TW515957B - A secure database management system for confidential records - Google Patents
- Publication number
- TW515957B
- Authority
- TW
- Taiwan
- Prior art keywords
- database
- data
- request
- identification
- code
- Prior art date
Description
Background of the Invention

Field of the Invention

The present invention relates to the protection of confidential information. In particular, it relates to preventing persons who hold high-level computer access privileges from accessing confidential data.

Description of the Related Art

Computer systems have been used to process confidential information for some time. These systems typically include databases and processors that handle large volumes of highly private and confidential data. To keep outsiders away from this data, firewalls and encryption systems are commonly deployed to guard against unauthorized access. Examples of conventional systems and methods for protecting confidential data from unauthorized access include user authentication, access location restriction and user-level access controls. While these systems are useful for keeping "outsiders" away from confidential data, they typically cannot protect the data from "insiders" who hold system access authorizations high enough to circumvent the security controls. In particular, it is difficult to prevent system administrators from accessing sensitive or confidential data.

A system administrator with high-level system access authorization can typically reach most of the data on a computer system. As the data held on computers becomes ever more confidential and valuable, system administrators and other "trusted insiders" have a growing incentive to defeat the system's protective mechanisms.

... different embodiments of the management system.

Figure 4 illustrates the use of multiple identifier databases in one embodiment of the invention.

Figure 5 illustrates a combined identifier and data request database under common administrative control in one embodiment of the invention.

Detailed Description of the Invention

In the following detailed description, a method and apparatus for protecting confidential data are described. Numerous specific details are set forth so that the invention can be fully understood; those skilled in the art will appreciate, however, that the invention may be practiced without them. Well-known methods, procedures, protocols, components and circuits, for example the public-key and secret-key cryptography familiar to those skilled in the art, are not described in detail so as not to obscure the invention.

In one embodiment the security system is implemented on a large network containing a plurality of subnetworked computers. The Internet, for example, is a large network to which many subnetworks are coupled, such as local area networks or Ethernet-coupled computers. For the best security, each subnetwork is under the control of a different administrator, and no administrator has control over computers outside his or her own subnetwork. By partitioning the confidential data, and distributing its storage and retrieval across computers in different subnetworks, the data can be protected from improper access by the individual administrator of any one subnetwork.

Figure 1 illustrates a secure data management system 100 used to implement one embodiment of the invention. A user enters data at a source terminal 104. A typical user might be a physician, or another person with appropriate access rights to request the needed data. In one embodiment the source terminal 104 may be a computer or another processing device, including a personal computer; in another embodiment it is simply a terminal coupled to a host computer or other processing device. The source terminal may be connected to a local computer network, or "source subnetwork", 106, which may be a plurality of computers joined by a local area network. The source terminal 104 typically identifies the user, or collects information to identify the user, by obtaining a password, handprint, fingerprint, retinal scan or other suitable verification. Once the user's identity is verified, the user who needs the information (a physician, lawyer, narcotics officer, government official or banker, say) requests access to specific information about a particular subject that is handled by the secure data management system 100. The user may also be a computer program or system.

The source terminal 104 accepts the information from the user and assembles it into a data packet 116 for output to the rest of the security system 100. The data packet 116 is made up of two smaller packets, an identifier 112 and a data access request 124. The identifier 112 comprises sub-packets such as a user I.D. 118 and a subject I.D. 120.
The first sub-packet (user I.D. 118) contains information about the user, for example the information needed to verify the physician who is requesting the data. It may include, but is not limited to, last name, first name, middle name, social security number, date of birth, mother's maiden name, driver's license number, medical license number, bar license number, narcotics officer's personal number, invoice number, fingerprint code, or any other information necessary or useful for identifying the requesting user. The second sub-packet (subject I.D. 120) contains information about the subject, that is, data identifying the individual or entity to which the data access request relates. Such data may include last name, first name, middle name, social security number, date of birth, place of birth, mother's maiden name, driver's license number, street address, e-mail address, file number, patient identification number, prisoner identification number, account number or company name.

A processor 108 associated with the source terminal 104 encrypts the identifier 112, including the sub-packets 118 and 120, under a first key. In one embodiment the identifier 112 also includes a further sub-packet carrying the information or address of the source terminal 104 that generated the packet 116; the terminal's address may be incorporated as a globally unique identifier, or "GUID".

The data packet 116 also includes a second part containing the data access request 124. The data access request 124 holds the details of the requested data, for example a request for a laboratory result or a request to append a new progress note. In one embodiment the data access request 124 may also be a token: an instruction, index or code that specifies a memory address or other instruction to be executed by the recipient of the token.
The token authorizes communication with the source subnetwork 106 to obtain the details of the data request. The processor 108 encrypts the data request 124 under a second key. The data request 124 is associated with the identifier 112 within the data packet 116, so that the computer or processor subnetworks downstream can link the identifier 112 to the data request 124.

In medical applications the source terminal 104 is typically a computer within a source subnetwork 106 serving, for example, a medical facility or hospital. The source terminal 104 transmits the data packet 116, containing the identifier 112 and the data access request 124, to a second processor, the identifier database 128. The identifier database is preferably part of a second computer subnetwork 130, typically a local area network under the control of a second administrator. The second subnetwork 130 and the source subnetwork 106 may be located in different parts of the country. A communications link couples the source terminal 104 to the identifier database 128; in one embodiment it is an Internet connection and/or a private line.

The identifier database 128 holds the key needed to decrypt the identifier 112. The encryption and decryption of the identifier 112 may be performed in various ways. In one embodiment the source terminal 104 encrypts the identifier 112 with a public key of the identifier database 128, and the identifier database 128 decrypts the identifier 112 in the packet 116 with the corresponding private key. Because the identifier database 128 does not hold the decryption key needed to read the information in the data access request 124, the data access request is protected from being read by the system administrator of the identifier database 128 and of the subnetwork 130.

The identifier database 128 uses the information contained in the identifier 112 to produce (1) an access level indicating the access allowances of the user requesting the data, and (2) an identification of the individual or entity (the subject) to whom the requested data relates. The identifier 112 information serves as the search key for a lookup into a database, typically a lookup table 132. In one embodiment the user information in the user I.D. 118 is used to find the matching data in the lookup table 132 and to determine the user's approved access level with respect to the individual identified in the subject I.D. section 120. In particular, the subnetwork 130 determines what kinds of data access activity the user is entitled to regarding the subject identified in the subject I.D. 120; for example, whether the user is a physician currently treating that individual. When a physician is confirmed to be treating the identified individual, he or she is assigned an access level that allows reviewing X-rays and laboratory results, or adding a progress note to the patient's record. The subnetwork 130 containing the identifier database 128 thus links an approved user access level to the physician. Typically using a second lookup table 133, the identifier database 128 assigns a subject internal I.D. to the individual identified in the subject I.D. section 120 of the identifier 112.

The identifier database 128 outputs a data packet 148 comprising (1) a subject data section 144 and (2) the data access request 124.
In one embodiment the subject data section 144 contains a user access level sub-section 136 and an internal identifier stored in a subject internal identifier sub-section 140. The subject data section 144 may also include the address of the originating source terminal 104. Because the data in the subject data section 144 is generally unintelligible to an intruder, the subject data section 144 need not be encrypted. In the highest-security configuration, however, the subject material in the subject data 144 is encrypted with a key such that it can be read only by the data request database 152. In one embodiment the user's identity, the subject, the address of the source terminal 104, and the time at which the data was received and/or transmitted are stored in a log 156 of the identifier database 128.

A data request database 152 and its associated subnetwork 154 receive the data packet 148. When the subject data 144 is encrypted, the data request database 152 decrypts the subject data section 144 of the packet 148 and extracts the subject internal I.D. 140 and the user access level 136. The data request database 152 also decrypts the data access request 124, which was encrypted with a key that only the data request database 152 can read. In one embodiment the source terminal 104 encrypts the data access request 124 with the public key of the data request database 152, so that the data request database 152 can recover it with the corresponding private key.

After consulting the records associated with the subject internal identifier 140, the data request database 152 decides whether the user's access level permits the type of data access named in the data access request 124. When the user holds the appropriate access level, and therefore the right to perform the operation, the requested operation is performed on the records keyed by the internal identifier 140.

In one embodiment the data request database 152 contains no user demographics, personal identifiers or other personally identifiable information that could be used to link an individual or entity to the data held in the data records 157. Known individually identifiable attributes, such as user demographics and specific identifiers (addresses, for example), are removed and stored in the identifier database 128 instead. Consequently, although the system administrator of the data request database 152 and its subnetwork 154 can reach the information about the requested data (for example, a record of an AIDS diagnosis), that administrator cannot learn the name of the patient who carries the diagnosis. Only the identifier database 128 holds the information that connects a public identity (the patient's name and address, say) to the internal identifier. The same separation of the data in the identifier database 128 from the data in the data request database 152 can be used to store other sensitive data for which the link between two data elements must be withheld from everyone except authorized users.

After the data request database 152 performs the requested data access operation, for example retrieving a set of laboratory results from table 157, it returns the result set of the operation to the source terminal 104 using the source terminal I.D. 104 contained in the subject data 144. The connection between the data request database 152 and the source terminal 104 may run over the Internet, or the data may be transmitted over a secure line. The result set may be encrypted for transmission to the source terminal, for example with the public key of the source terminal 104.
515957 五、 A7 B7 ——..............—10 發明説明() 機104的公用鍵碼。 (讀先閱讀背面之注意事項再瑣寫本頁) 爲了要進一步增加安全性’特別是爲了要避免識別子 資料庫128或資料請求資料庫1 52的某一系統管理員質詢系 統而試著獲取內部確認碼或進行未經許可的資料存取,每 一資料庫皆保持一記錄(1 〇 g)。識別子資料庫保持一第一 記錄1 56,該記錄可能儲存某一質詢爲來自來源終端機1 04 的某位特定使用者而且某一質詢發生在某一特定時間。同 樣地,資料請求資料庫152保持一第二記錄164,其記錄主 題內部I.D.操作的記錄(records)、被請求資訊所被送達的 目的地、來源終端機I.D.1 04、以及資訊被送達到或接收 自識別子資料庫128的時間。當系統的無缺狀態受到質疑 的時候,某一第三者稽核員能比較第一記錄156和第二記 錄164以決定是否有不尋常的情事發生。一第三者稽核的 較佳程序爲在使資料呈現給稽核員之前,使用例如查和 (check sum)或混列(hash)函數的一種程序來轉換這些記 錄,藉此保護使用者-主體配對資料的機密性。 識別子資料庫能定期產生報告以揭示在某一特定期間 存取某一特定主體的記錄之所有使用者的本質。這些報告 能直接地被送到該主體或該主體指定的某一人以供檢閱。 任何不尋常的情事即能受到適當的修正。藉此不適當的存 取記錄能及時被發現而且所有的使用者必須要對其行爲負 責。 圖2A和2B是流程圖200,其舉例說明用以實現本發明 的程序。在方塊204,在來源終端機的使用者請求資料。 -13 - 本紙张尺度適州中國國家標準(CNS ) A4規格(210X 297公釐) 11515957 A7 B7 部 屮 •火 il 消 IV 竹 卬 f: 五、發明说明 使用者可能輸入密碼或其它識別資訊以證實該使用者是他 或她聲稱的實體。在方塊208,該來源終端機將例如是病 人姓名的該主體的識別資訊以第一碼加密。在一個具體實 施例中,該識別子被使用識別子資料庫的一公用鍵碼加 密。該識別子典型地包括終端機的位址、和使用者資訊 (例如請求資訊之人的名字)。識別子封裝也可能包括來源 終端機公用鍵碼。 在方塊208,來源終端機也使用一第二碼加密該資料 存取請求。在一個具體實施例中,該資料存取請求被使用 例如是資料請求資料庫的第二資料庫的一第二公用鍵碼加 密。該資料存取請求包含有關於資料請求本質的資訊,例 如刪除一記錄、顯示實驗結果、和更新財務資訊。 在本發明的一個具體實施例中,整個資料封包在方塊 2 12被註記。此一加密之完成可能使用來源終端機的一秘 密鍵碼。此一加密用以識別來源終端機1 04而且避免其他 的終端機僞造來源終端機104。在另一具體實施例中,驗 證之進行可能使用業界習知的數位簽名演算法(例如 RSA、ElGamal和Rabin)來以數位方式簽名該資料封包。 在方塊216,該資料封包被傳送到有一電腦的次網路,該 電腦含有一第一資料庫或識別子資料庫。 在識別子資料庫裡面,識別子資訊在方塊220被解 密。典型地,解密之完成是使用識別子資料庫的秘密鍵 碼。在方塊224,識別子資料庫使用被解密的識別子資訊 來查尋被請求資料的個體(主體),例如醫院裡的某位病 14 - 本紙张尺度適用中國國家標準(CNS ) A4規格(210X297公釐) (讀先閱讀背面之注意事項再填寫本頁) 515957 A7 B7 12 — 五、發‘明説明() (讀先閱讀背面之注意事項再填寫本頁) 人,而且確定那個人或實體存在。識別子資料庫也查證請 求該存取的個體具有存取方塊224裡主體資訊的權限。舉 例來說,該主體可能是某醫院裡的一位病人而該請求資料 的人可能是一位醫生。當使用在醫院的時候,識別子資料 庫可能檢查一表以確定病人和醫生在方塊224中爲一醫生-病人對。如果醫生和病人未形成一醫生-病人對,則在方 塊230中存取不被允許而且來源終端機在方塊232中被通知 該資訊無法獲得。如果醫生和病人是一醫生-病人對,那 麼在決定方塊230中該存取被允許而且資料庫在方塊236中 擷取(1)相對於該對醫生-病人的適當權限等級,以及(2)相 對於病人的內部ID。 識別子資料庫在方塊240中加密該內部ID、權限等級 和來源終端機位址,以供傳輸到在另一受到管理的次網路 中的資料請求資料庫。實際病人的姓名以及醫生的姓名被 自資料中取出,而代之以內部ID。在本發明的一個具體實 施例中,識別子資料庫使用資料請求資料庫的公用鍵碼來 加密內部ID。在圖2B的方塊244中,該含有內部識別子、 使用者存取權限或權限等級、連同原先經加密的資料存取 請求的資料封包在方塊244中被傳輸到資料請求資料庫。 
在一個具體實施例中,一登錄(entry)被加入記錄中以記載 方塊244中的傳輸。該傳輸可能是經由一專線或虛擬私人 網路以確保資料的安全性和完整性。在一個具體實施例 中,該整個封包受到加密及簽名。 在方塊248中,資料請求資料庫將接收自識別子資料 -15 - 本纸张尺度適州中國國家標準(CNS ) A4規格(210X 297公釐) 13515957 部 中 •λ il 導 而 J 消 fc 合 竹 印 f: A7 B7 五、發明説明 庫的資料加以解密。在方塊252,資料請求資料庫擷取相 對於內部識別子的病人醫療記錄。在決定方塊256中,資 料請求資料庫根據所收到的存取權限等級決定存取檔案裡 的特定資訊是否可以進行。如果存取不容許進行,在方塊 260中一通知被送到來源終端機。 當權限等級顯示存取該特定資訊可以進行的時候,資 料請求資料庫執行該被請求的操作而且將其結果集合加密 在一資料封包中,以供傳輸到來源終端機。在一個具體實 施例裡,該被請求的資訊在方塊264中被使用來源終端機 的公用鍵碼加密。該來源終端機公用鍵碼能夠已經隨同該 資料存取請求而被接收到。該經加密的資料然後在方塊 268裡被傳輸回到來源終端機。該來源終端機將資料與以 解碼同時將其顯示給該位經授權的使用者。 藉著將在一交易請求封包裡的資料分成數個部份,每 個部份僅能由相對的獨立系統管理員所管理的一個電腦系 統或相對的次網路加以存取,使得主體機密性和該資訊的 資料完整性得以被保存。例如識別子128和資料請求資料 庫152的每種資料庫能被架構在標準的電腦系統上。這些 系統能夠藉由使用直接連接的網路或如果資料傳輸已經受 到加密藉由使用公用的網際網路連接而被整合在一起。 上文的描述也顯示資料由來源終端機104傳輸到識別 子資料庫128,然後經由資料請求資料庫152傳輸回到該來 源終端機。圖3 A和3B分別地舉例說明使用和沒有使用記 錄監視器的此種基本架構。然而,因爲仍有其它資料傳輸 16 - 本紙張尺度適用中國國家標準(CNS ) A4規格(210X 297公釐) (讀先閱讀背面之注意事項再瑣寫本頁)515957 V. A7 B7 ——..............- 10 Description of the invention () The common key code of the machine 104. (Read the precautions on the back before writing this page.) In order to further increase security, especially to avoid identifying a system administrator in the sub-database 128 or the data request database 1 52, try to get the internal Confirmation code or unauthorized data access, each database maintains a record (10g). The identification sub-database maintains a first record 156, which may store a challenge as a specific user from the source terminal 104 and that a challenge occurred at a specific time. Similarly, the data request database 152 maintains a second record 164, which records records of the subject's internal ID operations, the destination to which the requested information was delivered, the source terminal ID 104, and the information reached Time received from the identification sub-database 128. When the integrity of the system is questioned, a third party auditor can compare the first record 156 and the second record 164 to determine if something unusual happened. 
A better procedure for a third-party audit is to protect the user-subject pairing by converting the records using a procedure such as a check sum or hash function before presenting the data to the auditor. Confidentiality of information. The identification sub-database can generate reports periodically to reveal the nature of all users who access records of a particular subject during a particular period. These reports can be sent directly to the subject or someone designated by the subject for review. Any unusual situation can be appropriately corrected. As a result, inappropriate access records can be found in a timely manner and all users must be held accountable for their actions. Figures 2A and 2B are a flowchart 200 illustrating a procedure for implementing the present invention. At block 204, a user at the source terminal requests data. -13-The size of this paper is China State Standard (CNS) A4 (210X 297 mm) 11515957 A7 B7 Ministry of Fire • Fire illuminating IV Bamboo 卬 f: 5. Description of the invention The user may enter a password or other identifying information to Verify that the user is the entity he or she claims to be. At block 208, the source terminal encrypts the identification information of the subject, such as the patient's name, with a first code. In a specific embodiment, the identifier is encrypted using a common key code of the identifier database. The identifier typically includes the address of the terminal and user information (such as the name of the person requesting the information). The identification subpackage may also include the source terminal public key code. At block 208, the source terminal also uses a second code to encrypt the data access request. In a specific embodiment, the data access request is encrypted using a second public key code such as a second database of the data request database. 
The data access request contains information about the nature of the data request, such as deleting a record, displaying experimental results, and updating financial information. In a specific embodiment of the present invention, the entire data packet is marked at blocks 2-12. This encryption may be completed using a secret key code of the source terminal. This encryption is used to identify the source terminal 104 and to prevent other terminals from forging the source terminal 104. In another embodiment, the verification may be performed using digital signature algorithms (such as RSA, ElGamal, and Rabin) that are well known in the industry to digitally sign the data packet. At block 216, the data packet is transmitted to a secondary network of a computer, the computer containing a first database or identification sub-database. In the identification sub-database, identification information is decrypted at block 220. Decryption is typically accomplished using a secret key code identifying the sub-database. At block 224, the identification sub-database uses the decrypted identification information to search for the individual (subject) of the requested data, such as a disease in a hospital. 14-This paper size applies the Chinese National Standard (CNS) A4 specification (210X297 mm) (Read the notes on the back before you fill in this page) 515957 A7 B7 12 — V. Send a note () (Read the notes on the back before you fill in this page) person, and make sure that person or entity exists. The identification sub-database also verifies that the individual requesting the access has access to the subject information in box 224. For example, the subject may be a patient in a hospital and the person requesting information may be a doctor. When used in a hospital, the identification sub-database may check a table to determine that the patient and doctor are a doctor-patient pair in block 224. 
If the doctor and patient do not form a doctor-patient pair, then access is not allowed in block 230 and the source terminal is notified in block 232 that the information is not available. If the doctor and patient are a doctor-patient pair, then the access is permitted in decision block 230 and the database retrieves in block 236 (1) the appropriate level of authority relative to the pair of doctor-patient, and (2) Relative to the patient's internal ID. The identification sub-database encrypts the internal ID, permission level and source terminal address in block 240 for transmission to a data request database in another managed sub-network. The actual patient's name and the doctor's name are taken from the data and replaced with an internal ID. In a specific embodiment of the invention, the identification sub-library uses the public key code of the data request database to encrypt the internal ID. In block 244 of FIG. 2B, the data packet containing the internal identifier, user access authority or permission level, along with the previously encrypted data access request, is transmitted to the data request database in block 244. In a specific embodiment, an entry is added to the record to record the transmission in block 244. The transmission may be via a dedicated line or a virtual private network to ensure the security and integrity of the data. In a specific embodiment, the entire packet is encrypted and signed. In block 248, the data request database will receive the identification sub-data. -15-This paper size is in accordance with the Chinese National Standard (CNS) A4 specification (210X 297 mm) 13515957 in the Ministry. f: A7 B7 5. Decrypt the materials in the library of invention description. At block 252, the data request database retrieves patient medical records relative to the internal identifier. 
In decision block 256 the data request database determines, from the received permission level, whether access to the specific information in the file may be performed. If access is not allowed, a notification is sent to the source terminal in block 260. When the permission level allows access to the specific information, the data request database performs the requested operation and encrypts the result set in a data packet for transmission to the source terminal. In one embodiment the requested information is encrypted in block 264 with the public key of the source terminal; the source terminal's public key may have been received along with the data access request. The encrypted data is then transmitted back to the source terminal in block 268, where it is decrypted and displayed to the authorized user.

By dividing the data in a transaction request packet into several parts, each of which can be read only by a computer system or sub-network administered by its own independent system administrator, both the confidentiality of the subject and the integrity of the information are preserved. Each database, such as the identification sub-database 128 and the data request database 152, can be built on a standard computer system. These systems can be interconnected over a directly connected network or, since the transmitted data is already encrypted, over a public Internet connection.

The description above shows data flowing from the source terminal 104 to the identification sub-database 128 and then, via the data request database 152, back to the source terminal. Figures 3A and 3B illustrate this basic architecture with and without a record monitor. Other data transmission schemes are possible, however, so the invention should not be limited to this one. Figures 3C and 3D illustrate other embodiments of the information transmission and data management system.

Figure 3A illustrates two-way data transmission between the user 300 and the identification sub-database 308 along data path 304. When the identification sub-database 308 accepts a query, it sends the data request to the data request database 312, which provides a response to the user 300 along data path 316. The example architecture of Figure 3A is a basic unit that does not include a record monitor.

Figure 3B illustrates the use of an independent record monitor 320 to monitor the transmission of information between the identification sub-database 308 and the data request database 312. The record monitor compares the logs of the identification sub-database 308 and the data request database 312. A mismatch between the logs may be due to a user having submitted an unauthorized query directly to the data request database 312, bypassing the identification sub-database 308, in order to obtain information. Alternatively, it may be due to an attempt to query the identification sub-database and link an internal I.D. to identification information. When such a discrepancy appears, the record monitor 320 sends a warning to the user 300 or to an independent verification system.

Figure 3C illustrates a system comprising a single user 300 and multiple data request databases 350, 354. The multiple data request databases partition the data and thereby reduce the amount of information that the administrator of each data request database 350, 354 must handle and control; partitioning the information improves security. In Figure 3C, the user at the source terminal splits and encrypts the data separately for each data request database unit 350, 354. The identification sub-database 358 verifies the identity of the user 300 and forwards the split, encrypted data to the first data request database 350 and/or the second data request database 354, respectively. In one embodiment of the invention, each data request database 350, 354 has its own public-private encryption key pair to secure the data transmission between the user 300 and each data request database 350, 354. Each data request database 350, 354 responds to the request and transmits its response directly back to the user 300, who recombines the responses.

Figure 3D illustrates partitioning the identification sub-database to reduce the amount of information each identification sub-database must process. In Figure 3D the user 300 transmits a separate request to one or both of the first identification sub-database 362 and the second identification sub-database 366. Once the first identification sub-database 362 or the second identification sub-database 366 has verified the user 300 and the subject of the query, the identification sub-databases 362 and 366 forward the data access request to the data request database 370, which provides its response to the user 300 along data path 376. In one embodiment of the invention, the dual identification sub-databases 362, 366 may be used to increase security by requiring, at each identification sub-database 362, 366, an independent verification against different identification criteria, thereby providing an additional check on the authenticity of the user 300. In the described embodiment the data request database 370 provides a response only after the identification sub-databases 362, 366 have verified a request. Alternatively, multiple identification sub-databases may be used to assign different users or subjects to corresponding identification sub-databases, either as an additional security mechanism or to balance the data transmission load across the network.

In the system 400 illustrated in Figure 4, the user 404 transmits a data request containing user and subject identification information to the first identification sub-database 408 of a chain of identification sub-databases. Each identification sub-database 408, 412, 416 in the chain verifies one particular unit of user or subject identification data. For example, the first identification sub-database 408 may hold the subject's name. Once the first identification sub-database 408 has verified data such as the name, it passes the query to the second identification sub-database 412, which further confirms the subject's identity by comparing a second unit of information (for example, the subject's social security number) with the data received. Once the information is confirmed again, the second identification sub-database 412 transmits the query to the third identification sub-database 416, which may compare a third unit of data (for example, a fingerprint) to confirm the identity of the subject of the query.

Each identification sub-database uses the return data paths 420, 424, 428 to keep the user 404 informed of the query's progress through the various identification sub-databases. Records belonging to the same subject (or user) are linked between identification sub-databases by an internal identification token; for example, each identification sub-database in a pair (such as the pair 412, 416) shares a common internal identification token. The user 404 encrypts the data for each identification sub-database 408, 412, 416 with that identification sub-database's public key. Once all three identification sub-databases 408, 412, 416 have confirmed that the subject or user 404 has been satisfactorily authenticated, the data request database 432 receives the data access request and transmits its response along data path 436 to the user 404.
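The split-trust exchange of blocks 204 through 268 and the record monitor of Figure 3B, as an added worked example in Python that is not code from the patent: the terminal seals the identifier part for the identification sub-database and the request part for the data request database, so neither sub-network can read the other's share; the identification sub-database checks the doctor-patient pair and substitutes the internal ID, the data request database enforces the permission level, and the record monitor diffs the two logs. The party names, tables, terminal address T104 and internal ID are constructed, and a symmetric HMAC-SHA256 construction stands in for the public-key encryption the patent specifies.

```python
import hmac, json, secrets
# Constructed stand-in for "encrypt to the recipient": each party holds a 32-byte secret and
# seal() uses an HMAC-SHA256 keystream plus an HMAC tag (the patent uses public-key encryption).
def _ks(key, nonce, n):
    return b"".join(hmac.digest(key, nonce + i.to_bytes(2, "big"), "sha256") for i in range(n // 32 + 1))

def seal(key, obj):
    nonce, pt = secrets.token_bytes(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _ks(key, nonce, len(pt))))
    return nonce + ct + hmac.digest(key, nonce + ct, "sha256")

def unseal(key, blob):  # None when the blob was not sealed for this key
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.digest(key, nonce + ct, "sha256")):
        return None
    return json.loads(bytes(a ^ b for a, b in zip(ct, _ks(key, nonce, len(ct)))))

K = {p: secrets.token_bytes(32) for p in ("terminal", "id_db", "data_db")}  # one secret per party
PAIRS = {("dr_lee", "alice"): 2}        # identification DB: doctor-patient pair -> permission level
INTERNAL = {"alice": "INT-7f3a"}        # identification DB: subject -> internal ID (constructed)
RECORDS = {"INT-7f3a": {"diagnosis": ("flu", 1), "billing": ("$240", 3)}}  # data DB: field -> (value, level needed)

def source_terminal(doctor, patient, field):  # blocks 204-216: one packet, two separately sealed parts
    return {"ident": seal(K["id_db"], {"user": doctor, "subject": patient, "terminal": "T104"}),
            "request": seal(K["data_db"], {"op": "display", "field": field})}

def identification_db(pkt, log):
    """Blocks 220-244: check the pair, swap names for the internal ID, forward the still-sealed request."""
    ident = unseal(K["id_db"], pkt["ident"])
    level = PAIRS.get((ident["user"], ident["subject"]))
    if level is None:
        return {"error": "not a doctor-patient pair"}            # blocks 230/232
    iid = INTERNAL[ident["subject"]]
    log.append((ident["terminal"], iid))                         # log entry for the record monitor
    return {"auth": seal(K["data_db"], {"iid": iid, "level": level, "terminal": ident["terminal"]}),
            "request": pkt["request"]}

def data_request_db(fwd, log):
    """Blocks 248-268: never sees a name; checks the level against the field's sensitivity."""
    if "error" in fwd:
        return fwd
    auth, req = unseal(K["data_db"], fwd["auth"]), unseal(K["data_db"], fwd["request"])
    log.append((auth["terminal"], auth["iid"]))
    value, needed = RECORDS[auth["iid"]][req["field"]]
    if auth["level"] < needed:
        return {"error": "permission level too low"}             # block 260
    return {"result": seal(K["terminal"], {req["field"]: value})}  # block 264

def record_monitor(id_log, data_log):  # Figure 3B: entries present on one side but not the other
    return {"bypassed": sorted(set(data_log) - set(id_log)),     # query that skipped identification
            "unmatched": sorted(set(id_log) - set(data_log))}    # identification with no data request

def run(doctor, patient, field, id_log, data_log):
    reply = data_request_db(identification_db(source_terminal(doctor, patient, field), id_log), data_log)
    return unseal(K["terminal"], reply["result"]) if "result" in reply else reply
```

run() chains the three parties; unseal() returning None for a blob sealed for another party is the property that keeps each sub-network's administrator from reading the other sub-network's share.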
Claims (1)
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US7274098P | 1998-01-27 | 1998-01-27 |
Publications (1)
Publication Number | Publication Date |
---|---|
TW515957B (en) | 2003-01-01 |
Family
ID=27803644
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
TW88101168A TW515957B (en) | 1998-01-27 | 1999-01-26 | A secure database management system for confidential records |
Country Status (1)
Country | Link |
---|---|
TW (1) | TW515957B (en) |
- 1999-01-26 TW TW88101168A TW515957B active
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| | GD4A | Issue of patent certificate for granted invention patent | |