醫療資訊管理應用之行動代理人及個人健康紀錄安全存取控制

Abstract

隨著數位科技與網際網路的普及化，不僅使大眾的消費模式由原本的實體店面購買轉變成網路虛擬店鋪交易，雖然交易型態的改變帶來便利的生活及購物環境，但是對於網路交易的資訊安全以及產品服務品質皆存在著疑慮。然而，現今醫療資訊系統的轉變也陸續將實體紙本資料以數位資訊的方式呈現或保存，提供使用者透過網路快速分享並取得資訊。 在數位化的發展模式下，各醫療機構的傳統紙本資訊，包含病歷資料、護理資料、藥劑資料也逐漸發展成各種便於管理的資訊系統模式；如何將這些電子化的資訊妥善管理並整合成有用的資訊，以提供給合法授權的醫療人員使用，使醫療人員能夠更有效率的執行各種決策與管理，是目前最重要的議題。醫療資訊的內容，包含個人資料、醫療資訊等機密資訊，只要透過網路存取資料，就可能存在遭受攻擊或竊取資料的風險；倘若遭受線上惡意攻擊或資料遭竊取，非但個人隱私不保，甚至可能遭受財產或名譽損失。因此，隨著智慧型行動裝置愈加普及，所衍伸出的資安防護需求也開始於市場醞釀，該如何進行權限管控，保護存取的安全性，將是資訊分享是否得以有效獲得推展的關鍵，為了防範惡意的網路攻擊，必須建立一個有效且安全的存取控制系統。 本論文運用行動代理人的優點來克服異質性的系統環境，建構一個虛擬整合的醫療資訊分享模式，並且透過行動代理人收集分散在各個醫療機構的醫療資訊，達到跨醫療院所醫療資訊分享的目的，使用公開金鑰密碼系統和 Lagrange插值法提出一個存取控制與金鑰管理機制，來確保醫療資訊分享的安全性與機密性。此外，基於個人健康紀錄(PHR)均為患者自身的健康醫療資訊，因此，其隱私設定及存取權限則必須嚴格控管，個人健康紀錄系統除了提供具有存取權限之使用者合理存取之外，也需要避免無持有權限的單一使用者或是團體非法入侵存取。因此，本系統的安全性分析是以網路攻擊者的角度分析，且根據本論文分析結果顯示文中所提出的存取控制與金鑰管理機制可以有效率且安全地保護各醫療院所所分享的醫療資訊。

A procedure is with the digital technology and the internet become more and more common, they make people change their original consumption pattern. Originally, people purchase at physical stores while they change the way to internet virtual shops. Even though this kind of transaction type brings convenient life and shopping environment, internet transaction still exists some problems about information security and product’s quality. However, medical information system also replaces the paper data to digital information for presenting and storing. This provides users to share and acquire information immediately through internet. Under the development of digitalization, the traditional paper information which includes medical records, nursing information, and pharmaceutical information. This information gradually develops into different kinds of information system modes and easily to manage; otherwise, how to properly store and integrate this electronic information into available information in order to offer the legal and authorized medical staff. This makes medical staff could implement the decision and manage efficiently. It becomes the most important issue recently. The content of medical information which includes confidential information such as personal and medical information might have been attacked or stolen through internet. If we suffer from hostility attack or data stolen, this situation would cause personal information be stolen and even lose property and reputation. Therefore, with the smart mobile devices become more and more common, the needs of information security also brew among the market. This form a problem that how to control the authority and protect the security will be the pivotal key to acquire effective develops. In order to prevent hostility attack form internet, we need to build an effective and secure system to store and control. This paper uses the action agent’s benefit to overcome heterogeneous system environment to establish a medical information sharing mode which is virtual and integrated. Through action agent, we can collect each medical institution’s medical information in order to approach the purpose of sharing the information across medical facilities. Using the public key cryptography system and the Lagrange interpolation method to propose an access control and key management mechanism to ensure the safety and confidentiality of medical information sharing. Otherwise, Personal health records are the information of patient; therefore, the privacy settings and access must be strictly controlled. Besides providing access to users with access rights, the PHR system also needs to avoid unauthorized access to a single user or group without permission. Therefore, the security analysis of the system is based on the analysis of network attackers. According to the analysis of the results of this paper, it shows that the proposed access control and key management mechanism can be efficient and safe to protect the medical institutions to share the information.