.

FIG. 3 is a sequence chart of an authentication process between a health care card and an operation card showing an embodiment of the present invention.

FIG. 4 is a module configuration diagram of an inside of a card and a medical staff terminal showing an embodiment of the present invention.

FIG. 5 is a diagram illustrating a flow of data registration processing according to an embodiment of the present invention.

FIG. 6 is a diagram illustrating a flow of a data search process according to another embodiment of the present invention.

FIG. 7 is a configuration diagram of a health care card system showing another embodiment of the present invention.

8 is a sequence chart of the data registration processing in FIG.

[Explanation of symbols]

101: hospital, 102: hospital, 103: network,
104, 105: File server, 106: Electronic medical record, 107: Health care card, 108: Contents of health care card, 109: Patient basic information, 110: Image data section, 111: Attribute information, 112: Address, 113: Authentication Child, 114: work key, 115: master key, 116:
ID, 201: medical worker terminal, 202: card reader, 401: access right check module, 402:
Cryptographic processing module, 403: Work key generation module, 404: Authenticator generation verification module, 405: Storage area, 406: Card access manager, 407: Network manager, 501: Partner authentication processing, 50
7: encryption processing, 502: storage area in card, 503: work key generation processing, 504: work key registration processing, 505: data loading, 509: log recording processing, 506: authenticator generation processing, 601: Partner authentication process, 60
3: data selection process, 508: data registration process to public server and file name registration process to card, 602: display of stored contents in card, 806: log recording process in hospital, 604: data address to network manager Notification, 605: Download of data, 607: Encryption processing, 702: File server, 701: Community medical information center, 703: Hospital, 704:
Health care card, 606: Data transmission downloaded to the encryption processing module inside the card, 807: Log recording processing in the regional medical information center, 705: File server, 608: Authenticator verification processing and transmission of data to local disk, 706: Protected disk device, 80
1: partner authentication process, 802: encryption process, authenticator generation process, 803: file name request, 804: file name assignment and transmission to a card, 805: image and an authenticator encrypted by a key encryption key Send to local medical information center file server.

Claims (10)

[Claims] 1. A communication terminal device distributed in a plurality of medical institutions, a health care card for exchanging information with the communication terminal device, a communication network connecting the communication terminal devices, and the communication. In a method of linking a health care card having a plurality of databases connected to a network and shared by a plurality of medical institutions with an online database, the health care card includes each data registered in at least one of the databases. The network address information for specifying the database registered with the data in the communication network, the file name information for specifying the detailed location of the data in the database, and the data registered in the database. In the data to be registered in the above database and the authenticator of the numerical value calculated by the predetermined one-way hash function A method for linking a health care card and an online database, characterized in that it stores the work key information used for the encryption processing to be performed. 2. The method for linking a health care card and an online database according to claim 1, wherein at least one of the plurality of databases is uniquely assigned to each health care card storing the data. The ID number and the work key information used to encrypt the data are encrypted with the master key information of the card, or used to generate the work key information by encrypting the master key information. A method for linking a health care card and an online database, characterized in that key encryption key information and file name information specifying a detailed location of the data in the database are recorded. 3. The method for linking a health care card and an online database according to claim 1 or 2, wherein the work key information generation process for data encryption, the data encryption process, and the authenticator generation / When the verification process is not performed in the health care card but is performed entirely in the terminal communication device, at least one of the plurality of databases is uniquely assigned to each health care card in which the data is stored. The ID number, the work key information used to encrypt the data is encrypted with the master key information of the card, and the file name information that specifies the detailed location of the data in the database. A method of linking a health care card with an online database, which is characterized by keeping a record. 4. The method for linking a health care card with an online database according to claim 1, wherein the data registered in at least one of the plurality of databases is registered by a search request from a medical institution. Based on the network address information that identifies the database in the communication network and the file name information that identifies the detailed location of the data in the database, a search request is issued from the database through the communication network. A method for linking a health care card and an online database, which is transferred to a communication terminal device of a medical institution. 5. The method for linking a health care card and an online database according to claim 1 or 3, wherein when the medical institution making the search request receives the data transferred from the registered database, the data is transferred. On the other hand, a health care card and an online database characterized in that the work key information used at the time of database registration and used for encryption processing is obtained from the card in advance, and decryption processing is performed based on the work key information. How to work together. 6. The method of linking a health care card and an online database according to claim 1, 3 or 4, wherein the medical institution that has made the search request is for the data that has undergone the decryption processing according to claim 4. Then, the authenticator is calculated by a predetermined one-way hash function, the authenticator is compared with the authenticator registered in the healthcare card, and if the result of the comparison shows that they are the same, the decryption process is performed. The method for linking a health care card with an online database, characterized in that the data obtained is stored as correct data in the memory of the medical institution. 7. A communication terminal device distributed in a plurality of medical institutions, a health and medical card for exchanging information with the communication terminal device, a communication network connecting the communication terminal devices, and the communication. In a method of linking a health care card having at least one database connected to a network and shared by a plurality of medical institutions with an online database, the medium of the health care card is connected to the database via a communication network. , For each data registered in one of the databases, file name information that specifies the detailed location of the data in the database is obtained and stored in its own medium. A health care card and an online database characterized by encrypting information by key information shared by the health care card and the database for communication. Scan with the methods of cooperation. 8. The method for linking a health care card and an online database according to claim 7, wherein the encryption processing when the communication is performed by encrypting with the key information shared by the health care card and the database. A method for linking a health care card with an online database, which is characterized by being performed inside the card. 9. The method for linking a health care card with an online database according to claim 7, wherein at least one database shared by the plurality of medical institutions has an ID number uniquely assigned to each health care card. In addition, the file name information that specifies the detailed location of the data is recorded together, and in a database such as each medical institution that is different from the above shared database, the encryption applied to the data registered in one of the shared databases is recorded. A method of linking a health care card and an online database, characterized in that one of at least two pieces of key information necessary for processing is recorded together with an ID number uniquely assigned to each health care card. 10. The method for linking a health care card and an online database according to claim 9, wherein the database of each medical institution or the like different from the shared database is data registered in one of the shared databases. ID uniquely assigned to each health care card, along with the work key information used for encryption processing
A method of linking a health care card with an online database, which is characterized by recording the number.