Software with control logic for converting personalized personal data into de-personalized personal data

Patent abstract:
The invention relates to a personal data network (1) with a server device (2) for storing personal data of a user and a computer unit (3) assigned to the user, in particular a smartphone, a tablet PC or iPad, or a desktop PC. The computer unit (3) and the server device (2) communicate via a network (1, 28) to exchange de-personalized data. The personal data network is built so that only data which permit no direct or indirect inference to the person, so-called "de-personalized" data, are passed over the network and stored in it. According to the invention, the user's personal data are de-personalized on the computer unit (3), given a label (5) and transmitted to the server device (2), where they are stored in de-personalized form under the label (5). The label (5) results from an assignment rule which is stored exclusively on the computer unit (3). Personalizing the de-personalized personal data (4), i.e. associating them with the assigned user, is not possible on the basis of the de-personalized personal data (4) and the label (5) present on the server device (2). Nor is such an association possible during transmission of the de-personalized data via the network.

Publication number: CH712285A1
Application number: CH00389/16
Filing date: 2016-03-21
Publication date: 2017-09-29
Inventor: Krech Thomas
Applicant: Krech Thomas
Main IPC class:

Patent description:
DESCRIPTION

TECHNICAL FIELD OF THE INVENTION

The present invention relates to methods by which the security of personal data in electronic networks and on servers can be increased. This applies in particular to the collection, de-personalization, re-personalization, processing and modification of data of all kinds belonging to users, such as medical reports, findings, vital data, and data exchanged with banks and with state and private institutions of all kinds.

STATE OF THE ART

Electronic data of a person are usually distributed over many locations: personal data held by the family doctor, in hospitals and at health insurers; data on smartphones, fitness trackers and vital-sign monitors; data from Internet-of-things devices such as water and electricity meters; insurance data; bank account balances; and data held by Internet service providers such as Google and Facebook. There is growing interest in bringing these data together and in evaluating and sharing them for the benefit of the user and of the general public.

A user's data are often provided to, and kept by, people or institutions in personalized form without this being necessary. Users as well as legislators have an increasing interest in the de-personalization of personal information in order to prevent its misuse. The importance of de-personalization grows when not only individual items of personal data are available but all personal data of a user are combined and, possibly, stored centrally.

The idea of collecting personal data in a mobile file kept by the patient is maturing, especially in the US, and finds expression for example in the iPhone application Health Chron (see https://www.linkedin.com/pulse/why-you-should-your-own-health-data-loc-pham). A data collector platform is being developed in the US under the designation "Physi-IQ" (http://www.physiq.com/markets/).
This data collector platform continuously collects a user's vital data and then makes them available to doctors so that they can act proactively on the basis of those data. The company developing the platform has entered into a partnership with Samsung to use the SAMI data exchange platform developed by Samsung to transmit sensor data to the cloud (see https://developer.samsungsami.io/sami/sami-documentation/). In countries such as Denmark or the Netherlands, almost all patient records are already managed electronically. By contrast, the digitization of patient data in Switzerland or in Germany (http://www.healthbytes.de/eu-studie-health-durchdringung-allgemeinDoctors-deutschiand-potenzial/) is progressing only slowly. The EU launched the pilot study EPSOS (http://www.epsos.eu/home/download-area/information-on-healthcare-and-ehealth.html) with the aim of providing cross-border medical care for EU citizens based on electronically stored personal data. In Switzerland, the interdisciplinary working group IPAG EPD within eHealth Suisse is working on the structure of an electronic patient file (http://www.saez.ch/aktuelle-ausgabe/details/ipag-epd-nach-der-teappe-ist-vor-the-etappe.html). The legal aspects are regulated in Switzerland by the Federal Act on the Electronic Patient Record (EPDG).

OBJECT OF THE INVENTION

The object of the invention is to propose a personal data network (1, 28), and software with control logic for use in such a network, which is improved with regard to
- the security of personal data against unauthorized access by third parties,
- the de-personalization of personal data of a user and/or of a plurality of users, and/or
- the generation of personalized personal data from de-personalized personal data.

SOLUTION

The object is achieved according to the invention with the features of the independent claims.
Further preferred embodiments according to the invention can be found in the dependent claims.

DESCRIPTION OF THE INVENTION

In a personal data network according to the invention, a server device is used. This server device may be a single server unit or a plurality of networked server units. Personal data of a user are stored on the server device. Such personal data are, for example, vital data of the user such as blood pressure, body temperature, or activity data such as a distance covered or a number of steps or flights of stairs climbed. These vital data may be derived, for example, from so-called wearables such as wristbands (http://www.aerzteblatt.de/nachrichten/62732), from a smartphone fitness application (such as "Endomondo", Apple's HealthKit or Samsung's S Health), or from devices in domestic or personal use such as an electric toothbrush, a car or mobile diagnostic devices (http://www.aerztebiatt.de/nachrichten/62729). Alternatively or cumulatively, the personal data may be patient data such as medical and treatment histories, doctor's reports, referral letters, examination findings such as X-ray images, ECGs, laboratory findings, histological findings, images and videos of patients (in particular of examination results such as skin changes, mucosal lesions or wounds), data for diagnosis and assessment of the healing process, data recorded in hospitals and intensive care units, genetic data, and so on.

Furthermore, the personal data network according to the invention has a computer unit which is assigned to a user. As non-limiting examples, the computer unit assigned to the user may be a computer, a tablet, a mobile phone, a smartphone, a smartwatch, a wearable or a PDA. In the context of the invention, the computer unit and the server device communicate via a network to allow an exchange of personal data.
This serves, on the one hand, to allow the user access to his personal data via the computer unit and, on the other hand, to allow personal data to be transferred from the computer unit to the server device for storage there.

According to the invention, the personal data are not stored on the server device as personalized personal data. This prevents third parties who access the server device, whether authorized or not, from gaining knowledge of personalized personal data. Instead, the personal data are stored on the server device exclusively as de-personalized personal data. Here "de-personalized personal data" means any form of personal data for which an assignment of the data to the person they concern is not possible. As non-limiting examples, the data may carry no name, categorization or "header" that contains the name of the person or any other identifying association with the person. Alternatively or additionally, all personal information may be eliminated from the personal data themselves (for example from a medical report or another document, an image or the like).

Without further measures, however, the user would then no longer be able to access his personal data, since the de-personalized data could no longer be found and assigned to the user; the de-personalized personal data would be "lost". To avoid this, within the scope of the invention an assignment rule is present on the computer unit assigned to the user. The assignment rule may be of any design as long as it assigns a label to a user and his personal data which, by itself, does not allow third parties to determine which user the label denotes.
To give a simple, non-limiting example, the label can consist of a simple number assigned individually to the user. If the personal data are marked with this number, the user, or the computer unit assigned to the user which knows the number via the assignment rule, can find the data marked with that number and recognize them as the user's own. (In practice the number must be chosen at random with enough entropy that it can be neither guessed nor linked to the order in which users joined; a counter handed out by the server would itself be a weak identifier.) In the context of the invention, both the de-personalized personal data and the label are stored on the server device. Since it is not possible to personalize the de-personalized personal data, i.e. to assign them to the associated user, on the basis of the de-personalized personal data and the label present on the server device, the confidentiality of the personal data and protection against misuse are preserved.

The invention proposes that the computer unit assigned to the user has control logic, in particular software, with which a request to the server device is generated that the de-personalized personal data of this user be transmitted. This request includes the label associated with the user. When the server device receives such a request with the label, it can select from a plurality of de-personalized personal data those associated with the label and transmit them to the requesting computer unit, so that the de-personalized personal data associated with the user are ultimately delivered to the user and can be presented for inspection.
To enable the transmission and storage of a plurality of de-personalized personal data with the label, but without any possibility of inference to the assigned person, the invention further proposes that personalized personal data be transformed on the user's computer unit into de-personalized personal data using the assignment rule. The control logic of the computer unit then transmits the de-personalized personal data with the associated label from the computer unit via the network to the server device, where they can be stored without the possibility of inference to the user. Thus, according to the invention, the personal data exist in personalized form only on the computer unit and not on any other part of the personal data network. The personal data may be deleted from the computer unit after transmission.

An additional authentication of the user and/or the computer unit may be required before communication and a transfer of de-personalized personal data via the personal data network takes place. The authentication may also be bound to the de-personalized personal data associated with the user, so that the server device transfers the de-personalized personal data to the computer unit only if both a request with the associated label and the authentication specific to these de-personalized personal data are present. To increase security, authentication of the key of another person may also be required, for example when a third party is to have access to the user's data or parts of them.

Another aspect of the invention addresses the problem that not only the label, a file name, a header and the like allow inference to the assigned user. Usually the data of the kind mentioned above themselves contain personal information.
For example, these may include the user's surname and/or given name, dates, locations, postal codes, names of hospitals or care facilities visited, accident locations, telephone numbers, signatures and other person-specific information. In a further embodiment of the invention it is therefore proposed that the computer unit assigned to the user has control logic with which personal information, and information from which the person can be inferred, is removed from, or converted within, information unit data comprised by the personalized personal data. The "personalized personal data" may be a comprehensive health record, while the information unit data are individual "sheets" or parts of this record. As non-limiting examples, the information unit data may be an image (including an image sequence in the form of a video), a text, an audio file (e.g. a dictated medical report, an echocardiogram recording, etc.) and the like.

The personal information may be removed manually by the user. Alternatively or cumulatively, the removal may take place automatically. Instead of removing the personal information, it may also be converted so that partial information is retained which no longer permits, or only to a reduced extent permits, inference to the user.

There are many possibilities for automatically identifying the personal information for the purpose of removing or converting it. According to one proposal of the invention, the control logic of the user's computer unit includes a recognition logic with which personal information, and information from which the person can be inferred, is recognized automatically in the information unit data.
For example, the recognition logic may include OCR that converts a graphic contained in the information unit data into text. This text can then be searched, using logical conditions and known formation rules for personal information and person-inferring information, for example for dates in a given date format, or for text components that correspond to names, where a database of names may be consulted. If the recognition logic detects personal information, the detected information can be removed directly from the information unit data. Where recognition is based on OCR, the region of the image that corresponds to the recognized text component must be permanently removed for this purpose. It is also possible that, before personal information is removed from the information unit data, the user is asked to confirm the removal.

In a personal data network according to the invention, the user's computer unit has control logic which converts at least part of the recognized personal information and person-inferring information in the information unit data into generalized personal information. As a non-limiting example, a date contains day, month and year; it can be converted into generalized personal information containing only the year. Likewise, personal information may include a place of residence or a state, which is converted into generalized personal information in the form of a state, a country or a larger territory. The generalized personal information satisfies the need for secrecy of the personal information.
On the other hand, analyses of the personal data remain possible despite the elimination of day and month, for example following the development of a disease over many years, or statistical studies of disease incidence that take regional characteristics into account on the basis of generalized personal information in the form of a state, canton or territory. A further possibility is that control logic converts the intervals between events marked by dates into time intervals. For example, "onset of illness on such-and-such a date and hospital admission on such-and-such a date" is converted into "hospital admission 10 days after onset of illness".

According to a further proposal of the invention, the recognition logic includes text, image or audio recognition logic. The control logic identifies personal information and person-inferring information by matching recognized words, images or audio components against predetermined words, images, audio components or formation rules, where suitable databases of possible personal information can be used. The control logic then removes the personal information so identified from the information unit data or converts it (e.g. as described above) into generalized personal information.

If the user is involved in the conversion or removal of personal information, this can be done according to a further proposal of the invention by the control logic of the user's computer unit presenting the information unit data on an output of the computer unit, in particular a screen or a loudspeaker. The control logic then enables the user, on the basis of the output, to remove or convert personal information and person-inferring information that he identifies in the information unit data. As a non-limiting example, the user may mark on the screen a portion of the output information, which is then converted or removed. This can be done by the user on the basis of visual inspection of the output.
It is also possible that, by an automated procedure, the user is successively shown different items of personal information and person-inferring information with a request to confirm whether, and if so to what extent, each is to be converted or removed.

Converted or removed information in the personal data may be lost for good. If, however, it is to be possible (in particular only for the user) to reconstruct the complete personal data including the converted or removed information at a later time, the invention proposes that the control logic of the computer unit stores the personal information and person-inferring information that was removed from or converted in the information unit data, preferably on the computer unit itself. Preferably both the deleted or converted personal information and the position at which it was located in the information unit data and the personal data are stored. For at least partial reconstruction of the original personal data or information unit data, the control logic of the computer unit can then take the de-personalized personal data received from the server device over the network, from whose information unit data personal information and person-inferring information have been removed, and supplement them again with the stored personal information, so that an at least partial completion and/or recovery takes place.

It is quite possible that in the personal data network exclusively a number of computer units, each assigned to a user, communicate with the server device. The greater the number of users and assigned computer units, the less feasible is the assignment of the de-personalized personal data to users and computer units.
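The recognition, generalization, interval conversion and local storage of the removed items described in the preceding paragraphs, as an added example that is not part of the patent or of any product it cites. It is Python written for this page; the referral note, the name list and the regular expressions for Swiss-style dates (DD.MM.YYYY), four-digit postal codes and spaced telephone numbers are constructed assumptions, not the patent's own recognition logic. Dates are treated as the text proposes: a date preceded by "born" is reduced to its year, the earliest other date is the reference event and is reduced to its year, and later dates become intervals relative to it. The redaction map that makes reconstruction possible is exactly what must stay on the computer unit and never reach the server.

```python
import re
from dataclasses import dataclass, field
from datetime import date

# Constructed sample referral note (not real data).
SAMPLE_NOTE = (
    "Patient: Anna Meier, born 03.07.1961, Zurich 8001. "
    "Onset of illness 12.01.2016; admitted to Kantonsspital Winterthur on 22.01.2016. "
    "Contact: +41 44 123 45 67."
)

# Hypothetical name database; a real deployment would consult a proper gazetteer.
KNOWN_NAMES = ["Anna Meier", "Kantonsspital Winterthur"]

# Formation rules assumed for this sample: Swiss DD.MM.YYYY dates, four-digit
# postal codes, international phone numbers written with spaces.
DATE_RE = re.compile(r"\b(\d{2})\.(\d{2})\.(\d{4})\b")
PLZ_RE = re.compile(r"\b[1-9]\d{3}\b")
PHONE_RE = re.compile(r"\+\d{2}(?: \d{2,3}){3,4}")


@dataclass
class Redaction:
    """One removed or converted item and where it sat, in both texts."""
    start: int        # span in the original text
    end: int
    original: str
    replacement: str
    new_start: int    # span in the de-personalized text
    new_end: int


@dataclass
class Deidentified:
    text: str
    redactions: list = field(default_factory=list)  # stays on the computer unit


def _plan(text, names):
    """Recognition logic: returns (start, end, replacement) for every hit."""
    plan, events = [], []
    for m in DATE_RE.finditer(text):
        d = date(int(m.group(3)), int(m.group(2)), int(m.group(1)))
        if text[max(0, m.start() - 5):m.start()].lower() == "born ":
            plan.append((m.start(), m.end(), str(d.year)))   # generalize to year
        else:
            events.append((m, d))
    if events:
        ref = min(d for _, d in events)                        # earliest event
        for m, d in events:
            delta = (d - ref).days                             # interval conversion
            plan.append((m.start(), m.end(), str(d.year) if delta == 0 else f"day +{delta}"))
    for name in names:
        for m in re.finditer(re.escape(name), text):
            plan.append((m.start(), m.end(), "[NAME]"))
    for m in PHONE_RE.finditer(text):
        plan.append((m.start(), m.end(), "[PHONE]"))
    for m in PLZ_RE.finditer(text):
        plan.append((m.start(), m.end(), "[PLZ]"))
    return sorted(plan)


def depersonalize(text, names=KNOWN_NAMES):
    """Remove or convert recognized items; record each one with its position."""
    out, cursor, new_pos, result = [], 0, 0, Deidentified("")
    for start, end, repl in _plan(text, names):
        if start < cursor:
            continue  # overlap, e.g. the year inside an already handled date
        out.append(text[cursor:start])
        new_pos += start - cursor
        result.redactions.append(Redaction(start, end, text[start:end], repl, new_pos, new_pos + len(repl)))
        out.append(repl)
        new_pos += len(repl)
        cursor = end
    out.append(text[cursor:])
    result.text = "".join(out)
    return result


def repersonalize(doc):
    """Reconstruct the original from the de-personalized text plus the local map."""
    out, cursor = [], 0
    for r in doc.redactions:
        if doc.text[r.new_start:r.new_end] != r.replacement:
            raise ValueError("redaction map does not match this text")
        out.append(doc.text[cursor:r.new_start])
        out.append(r.original)
        cursor = r.new_end
    out.append(doc.text[cursor:])
    return "".join(out)
```

`depersonalize(SAMPLE_NOTE).text` yields "Patient: [NAME], born 1961, Zurich [PLZ]. Onset of illness 2016; admitted to [NAME] on day +10. Contact: [PHONE]." with seven entries in the redaction map, and `repersonalize` returns the original note unchanged. Pattern-based recognition of this kind only finds what its rules describe: a relative named in free text, a rare diagnosis or an unusual workplace would pass through, which is why the text keeps the user's confirmation step and a names database in the loop.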
In order to make this possible even at the start of filling the server device, when the data of the first users are transmitted, the server device may at least initially be filled with de-personalized personal data of fictitious users created, for example, on the basis of random criteria.

Within the scope of the invention it is also possible that further devices are integrated in the personal data network:

According to a proposal of the invention, supporter computer devices, in particular computer units or computer subnets, are integrated into the personal data network, where the supporters are assigned to the users. Such supporters may be health care workers such as a doctor, a caregiver or a nurse, a practice or a hospital. Other supporters that may be integrated into the personal data network through an associated supporter computer device are pharmacies, insurance companies, banks or research institutions, to name but a few. If a supporter computer device is to be able to receive de-personalized personal data from the central server device, this can be done in two ways:
a) The user of the computer unit may himself transmit the personal data to the supporter computer device via another path, for example via a wireless or wired network.
b) Alternatively, the user may transmit the assignment rule or the label to the supporter computer device, whereupon the supporter computer device can access the server device and query the de-personalized personal data of the user, here the supporter's patient.

The personal data network may also have an analysis interface.
Via the analysis interface, the personal data network can communicate with an analysis computer device in which personal data are analyzed, for example for the diagnostic evaluation of a user's personal data and/or for surveys or statistical investigations of the personal data of multiple users.

The invention further proposes that the supporter computer device, the analysis computer device, the server device and/or the computer unit assigned to the user have control logic which derives findings from the de-personalized personal data of a user. Alternatively or cumulatively, the control logic may generate automatic messages. As non-limiting examples, a critical circulatory condition may be determined from vital data (e.g. blood pressure and pulse) measured via a smartphone or wearable. An automatic message may be, for example, an alert to the user, to a companion of the user, or to a physician or other health care professional. It is also possible that an automatic message reminds the user of a regular doctor's visit (for example of an upcoming vaccination after a predetermined interval since the previous one) and is displayed on the user's computer unit.

The invention also proposes that the supporter computer device, the analysis computer device, the server device and/or the computer unit assigned to the user have a capture device via which personalized or de-personalized personal data can be recorded. The capture device may be a manual input device, such as a keyboard, via which the user enters personal data. Preferably, however, the capture device is a scanner, a camera, an audio recording device or the like, via which personalized or de-personalized personal data can be captured.
It is also possible that an interface, wired or wireless, is provided as a capture device on the computer unit. This interface can be used, for example, to transfer personal data from a computer of a medical practice or hospital examination facility, or to communicate with a scanner, a camera, an audio recording device or the like. Alternatively or additionally, the computer unit assigned to the user can be connected via an interface to a vital data acquisition device, in particular a pulse chest belt, a wearable, etc. Here a "wearable" means a computer unit which is attached to the user's body or clothing during use. Alternatively, data that have already been derived can be received via this interface, for example from Apple HealthKit or Withings.

A problem in the personal data network may be that, although the personal data are transmitted between the computer unit and the server device in de-personalized form, so that from the data themselves no assignment to the user is possible, the transmission path of the de-personalized personal data may reveal the IP address from which the computer unit sent them, which would ultimately permit an inference to the user or at least to the user's surroundings. If this is to be avoided, in a further refinement of the personal data network according to the invention a transmission path separating device is interposed between the computer unit assigned to the user and the server device. It receives the de-personalized personal data transmitted by the computer unit, strips any indication of the IP address from which it received them, and then forwards the de-personalized personal data to the server device.
In this way, inference from the de-personalized personal data on the server device back to the transmission path from the computer unit is made impossible, which further protects the privacy interests of the user and guards against access by third parties to the personal data. (A single relay of this kind sees both the source address and the label, so it must itself be trusted not to log or combine them, or be replaced by a chain of relays.)

A further embodiment of the invention concerns the registration of the user. According to one proposal, the computer unit assigned to the user has control logic which sends a telephone number of the computer unit, in particular of the smartphone. From the unit responsible for registration, in particular the server unit, to which the telephone number has been sent, the computer unit then receives a code which allows authentication of the computer unit. If the computer unit is a smartphone, for example, it can receive this code as an SMS. According to the invention, only after receipt of the code for authenticating the computer unit does the control logic accept data on the person of the user, which may include, for example, name, date of birth, place of birth and the like. These data relating to the person of the user can then be stored in the computer unit; in particular, they are not transmitted via the network. (If the registering unit is the same server that later stores the labelled data, the telephone number and the first labelled upload must not be linkable, for example by timing, or the registration step undoes the de-personalization.)

In principle, an assignment rule and the label it assigns to a user need not change. Under certain circumstances, the security of the personal data network can be increased further if the control logic of the computer unit determines a new assignment rule with a new label at regular intervals or on certain events. The new label can then be transmitted to the server device by the computer unit via the network together with the de-personalized personal data.
Under these circumstances the following steps may be carried out:
- transfer of the de-personalized personal data from the server device to the computer unit using the old label,
- determination of the new assignment rule and the new label by the computer unit,
- deletion of the de-personalized personal data stored under the old label on the server device, and
- re-transmission of the de-personalized personal data with the new label to the server device.

The events on which the control logic of the computer unit determines a new assignment rule with a new label may be, for example, any transmission of the de-personalized personal data with the (old) label from the server device to the computer unit and/or to a supporter device. Alternatively or additionally, the transmission of the assignment rule to a supporter device may serve as such an event.

It is also conceivable that the method described, in which the user holds the sole key for access to his data, is supplemented or replaced by alternative methods such as code-changing devices, paper codes, or personal features such as iris recognition, video sequences of the eyelid, etc., or DNA sequences.

It may be desirable that the user has exclusive personal access to his personal data via the computer unit. This can, however, be problematic in case of loss of the computer unit or if the user becomes unconscious or unable to act. To provide for such cases, the control logic of the computer unit may transmit the assignment rule to the computer unit of a trusted person. The trusted person is, for example, a spouse, a person authorized to decide for the user in an emergency, or a security officer or other person with a trust function via whom access to the personal data is to be possible if the computer unit is lost.
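The label mechanism of the description above (de-personalization on the computer unit, request by label, authentication bound to the labelled data, hand-over of the label to a supporter or trusted person) and the re-keying just described, as one added example that is not part of the patent: Python written for this page, with an in-memory stand-in for the server device. The assignment rule is modelled as a fresh random 256-bit secret from which the label and a per-label authentication key are derived with HMAC; the challenge-response, the field names and the sample vital-data record are assumptions of this example, not the patent's protocol.

```python
import hashlib
import hmac
import secrets

# Fields that identify the user directly; they never leave the computer unit.
DIRECT_IDENTIFIERS = ("name", "date_of_birth", "address")


class ServerDevice:
    """Stand-in for the server device: holds label -> records plus a per-label
    authentication key. Nothing stored here links a label to a person."""

    def __init__(self):
        self._records = {}    # label -> list of de-personalized records
        self._auth_keys = {}  # label -> key for challenge-response

    def register_label(self, label, auth_key):
        self._records.setdefault(label, [])
        self._auth_keys[label] = auth_key

    def store(self, label, record):
        if label not in self._records:
            raise KeyError("unknown label")
        if any(k in record for k in DIRECT_IDENTIFIERS):
            raise ValueError("refusing personalized data")  # defence in depth
        self._records[label].append(dict(record))

    def challenge(self):
        return secrets.token_bytes(16)

    def _verify(self, label, nonce, proof):
        key = self._auth_keys.get(label)
        if key is None:
            return False
        return hmac.compare_digest(hmac.new(key, nonce, hashlib.sha256).digest(), proof)

    def retrieve(self, label, nonce, proof):
        # Both the label and the authentication specific to it are required.
        if not self._verify(label, nonce, proof):
            raise PermissionError("authentication failed")
        return [dict(r) for r in self._records[label]]

    def delete(self, label, nonce, proof):
        if not self._verify(label, nonce, proof):
            raise PermissionError("authentication failed")
        del self._records[label]
        del self._auth_keys[label]

    def attacker_view(self):
        """Everything a party with full access to the server would see."""
        return {label: [dict(r) for r in recs] for label, recs in self._records.items()}


def prove(server, label, auth_key):
    """Client side of the challenge-response; used by the user and by supporters."""
    nonce = server.challenge()
    return label, nonce, hmac.new(auth_key, nonce, hashlib.sha256).digest()


class ComputerUnit:
    """The user's device. Holds the personalized identity and the assignment rule."""

    def __init__(self, server, identity):
        self.server = server
        self.identity = dict(identity)  # stays local; never uploaded
        self._new_assignment_rule()

    def _new_assignment_rule(self):
        # Assignment rule = fresh random secret. Label and auth key are derived
        # from it, so they are unpredictable and unrelated to any earlier label.
        self.secret = secrets.token_bytes(32)
        self.label = hmac.new(self.secret, b"label", hashlib.sha256).hexdigest()
        self.auth_key = hmac.new(self.secret, b"auth", hashlib.sha256).digest()
        self.server.register_label(self.label, self.auth_key)

    @staticmethod
    def depersonalize(record):
        return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}

    def upload(self, record):
        self.server.store(self.label, self.depersonalize(record))

    def download(self):
        return self.server.retrieve(*prove(self.server, self.label, self.auth_key))

    def repersonalize(self, records):
        # Re-personalization happens only here, using the locally held identity.
        return [{**self.identity, **r} for r in records]

    def share_credentials(self):
        """What a supporter or trusted person receives in order to read the data."""
        return self.label, self.auth_key

    def rotate_label(self):
        """Re-keying: fetch under the old label, delete it on the server, then
        re-upload everything under a fresh label."""
        records = self.download()
        self.server.delete(*prove(self.server, self.label, self.auth_key))
        self._new_assignment_rule()
        for r in records:
            self.server.store(self.label, r)


def supporter_read(server, label, auth_key):
    """A supporter holding the label and key reads the data; once the user
    rotates, these credentials stop working."""
    return server.retrieve(*prove(server, label, auth_key))
```

With `unit = ComputerUnit(server, {"name": "A. Meier", "date_of_birth": "1961-07-03"})` and one `unit.upload(...)` of a record carrying those two fields plus `systolic` and `pulse`, `server.attacker_view()` contains a single 64-character hex label mapped to `[{"systolic": 142, "pulse": 88}]` and nothing else; after `unit.rotate_label()` the old label is gone from the server and credentials previously handed to a supporter raise `PermissionError`, while `unit.download()` still returns the record. The server is stateless about identity by construction: compromising it yields labels, keys and vital data, but the link to a person exists only on the computer unit (and on any device the credentials were shared with, which is why sharing is a rotation event in the text).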
The computer unit associated with the trusted person can then be granted at least partial access to the de-personalized personal data and to their conversion into personalized personal data.

In principle, the invention also includes embodiments in which all personal information in the personal data is completely de-personalized. This may, however, hamper scientific or other statistical evaluation aimed at gaining important insights. For a particular embodiment, the invention therefore proposes that the de-personalized personal data still contain, regarding the user,
- the year of birth,
- the gender of the user,
- the ethnicity, and
- the state or canton of the place of residence, or the country of the place of residence.
These data can then be used for further analysis of the personal data, for example by scientific analysis institutes, insurance companies and the like. (Taken together, such retained attributes are quasi-identifiers: before treating the result as non-identifying, one should check how many records share each combination of year of birth, gender, ethnicity and canton, and whether the vital data themselves are distinctive enough to single out a person.)

In addition to the personal data network, the invention also relates to software equipped with control logic suitable for the use and formation of a personal data network according to one of the preceding claims. For this purpose, the software has in particular control logic as claimed in claims 1, 3 to 9, 15 and 16.

Advantageous developments of the invention will become apparent from the claims, the description and the drawings. The advantages of features and of combinations of features mentioned in the description are merely exemplary and may apply alternatively or cumulatively, without the advantages necessarily having to be achieved by embodiments of the invention. Without thereby altering the subject matter of the appended claims, further features can be found in the drawings as regards the disclosure of the original application documents and the patent, in particular the illustrated geometries and the relative dimensions of several components and their relative arrangement and operative connection.
The combination of features of different embodiments of the invention or of features of different claims is also possible in deviation from the chosen dependencies of the claims and is hereby suggested. This also applies to features which are shown in separate drawings or are mentioned in their description. These features can also be combined with features of different claims. Likewise, features listed in the claims can be omitted in further embodiments of the invention.

The features mentioned in the claims and the description are to be understood with regard to their number such that exactly this number or a greater number is present, without an explicit use of the adverb "at least" being required. For example, where an element is mentioned, this is to be understood as exactly one element, two elements or more elements. These features may be supplemented by other features or be the only features of the product in question. The reference numerals contained in the claims do not limit the scope of the subject matter protected by the claims. They only serve to make the claims easier to understand.

BRIEF DESCRIPTION OF THE FIGURES

In the following, the invention is further explained and described with reference to preferred embodiments shown in the figures.

Figures 1 to 4 show different exemplary embodiments of the de-personalized transmission of sensitive data over a network, typically the Internet. This network may additionally be designed by technical means to create closed connections from A to B, e.g. as a virtual private network (VPN) or through tunneling.

Fig. 5 shows, in a highly schematic manner, method steps of a control logic for the transmission of de-personalized data, where the control logic relates to a method for the first-time registration of a user.

Fig. 6 shows, in a highly schematic manner, steps of a control logic for the transmission of de-personalized data, where the control logic relates to a method for transmitting de-personalized personal data to a server device.

Fig. 7 shows, in a highly schematic manner, method steps of a control logic for the transmission of de-personalized data, where the control logic relates to a method for the de-personalization of personal data from a server device.

DESCRIPTION OF THE FIGURES

Fig. 1 shows, in a highly schematic manner, a data network 1 with a server device 2 and a computer unit 3 assigned to a user or patient, one of a plurality of further computer units (not shown) communicating with the server device 2 via a network 1, 28. On the one hand, de-personalized personal data 4 with an associated label 5 are sent by the computer unit 3 to the server device 2 in order to store the de-personalized personal data 4 in a memory unit 6 of the server device 2 under the label 5. On the other hand, the computer unit 3 can send a request 7 with the label 5 to the server device 2 to send the de-personalized personal data 4 associated with the label 5 to the computer unit 3. The de-personalization is performed by a software A on the computer unit 3, the re-personalization by a software B on the computer unit 3.

To prevent the stored de-personalized personal data 4 from being assignable in the server device 2 via the requesting IP address of the computer unit 3, a transmission path separating device 9 can be interposed between the server device 2 and the computer unit 3, as shown in a further figure.
The transmission path separating device 9 receives the request 7 with the identification 5 from the IP address of the computer unit 3 and forwards it under its own IP address, without any reference to the IP address of the computer unit 3, to the server device 2. The de-personalized personal data 4 stored in the memory unit 6 are then transmitted by the server device 2 to the transmission path separating device 9, which in turn transmits the de-personalized personal data 4 to the IP address of the computer unit 3, which is known only to it.

In a communication between the computer unit 3 and the server device 2 that otherwise corresponds to Fig. 1, the data network 1 according to Fig. 3 has a supporter computer device 10 which is assigned, for example, to a medical practice, a hospital, a bank or an insurance company. In order to allow access to the personal data there, the user transmits personalized personal data 31 from the computer unit 3 to the supporter computer device 10. At the same time or staggered in time, the identification 5 is transmitted, which is provided with the personal details; these are inserted as a header if the identification matches the document. If the supporter collects further personal data, these can be returned to the computer unit 3 as de-personalized personal data 4 with a random number as identification 5a, after which these personal data can be transmitted as de-personalized personal data 4 with the associated identification 5a to the server device 2 for additional storage. Alternatively or in addition to the supporter computer device 10, an analysis computer device 11 can have access to the de-personalized personal data 33 of a plurality of users by communicating with the server device 2. In the analysis computer device 11, a plurality of de-personalized personal data 33 can then be analysed, and the analysis result 32 of the analysis computer device 11 can be transmitted to the server device 2 or to other devices.
It is also quite possible for de-personalized personal data to be transmitted from the supporter computer device 10 to an analysis computer device 11, with which an analysis facility can then analyse these de-personalized personal data. In this case the analysis computer device 11 communicates with an analysis interface 27 of the server device 2. The result of the analysis can then be transmitted in de-personalized form to the supporter computer device 10 or to the computer unit 3 of the user for further processing.

Fig. 4 shows an embodiment in which (alternatively or additionally) a supporter computer device 10 or a trusted person computer unit 12 is integrated into the data network 1, 28. In order to enable an exchange of the personal data assigned to the user between the server device 2 and the supporter computer device 10 and/or the trusted person computer unit 12, the user transmits from the computer unit 3 an assignment rule, in particular the identification 5 assigned to the user, to the supporter computer device 10 and/or the trusted person computer unit 12. With this assignment rule and, where applicable, further transmitted authentications or passwords, data concerning the de-personalized data assigned to the user can then be exchanged between the supporter computer device 10 and/or the trusted person computer unit 12 on the one hand and the server device 2 on the other. As a further option, Fig. 4 shows that the computer unit 3 can receive vital data 13 via an interface 29; these may originate from a wearable 14 or a vital data acquisition device 30, such as a bracelet or a chest strap, or from an application of the smartphone forming the computer unit 3.
Fig. 5 shows by way of example a method for the first-time registration of a user by the computer unit 3 assigned to him: after an application has been loaded, for example onto the computer unit 3 designed as a smartphone, the user transmits his telephone number in a method step 15 to the device performing the registration, in particular the server device 2. In a method step 16 the identification 5 is then determined, which is sent back in a method step 17, in particular by SMS to the previously transmitted telephone number, to the smartphone. Only then does the user enter the personal data in a method step 18. After this registration the smartphone or computer unit 3 is ready for operation. In particular, de-personalized data can then be transmitted with the identification 5 or 5a to the server device 2, and/or the de-personalized data assigned to the user can be loaded from the server device 2 with reference to the identification 5 or 5a. Neither the personal data nor the association between the telephone number and the identification are stored on the server device 2. The registration can proceed in the same way if the computer unit 3 is not designed as a smartphone but, for example, as a desktop version onto which the application can be loaded. Optionally, in a further method step, the computer unit 3 can ask whether a further computer unit 3 is to be registered as authorized with regard to the user. In this case the further telephone number assigned to another smartphone is then transmitted, for example, from the computer unit 3 to the server device 2. The information to be entered for the person in method step 18 is, for example, surname, first name, date of birth, gender, ethnicity, weight, height, street, place of residence, country, e-mail address, mobile phone number, identity card number, etc. If appropriate, an additional method step can check whether the applicant is a natural person.
Furthermore, the personal details can be verified by accessing a corresponding database. It is also possible to require a declaration of consent to the terms and conditions during registration. The terms and conditions may also include the user's agreement that the de-personalized data of the patient may be evaluated scientifically and/or exploited commercially.

Fig. 6 shows the transmission of de-personalized personal data to the server device 2 for the purpose of storing them there. The method steps mentioned below are performed either by the computer unit 3, which can communicate with the server device 2 (Fig. 1), or by the supporter computer device 10 or the trusted person computer unit 12, which can communicate with the server device 2 (Fig. 4). In a method step 19, personal data are first obtained. This can take place by receiving the personal data from an examination device or from the supporter computer device 10, or by capturing a medical report and the like via a detection device 26. In a subsequent method step 20, the personal information, and any information from which the person can be inferred, is removed from the information unit data, i.e. for example from the doctor's report, the X-ray image and the like. Following this, in method step 21, the data packet containing both the de-personalized data and the associated identification is transmitted to the server device 2. The server device 2 then stores the received de-personalized data in the memory unit 6 under the identification 5 in method step 22.

Fig. 7 shows the method for loading de-personalized data from the server device 2 into the computer unit 3 (Fig. 1) or into the supporter computer device 10 or trusted person computer unit 12 (see Fig. 4). In a method step 23, the computer unit 3 (or the supporter computer device 10 or the trusted person computer unit 12) transmits a request 7 with the identification 5 to the server device 2.
In a method step 24 the server device 2 loads the de-personalized data assigned to the identification 5 from the memory unit 6. The de-personalized data are then transmitted in step 25 to the computer unit 3 (or the supporter computer device 10 or the trusted person computer unit 12), where they are re-personalized, for example by listing the data relating to the person in a header.

The server device 2 may store the de-personalized data of many users on the memory unit 6, each filed under the respective identification 5. This repository containing the data of multiple users is shown as 33 in the figures. Extraction of search terms to enable a search function for the analysis of the de-personalized data of multiple users (33) is also possible. The de-personalized data of a user can be categorized, for example, according to the type of information unit data, for instance by distinguishing between examination findings, medical reports and discharge reports. It is also possible for the aggregation or identification of information unit data to take place depending on the institution carrying out the individual examinations and medical reports. Alternatively or additionally, the information unit data can be categorized according to the disease, the affected body part or the medical specialty. Information unit data of different categories can be made available individually to the user or to a supporter. An application on the computer unit 3 may include a search function to allow easy retrieval of information.

Examples of wearables 14 that can be used in the data network 1 within the scope of the invention are listed, for example, on the Internet site http://www.emdt.co.uk/daily-buzz/5-wearables-could-transform-healthcare.
Examples include:
- "Google lens" for blood glucose monitoring,
- "WearSens" for measuring food intake (see http://www.medicaldaily.com/ucla-engineers-develop-wearsens-food-diary-you-can-wear-around-your-neck-324508),
- Google's smart pill for detecting cancer (see http://mobihealthnews.com/37730/google-x-developing-cancer-scan-ning-piil-that-transmits-to-a-wearable-sensor/),
- wearable sensors for the continuous measurement of body fluids (see http://www.emdt.co.uk/daily-buzz/higher-powered-wearable-sensors), and
- sensors for continuous ECG measurement (see http://internetmedicine.com/irhythm/).

An analysis facility integrated into the data network 1 can evaluate a large number of de-personalized data of one or more patients, with additional validation and release possible from a medical point of view. The analysis results or the generated data extracts may contain, in particular, the following information and data:
- an electronic doctor's letter (see http://www.aerzteblatt.de/archiv/167716/Elektronischer-Arztbrief-Arztnetze-fuer-the-trial-seeks),
- discharge reports, bank statements,
- lists of diagnoses, and lists of expenses by category in the manner of bank statements,
- referral reports, payment transfers, claim reports,
- risk analyses,
- summaries on specific questions,
- reminders and prompts for a doctor's visit, vaccination, cancer screening, for taking tablets etc., and for standing orders in banking,
- evaluations and assessments of medical images (X-rays, blood counts, skin lesions),
- alerting of health care staff in the event of critical vital data for patients in the intensive care unit, on a ward, in a nursing home or in assisted living at home, and
- evaluations for the pharmaceutical, insurance and scientific industries.
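As an added illustration, not the applicant's code and not part of the patent, the following Python model walks through the data flows of Figs. 1, 2 and 5 to 7 and of claims 1, 14, 15 and 16: registration by telephone number with the identification 5 delivered out of band, de-personalization and re-personalization by a header on the computer unit 3, storage under the identification on the server device 2, the transmission path separating device 9 that hides the client's address from the server, and the renewal of the identification after it has been disclosed to a supporter. Class and function names, the field list, the sample user, the addresses and the SMS gateway (a dictionary) are assumptions constructed for the example. The check at the end is the property claim 1 e) demands: nothing the server stores or sees links an identification to the user.

```python
import secrets

# Registration data (step 18) that must never leave the computer unit 3 (constructed field names).
PERSONAL_FIELDS = {"name", "first_name", "date_of_birth", "street", "city",
                   "email", "phone", "id_card_number"}
SMS_GATEWAY = {}  # simulated SMS network for step 17: phone number -> delivered identification

class ServerDevice:
    """Server device 2: memory unit 6 holds only de-personalized records filed under a label (5)."""

    def __init__(self):
        self.memory_unit = {}        # label -> list of de-personalized records
        self.seen_addresses = set()  # every sender address the server ever observes

    def register(self, sender, phone_number):
        """Steps 15-17: issue a random label and send it by SMS; the phone<->label pair is not kept."""
        self.seen_addresses.add(sender)
        SMS_GATEWAY[phone_number] = secrets.token_hex(16)

    def upload(self, sender, label, record):
        """Step 22: refuse anything still carrying personal fields, then file it under the label."""
        self.seen_addresses.add(sender)
        leaked = PERSONAL_FIELDS & set(record)
        if leaked:
            raise ValueError(f"record still personalized: {sorted(leaked)}")
        self.memory_unit.setdefault(label, []).append(dict(record))

    def request(self, sender, label):
        """Steps 23-25: answer a request (7) with the records filed under the label."""
        self.seen_addresses.add(sender)
        return [dict(r) for r in self.memory_unit.get(label, [])]

    def delete(self, sender, label):
        self.seen_addresses.add(sender)
        self.memory_unit.pop(label, None)

class TransmissionPathSeparator:
    """Device 9: relays every message under its own address, so the server never sees the client's."""

    def __init__(self, server, own_address):
        self.server, self.own_address = server, own_address

    def __getattr__(self, operation):  # register/upload/request/delete are all relayed the same way
        forward = getattr(self.server, operation)
        return lambda _client_address, *args: forward(self.own_address, *args)

class ComputerUnit:
    """Computer unit 3: holds the assignment rule (label + personal data); runs software A and B."""

    def __init__(self, network, address):
        self.network, self.address = network, address  # network: the server or the separator
        self.label, self.personal = None, {}

    def register(self, phone_number, personal_data):
        self.network.register(self.address, phone_number)
        self.label = SMS_GATEWAY.pop(phone_number)  # the label arrives by SMS (step 17) ...
        self.personal = dict(personal_data)         # ... and only then are personal data entered (step 18)

    def depersonalize(self, document):
        """Software A: drop personal fields, keep the payload plus the attributes claim 18 permits."""
        record = {k: v for k, v in document.items() if k not in PERSONAL_FIELDS}
        record.update(birth_year=int(self.personal["date_of_birth"][:4]),
                      gender=self.personal["gender"], country=self.personal["country"])
        return record

    def repersonalize(self, record):
        """Software B: re-attach a header (8a) built from the locally held personal data."""
        header = {k: self.personal[k] for k in ("name", "first_name", "gender", "date_of_birth")}
        return {"header": header, **record}

    def upload(self, document):
        self.network.upload(self.address, self.label, self.depersonalize(document))

    def download(self):
        return [self.repersonalize(r) for r in self.network.request(self.address, self.label)]

    def rotate_label(self):
        """Claim 16: after the label was handed to a supporter, re-file the data under a fresh one.
        Deleting the old filing is this example's addition; the claim only requires the re-upload."""
        records = self.network.request(self.address, self.label)
        old, self.label = self.label, secrets.token_hex(16)
        for r in records:
            self.network.upload(self.address, self.label, r)
        self.network.delete(self.address, old)

def server_can_link(server, unit):
    """Claim 1 e): does anything the server stores or has seen reveal the user behind a label?"""
    user_secrets = {str(v) for k, v in unit.personal.items() if k in PERSONAL_FIELDS}
    stored = {str(v) for recs in server.memory_unit.values() for r in recs for v in r.values()}
    return bool(user_secrets & stored) or unit.address in server.seen_addresses

def demo():
    """Constructed walk-through: register, upload one lab report, then renew the label."""
    server = ServerDevice()
    unit = ComputerUnit(TransmissionPathSeparator(server, "203.0.113.9"), "198.51.100.23")
    unit.register("+41790000000", {
        "name": "Muster", "first_name": "Anna", "date_of_birth": "1984-05-17", "gender": "f",
        "street": "Bahnhofstrasse 1", "city": "Zürich", "country": "CH",
        "email": "anna@example.org", "phone": "+41790000000", "id_card_number": "X1234567"})
    unit.upload({"name": "Muster", "first_name": "Anna", "category": "lab_report", "text": "HbA1c 6.1 %"})
    first_label = unit.label
    unit.rotate_label()
    return server, unit, first_label
```

Two caveats a practitioner should take from the model. The server's refusal of records that carry known personal field names is a belt-and-braces check, not the de-personalization itself, which the description places on the computer unit 3; a server that must inspect content to enforce this is already seeing more than it should. And the attributes the description allows to remain (year of birth, gender, canton or country) are quasi-identifiers: in a small population they can still single out a person, so the retained set should be chosen per data set rather than fixed once.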
On the computer unit 3, in particular by means of a smartphone application, the following take place: the registration, the temporary storage of personal data, the procurement and reading in of new personal data, the de-personalization of personal data, the generation of identifications for use with de-personalized data packets, and the connection to the server device 2 with the subsequent upload. On the server device 2, on the other hand, the management of the de-personalized personal data with the associated identification, the access management for the users, and analysis facilities and the like are carried out. An application on a computer unit 3 designed as a smartphone may, for example, include a menu interface with the menu items
- "Login" to enable login with a user ID and password,
- "My personal data online",
- "My next appointment",
- "Scan personal data",
- "Import personal data",
- "Process personal data",
- "Request a prescription",
- "Have a laboratory examination performed",
- "Book a medical appointment",
- "Chat",
- "Manage settings" and/or
- "Manage favourites"
and execute the assigned functions. De-personalized data are transmitted via the data network 1, 28 in particular as metadata according to the IHE standard. For re-personalization, instead of (re)inserting the patient data into the document, the identification 5 can be inserted as a header in the documents, which can be linked to the user's personal data via his assignment rule. The download and upload of the de-personalized data take place over an encrypted connection. The de-personalized personal data may additionally be encrypted according to the usual known encryption technologies. Access management for third parties such as trusted persons or analysis facilities may be implemented by the protocol known as "OAuth", as described in the relevant literature and at https://de.wikipedia.org/wiki/OAuth.
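Method step 20 and claims 3 to 8 describe the recognition logic that strips personal information from the information unit data, and the local store that lets software B rebuild the original. The following Python example, added here and not taken from the patent, implements one way of doing that for a text document: formation rules (regular expressions) for e-mail addresses, telephone numbers and dates; predetermined words taken from the user's own assignment rule (surname, first name, street, city); and spans the user marks by hand as in claim 7. Dates are generalized to the year as claim 5 permits; everything else is replaced by a placeholder whose original stays on the computer unit. The doctor's letter, the patient profile and the patterns are constructed for the example.

```python
import re

# Formation rules (claim 6 b) for information that points to the person. Constructed patterns:
# the date rule is generalized to the year (claim 5); the other two are removed outright.
FORMATION_RULES = [
    ("EMAIL", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"), None),
    ("PHONE", re.compile(r"\+\d{2}(?:[ \d]{7,}\d)"), None),
    ("DATE", re.compile(r"\b(\d{2})\.(\d{2})\.(\d{4})\b"), lambda m: m.group(3)),
]
PLACEHOLDER = re.compile(r"\[\[([A-Z]+-\d+)(?:\|[^\]]*)?\]\]")

# Constructed doctor's letter (information unit data) as it would sit on the computer unit 3.
DOCTOR_LETTER = (
    "University Hospital Zürich, 03.04.2016\n"
    "Patient: Anna Muster, born 17.05.1984, Bahnhofstrasse 1, 8001 Zürich\n"
    "Contact: anna.muster@example.org, +41 79 000 00 00\n"
    "Findings: HbA1c 6.1 %, blood pressure 128/82 mmHg. Follow-up in 3 months.\n"
)

def _word_pattern(word):
    return re.compile(r"(?<!\w)" + re.escape(word) + r"(?!\w)", re.IGNORECASE)

def depersonalize(text, personal_words, manual_spans=()):
    """Software A, step 20. Returns (uploadable text, locally kept map placeholder -> original)."""
    removed = {}

    def placeholder(kind, original, generalized=None):
        key = f"{kind}-{len(removed) + 1}"
        removed[key] = original
        return f"[[{key}|{generalized}]]" if generalized else f"[[{key}]]"

    for kind, rule, generalize in FORMATION_RULES:  # claim 6 b: formation rules first
        text = rule.sub(lambda m, k=kind, g=generalize:
                        placeholder(k, m.group(0), g(m) if g else None), text)
    # Claim 6 b and claim 7: predetermined words from the assignment rule plus spans the user
    # marked by hand; longest first so "Bahnhofstrasse 1" is not broken up by a shorter match.
    words = list(dict.fromkeys(list(manual_spans) + list(personal_words)))
    for word in sorted((w for w in words if w), key=len, reverse=True):
        text = _word_pattern(word).sub(lambda m: placeholder("WORD", m.group(0)), text)
    return text, removed

def repersonalize(text, removed):
    """Software B, claim 8 bb: rebuild the original information unit data from the local map."""
    return PLACEHOLDER.sub(lambda m: removed[m.group(1)], text)

def residual_personal_words(text, personal_words):
    """Pre-upload check: predetermined words that still occur in the de-personalized text."""
    return [w for w in personal_words if _word_pattern(w).search(text)]

def demo():
    profile = {"name": "Muster", "first_name": "Anna", "street": "Bahnhofstrasse 1", "city": "Zürich"}
    # The postal code is not in the profile, so the user marks it on the output (claim 7).
    return depersonalize(DOCTOR_LETTER, profile.values(), manual_spans=["8001"])

if __name__ == "__main__":
    safe, removed = demo()
    print(safe)
    print(repersonalize(safe, removed) == DOCTOR_LETTER)
```

The round trip is exact because every removed piece is kept under its placeholder on the computer unit; the uploaded text carries only the placeholders and the generalized years. The pre-upload check is deliberately pessimistic in the other direction: it only finds the words it was given, so a free-text mention the profile does not cover (an employer, a relative's name, an institution that is itself identifying) passes it, which is the gap the manual wipe of claim 7 exists to close.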
Which components of the de-personalized data third parties can access can be determined individually by the user on the basis of stored profiles and controlled by the application on the computer unit 3 or on the server device 2. It is possible that the user, when creating his profile, must give consent that a disclosure of personal information to third parties, representatives or a trusted person may, in the last instance, be released by a fiduciary. Data access by a representative comes into question in particular when the user is unconscious, under guardianship or deceased, or when the computer unit 3, which alone holds the assignment rule, has been lost. It is possible that a method described on the Internet site https://validic.com/api is used within the scope of the invention. For the removal of personal information, a document such as a doctor's letter or an X-ray image can first be completely "blacked out" or deleted, after which the user can selectively reactivate certain components of this document by means of a kind of wiping function. Conversely, the user can himself black out, by means of a wiping function, places in his document that are not yet blacked out and that point to his person.

LIST OF REFERENCE NUMBERS
A Program for de-personalization (de-identification) of the data in electronic or handwritten form
B Program for re-personalization (re-identification) of the data by restoring the original document or by inserting a header with personal data such as surname, first name, gender, date of birth
C Data analysis program(s)
1 Personal closed data network, e.g. tunnelled or VPN, via which sensitive data of all kinds, such as health data and bank data, can be exchanged in personalized or de-personalized form
2 Server device (device remote from the user and connected to the network, for storing and managing data)
3 Personal computer unit (user-controlled electronic device such as smartphone, tablet PC or desktop PC, for recording, processing, managing, storing and de-personalizing data)
4 De-personalized personal data (data that can no longer be assigned to a person without a key)
5 Identification (of the de-personalized data; can only be assigned to a person with a key)
5a Random identification
6 Memory unit (technical device for storing de-personalized data)
7 Request (electronic request or electronic order)
8 Personalized personal data in electronic or other form, such as electronic mail or on paper
8a Re-personalized personal data, in the form of the original or with a header containing the personal information
9 Transmission path separating device (means that makes it impossible to trace the transmission path of the data)
10 Supporter computer device (computer device of an institution supporting the user, such as hospital, doctor, bank or insurance company)
11 Analysis computer device (computer device for analysing and evaluating data such as vital data, banking data, health data etc., with the primary aim of bringing the evaluations and findings to the attention of the user and the secondary aim of gaining new knowledge of general interest)
12 Trusted person computer unit (computer unit of a person with a fiduciary function)
13 Vital data (measurement data such as weight, pulse, blood pressure, blood sugar etc.)
14 Wearable (garment, patch or accessory such as a bracelet, with built-in sensors for measuring vital signs and events such as taking medicines or registering goods during purchases)
15 Method step
16 Method step
17 Method step
18 Method step
19 Method step
20 Method step
21 Method step
22 Method step
23 Method step
24 Method step
25 Method step
26 Detection device
27 Analysis interface (interface between the stored de-personalized data and the device for processing, storing and transferring data)
28 Personal public network, Internet
29 Interface
30 Acquisition of data from wearables, handhelds, scales, electronic equipment in vehicles such as steering wheel and cameras, and in real estate such as electricity and water meters
31 Personalized personal data
32 Analysis result
33 De-personalized data of a large number of users

Claims (19)

[1] 1. A data network (1, 28) having
a) a server device (2) on which personal, sensitive data of a user are stored, and
b) a computer unit (3) assigned to a user,
c) wherein the computer unit (3) and the server device (2) communicate with one another via a network (1, 28) for exchanging the personal data,
characterized in that
d) an assignment rule is present on the computer unit (3) assigned to the user, which links the user and his de-personalized personal data by means of an identification (5),
e) the personal data are stored on the server device (2) exclusively as de-personalized personal data (4) with the identification (5), whereby a personalization of the de-personalized personal data (4), in the form of an association of the de-personalized personal data with the assigned user, is not possible on the basis of the de-personalized personal data (4) and the identification (5) present on the server device (2),
f) the computer unit (3) assigned to the user has control logic by means of which
a) a request (7) to the server device (2) concerning the transmission of the de-personalized personal data (4) is generated, the request including the identification (5) associated with the user, and the de-personalized personal data (4) to which the identification (5) is assigned are transmitted in response to the request from the server device (2) via the network (28) to the computer unit (3), and/or
b) personalized personal data are converted on the computer unit (3), using the assignment rule, into de-personalized personal data (4) with the assigned identification (5), and the de-personalized personal data (4) with the associated identification (5) are then transmitted from the computer unit (3) via the network (1, 28) to the server device (2).
[2] 2. Data network (1, 28) according to claim 1, characterized in that the computer unit (3) assigned to the user is a computer, a tablet, a mobile phone, a smartphone, a smartwatch, a wearable or a PDA.
[3] 3.
Personal data network (1, 28) according to claim 1 or 2, characterized in that the computer unit (3) assigned to the user has control logic by means of which personal information contained in the personal data, and information that allows inferences about the person, is a) automatically and/or b) manually removed or converted by the user.
[4] 4. Data network (1, 28) according to claim 3, characterized in that the computer unit (3) assigned to the user has control logic including a recognition logic, by means of which personal information, and information that allows inferences about the person, is automatically recognized in the information unit data and removed from the information unit data.
[5] 5. Data network (1, 28) according to claim 3 or 4, characterized in that the computer unit (3) assigned to the user has control logic which converts personal information, and information that allows inferences about the person, into generalized personal information and generalized information that allows inferences about the person.
[6] 6. Personal data network (1, 28) according to one of claims 3 to 5, characterized in that a) the recognition logic includes a text, image or audio recognition logic, b) the control logic identifies personal information, and information that allows inferences about the person, by matching recognized words, images or audio components against predetermined words, images, audio components or formation rules, and c) the control logic removes the identified personal information, and the identified information that allows inferences about the person, from the information unit data or converts it into generalized personal information and generalized information that allows inferences about the person.
[7] 7.
Personal data network according to one of claims 3 to 6, characterized in that the computer unit (3) assigned to the user has control logic a) by means of which information unit data are output on an output of the computer unit (3), and b) which allows the user, on the basis of the output, to remove personal information identified in the information unit data, and information that allows inferences about the person, or to convert it into generalized personal information and generalized information that allows inferences about the person.
[8] 8. Personal data network (1, 28) according to one of claims 3 to 7, characterized in that the computer unit (3) assigned to the user has control logic a) by means of which the personal information, and the information that allows inferences about the person, that has been removed from the information unit data or converted into generalized form is stored, and b) which carries out an at least partial reconstruction of the original information unit data with the personal information from ba) the de-personalized personal data (4) received from the server device (2) via the network (1, 28), in whose information unit data the personal information and the information that allows inferences about the person has been removed or converted into generalized form, and bb) the stored personal information.
[9] 9. Personal data network (1, 28) according to one of the preceding claims, characterized in that the computer unit (3) assigned to the user has control logic which allows a) a transmission of personalized personal data (31) and/or b) a transmission of the assignment rule to a supporter computer device (10).
[10] 10. Personal data network (1, 28) according to one of the preceding claims, characterized in that an analysis interface (27) of the personal data network (1, 28) is connected to an analysis computer device (11).
[11] 11.
Personal data network (1, 28) according to one of the preceding claims, characterized in that the supporter computer device (10), the analysis computer device (11), the server device (2) and/or the computer unit (3) assigned to the user has control logic which derives findings from the de-personalized personal data (4) of a user and/or generates automatic messages.
[12] 12. Personal data network (1, 28) according to one of the preceding claims, characterized in that the supporter computer device (10), the analysis computer device (11), the server device (2) and/or the computer unit (3) assigned to the user has detection means (26) by which personalized or de-personalized personal data can be captured.
[13] 13. Personal data network (1, 28) according to one of the preceding claims, characterized in that the computer unit (3) assigned to the user is connected via an interface (29) to a vital data acquisition device (30).
[14] 14. Personal data network (1, 28) according to one of the preceding claims, characterized in that a transmission path separating device (9) is interposed between the computer unit (3) assigned to the user and the server device (2), which transmits de-personalized personal data (4) sent by the computer unit (3) to the server device (2) and makes it impossible to draw conclusions, from the de-personalized personal data (4) on the server device (2), about the transmission path from the computer unit (3).
[15] 15. Personal data network (1, 28) according to one of the preceding claims, characterized in that the computer unit (3) assigned to the user has control logic for registering the user, which a) sends out a telephone number of the computer unit (3), b) receives a code for authentication of the computer unit (3), and c) receives data on the person of the user only after receiving the code for authentication of the computer unit (3), which data are then stored in the computer unit (3).
[16] 16.
Personal data network (1, 28) according to one of the preceding claims, characterized in that the computer unit (3) assigned to the user has control logic a) which, aa) after a transmission of the de-personalized personal data (4) from the server device (2) to the computer unit (3) and/or the supporter computer device (10), and/or ab) after a transmission of the assignment rule or identification (5) to a supporter computer device (10), b) generates a new identification (5), and c) then transmits the de-personalized personal data (4) with the new identification (5) from the computer unit (3) via the network (1, 28) to the server device (2).
[17] 17. Data network (1, 28) according to one of the preceding claims, characterized in that the assignment rule is transmitted to a trusted person computer unit (12) of a trusted person, and the trusted person computer unit (12) is allowed at least partial access to the de-personalized personal data and to their conversion into personalized personal data.
[18] 18. Personal data network (1, 28) according to one of the preceding claims, characterized in that the de-personalized personal data (4) contain, with regard to the user, a) the year of birth, b) the gender, c) the ethnicity, d) belonging to a race and/or e) the country of residence.
[19] 19. Software with control logic for use in a personal data network (1, 28) according to one of the preceding claims.
Patent family:
Publication number | Publication date
EP3433778A1 | 2019-01-30
US20200272761A1 | 2020-08-27
CH712285B1 | 2020-04-30
WO2017161464A1 | 2017-09-28
Priority and related applications:
Application number | Filing date | Title (publication)
CH00389/16A | 2016-03-21 | Data network for converting personalized personal data into de-personalized personal data and transmission of the de-personalized data to a server (CH712285B1)
US16/756,817 | 2017-03-21 | Software having control logic for secure transmission of personal data via the internet from computers to the server, with secure storage of the data on servers (US20200272761A1)
EP17712917.8A | 2017-03-21 | Software having control logic for secure transmission of personal data via the internet from computers to the server, with secure storage of the data on servers (EP3433778A1)
PCT/CH2017/000030 | 2017-03-21 | Software having control logic for secure transmission of personal data via the internet from computers to the server, with secure storage of the data on servers (WO2017161464A1)