JP2005182108A - Medical record information leakage prevention filing system and electronic medical record reference method in electronic medical record reference system - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To make it necessary to limit the information of an electronic card file to be disclosed to any person other than a patient according to the contents of medical examination activities even when the person is responsible for the medical examination, and to make it necessary to provide a mechanism for preventing the patient from being specified even when the electronic card file is illegally leaked to the outside. <P>SOLUTION: In an electronic card reference system server system 6, a file does not include any patient basic information but includes an encrypted XML file 4 obtained by encrypting a file having the file name of random numbers by using a secret key for each of the attributes of reference authority and an XML file association table 13 and a secret key. Thus, it is possible to limit files to which a user who operates a client 8 can refer, and to prevent any patient from being specified only by the file. <P>COPYRIGHT: (C)2005,JPO&NCIPI

Description

  The present invention relates to an update system server, a reference system server, and a plurality of clients, and relates to a reference system and an electronic medical chart reference method in which a client refers to medical record information.

  As a filing system for medical record information obtained by converting various medical information into electronic information using a computer, a system described in Patent Document 1 is known. Such a system employs a method of finely classifying the structure of data to be used and setting a tag as an identification code for each type of data.

  Conventionally, for example, a reference system such as that shown in FIG. 12 is known as a method in which a client refers to such electronically recorded medical record information. In FIG. 12, the reference system server 1 includes a reference system database 2, an authentication information database 3, and a patient information file, and has a reference system server system 6 having communication control, input control, and output control functions. . The update system server 7 has an update system database 14 and an update system server system 15. The update system server system 15 has a function of transferring updated data to the reference system server 1 in real time in addition to the database update function. . The client 8 has a client system 9 that communicates with the reference server system 6, and a user who operates the client 8 has a user ID and authentication information distributed for each user. In this reference system, the data updated by the update server is reflected in real time on the reference server data, the patient basic information is stored as a database, the medical record information including the patient basic information is stored as a file, and the file is stored on the client. Refer to

JP 2000-293599 A

  Disclosure of the electronic medical record file is limited to the patient who received the medical treatment and the doctors and staff involved in the medical treatment. However, it is necessary to restrict the information to be disclosed to those who are involved in the medical treatment other than the patient depending on the content of the medical practice. . In addition, even if an electronic medical record file is illegally leaked to the outside, a mechanism that does not identify the patient who received the medical treatment is necessary. However, the current electronic medical record file includes a file name and information that can specify a patient such as a patient ID and a patient name in the file.

  In the conventional technology, when the electronic medical record is saved as a file, the basic information of the patient is included in the file name and file contents. Therefore, if the file leaks illegally, the privacy information of the patient may be leaked to the outside There was sex.

  Therefore, in order to solve these problems, the present invention restricts information disclosed to persons involved in medical treatment other than the patient regarding the electronic medical record, and even if the file is illegally leaked to the outside, the patient is not specified. It is an object of the present invention to realize a medical record information leakage prevention filing system and an electronic medical record reference method in a medical record reference system.

  In order to solve the above-described problems, the present invention relates to a reference system that refers to an electronic medical record using a client computer, finely classifies medical information, sets a tag as a control code, and stores the electronic medical record file. A file of an electronic medical record (hereinafter referred to as an electronic medical record excerpt file) encrypted with a secret key with a random file name that has no meaning other than being unique, with only medical record information data obtained by removing basic patient information from A file correspondence table for storing records including patient information that can identify the patient, information on a person authorized to open the electronic medical record excerpt file, and a file name, and for each attribute to which a patient who is a reference target and a person involved in medical care belong A patient key of the electronic medical record excerpt file can be specified using a secret key for each attribute. Characterized in that the.

  In the present invention, a file (electronic medical record excerpt file) that is used in an electronic medical record reference system that refers to patient medical record information and is encrypted with a secret key for each attribute to which a patient and a person involved in medical care belong is generated. By this, it is possible to limit the users to whom medical record information is disclosed. In addition, since the electronic medical record excerpt file does not have basic patient information, even if this file leaks out of the reference system, it has a function to prevent leakage of medical record information so that the patient is not identified. .

  In addition, in the medical record information leakage prevention filing system, the file (electronic medical record excerpt file) held in the reference system is given a file name that has no meaning other than a unique file using a GUID. Prevents leakage of basic patient information and medical record information.

  Also, when referring to a patient's medical record using the medical record leakage prevention system, a record containing the basic patient information and attribute information and file name to which the patient or person involved in medical care who has the authority to open the file belongs is stored. From the file correspondence information table to be downloaded, only files that can be referenced by the client can be downloaded, the file is decrypted using the public key of the client user, and the decrypted file contents and the patient extracted from the patient basic information database By combining with basic information, the contents of the electronic medical record file are displayed. Therefore, even if only the file held in the reference system leaks illegally, it cannot be decrypted without the public key, and even if the file is decrypted, the file name and basic patient information are not included in the file. Is included, so it has a security function to protect patient privacy.

  According to the present invention, when referring to medical record information in a medical institution, even if only the encrypted medical record information file can be obtained illegally, the file name has no meaning other than unique, You can't guess inside the file. Even when the decrypted file is leaked to the outside, the patient's basic information is excluded from the inside of the file, so that personal privacy does not leak to the outside.

  Embodiments of the present invention will be described below with reference to the drawings. The description will be made specifically using two embodiments.

  First, a basic configuration common to each embodiment of the present invention will be described with reference to FIGS. FIG. 1 shows that the data storage format of only medical record information, excluding basic information that can identify a patient who has classified medical information according to the present invention and set a tag as a control code, is an XML (eXtensible Markup Language) format. It is explanatory drawing which shows the structure of the medical record information leakage prevention filing system in a case. The reference system server 1 includes a secret key 5, an XML file 4 (electronic medical record excerpt file) encrypted with a secret key 5 having a random file name, a reference system database 2, and an authentication information database 3. Furthermore, it has the reference system server system 6 which has each function of communication control, input control, and output control.

  The update system server 7 includes an update system database 14 and an update system server system 15, and the update system server system 15 transfers data updated in addition to the database update function to the reference system server 1 in an XML file format in real time. It has a function. The client 8 has a client system 9 that communicates with the reference server system 6, and a user who operates the client 8 has a user public key 10 distributed for each user.

  FIG. 2 is a flowchart showing data update processing of medical record information in the update server system 15 in FIG. S01 indicates a process in which the medical record information in the update database 14 is updated by the update server system 15.

  S02 is a process of creating an XML file (electronic medical record file) based on the contents of the medical record information update process. As shown in FIG. 3, the content of the XML file (electronic medical record file) 400 created on the basis of the update process content includes the patient ID, patient name, date of birth, sex, etc. Consists of written medical record information. As shown in FIG. 3, since the XML file (electronic medical record file) 400 manages information by tags, the description order of the basic patient information and the medical record information and the description order of the individual information may be random.

  S03 indicates a process of transferring the XML file from the update server 7 to the reference server 1.

  Next, a first embodiment of the present invention will be described with reference to FIGS. In this embodiment, attributes to which a patient and a person related to medical care belong are divided according to the patient and a plurality of occupations.

  In the first embodiment, as shown in FIG. 4, the reference system database 2 has a patient basic information table 11, a type information table 12, and an XML file correspondence table 13.

  As shown in FIG. 5, the reference system server 1 has a secret key for each job type of a patient and a person involved in medical care.

  FIG. 6 is a flowchart showing the filing process of the XML file in the reference server system 6 in FIG. When the XML file 400 is transferred from the update server 7, the reference server system 6 starts the filing process.

  S04 indicates a process of reading the patient ID and type data from the patient ID and type tag from the XML file 400 transferred from the update server, and storing the data in the memory.

S05 determines whether the data is patient information or type information from the tag from the XML file, deletes the patient basic information, the type tag portion and the data portion, and performs processing of overwriting the XML file after deletion. Show. (Creation of electronic medical record excerpt file for encryption)
S06 indicates a process of extracting the record of the corresponding type from the type information table 12 of the reference database 2 from the type data on the memory, and storing the file reference authority presence / absence information for each job type in the memory.

  S07 indicates the start of processing for the first job type. The process for determining whether or not there is a file reference authority is performed in S08. If there is a reference authority, the processes from S09 to S14 are performed.

S09 shows a process of generating a random character string that is surprisingly meaningless and storing the data in the memory.
In S10, a process of creating an XML file (hereinafter referred to as a copy XML file) obtained by copying the XML file is shown.
In S11, a process of changing the file name of the copy XML file to a random character string is shown.
In S12, the process of encrypting the copy XML file using the secret key of the corresponding job type is shown. (Creation of electronic medical record excerpt file)
In S13, update processing of the XML file correspondence information table 13 is shown. In the XML file correspondence information table 13, “date” that is the file creation date, “file name” and “patient ID” that are stored in the memory, “patient ID”, “type”, and “job type” are written. .

In S14, a process for saving the copy XML file in a specific folder on the reference server is shown. The encrypted electronic medical record excerpt file is “encrypted XML file 4” in FIG.
In S15, it is determined whether there is a next job type. S16 indicates the start of processing for the next job type.
In S17, a process for deleting data secured in a memory such as a patient ID, type, job type, and file name is shown.
In S18, processing for deleting an XML file (an electronic medical record excerpt file for encryption) is shown.

  Next, referring to FIG. 7, a process for referring to the electronic medical record in the client system will be described. FIG. 7 is a flowchart showing processing for referring to the electronic medical record in the client system 9 in FIG. In S19, a login screen for logging in to the reference server 1 is displayed. Based on the user ID and authentication information entered by the user, the reference server system 6 makes an authentication determination from the data in the authentication information database 3 (S20). If the authentication is successful, the reference server system 6 extracts the user information (user ID, job title) from the authentication information database 3 in the memory, and permits the user to log in to the reference server 1.

  S21 shows processing for displaying a screen for searching for medical record information that the user wants to refer to. The process is interrupted while the search condition is input and confirmed by the user (S22).

  If the user is a hospital employee, the job type of the user information is automatically added to the search AND condition when the user is a hospital employee, and the search AND condition when the user is a patient. The patient ID is automatically added. As a result, records other than those for which the user has reference authority can be searched for the XML file correspondence information table 13. After the user inputs and confirms the search condition, the search condition data is passed to the reference system server system 6, and the reference system server system 6 adds the job type or patient ID of the user information to the search AND condition and the XML file of the reference system database. The number of records that satisfy the condition on the correspondence information table 13 is returned to the client system 9.

  S23 shows a determination process of how many records corresponding to the search condition exist on the XML file correspondence information table 13. If there are no corresponding records, the process returns to S21.

  S24 shows processing for displaying the record contents corresponding to the search condition on the XML file correspondence information table 13. The contents to be displayed are data on the XML file correspondence information table 13 other than the file name and the patient name. For the patient name, the reference server system 6 searches the patient basic information table 11 based on the patient ID in the record, and obtains the patient name information. The reference system server system 6 passes the data of each record other than the file name to the client system 9 together with the patient name. The client system 9 receives data from the reference server system 6 and displays it on the screen.

The process is interrupted while the user selects and confirms the record (S25).
When the user selects and confirms a record, data indicating which record has been selected is passed from the client system 9 to the reference server system 6. The reference server system 6 selects the selected record from the received data, and returns the file name data and the file storage folder name to the client system 9 from the record. The client system 9 receives file name and folder name data from the reference server system 6 (S26).

  S27 indicates a process of downloading a file from the reference server 1. The reference server system 6 determines that the job type and file name of the user information match the XML file correspondence information table 13 and permits the user to download the file.

  S28 indicates a process in which the client system 9 decrypts the downloaded file using the public key 10 provided to the user. Thereafter, it is determined whether or not the decoding is successful (S29).

  If the restoration is successful, the restoration information is transferred from the client system 9 to the reference server system 6. The reference server system 6 searches the patient basic information table 11 based on the patient ID and returns the corresponding patient basic information record to the client system. The client system 9 receives and displays the basic patient information (S30).

  S31 shows processing for displaying the contents of the decrypted XML file together with the basic patient information. Thus, only by combining the contents of the file decrypted and decrypted using the public key of the client user and the patient basic information extracted from the patient basic information database using the secret key of the job type, the electronic medical record file 400 contents are displayed.

  S32 shows error processing when the XML file cannot be decrypted.

  According to the embodiment described above, by having an authentication information database having a secret key for each job category to which a patient and a patient related to medical care belong, a login authentication information, and a job job information to which a user belongs, When referring to medical record information at an institution, even if only the encrypted medical record information file (encrypted electronic medical record excerpt file) can be obtained illegally, it has a meaning other than the file name being unique. There is no way to guess inside the file. Even when the decrypted file leaks to the outside, the patient's basic information is excluded from the inside of the file, so that personal privacy does not leak to the outside.

Next, another embodiment of the present invention will be described with reference to FIGS. In this embodiment, attributes to which patients and persons related to medical care belong are divided into arbitrary plural groups.
As shown in FIG. 8, the reference system database 2 includes a patient basic information table 11, a tab information table 12 ′, and an XML file correspondence table 13.
As shown in FIG. 9, the reference system server 1 has a secret key for each patient and group.

  FIG. 10 is a flowchart showing the filing process of the XML file in the reference server system 6 in FIG. When the XML file is transferred from the update server 7, the reference server system 6 starts the filing process.

S04 ′ represents a process of reading the patient ID data from the patient ID tag from the XML file transferred from the update server and storing the data in the memory.
S05 ′ represents a process of determining whether data is patient information from the tag from the XML file, deleting the tag part and the data part of the patient basic information, and overwriting the XML file after deletion.

S07 ′ indicates the start of processing of the first group.
In S10 ′, a process of creating a new XML file (hereinafter referred to as a new XML file) is shown.
In S33, processing for reading the tag on the first line of the XML file and extracting the tab reference authority presence / absence information from the tab information table 12 ′ of the reference database 2 using the corresponding tab and group as a key is shown. .
The tag reference authority presence / absence determination process is performed in S34, and if there is a reference authority, the process of S35 is performed.
In S35, the process which adds a corresponding tag part and an information part to a new XML file is shown.

In S36, it is determined whether there is a next tag.
In S37, the next tag of the XML file is read, and the tab reference authority presence / absence information is extracted from the tab information table 12 ′ of the reference database 2 using the corresponding tab and group as a key.

In S11 ′, a process for changing the file name of the new XML file to a random character string is shown.
In S12 ′, a process for encrypting a new XML file using the secret key of the corresponding group is shown.
In S13 ′, an update process of the XML file correspondence information table 13 is shown. In the XML file correspondence information table 13, “date” that is a file creation date, “file name” that is a random character string stored in the memory, “patient ID”, and “group” are written.

In S14 ′, processing for saving the new XML file in a specific folder on the reference server is shown.
In S15 ′, a process for determining whether there is a next group is shown. S16 ′ indicates the start of processing of the next group.
In S17 ′, a process of deleting data secured in a memory such as a patient ID, a group, and a file name is shown.

Next, referring to FIG. 11, a process for referring to the electronic medical record in the client system will be described. FIG. 11 is a flowchart showing processing for referring to the electronic medical record in the client system 9 in FIG.
Based on the user ID and authentication information input by the user, the reference server system 6 performs authentication determination from the data in the authentication information database 3 (S20 ′). If the authentication is successful, the reference server system 6 extracts user information (user ID, group) from the authentication information database 3 on the memory, and permits the user to log in to the reference server 1.

  From the user information group obtained at the time of login, the user information group is automatically added to the search AND condition when the user is not a patient on the reference server system, and the search AND condition when the user is a patient. The patient ID is automatically added. As a result, records other than those for which the user has reference authority can be searched for the XML file correspondence information table 13. After the user inputs and confirms the search condition, the search condition data is passed to the reference system server system 6, and the reference system server system 6 adds the user information group or patient ID to the search AND condition and the XML file of the reference system database. The number of records that satisfy the condition on the correspondence information table 13 is returned to the client system 9.

  S27 indicates a process of downloading a file from the reference server 1. The reference server system 6 determines that the group and file name of the user information match the XML file correspondence information table 13, and permits the user to download the file. Then, the contents of the electronic medical record file 400 are displayed only by combining the contents of the decrypted file using the public key of the client user and the patient basic information extracted from the patient basic information database. .

  Also in this embodiment, the medical record information is stored in the medical institution by having an authentication information database having a secret key for each group to which a patient to be referred to and a subject related to medical care belong, and authentication information for login and group information to which the user belongs. Even if only the encrypted medical record information file can be obtained illegally, it cannot be guessed because the file name has no meaning other than being unique. Even when the decrypted file leaks to the outside, the patient's basic information is excluded from the inside of the file, so that personal privacy does not leak to the outside.

  In the embodiment described above, an example using XML as a markup language has been described. However, in carrying out the present invention, any other mark such as HTML may be used as long as it has both a tag and information. Up language may be used.

  Further, the secret key for each attribute may be generated by classification using a method other than the above embodiment.

1 shows a configuration diagram of a reference system according to an embodiment of the present invention. FIG. It is a flowchart which shows the update process of the data of medical record information in the update type | system | group server system of FIG. The contents of the XML file are shown. 2 shows a reference system database of a reference system server in an embodiment of the present invention. 4 shows a secret key of a reference server in an embodiment of the present invention. It is a flowchart which shows the update process of the data of the medical record information in the reference system server system in one Example of this invention. It is a flowchart which shows the process which refers the electronic medical record in a client system in one Example of this invention. The reference system database of the reference system server in the other Example of this invention is shown. 6 shows a secret key of a reference server in another embodiment of the present invention. It is a flowchart which shows the update process of the data of the medical record information in the reference system server system in the other Example of this invention. It is a flowchart which shows the process which refers the electronic medical record in the client system in the other Example of this invention. The block diagram of the conventional reference system is shown.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 ... Reference system server, 2 ... Reference system database, 3 ... Authentication information database, 4 ... Encrypted XML file, 5 ... Private key, 6 ... Reference system server system, 7 ... Update system server, 8 ... Client machine, DESCRIPTION OF SYMBOLS 9 ... Client system, 10 ... User public key, 11 ... Patient basic information table, 12 ... Type information table, 12 '... Tag information table, 13 ... XML file correspondence information table, 14 ... Update system database, 15 ... Update system server system.

Claims (4)

In a reference system that refers to an electronic medical record using a client computer,
Randomized file name that has no meaning other than unique medical data with only medical record information obtained by subdividing medical information, setting a tag as a control code, and removing basic patient information from the electronic medical record file An electronic medical record excerpt file encrypted with a private key with
A file correspondence table that stores records including patient information that can identify the patient, information of a person authorized to open the electronic medical record excerpt file, and a file name;
A private key for each attribute to which a patient who is a reference object and a person involved in medical care belongs,
A medical record information leakage prevention filing system in a reference system system of an electronic medical record, wherein a patient of the electronic medical record excerpt file can be specified using a secret key for each attribute. In a reference system that refers to an electronic medical record using a client computer,
Randomized file name that has no meaning other than unique medical data with only medical record information obtained by subdividing medical information, setting a tag as a control code, and removing basic patient information from the electronic medical record file An electronic medical record excerpt file encrypted with a private key with
Patient basic information table with basic patient information,
A type information table having information that is open to the public depending on the type of job for each type of information indicating the type of medical practice;
A file correspondence table for storing records including patient information capable of identifying a patient, type information indicating a type of medical practice, staff information authorized to open an electronic medical record excerpt file or occupation type information indicating patient information, and a file name;
A secret key for each job category to which the patient and subject related to medical care belong, and
It has an authentication information database with login authentication information and job type information to which the user belongs,
A medical record information leakage prevention filing system in an electronic medical record reference system characterized in that a patient of the electronic medical record excerpt file can be specified using a secret key for each occupation. In a reference system that refers to an electronic medical record using a client computer,
Randomized file name that has no meaning other than unique medical data with only medical record information obtained by subdividing medical information, setting a tag as a control code, and removing basic patient information from the electronic medical record file An electronic medical record excerpt file encrypted with a private key with
Patient basic information table with basic patient information,
A control code information table having public and private information for each group for each control code;
A file correspondence table storing patient information capable of identifying a patient, type information indicating the type of medical treatment, group information indicating a group authorized to open a file, and a record including a file name,
A private key for each group to which the patient and patient involved in the reference belong,
It has an authentication information database with login authentication information and group information to which the user belongs,
A medical record information leakage prevention filing system in an electronic medical record reference system, wherein a patient of the electronic medical record excerpt file can be identified using a secret key for each group. An electronic medical chart reference method for referring to an electronic medical chart using a client computer to a reference system server system connected to an update system server system,
The reference system server system classifies medical information finely, sets a tag as a control code, has only medical record information data obtained by removing basic patient information from the electronic medical record file, and has a meaning other than unique An electronic medical record excerpt file encrypted with a private key with a random file name without
A file correspondence table for storing records including patient information that can identify a patient, information of a person authorized to open the electronic medical record excerpt file, and a file name;
It has a secret key for each attribute to which the patient who is the reference target and the person involved in medical care belongs,
The contents of the electronic medical record file can be displayed by combining the basic patient information extracted from the patient basic information database and the contents of the electronic medical record excerpt file decrypted using the public key of the client user. An electronic medical chart reference method characterized by

Images