WO2003044637A1 - Method and system for the protected storage and readout of useful data - Google Patents

Abstract

The invention relates to a method and a system for the protected storage, maintenance and provision of useful data in an electronic database system, especially for storing, maintaining and providing medical data for patients. The inventive method is characterised by the following steps: at least one data carrier is provided, said data carrier carrying a private code which is associated with at least one set of useful data and/or at least one database code which is used to identify a/the set of useful data during access to the database for the purposes of storage and/or readout; an input authorisation is electronically checked by comparing electronically acquired first data with stored second data; if the input authorisation is granted, the useful data is encoded by means of a public code which is associated with the private code; the encoded useful data is stored in a database; an access authorisation is electronically checked by comparing electronically acquired first or third data with stored second or fourth data; if the access authorisation is granted, the encoded useful data is read out of the database; and the encoded useful data is decoded by means of the code carried by the data carrier. The invention system comprises corresponding software and hardware functionalities.

Description

Method and system for the secure storage and reading of user data

description

The present invention relates to a method and a system for the secure storage, provision and provision of user data using an asymmetrical encryption method which is based on at least one pair of public and private keys.

In order to collect personal data, such as bank customer account information or so-called patient files, e.g. H. Information about diagnostic and therapeutic treatments of a patient, to be stored and managed in an EDP-supported database facility, special measures are necessary which guarantee the protection of the stored data against access by unauthorized persons. In particular, in the latter case in particular, as a prerequisite for the digital recording and processing of patient data in an EDP-supported medical data platform, it must be ensured that the patients concerned not only consent to the digital recording and processing of their data, but also to one at all times You can agree to or deny access to the stored data about yourself.

Methods and systems for securely storing and accessing data stored in an electronic database are known. While the health insurance card that has been in use in the medical field in Germany for years only serves as identification for the patient who does not contain any information about medical treatments, efforts are being made to additionally store further information about the treatment of a patient that has taken place on such a card. Because of the The limited storage space available on today's standard memory or chip cards, efforts are concentrated on using such cards for storing the medication prescribed to a patient in addition to corresponding documentation of the effects of these medication. In addition to the already mentioned necessary limitation of the amount of data due to the available storage space, this method also has the problem that, for data protection reasons, each of these cards must be secured in such a way that the data contained therein are not read or even changed by unauthorized persons if the card is lost can. For this reason, data can only be saved once on the health insurance cards used today when the card is being produced, which makes these cards completely unsuitable for the applications described. Furthermore, when storing patient data on a memory card that the patient carries with him, there is the problem that all data is lost if the patient loses the card.

There are also numerous database systems in which data is stored in a centralized organizational form on corresponding database servers and can be called up from there. The data on the respective database server is usually secured by requesting access authorization to access the file structures corresponding to this data. This can e.g. This can be done, for example, in the form of passwords required for access to the corresponding database system or in that a chip card that contains an access authorization must be provided upon access.

Another option for securing data stored on electronic database systems is that the stored data is encrypted. This means that they can only be read by people who know the associated key and encryption algorithm. By default, symmetrical encryption drive where the algorithm and key for encrypting the data is the same as that for decrypting data. This means that a person who is authorized to write data to the database automatically has the option of reading data from the database.

In particular in connection with Internet applications, such as the so-called "online banking", asymmetrical key processes are increasingly being used. In these methods, a key, the so-called public key, is used to encrypt data than the key required to read the encrypted data, the so-called private key. The advantage of these methods is that only the private key has to be kept secret, and thus people can use the public key to encrypt data without being able to decrypt it again.

It is the object of the present invention to provide a method and a system for the secure storage, provision and provision of user data in an electronic database system of the type explained above, in particular for the storage, provision and provision of medical patient data, which meets high data protection requirements. To achieve this object, a method is proposed which is characterized by the steps: providing at least one data carrier which carries a private key which has at least one user data record and / or at least one for identifying a user data record when it is being stored or / and read out Access to the database serving database key is assigned; Checking an input access authorization electronically by comparing first data obtained electronically with stored second data; given input access authorization: encryption of user data using a private key assigned public key; Storing the encrypted user data in a database; Checking access access authorization electronically by comparing first or third data obtained electronically with stored second or fourth data; given access authorization: reading the encrypted user data from the database; Decrypt the encrypted user data using the key carried by the data carrier.

To carry out the method according to the invention, a system for secure storage, provision and provision of user data is also proposed, comprising: at least one computer-based database; at least one data carrier which carries a private key assigned to at least one user data record of the database; at least one input data station, from which user data can be entered into the database, the input data station being assigned an input access authorization checking unit, the intermediation of which stores an input access authorization electronically by comparing first data obtained electronically with stored data second data can be checked, the input data station also being assigned an encryption and storage unit, the switching of which, given a given input access authorization, can be used to encrypt useful data by means of a public key assigned to the private key and to store it in the database; at least one access data station, possibly identical to an input data station, from which encrypted user data in the database can be accessed, the access data station being assigned or able to be assigned an access-access authorization checking unit, through the intermediation of which an access-access authorization can be checked electronically by comparing first or third data obtained electronically with stored second or fourth data, the access terminal also being assigned a decryption and readout unit, the switching of which, given the access Access authorization user data can be read from the database and decrypted using the private key carried by the data carrier.

According to the invention, it is provided that the private key, which is required for decrypting user data read from the database system, is stored on a data carrier, from which it is made available to a corresponding decryption unit. It is preferably provided that the private key, after it has been generated, is stored on the data carrier without having to save another copy of it at another point in the system. This ensures that the private key can only be released for use by providing the data carrier. The private key is assigned to a corresponding public key, which is generated together with it and is stored in the system in a publicly accessible manner. When setting up a user data structure or user data structures that are intended to hold related user data or user data records in the database system and / or when setting up a database key that enables access to user data or user data structures, a pair assigned to the at least one user data structure or the database key is used generated by public and private keys, by means of which encryption of the user data structure to be assigned or stored via the database key in the database (which then form at least one user data record) or decrypting of already stored user data belonging to this user data record is possible. Since the private key is only on the data carrier, which in turn is in the possession of a specific person, it is ensured that reading of the user data stored in the database system is only possible with the consent of this person. For example, a person whose personal data are to be stored as useful data in the database system can be made available to the data carrier. In order to identify useful data records stored or to be stored in the database system or to correspondingly assign the respective public and private keys, these can, as already indicated, be assigned to corresponding database keys. Such a type of database management can be carried out according to methods that are common in the prior art.

As a further feature for increasing the security of the data stored in the database system according to the invention, it is provided that an input of user data into the database system is only possible after checking an input access authorization. This check is done electronically by certain data, e.g. B. unique identification features or passwords, can be detected via corresponding electronic devices, and compared with corresponding data that are or are stored, for example, in the database system for granting input access authorization. If an entry access authorization check has been successful, user data to be stored can be entered or read in via an input unit. The entered user data are then encrypted using the public key assigned to the private key and, as mentioned, stored in the database system, as a rule in relation to at least one assigned database key. From this point on, this user data can only be decrypted using the corresponding private key, which according to the invention is only stored on the associated data carrier. According to the invention, an input data station is available for entering user data in accordance with the aforementioned method, to which an access authorization checking unit and an encryption and storage unit are assigned.

To enable access to user data stored in the database system, a corresponding access is again made electronically. Handle access authorization checked by electronically collecting data, on the basis of which it can be decided by comparison with data stored in the system, for example, whether access is permitted or not. In accordance with the above explanations for checking the input access authorization, the data queried or recorded in this connection can be, in particular, passwords or unique identification features of a person.

It is clear from the above explanations that both the input of user data and the access to user data already stored require a corresponding authorization, which can be based on a corresponding predefined rights structure. In the event of a positive check of the access authorization, encrypted user data can be read out of the database. In order to be able to read the user data read out, it is then necessary to decode the encrypted user data using the private key. For this purpose, the data carrier must be provided with the private key assigned to the user data read out. In general, having access authorization to read a specific user data record from the database is not the same as owning the data carrier with the private key stored on it and assigned to the user data record. For this reason, two mutually independent conditions must generally apply so that useful data can be read out from the database system and decrypted.

An access terminal, which is assigned an access authorization checking unit and a decryption and readout unit, is used to carry out accesses to user data stored in the database system.

In particular, it should be noted that access to data stored in the database does not always mean reading out or in particular entering Outputting the user data on an output device must mean, although this will be the case very often in practice. However, it is also conceivable that user data stored in the database system should serve as input data for certain procedures, for example for the further processing of the data. This data must be accessed and the data must be decrypted.

The data carrier, which carries the private key for a user data record, is preferably designed as a chip card or memory card. Depending on the type of user data record assigned to the private key, this data carrier is referred to below as a key card, study card or patient card, depending on the context.

As explained, the invention provides that access, for example the opening of an input or / and access data session, to the user data or the database system, for example via one of the input or / and output data stations, only after one successful verification of an access authorization. It is preferably provided that at least one further data carrier is provided for checking such an access authorization, which carries identification or / and access authorization data, on the basis of which the input access authorization and / or the access access authorization is checked, the identification or / and access authorization data are read out electronically as first or third data or as data associated with the first or third data and sent to the test. In the simplest variant of the method, this further data carrier, which is also referred to below as an access authorization card, ID card or doctor's card, serves as a "key", with the aid of which an input or / and an access data session, for example on one of the input and / or access workstations. The further data carrier, which is preferably designed as a chip card or memory card, is in particular a person who has access to the data banking system to be granted. It is particularly advantageous if the access authorization data contained on the further data carrier also allow identification of this person. To read out or record the identification or / and access authorization data, the respective input or / and access data station can be equipped with a corresponding reading device, e.g. B. a smart card reader. The identification or / and access authorization data can then be fed via the reading device from the further data carrier to a comparison unit of the input access authorization checking unit of the input data station or a comparison unit of the access access authorization checking unit of the access data station, and from this with corresponding stored data be compared. The access authorization can be checked solely on the basis of the identification and / or access authorization data which are stored on the further data carrier. However, it is also conceivable that further data are obtained for this, e.g. B. Passwords that must be entered manually in the input and / or access data station.

Furthermore, it is advantageous in the method according to the invention if the data carrier carrying the private key also carries identification or / and access authorization data, on the basis of which the access authorization, possibly related to the private key stored on the data carrier, is checked, the identification or / and access authorization data being read out electronically as fourth data or as data associated with the fourth data and fed to the test. In this way, misuse of data can be reliably prevented, even if the data carrier should fall into the wrong hands. Furthermore, the validity of a private key can generally be checked with the aid of the identification or / and access authorization data read from the data carrier. INS In this way, the validity of a private key can be limited in time.

It is also possible to check the checking of an access authorization to an input and / or access data station by the fact that the first or / and third data comprise identification or / and access authorization data to be entered manually into an input device, which are queried electronically or / and be put to the test. For this purpose, an input device is assigned to a respective input or / and an access data station for manual input of identification or / and access authorization data as first or third data or data associated with the first or third data which can be fed to the comparison unit of the relevant access authorization checking unit. In the simplest embodiment, the checking of an access authorization thus includes the query of a password. It is even possible to dispense with the additional data carrier, in which case the access authorization is only checked by requesting a password. A higher security of the database system can be achieved, however, in that when checking an access authorization, both the provision of identification and / or access authorization data which are stored on the further data carrier, and the manual input of data, e.g. B. a password are required. The method practiced in this case can essentially correspond to a combination of data carrier cards with the query of a so-called PIN number. Such methods are well known. In general, when querying a PIN number, this number is entered using a suitable input device, e.g. B. a specially provided keyboard (often called a PIN pad), entered and then compared with the corresponding number that is stored on the data carrier or the other data carrier. In this case, the second or fourth data with which the manually entered identification and / or access authorization data are compared is stored on the data carrier or the further data carrier. In addition, however, it is also conceivable to store these second or fourth data centrally in the database system, for example in the respective input or access data station, or in a memory to which the respective input or / and access data station, for. B. over a computer network, has access to save.

A particularly elegant method of providing identification or / and access authorization data for checking an access authorization is that the first or / and third data comprise identification data which is generated electronically by means of recording at least one biometric feature by means of a recording device and the Examination. The advantage of capturing a biometric feature compared to using passwords and / or PINs is that a user no longer has to remember a password or a PIN number. However, there is a possibility that the user will forget his number or enter it incorrectly. Another problem is that a user sometimes has to remember several PIN numbers, which means that the acceptance of such a method is greatly reduced among the respective users. Unauthorized third parties could also get knowledge of the PIN number or the password. These problems do not exist when querying a biometric feature that can uniquely identify a person based on unique, individual and biological features. Such characteristics can be physiological and behavior-based. In particular, the following should be mentioned as features that are suitable for biometric identification: an electronic recording of the face, iris (eye), retina (eye), hand geometry, and a person's fingerprint. Furthermore, the typing rhythm of a person, their voice and a dynamic signature can be recorded electronically, which represent behavior-based biometric features. It is to capture one of these characteristics necessary that the input or / and access data station comprises a corresponding recording device for biometric data as first or / and third data or data associated with the first or / and third data, or that at least one such recording device is assigned, so that the data from this acquired biometric data can be fed to a comparison unit of the input access authorization checking unit and / or access s access authorization checking unit. In principle, the biometric data recorded in this way can either be compared with second or fourth data which are stored on the data carrier or the further data carrier or with second or fourth data which are stored in the system.

In the method according to the invention, access authorization to a respective user data record stored in the database can be given to only one person or to several people at the same time. In the latter case, it is expedient that a plurality of data carriers each carrying the private key are provided and issued to a group of people with regard to an access authorization for reading out and decrypting user data which is to be granted or granted to the group of people. In this case, several data carriers are generated with the private key for a specific user data record and output to the appropriate person. This method will be used especially when e.g. B. for evaluating patient data in the context of a medical study, a plurality of assistants involved in the study are entrusted with the evaluation of the same user data set. In this case, it makes sense to identify the data carrier used to access the user data with the private key during an access in order to be able to log each access to the user data uniquely. It is provided that the identification of the data carrier used in each case preferably directly via a corresponding identifier that the data carrier bears, for. B. a corresponding identification number. Alternatively or additionally, one such identification also takes place via an identification of the person who accesses the user data using the corresponding private key. Such identification should then expediently be carried out when checking the access authorization of this person.

In a further variant of the method according to the invention, it is provided that at least one data carrier carrying the private key is transferred between persons in a group of people, with regard to an access authorization for reading out and decrypting user data which is granted or to be given to the respective person of the group of people receiving the data carrier , Above all, it is thought that exactly such a data carrier is in use and is handed over between the people in the group of people. In this case, each user data record stored in the database is assigned only one data carrier carrying the private key. This case is useful, for example, to create an "electronic patient file" in the database for individual patients. The patient himself is then in possession of the data carrier carrying the respective private key and passes it on to a respective doctor who has to access the patient file in connection with a treatment of the patient. Since the data stored encrypted in the "electronic patient file" can only be accessed by means of the data carrier carrying the private key, the patient is "master" of his data without this data being physically stored on the data carrier. Storage space problems and data loss problems in the event of loss of the data carrier are thus avoided or can be avoided in a simple manner.

In the method according to the invention described above, a plurality of further data carriers each carrying identification and / or access authorization data can be provided and output to a group of people with regard to one group of people granted or to be granted access authorization for encrypting and storing user data and / or for reading and decrypting user data. It is conceivable that the identification data only identify the group of people to whom access authorization is or is to be granted, so that the individual persons of this group of people cannot be distinguished from one another. Depending on the application, it can also make sense to assign an access authorization to a certain, predefined group of people, whereby each individual person in this group of people is identified by an individual identification feature that is queried during the access authorization check. With both methods it is ensured that both an input of user data into the database system and access to user data stored in the database system is only possible for a predetermined group of people.

A further embodiment of this method can consist in the fact that at least one further data carrier carrying the respective identification and / or access authorization data is handed over between persons of a group of people, with regard to an access authorization granted or to be given to the respective person of the group of persons receiving the further data carrier for encrypting and storing user data or / and for reading and decrypting user data.

In the case of the storage of medical user data, it is generally sensible to only grant access authorization to doctors with a valid license, for example by specifying another data carrier of the type described to a respective doctor. This ensures that the user data stored in the database system can only be stored or used in the manner directed towards a medical application. It has already been described above that the checking of the input access authorization and / or the access access authorization can in principle be carried out in a manner in which the identity of the person whose access authorization is checked is not known or becomes known. This applies e.g. B. to if only a manually entered PIN number is compared with a comparison number stored on the other data carrier.

However, a particularly advantageous embodiment of the method according to the invention provides that the checking of the input access authorization and / or access access authorization comprises an identity check based on the comparison of the first data with the second data or on the comparison of the third data with the fourth data , In this case, it is possible, for example, to provide further, more precisely specified restrictions with regard to the possible use of this user data by a respective person of the group of people within a group of people who have generally been granted entry and access access authorization to user data in the database , In this way, in the case of the storage and provision of medical data, it is very easily possible, for example, to give all doctors with a valid license general access to such a database system, but to restrict this access in such a way that specialists only provide data that relate to their specialist area. Furthermore, the detection of the identity during the access authorization check enables exact logging of who entered or accessed user data stored in the database, which reduces the risk of an inadmissible change in stored user data. If the identity of a person who has access to the database system is known, it is also possible to regulate the access and input options of this person by means of independent rights management. For example, a given access authorization can be changed or deleted at any time in this way, without having to change or retract the additional data carrier that has already been issued.

A particular advantage of such an identity check results if the check of the input access authorization and / or access access authorization further comprises a storage authorization check or a read authorization check, in which identification data obtained electronically upon successful identification is compared with the access data provided are assigned to at least one user data record and / or at least one database key which serves to identify a user data record when the database is being stored and / or read out. In this case it can even be taken into account that a certain person should have write access to a certain user data record, but not automatically access to this user data record at the same time, or vice versa. In this embodiment of the method according to the invention, a further check is therefore carried out after a successful access authorization check as to whether the respective person is authorized to make the selected entry or to access a selected user data record. This second check can either be carried out simultaneously with the access authorization check or after the selection has been made on the part of the person. In principle, this check can be carried out by further providing data on the part of the person, for example by manual input, providing a corresponding data carrier or the like. If, however, the respective person has already been identified during the first access authorization check, it is much easier to carry out this second check on the basis of input or access rights assigned to this person. In order to ensure a subsequent check of entries or accesses to user data records in the database system or to prove possible attempts to gain unauthorized entry or access access, it is expedient that security-relevant steps are carried out during the implementation of the method, including those when checking the entry -Access authorization or / and the access-access authorization obtained identification or / and access authorization data are logged. For this purpose, the database system is equipped with at least one corresponding logging unit.

The data carrier that is used to store the private key required for decrypting the encrypted user data is preferably designed as a chip card. Such a chip card must have at least one storage device in which at least the private key can be stored. Expediently, a database key can also be stored on such a chip card, via which the private key can be assigned to the corresponding public key and a corresponding user data record. If the chip card used as a data carrier is a pure memory card, the private key stored in the chip card must be readable by a chip card reader assigned to an input or access data station. In the event that a further data carrier is used, which contains identification or / and access authorization data which serves to check an access authorization, it is also advantageous to also design this further data carrier as a chip card.

The security when decrypting useful data records can be further increased by the chip card used as a data carrier having a processor, possibly a special crypto processor. The processor can advantageously be used to decrypt the encrypted user data. In this case, it is not necessary to read the private key from the chip card in order to carry out a decryption procedure but the decryption of user data takes place directly on the chip card. For this purpose, the encrypted user data are read into the chip card, then decrypted using the crypto processor and the private key, and the decrypted data is read out again from the chip card. This method ensures that, under all circumstances, decryption of user data is only possible if the chip card is in an appropriate reader. Another advantage of this variant of the method is that the private key is not transferred to the access terminal and has to be temporarily stored there.

As a further security precaution in the event of a loss of the chip card used as the data carrier for the private key, provision can further be made for a / the processor of the chip card to be authorized to access the on the basis of the identification and / or access authorization data and at least part of the third data obtained checks the private key and, depending on the test result, enables or blocks access and decryption. Basically, it is provided that the identification or / and access authorization data used for the comparison are stored on the chip card. However, it is also conceivable to store them in the system and to assign them to the data carrier via an identifier of the data carrier. It should also be noted that such a check is possible even without the use of a processor on the chip card. The identification or access authorization data are then checked by a processor of the respective access terminal. This security precaution ensures that a private key located on a data carrier cannot already be read out when the chip card is inserted into a corresponding reading device, so that if this card is lost, the private key remains secured. The chip card used as a data carrier can have a non-readable memory for storing the private key and / and the identification or / and access authorization data for checking the access authorization for the private key. In this case it is practically impossible to read out the private key and use it independently of the chip card. A prerequisite for this implementation, however, is that the decryption of user data and / or the access authorization check can be carried out on the chip card, for which purpose an appropriately equipped processor is necessary.

In order to prevent that user data that are to be entered into the database or user data that have been read out of the database and which are therefore temporarily stored in one of the input or access data stations can be read by unauthorized persons after If a corresponding input or access data session has ended, it can be provided that after the end of an input session by means of the input data station and / or an access session by means of an access data station, user data present locally in the relevant station is deleted by means of an automatic delete functionality thereof. are cash.

In the context of the present invention, it can be provided that the system comprises a computer unit assigned to the at least one database and at least one computer network connecting the computer unit, the at least one input data station and the at least one output data station. In particular, it is provided that the computer network comprises the Internet or / and intranet or / and a WAN or / and a LAN. For the storage and provision of data that are to be protected in a special way against unauthorized access, it is preferred to choose a closed computer network and not the Internet itself. But such a network can also be based on appropriate technologies such as the Internet. The connection of the at least one computer unit assigned to the database with the input or output data stations can be carried out via any established computer network. Various solutions have already been developed for this, e.g. For example, as part of the CHIN (Community Health Integrated Network) project, Deutsche Telekom is providing a corresponding network that is designed as a data platform for medical data and is based on Internet technologies. This network is a completely separate network without an explicit connection to the Internet. The data flow and data storage in this CHIN network is always encrypted.

Via a computer network such as the CHIN network, it is also possible, for example, to combine a plurality of computer units, on the basis of which a database or several individual databases, each assigned to a computer unit, for the useful data. The useful data of the at least one database can thus be stored or stored in a manner distributed over a plurality of storage units which may be associated with separate computer units.

In the context of the present invention, the at least one input data station and / or the at least one output data station can both be separate units, that is, they can also be combined in a single computer unit (in this case, the unit is referred to as a data station for the sake of simplicity). This computer unit can be formed, for example, by a workstation or a personal computer which comprises the at least one input data station and / or the at least one output data station and, if appropriate, the associated encryption or decryption unit.

The system according to the present invention should particularly preferably be designed such that the user data can be entered into the database system exclusively via the at least one input data station, and that the user data can only be accessed via the at least one access data station. It is thereby achieved that the user data stored in the database system can only be manipulated or accessed after a prior successful access authorization check. This represents a further security measure in addition to the encryption of the user data, which is carried out in any case. Such a database system can be implemented, for example, by the individual database computer units in which the user data is stored, in addition to the corresponding network work connections to the input or Access data stations are not assigned any input or output devices.

It is furthermore provided in a preferred embodiment of the present invention that a computer-assisted administration unit is provided for the management of user data records of the at least one database and for the administration of input and / or access rights to the latter, the administration unit preferably neither an input terminal nor has an access terminal. The individual administrative functions that are to be performed by such an administrative unit mainly concern the release or blocking of input or access access authorizations, the generation of the pairs of public and private keys assigned to one another, and the provision of the public keys, the establishment and administration the user data record structures for encrypted user data, and, if appropriate, the logging of the accesses to stored user data records, or the input operations of encrypted user data.

In particular, it is preferably provided that a so-called trust center is connected to the database system in order to generate the public and private keys assigned to a user data record, to provide the private key on a data carrier, and the public key in a publicly accessible manner, preferably in a public way accessible database. Such a trust center can possibly also provide an electronic signature for the public key, with which the authenticity of such a public key can be checked.

The invention is explained below on the basis of exemplary embodiments illustrated or illustrated in the figures, which exemplarily show possible applications and possible embodiments of the invention, but which are in no way intended to restrict the scope of the invention.

1 shows a schematic representation of an example of the implementation of an overall system according to the invention for secure storage, provision and provision of user data using an asymmetrical encryption method.

2 shows an example of a schematic representation of a greatly simplified embodiment of the system according to the invention for the secure storage, provision and provision of user data on the basis of encryption and decryption of the user data using an asymmetrical encryption method, in which only a single copy of each component of the system is shown in each case and where the input terminal is identical to the

Access terminal is.

Fig. 3 shows a flow diagram illustrating a possible flow of a

Procedure for entering user data in the system according to the invention. Fig. 4 shows a flow diagram illustrating a possible flow of a

Procedure for accessing user data stored in the database according to the inventive method.

5 shows a schematic block diagram, which exemplarily shows a

Execution of a data station, as well as an example for a data carrier that carries access authorization to the database system according to the invention (access authorization card) and a data carrier that carries a private key assigned to a user data record stored in the database (key card).

Fig. 6 shows a schematic block diagram similar to Fig. 5, which shows a further embodiment of a data station according to the invention and each of a data carrier that carries an access authorization (access authorization) and a data carrier that carries a private key (key card), the Key card additionally has a crypto processor for decrypting user data.

7 shows a schematic diagram which illustrates the establishment of a clinical-medical study in an integrated medical data platform as a first example of application of the method and system according to the invention.

Fig. 8 shows a schematic image, which the essential processes in

Entering user data into the integrated medical data platform according to the first application example of the present invention shows. Fig. 9 shows a schematic image, which the essential processes in

Access to user data stored in a medical data platform according to the first application example of the present invention shows.

Fig. 10 shows a schematic image showing the establishment of an electronic

Patient record illustrated in the integrated medical data platform according to a second application example of the present invention.

Fig. 1 1 shows a schematic image that shows the essential processes in the

Entering user data into the integrated medical data platform according to the second application example of the present invention shows.

Fig. 1 2 shows a schematic image, which shows the essential processes in the

Access to user data stored in the integrated medical data platform according to the second application example of the present invention shows.

1 shows an example of a system 10 according to the invention for the secure storage, provision and provision of user data on the basis of encryption and decryption of the user data using an asymmetrical encryption method in which a database is stored in four different database computers 1 2a-1 2d. The user data stored in the database computers 1 2a-1 2d are encrypted data which have been encrypted with the aid of a public key 14a-14c assigned to a respective user data record, which is shown by way of example for three user data records in FIG. 1. The individual database computers are each assigned one or more input or access data stations 1 6a-1 6g, seven of which are exemplified in FIG. 1. there one, none or more of these input and access data stations can be directly assigned to each of the database computers 1 2-1 2d. In the context of the invention, the input data stations and the access data stations can be separate units; 1, however, shows an embodiment of the system according to the invention in which an input data station also serves as an output data station at the same time (such a station is referred to simply as a data station in the following). Each of the data stations 1 6a-1 6g is connected to at least one of the database computers via a network line and / or via an interposed computer network (for example the Internet, an intranet or another, possibly closed, computer network (for example the CHIN network)), can be entered into the database via the user data or can be called up from the database. The data stations 1 6a-1 6g serve to access the database system in the sense that user data can be entered and encrypted in the data stations 1 6a-1 6g, which is encrypted in the database computers 1 2a-1 2d or in storage units assigned to them and, conversely, useful data which are stored in encrypted form in the database computers 12a-1d or the storage units are to be read out in the data stations 1 6a-1 6g and can be decrypted there for output or / and further processing.

The individual data stations 1 6a-1 6g can each be individual computers, e.g. B. Personal computers, but they can also be integrated into other networks, via which the user data to be entered are provided (in the case of a medical application, for example of diagnostic subsystems), or via the user data read out, after their decryption, are fed to further processing units can. In general, the database stations 1 6a-1 6g can be realized by computers of various types. For example, personal computers, workstations or portable computers can be used. In the exemplary embodiment shown in FIG. 1 there are four different database computers 1 2a-1 2d which are connected to one another via a network. It is of course also conceivable to accommodate the entire database on only one database computer, or to use any other number of database computers. The network connection of these database computers 1 2a-1 2d to one another can be carried out in a wide variety of ways, as long as it is only ensured that the useful data stored in the different database computers 1 2a-1 2d can be consistently addressed via a network-wide file system. For normal applications it can e.g. B. make sense to use these network connections using publicly available networks such. B. the Internet to train. If user data is to be stored that should not be exchanged over the Internet for data protection reasons, it is conceivable that networks separated from the Internet are used, but which can be based on appropriate technologies. One example of this is the CHIN network (Community Health Integrated Network), which is initiated and operated by Deutsche Telekom and is used primarily to set up medical data networks. In this network, the data flow and data storage are always encrypted.

The connection between the data stations 1 6a-1 6g and the database computers 1 2a-1 2d, via which encrypted data are also exchanged, can in principle be implemented using technologies of the same type as the connection between the individual database computers 1 2a-12d. It is not absolutely necessary for these connections to be permanently maintained; rather, they can be set up on the respective data station when an input or access data session is opened and can be cleared down again at the end of this session. The data stations 1 6a-1 6g and the database computers 1 2a-1 2d are also connected to an administration computer 1 8, possibly also via the connection between the data stations and the database computer intermediate computer network. This administration computer 1 8 performs a number of functions in the exemplary embodiment of the system according to the invention described here. On the one hand, it serves to set up and manage file and data structures on the database computers 1 2a-1 2d. On the other hand, the administration computer 1 8 basically sets up and manages access authorizations 20a-20c to the system according to the invention via the data stations 1 6a-1 6g. In order to be able to open an input and / or access data session on one of the data stations 1 6a-1 6g, the administration computer 1 8 first has to set up a corresponding access authorization 20a-20c. When an access authorization 20a-20c is set up, it is preferably already determined which user data records can be accessed in the database system or which user data records can be written to the database system. The administration computer 1 8 can change this rights structure at any time. As part of an access authorization check, this access authorization 20a-20c is checked when an input or / and access data session is opened on one of the data stations 1 6a-1 6g.

Several different variants are conceivable for checking the access authorization 20a-20c. On the one hand, this check can consist of asking for a manually entered password or a PIN number. A further possibility for checking the access authorization 20a-20c is to electronically query a biometric feature of the person who wants to open an input or access data session and with a corresponding one stored when the access authorization 20a-20c was issued Feature to compare. It is of course also possible to use a combination of both methods. In the embodiment of the system or method according to the invention shown in FIG. 1, a corresponding access authorization chip card 28a-28c is issued when an access authorization is issued, which is to be introduced into a reader assigned to a corresponding data station 16a-1 6g to open an input or / and access data session. 1 shows three examples of such access authorization chip cards 28a-28c. The access authorization check can be carried out in various ways with the aid of the access authorization chip cards 28a-28c. On the one hand, it is conceivable that the respective access authorization chip card 28a-28c, for example card 28a, can be used directly as a "key", so that an entry is made immediately after inserting the card into the reading device of a data station 1 6a-1 6g - or access data session can be opened. Furthermore, with the help of the access authorization card 28a-28c, an access authorization check can be carried out in a simple manner by using corresponding data, eg. B. a password, a PIN number or a biometric feature to open an input and / or access data session of the corresponding data station 1 6a-1 6g must be made available electronically, ie either entered manually or by an appropriate detection device must be recorded, which are then compared with corresponding comparison data that are stored on the card.

In the context of the method according to the invention, it is also advantageous to combine the access authorization check with an identity check, in which the identity of a person who opens an input and / or access data session can be determined in each case. Such an identity check makes it possible in a simple manner to carry out a check of the respectively permitted input or / and access rights to or / and of user data records as soon as an input or / and access data session is opened.

A further task of the administration computer 1 8 is to create this user data when creating a user data record or file or / and data structures in the database system that are used to record user data. assign a pair of asymmetrical encryption and decryption keys to the data record or these structures. According to the invention, the coding method used to encrypt or decrypt user data that is stored in the database is a so-called asymmetrical coding method in which the user data are encrypted using a public key 14a-14c and in which the encrypted data is only used using a private keys 22a-22c different from the public key 14a-14c can be decrypted again. With this method, it is important that the private key 22a-22c must be kept secret under all circumstances, while the corresponding public key 14a-14c in principle does not require any secrecy. It is therefore provided that the private key 22a-22c, after it has been generated, is stored on a chip card, the so-called key card, 24a-24c, otherwise preferably no copy of this key is stored in the system. The greatest possible security of the private key is ensured if it is only stored on the chip card, but if the chip card is lost, all useful data associated with the corresponding private key are lost. To avoid this, it can be provided, for example, that a further copy of a private key is stored in such a way that it is separated both from the chip card and from the system, in particular in such a way that a copy of a private key is not can be accessed over the network. This can be done, for example, by storing the copy of a private key in an encrypted form on a particularly secure "safe server" that is separate from the network and, if necessary, broken down into parts. Such a "vault server" can be managed in an elegant manner by one of the trust centers described below.

In contrast, the public key 14a-14c is stored by the administration computer 18 in a generally accessible database structure 26, so that it can be used at any time, in particular by the Data stations 1 6a-1 6g, can be accessed. It should also be noted that a corresponding pair of public (14a-14c) and private (22a-22c) keys are assigned to each user data record that has been generated in the database, only three of which are shown by way of example in FIG. 1.

2 of the database system 10 is only an administration computer 1 8, a database computer 1 2, a data station 1 6, which serves both as an input data station and as an access data station, an access authorization card 28 carrying an access authorization 20, and one shown key card 24 carrying private key 22. 2, an overview is given below of the manner in which data is exchanged between the individual components of the database system 10 during an input or access data session. It has to be taken into account that, in practice, when executing this database system according to the invention, a large number of data stations 16 as well as access authorization cards 28 and key cards 24 are generally used in parallel. In contrast to the database system 1 0 shown in FIG. 1, in the block diagram shown in FIG. 2, the generation and management of the public 14 and private 22 coding keys assigned to a specific user data record is entrusted to a so-called trust center 30, as described, for example, in FIG. B. is operated by Deutsche Telekom. Such trust centers are generally used to provide and manage public and private keys. B. are also often used to generate digital signatures. By engaging such trust centers, which are subject to certain requirements and are monitored according to the German Signature Act, the integrity of the public and private keys used can generally be ensured.

In the database system shown in FIG. 2, for granting access authorization, opening an input or / and access handles data session on the data station 1 6, generates corresponding authorization data from the trust center 30 and provides an access authorization card 28 representing the access authorization and carrying the authorization data. This measure is also intended to ensure the integrity of the access authorization cards 28 issued. All measures which are carried out by the trust center 30 are preferably carried out solely on the request of the administration computer 1 8 and are registered by this administration computer 1 8. In particular, once the access authorization card 28, which comprises an identifier for identifying the access authorization 20 stored on it, has been issued, the administration computer 18 sets a rights structure which determines which user data records can be accessed by means of this access authorization 20 or which user data records can be accessed of the respective access authorization 20 can be entered into the database system.

To open an input or / and access data session on a data station, the access authorization card 28 is provided in such a way that the access authorization 20 assigned to it can be checked as part of an access authorization check. This access authorization check can be carried out, for example, by directly reading out a feature stored on the access authorization card 28. However, it can preferably also be carried out by storing a password or a PIN number or corresponding comparison data on the access authorization card and by entering the password or the PIN number when opening an input or access data session. A further conceivable possibility of the access authorization check is that a biometric characteristic of a person is stored on the access authorization card 28, which is used for the access authorization check with an electronically is compared by the data station 16 by means of a corresponding biometric data acquisition device.

After the successful opening of an input or access data session, it must be specified whether an entry of user data in the database 12 or an access to user data stored in the database 12 is desired. If an input of user data into the database 12 is selected, this user data can first be entered locally into the respective data station 16, structured there in a desired manner and prepared for storage in the database 12. Furthermore, after it has been specified for which user data record user data is to be stored, it is checked whether there is a corresponding authorization for this. This can be realized in a particularly elegant manner in that the administration computer 18 assigns a specific rights structure to each access authorization data carrier 28, and thus the corresponding authorization for entering a specific user data record can be queried by a simple query at the administration computer 18. For this purpose, the corresponding access authorization card 28 can be identified at the same time during the access authorization check. If the corresponding authorization is present, the user data to be stored in the database 12 are encrypted using the public key 14 assigned to the user data record. In the embodiment shown in FIG. 2, this public key 14 is provided by the trust center 30 and kept ready in the system. After encryption, the user data can then be set in the database 12.

If, after an access authorization check has been carried out, access to user data stored in the database 12 is desired, a check is first carried out as to which user data the granted access authorization contains an authorization to access user data. The file and possibly data structure of this user data can then can be read from the data station 1 6, a user data set or a specific part of a user data set can be selected therefrom and transferred from the database 1 2 to the data station 1 6. Afterwards, the user data read out must be decrypted, for which purpose the private key 22 corresponding to the respective user data must be provided. In this regard, it is provided in the exemplary embodiment that this private key 22 is stored on a key card 24, which must be provided in order to provide the private key 22 in a corresponding reading device which is assigned to the data station 16.

Two different variants are particularly suitable for decrypting user data by means of the key card 24. According to a first variant, the private key 22 is stored on the key card 24 and is read out from there via the reader into the data station 16. In the data station 16, a decryption of the useful data is carried out by means of a corresponding algorithm with the help of the private key 22. According to a second, preferred variant of the decryption method, it is provided that, in addition to the private key 22 contained in a memory, the key card 24 also contains a processor suitable for decrypting data, in addition to an algorithm stored there for carrying out the decryption procedure. In this case, the decryption of the user data can (preferably must) be carried out directly on the key card 24, which avoids the disadvantage that the private key 22 is transmitted from the chip card to the data station 16. For decryption, the encrypted user data are thus transmitted from the data station 1 6 to the chip card reader, decrypted by the processor and transmitted back to the data station 1 6 as decrypted data. Finally, the decrypted data are output by the data station 1 6 or are used for other purposes. 3 shows in the form of a flow chart the individual steps of a procedure which is processed when the user data is entered into a database system 10 according to the invention. After the start of the procedure 50, an access authorization check is first carried out in step 52 according to one of the methods described above. In the preferred embodiment of the method according to the invention, a corresponding access authorization card 28 must be provided for this purpose, so that access authorization or / and identification data can either be read from this card into a data station 16 and can be compared there with data stored in the system 10. On the basis of this comparison, a decision is made as to whether an input data session can be opened on the corresponding input data station 16. A further possibility of checking an access authorization 20 with the aid of an access authorization card 28 is that access authorization or identification data stored on the access authorization card 28 are compared with corresponding data that have to be entered into the data station 16 when an input data session is opened, or respectively are detected by means of appropriate detection devices.

If the access authorization check is negative, the input data session is terminated in step 82 and, after deleting all the data previously entered into the data station 16, is ended in step 84. At this point it should also be noted that although the data are deleted locally in the data station 1 6, it is preferably provided that all attempts to open an input and / or access data session are logged by the administration computer 1 8.

If the access authorization check is successful, the procedure continues to step 56, where manual input must be used to specify that an input of user data into the database system stem should take place. Thereafter, the user data to be stored can be entered locally into the data station 1 6 or read into the data station 1 6 from other devices and prepared there for storage in the database system 10. It should be noted that the useful data can in principle be any data, for example also digital image data (in the case of a medical application, for example, digital X-ray or NMR image data). Thereafter, in the method shown in FIG. 3, in step 60 a user data record or a corresponding data or file structure is selected in the database 12 to which the user data to be stored are to be assigned. If there is no data in the database 1 2 for this user data record or for this data or file structure, the assignment is made in accordance with a database key which is also assigned to the user data record when the public 14 and private 22 keys assigned to it are generated. It is then checked in step 62 whether, on the basis of the existing access authorization, it is permitted to enter data in relation to the selected user data record. If this is not the case, the procedure is aborted in step 82, as described above. Otherwise, the user data provided can then be encrypted.

At this point, it should also be noted that it is preferably provided in step 60 that only those user data records are made available as selection options in which the rights assigned to the user data records are ensured on the basis of identification data that were ascertained during the access authorization check that there is actually an input authorization for the respective user data record. In this case, steps 60 and 62 coincide to form a common step. A variant of the method is also conceivable, in which the user data record for which user data is to be entered is to be entered immediately after the confirmation that user data are to be entered into the database system 10 (that is to say after step 56 in FIG. 3). representation The input authorization for the respective user data record is then immediately checked before the user data to be stored can be entered locally into the data station 16.

To encrypt the user data, the public key 14 must be read into the data station 16 in step 64. This public key is preferably provided either by the administration computer 18 or a trust center 30 in a database which is generally accessible, for example via public networks. In step 66, the user data are then encrypted using the public key 14 and finally, in step 68, transferred to the database 1 2 as encrypted user data. After confirmation that the storage of the data has ended (step 70), all the data read locally into the data station 16 are deleted and then the user data input session is ended.

FIG. 4 shows a flowchart in which the individual steps for carrying out a user data access session are shown. In this case, in accordance with the steps taken at a user data input session, the access authorization 20 is first checked in step 92 and, if the access authorization check is successful, access to the database system 10 is granted. In step 96 it is entered into the data station 16 that access to user data is to take place, after which in step 98 a user data record stored in the database and which is to be accessed is selected. Then, in step 100, it is again checked whether the selected user data record can be accessed on the basis of the access authorization session that took place in step 92 or on the basis of identification data likewise determined during this access authorization check. If this check is negative, the data access session is terminated in step 1 14 in accordance with FIG. 3 and then all the data entered in the data station is locally deleted in step 1 1 2 and the data access session is ended in step 1 1 6. Here too It should be noted that the administration computer 18 preferably logs all attempts to access it.

Different variants come into consideration with regard to the user data access. Above all, two further variants are thought of, which correspond to the variants mentioned for the user data input. On the one hand, it can be provided that on the basis of identification data determined in the access authorization check in step 92 and on the rights structures assigned in the user data records stored in the database system 10, such a selection is made in step 98 from the user data records stored in the database system 10 that in step 98 only those user data records are offered for selection for which there is authorization to access them. In this case, steps 98 and 1 00 take place simultaneously again. On the other hand, a variant is also conceivable in the case of user data access, in which the user data record to be accessed must be entered immediately after the entry that user data is to be accessed (step 96). This entry can also be made in particular by briefly providing the key card 24 corresponding to the user data record to be accessed and bearing the corresponding private key 22 in a corresponding reading device of the data station 16 after step 96. On the basis of an identifier stored on the key card 24, a decision can then be made immediately as to whether there is access authorization for the selected user data record.

If the check of the access authorization in step 100 is positive, the selected user data can be transferred from the database 12 to the data station 16. Then they must be decrypted using the private key 22 assigned to the user data record. For this purpose, it is necessary to have the key card 24 carrying the corresponding private key 22 in a corresponding reading device to provide the access terminal. As discussed above, depending on the design of the key card 24, with or without a (crypto) processor, the decryption of the user data can take place either in the data station 16 or in the key card 24. After the user data has been decrypted, it can be output locally on the data station 1 6 or supplied from the data station 1 6 to corresponding processing units or processing functionalities (for example a selected evaluation program possibly running on the data station) for further processing.

After it has been specified in step 1 10 that the output session is to be ended, in step 1 1 2 all data read into the data station 1 6 are deleted locally, so that access to this data is no longer possible in later sessions, and in step 1 1 6 the user data access session ended.

5 shows a schematic block diagram that shows an example of a possible implementation of a data station 1 1 6 and an access authorization card 1 28 and key card 1 24 assigned to this data station. The data station 1 1 6 shown in FIG. 5, which can be constructed on the basis of a multipurpose computer, for example in the form of a personal computer or a workstation, comprises a number of components which can be subdivided into hardware, operating system-like components and application software. For example, the hardware can largely correspond to the so-called "industry standard" with Intel processors, to name just one example. Other hardware configurations are also conceivable for higher requirements, for example in the form of a server computer or a workstation. The hardware comprises at least one processor 144, read / write memory 142, read-only memory 140, a data output device 146, a data input device 148, mass storage for storing the operating system and application programs 156, network hardware for connection to at least one database computer 1 50, network hardware for connection to an administration unit 1 52, a chip card reading device 1 60 as well as an encryption device 1 62 and a decryption device 1 58. The latter components can also be taken over by the processor itself if appropriate encryption or Decryption software is installed on data station 1 1 6. In addition, the hardware of the data station 1 1 6 includes a device for recording biometric data. Any operating system, for example a standard operating system such as Windows NT, Unix, Linux, SunOS etc., can be used as the operating system for such a data station 1 1 6. The operating system is represented in FIG. 5 by block 1 64. To connect the data station 1 1 6 to a database computer 1 1 2 and to connect the data station 1 1 6 to an administration computer 1 1 8, appropriate network software 1 66 or 1 68 is required, for example based on the TCP / IP protocol or a WAN or LAN protocol.

Corresponding application software is also required to operate a data station 1 1 6. In detail, this includes software 1 72 for database access, software 1 70 for entering, displaying and processing data, in particular user data, software 1 74 for checking access authorizations, software 1 76 for recording biometric data, and encryption software 1 80 and decoding software 1 87 for encryption or decryption of user data.

FIG. 6 shows a further embodiment of a data station 21 6 for use in the database system according to the invention, in addition to a corresponding access authorization card 228 and a corresponding key card 224 which carries a private key 220, in an exemplary block diagram similar to FIG. 5. Reference numerals of such components that correspond to components shown in FIG. 5, are the same in FIG. 6, but increased by 100. Only those components whose function differs from the components shown in FIG. 5 are to be discussed below. The key card 224 shown in FIG. 6 differs from the key card 1 24 shown in FIG. 5 in that the key card contains, in addition to the private key 220, a (crypto) processor which can be used to decrypt user data. For this reason, the provision of a decryption device can be omitted in the hardware configuration of the data station 21 6. Furthermore, the provision of corresponding decryption software in the data station 21 6 can be dispensed with if a corresponding software program running on the processor of the chip card itself is kept available on the key card 224.

In the following, the invention will be further explained by way of example using detailed application examples. 7 to 9 show a first application example in which the method according to the invention is used for storing and providing medical data that are to be evaluated in the context of a clinical-scientific study. This application example therefore relates to the establishment and provision of an electronic study file. 10 to 1 2 show a second application example, in which the method according to the invention is used to store and provide medical data of therapeutic treatments of individual patients in electronic form, so that they are available for access by certain doctors. This application example therefore relates to the establishment and provision of an electronic patient record.

To set up a clinical-scientific study in an integrated medical data platform for medical study data (IDM), a list of all persons who should be authorized to store user data in the system is created on the administration computer 31 8 or access. For this purpose, the precise function of the individual persons should be specified or defined so that a hierarchical rights management can be set up on this basis. The individual persons named as authorized persons receive so-called doctor ID cards 328, which contain a defined ID code and a PIN number. Using these cards, the people involved in the study can gain access to IDM terminals 31 6, which serve as data stations for the IDM network. Furthermore, one or more study cards 324 are created for each study, which contain an ID code, a PIN number and the private key for decrypting the user data stored in the course of the study. Both the study cards and the doctor's ID cards are produced and issued by a trust center 330 operated, for example, by Deutsche Telekom. The complete administration of rights for data access lies with the administration computer 31 8. The connection of the IDM terminals 31 6 with the administration computer 31 8 and with the database computers 31 2 takes place via a (preferably closed) computer network, for example that of Deutsche Telekom provided CHIN network.

In the clinics participating in the study, there is a digital information system that can be used to structure and select user data that are to be saved as part of the study. After a corresponding declaration of consent has been submitted by the participating patients, these user data can be read into the participating clinics as input data for the integrated medical data platform for medical studies in an IDM terminal 31 6. To enter user data into the IDM system, a study assistant involved in a study can open an input data session using his ID card 328 at an appropriately equipped IDM terminal. Based on the identification data determined during the access authorization check using the ID card, it is then checked whether the assistant may enter useful data as part of a study. If this is the case, the structured User data can be sent to the CHIN system. Before the data is sent from the IDM terminal 31 6 via the IDM-CHIN network to the data storage 31 2, the data is encrypted in the asymmetrical encryption system with the aid of a public key assigned to the respective study. This ensures that only user data that has already been encrypted reaches the IDM-CHIN network. After submitting the user data, the study assistant can no longer access the stored user data. The personal doctor ID card only entitles the user to enter user data in the CHIN network. Each input of user data is logged via an administration function of the CHIN network.

Within the CHIN network, the user data storage 31 2 is mandatory in encrypted form in digital archives, which are generally location-independent. This means that the user data does not necessarily have to be stored in a central computer 312, but can be distributed over several computers connected via a network (cf. the general system according to FIG. 1). Since precise routing management exists within the CHIN network, it is ensured that all stored user data can be accessed from every IDM terminal.

To access user data stored in the IDM, a person requesting user data must open an access data session at an IDM terminal via the personal ID card 328 and is identified in the process. In this way, the person has access to the IDM-CHIN network. After the person has indicated that he wants to access user data after a successful access authorization check, the program prompts for the study card 324 to be entered, on which, in addition to the private key for decrypting user data, a description of the study is also stored. The information provided when the study was set up in the IDM is then used to check whether the person querying is entitled to access the study data. If this is not the case, access is denied despite the presence of the study card 324 and the connection to the CHIN network is terminated. If the person is authorized, they can access the user data and select the user data to be read out. The user data transfer of the user data to the IDM terminal 31 6 is still encrypted. The user data is only decrypted in the IDM terminal 316 using the private key stored on the study card 324. To decrypt the user data, it is necessary for the study card 324 to be inserted in a corresponding chip card reader of the IDM terminal 31 6.

The decrypted user data are stored for a maximum of one access data session in the IDM terminal 316 and are deleted from the card reader of the IDM terminal when the access data session is ended or the study card 324 is removed. It is therefore not possible to access stored user data with a time delay without the study card 324 being present at the same time. The use of the IDM can be limited in time. By moving in or physically destroying the study card 324, to which user data access is mandatory, the use of the IDM for a specific user data record can be terminated. Alternatively, access to a specific user data record stored in the IDM can be prevented by deleting the identifier belonging to a study card 324 from the database of the trust center 330. Furthermore, the administration software held on the administration computer 318 preferably offers the possibility of blocking or deleting corresponding data or files of a user data record stored in the IDM without the corresponding user data having to be decrypted via the administration computer 318. This is possible via the routing system of the IDM and represents a possibility to remove individual user data from the IDM if, for example, a patient withdraws his consent to the storage of his user data during the course of a study. Another application example of the method and system according to the invention is shown in FIGS. 10-1 2. This involves setting up an electronic patient file that can be used to store information about therapeutic treatments and medical reports, including, if applicable, the underlying diagnostic data (possibly also digital image data) of individual patients in electronic form and make them available for access by appropriate doctors. In order to set up an electronic patient record according to the present invention, which is shown in FIG. 10, a specific rights structure is set up for the respective patient record, in which the individual doctors are specified, the user data in which for storing and making available the electronic patient record allowed to enter used IDM or to access the user data stored in it. However, it could also be provided that basically all doctors or all doctors in a certain specialty have such access authorization. One could also think of including special other people or groups of people, such as pharmacists and therapists, whereby these other people or groups of people are preferably given less extensive access authorizations. In addition, a patient card 424 is produced for the patient, on which the patient's identity and a personal private key, which is required for decrypting the user data stored in the respective electronic patient file, are stored. This patient card 424 is preferably manufactured and issued by a trust center 430, such as that operated by Deutsche Telekom. A public key, which is assigned to the respective electronic patient file, is also generated by this trust center 430 and is stored in a publicly accessible manner.

Furthermore, access authorization to the IDM is provided for doctors (and possibly the other persons or groups of persons mentioned). This also happens because a corresponding chip card 428 from a trust center 430 is used to identify the respective doctor or the respective person can be determined, is issued to appropriate doctors or persons. In the following it is assumed that a corresponding chip card is only issued to licensed doctors. These so-called doctor ID cards 428 thus contain personal data of the doctor and a PIN number.

Regarding rights management for access to the respective electronic patient files of a particular patient, it must also be said that once the respective file has been set up, the rights structure can be changed or expanded at any time. In principle, it is also conceivable that a patient is in possession of several patient files and thus also in possession of several patient cards 424, which can relate, for example, to various medical “specialist areas”.

For the input of medical data of a patient shown in FIG. 4, a doctor must open an input data session at an IDM terminal 41 6 using his doctor ID card 428. This gives him access to the IDM's CHIN network. After selecting the function of a user data input, the doctor enters the patient identification of the patient for whom user data are to be entered in the IDM. The rights management in the IDM then checks whether the doctor is authorized to enter user data for the respective electronic patient file. If he is not authorized, the connection to the IDM is terminated without the doctor being able to perform any function. If the doctor is authorized, the user data is still encrypted in the IDM terminal 41 6 using the public key, which is requested, for example, from a server of the trust center 430 participating in the IDM. After the user data has been encrypted with the public key, this user data can only be decrypted using the corresponding private key. This means that the doctor who entered the user data in the IDM can no longer read this user data after it has been encrypted. unless the patient hands the patient card to the doctor. The same applies to other doctors who are subsequently consulted by the patient.

With this procedure, the authenticity of the public key used is ensured by two factors:

1 . the secure, encrypted communication signal via the CHIN network, and 2. a digital signature, which is issued by the trust center 430 for the public key and which allows any IDM user to verify the public key used.

A patient can have access to his digital patient file in a suitably equipped clinic / practice. This process is shown in Fig. 1 2. For access, the attending physician must open an access data session using his physician ID card 428 in an IDM terminal 41 6 and then select the menu item "user data access". The doctor must then specify the electronically stored patient file from which he wants to read the user data. It is preferably provided that the patient hands the doctor his patient card 424, which contains the private key and also an identifier of the card. This identifier then gives the doctor access to the file structure of the associated electronic patient record. The doctor can then select the appropriate user data from this file system and load it onto the IDM terminal 41 6. To decrypt this user data, the patient card 424 must then be provided in a chip card reader belonging to the IDM terminal 41 6. During the decryption or the output of the user data, the patient card 424 must remain permanently in the chip card reader. After removing the card, the private key in the IDM terminal 41 6 is deleted when the IDM session ends. So that is Possibility of access to user data limited to the possession of the 424 patient card.

The use of the method according to the invention in the sense of an electronic patient file can also serve to implement a system for documenting and possibly prescribing all medical preparations or medications which are or are to be administered to a patient. In this case, for example, a doctor can use his doctor ID card to open an input data session to issue a prescription at an IDM terminal, during which the system provides him with a suitably prepared prescription form in which he can enter the prescription form prescribing medication. The completed recipe is then encrypted and stored in the database system. To obtain the medication, the patient hands over his patient card to a pharmacist in a pharmacy, who can open an access data session using his ID card at an IDM terminal and then read the prescription using the patient card and dispense the corresponding medication. With the aid of such a system, it could in particular also be avoided that a patient is prescribed several medications which are incompatible with one another at the same time. Such a system would have essentially the same structure as the application example of the electronic patient record. The only differences are in the much smaller scope of the data to be stored and the fact that in this case it would make sense to grant pharmacists access authorization to the database system in addition to doctors. It may be possible to dispense with the issuing of written prescriptions if the prescription is made by means of user data stored in the system and readable by the pharmacist by means of the patient card.

A method and a system for the secure storage, provision and provision of user data in an electronic database system of the type explained above are proposed, in particular for storing, holding and providing medical patient data. The method according to the invention is characterized by the following steps: providing at least one data carrier which carries a private key which has at least one user data record and / or at least one database key which serves to identify a user data record when the database is stored and / or read out and / or read out assigned; Checking an input access authorization electronically by comparing first data obtained electronically with stored second data; given input access authorization: encryption of user data using a public key assigned to the private key; Storing the encrypted user data in a database; Checking an access authorization by electronic means by comparing first or third data obtained electronically with stored second or fourth data; given access authorization: reading the encrypted user data from the database; Decrypt the encrypted user data using the key carried by the data carrier. The system according to the invention has corresponding software and hardware functionalities.

Claims

Expectations

Process for secure storage, provision and provision of user data based on encryption and

Decryption of the user data using an asymmetrical encryption method, which is based on at least a pair of public and private keys, characterized by the steps: - Providing at least one data carrier that carries a private key, which has at least one user data record and / or at least one for identifying one / is assigned to the user data record when storing or / and reading out access to the database serving database key,

Checking an input access authorization electronically by comparing first data obtained electronically with stored second data, given input access authorization: encryption of user data by means of a public key assigned to the private key, storage of the encrypted user data in a database, checking of an access -Access authorization electronically by comparing electronically obtained first or third data with stored second or fourth data, given access authorization:

Reading the encrypted user data from the database,

Decrypt the encrypted user data using the key carried by the data carrier.

2. The method according to claim 1, characterized in that the method comprises the step of providing at least one further data carrier carrying identification and / or access authorization data, on the basis of which the input access authorization and / or the access access authorization is checked, wherein the identification or / and access authorization data is read out electronically as first or third data or as data associated with the first or third data and is sent to the test.

3. The method according to any one of claims 1 or 2, characterized in that the at least one data carrier further carries identification and / or access authorization data, on the basis of which the access access authorization is checked, the identification or / and access authorization data being the fourth Data or as data belonging to the fourth data can be read out electronically and fed to the test.

4. The method according to any one of claims 1 to 3, characterized in that the first and / or the third data manually into one

Identification device and / or access authorization data to be input device included, which are queried electronically and / or the verification.

5. The method according to any one of claims 1 to 4, characterized in that the first and / or the third data comprise identification data which are generated electronically by means of a detection of at least one biometric feature by means of a detection device and are fed to the test.

6. The method according to any one of claims 1 to 5, characterized in that a plurality of each carry the private key. is provided to the data carriers and issued to a group of people with regard to an access authorization granted or to be granted to the group of people for reading out and decrypting user data.

7. The method according to any one of claims 1 to 6, characterized in that at least one data carrier carrying the private key is handed over between persons of a group of people with a view to an access authorization for reading which is granted or to be given to the respective person of the group of people receiving the data carrier and decrypting user data.

8. The method according to any one of claims 2 to 7, characterized in that a plurality of further data carriers each carrying identification and / or access authorization data is provided and is issued to a group of people with regard to an access authorization granted or to be given to the people of the group of people encrypting and storing user data and / or for reading and decrypting user data.

9. The method according to any one of claims 2 to 8, characterized in that at least one further data carrier carrying the respective identification and / or access authorization data is transferred between persons of a group of people, with regard to one of the respective persons receiving the further data carrier Access authorization granted or to be granted to a group of people for encrypting and storing user data or / and for reading and decrypting user data.

1 0. The method according to any one of claims 1 to 9, characterized in that the checking of the input access authorization or / and Access access authorization includes an identity check based on the comparison of the first data with the second data or on the comparison of the third with the fourth data.

1 1. Method according to Claim 10, characterized in that the checking of the input access authorization and / or access access authorization further comprises a storage authorization check or a read authorization check, in which identification data obtained electronically upon successful identification are compared with the access data provided, at least are assigned to a user data record and / or at least one database key which serves to identify a user data record during the storing and / or reading access to the database.

1 2. The method according to any one of claims 1 to 1 1, characterized in that security-relevant steps are logged during the implementation of the method, including identification and / or access authorization data obtained during the testing of the input access authorization and / or the access access authorization.

1 3. The method according to any one of claims 1 to 1 2, characterized in that a chip card is used as a data carrier and / or as a further data carrier.

14. The method according to claim 1 3, characterized in that the chip card used as a data carrier has a processor, possibly a crypto processor, which is used to decrypt the encrypted user data.

5. The method according to claim 3 and according to claim 1 3 or 14, characterized in that the chip card used as a data carrier has a processor which, based on the identification and / or access authorization data and at least part of the obtained third data, has an authorization to access checks the private key and, depending on the test result, enables or blocks access and, if necessary, decryption.

6. System for the secure storage, provision and provision of user data based on encryption and decryption of the user data using an asymmetrical encryption method which is based on at least one pair of public and private keys, comprising: at least one computer-based database, at least one data carrier, which bears a private key assigned to at least one user data record of the database, at least one input data station from which user data can be input into the database, the input data station being assigned an input access authorization checking unit, the switching of which causes an input access authorization can be checked electronically by comparing first data obtained electronically with stored second data, the input data station also being assigned an encryption and storage unit, among which n Mediation with given input access authorization user data by means of a private one

Public key-assigned keys can be encrypted and stored in the database, at least one access data station, possibly identical to an input data station, from which encrypted user data in the database can be accessed, the access data station being assigned or able to be assigned an access-access authorization checking unit, the mediation of which gives access-access authorization can be checked electronically by comparing first or third data obtained electronically with stored second or fourth data, the access data station also being assigned a decryption and readout unit, the transmission of which, given access authorization, gives useful data from the Database can be read out and by means of the private data carrier

Key can be decrypted.

7. System according to claim 16, characterized by at least one further data carrier, which carries identification and / or access authorization data, the identification or / and access authorization data as first or / and third data or as to the first or / and third data associated data can be read out electronically and can be fed to a comparison unit of the input access authorization verification unit and / or the access access authorization verification unit.

8. System according to one of claims 1 6 or 1 7, characterized in that the at least one data carrier further carries identification or / and access authorization data, the identification or / and access authorization data as fourth data or as data associated with the fourth data on electronic Ways out are readable and can be fed to a / the comparison unit of the access-access authorization checking unit.

1 9. System according to one of claims 1 6 to 1 8, characterized by at least one of an input terminal and / or an access

Input device assigned to the data station for manual input of identification and / or access authorization data, which can be fed as first or third data or data associated with the first or third data to a / the comparison unit of the relevant access authorization checking unit.

20. System according to one of claims 1 6 to 1 9, characterized by at least one detection device for detecting at least one biometric feature, wherein from the detection device biometric data as first or / and third data or data associated with the first or / and third one / the comparison unit of the input access authorization verification unit and / or access s access authorization verification unit can be supplied.

21. System according to one of claims 1 6 to 20, characterized in that a plurality of data carriers each carrying the private key is provided.

22. System according to one of claims 1 7 to 21, characterized in that a plurality of further data carriers each carrying identification and / or access authorization data is provided.

23. System according to one of claims 1 6 to 22, characterized by at least one logging unit for logging security-relevant events during the operation of the system, including when checking the input access authorization or / and the access access authorization obtained identification or / and access authorization data.

24. System according to one of claims 16 to 23, characterized in that the data carrier and / or the further data carrier as

Chip card is formed.

25. System according to claim 24, characterized in that the chip card used as a data carrier has a processor, possibly a crypto processor, for decrypting the encrypted user data.

26. System according to claim 18 or 19 and according to claim 24 or 25, characterized in that the chip card used as a data carrier has a processor which is designed and / or programmed, based on the identification and / or access authorization data and at least part of the third data obtained to check an authorization to access the private key and, depending on the test result, to enable or block access and, if necessary, decryption.

27. System according to claim 24, 25 or 26, characterized in that the chip card used as a data carrier has a non-readable memory for storing the private key and / or the identification and / or access authorization data for checking the access authorization to the private key ,

28. System according to one of claims 16 to 27, characterized in that after the end of an access session by means of the input data station and / or an output session by means of the access data station, the station is present locally User data can be deleted by means of an automatic delete functionality thereof.

29. System according to one of claims 1 6 to 28, characterized in that the system comprises at least one computer unit assigned to the at least one database and at least one computer network connecting the computer unit, the at least one input data station and the at least one output data station.

30. System according to claim 29, characterized in that the computer network comprises the Internet and / or an intranet or / and a WAN or / and a LAN.

31 System according to one of Claims 1 6 to 30, characterized in that the useful data of the at least one database can be stored or stored in a manner distributed over a plurality of storage units which may be assigned to respective separate computer units.

32. System according to one of claims 1 6 to 31, characterized in that a computer unit formed, for example, by a workstation or a personal computer comprises the at least one input data station and / or the at least one output data station, and, if appropriate, each assigned encryption or decryption unit.

33. System according to one of claims 1 6 to 32, characterized by such a design that the user data can be entered into the database exclusively via the at least one input data station and that the user data can only be accessed via the at least one access terminal.

34. System according to one of claims 16 to 33, characterized by a computer-assisted administration unit for managing user data records of the at least one database, and of access rights to this, the administration unit preferably having neither an input terminal nor an access terminal.