Personal information platform based on mobile health

Document No.: 1407038 Publication date: 2020-03-06

Reading note: This technology, "Personal information platform based on mobile health", was designed by 李大旭, 彭姣, 白俊, 康志强, 曹瑾 and 郝瑞霞 on 2019-11-13. Main content: The invention provides a personal information platform based on mobile health, characterized by comprising: a DMZ area, which is the area accessed by external users connecting through the Internet; an external connection area, which handles external access; a system interconnection area, which handles interconnection of the application management system with medical institution systems and other access institution systems; a management area, responsible for managing device access; a core exchange area, responsible for the platform's data interaction; and an application service area, responsible for platform data and application services. Through an information-based personal information platform centred on the patient, the invention enables cross-organization, efficient network communication and coordination. Through the personal information platform based on mobile health, patients, medical service providers and government regulators can establish a relationship of mutual trust, thereby reducing costs, optimizing the allocation of medical service resources and raising the overall management level of health administration.

1. A personal information platform based on mobile health, characterized by comprising:

a DMZ area, which is the area accessed by external users connecting through the Internet;

an external connection area, which is the area that handles external access;

a system interconnection area, which is the area that handles interconnection of the application management system with medical institution systems and other access institution systems;

a management area, which is the area responsible for managing device access;

a core exchange area, which is the area responsible for the platform's data interaction; and

an application service area, which is the area responsible for platform data and application services.

2. The mobile health-based personal information platform according to claim 1, wherein the system interconnection area implements user management, rights management and database management: a system administrator adds, modifies and deletes users through user management, manages the platform's roles and the users' rights through rights management, and imports and exports data and backs up the database through database management.

3. The mobile health-based personal information platform of claim 2, wherein the management area comprises a user management module and a system management module, and the user management module is used for performing unified management on the user roles of the platform; and the system management module maintains the parameters of the platform system and related data.

4. The personal information platform based on mobile health as claimed in claim 3, wherein the user management module further comprises a function service module, an account authority module, a login authentication module and a service integration module,

the function service module comprises a plurality of platform function application packages, and each application package corresponds to one platform service function;

the system administrator selects a corresponding menu for a login account of a system worker through the account permission module, so as to distribute menu permission to the login account;

the login authentication service module is used for outputting a login interface to a display, letting system workers enter login information through the login interface, and verifying the login information to implement account login and application package login;

and the service integration module is used for acquiring the menu distributed by the current login account from the account authority module after the login information passes the verification, and outputting the menu information comprising the corresponding application package.

5. The personal information platform based on mobile health as claimed in claim 4, wherein the login information comprises an account code, an account password and an account name, the application package information comprises an application package code, an application package name and an application package URL, and the menu information comprises a menu code, a menu name and a corresponding application package.

6. The mobile health-based personal information platform according to claim 5, wherein each data record of the key data table in the database has encryption verification information, and encryption verification is performed according to key field information.

7. The personal information platform based on mobile health as claimed in claim 6, wherein the data communication between the respective areas adopts an end-to-end encryption transmission mechanism: the sending end application encrypts the data to be transmitted and then transmits the data through the network, the data is decrypted after reaching the destination end application, and all intermediate links do not process the data content.

8. The personal information platform based on mobile health as claimed in claim 7, wherein the sending end generates a message authentication code (MAC) for the transmitted data by using a hash algorithm and transmits the MAC together with the data, and the receiving end, by verifying the MAC, can ensure that the data has not been tampered with during transmission.

9. The mobile health-based personal information platform according to claim 8, wherein the data encryption is performed by using an asymmetric cryptography and a symmetric cryptography, the key data including the session key is encrypted by using an asymmetric cryptography, and the service data transmission is encrypted by using a symmetric cryptography.

10. The mobile health-based personal information platform of claim 9, wherein redundant devices are adopted, and the core data layer and the service layer use dual machines, a shared disk array and high-availability cluster multiprocessing disaster recovery software.

Technical Field

The invention relates to a personal information platform based on mobile health, and belongs to the technical field of network informatization services.

Background

Information management is currently a common mode of remote management. However, existing medical systems are usually deployed independently: there is relatively little connection between villages and hospitals or among villages, and the capacity for coordination and cooperation is relatively poor. This reduces the level of trust between patients, healthcare providers and government regulatory agencies. In view of this, Chinese patent CN109472440A discloses an information-based and intelligent medical and defense fusion platform, but that disclosure covers only management rules and discloses nothing about the system's architecture or security controls.

Disclosure of Invention

In view of the above, the invention provides a personal information platform based on mobile health that has a clear architecture and high security.

In order to achieve the purpose, the invention provides the following technical scheme:

A personal information platform based on mobile health, comprising:

a DMZ area, which is the area accessed by external users connecting through the Internet;

an external connection area, which is the area that handles external access;

a system interconnection area, which is the area that handles interconnection of the application management system with medical institution systems and other access institution systems;

a management area, which is the area responsible for managing device access;

a core exchange area, which is the area responsible for the platform's data interaction; and

an application service area, which is the area responsible for platform data and application services.

Preferably, the system interconnection area implements user management, authority management and database management, a system administrator implements operations of adding, modifying and deleting users through user management, manages roles of the platform and authorities of the users through authority management, and performs data import and export and database backup through database management.

Preferably, the management area comprises a user management module and a system management module, and the user management module is used for uniformly managing the roles of the platform users; and the system management module maintains the parameters of the platform system and related data.

Preferably, the user management module further comprises a functional service module, an account authority module, a login authentication module and a service integration module,

the function service module comprises a plurality of platform function application packages, and each application package corresponds to one platform service function;

the system administrator selects a corresponding menu for a login account of a system worker through the account permission module, so as to distribute menu permission to the login account;

the login authentication service module is used for outputting a login interface to a display, letting system workers enter login information through the login interface, and verifying the login information to implement account login and application package login;

and the service integration module is used for acquiring the menu distributed by the current login account from the account authority module after the login information passes the verification, and outputting the menu information comprising the corresponding application package.

Preferably, the login information comprises an account code, an account password and an account name, the application package information comprises an application package code, an application package name and an application package URL, and the menu information comprises a menu code, a menu name and a corresponding application package.

Preferably, each data record of the key data table in the database has encryption verification information, and encryption verification is performed according to the key field information.

Preferably, the data communication between the regions adopts an end-to-end encryption transmission mechanism: the sending end application encrypts the data to be transmitted and then transmits the data through the network, the data is decrypted after reaching the destination end application, and all intermediate links do not process the data content.

Preferably, the sending end generates a message authentication code (MAC) for the transmitted data by using a hash algorithm and transmits the MAC together with the data, and the receiving end, by verifying the MAC, can ensure that the data has not been tampered with during transmission.

Preferably, an asymmetric cipher system and a symmetric cipher system are used for data encryption, an asymmetric cipher is used for encryption processing on key data including a session key, and a symmetric cipher is used for encryption processing on service data transmission.

Preferably, redundant equipment is adopted, and the core data layer and the service layer adopt dual computers, a shared disk array and high-availability cluster multi-processing disaster-tolerant backup software.

The beneficial effects of the invention are as follows. The information-based personal information platform is centred on the patient, so that hospitals at different levels, medical management departments and patients can achieve cross-organization, efficient network communication and coordination while sharing information resources. Through the mobile health-based personal information platform, patients, medical service providers and government regulators can establish a relationship of mutual trust, which reduces costs and optimizes the allocation of medical service resources. The platform also provides services such as automated daily monitoring reports, disease monitoring, medical expense monitoring, disease early warning and decision support, which improves the government's response speed and handling capacity in public health emergencies, improves the efficiency of unified scheduling of health resources, and raises the overall management level of health administration.

Drawings

FIG. 1 is a schematic diagram of a topology of a personal information platform based on mobile health according to the present invention.

Detailed Description

The invention discloses a personal information platform based on mobile health which, as shown in FIG. 1, comprises:

a DMZ area, which is the area accessed by external users connecting through the Internet;

an external connection area, which is the area that handles external access;

a system interconnection area, which is the area that handles interconnection of the application management system with medical institution systems and other access institution systems;

a management area, which is the area responsible for managing device access;

a core exchange area, which is the area responsible for the platform's data interaction; and

an application service area, which is the area responsible for platform data and application services.

The system interconnection area realizes user management, authority management and database management, a system administrator realizes the operations of adding, modifying and deleting users through the user management, manages the roles of the platform and the authorities of the users through the authority management, and conducts data import and export and database backup through the database management.

The management area comprises a user management module and a system management module. The user management module manages the roles of platform users in a unified way, and the system management module maintains the platform's system parameters and related data. The user management module further comprises a function service module, an account authority module, a login authentication module and a service integration module. The function service module comprises a plurality of platform function application packages, each corresponding to one platform service function. Through the account authority module, the system administrator selects the corresponding menus for a system worker's login account, thereby assigning menu permissions to that account. The login authentication service module outputs a login interface to a display, lets system workers enter login information through that interface, and verifies the login information to implement account login and application package login. After the login information passes verification, the service integration module obtains from the account authority module the menus assigned to the currently logged-in account and outputs the menu information, including the corresponding application packages.

The invention provides a unified identity recognition mechanism and establishes a unique identifier and index for each resident's identity. The master index (MPI) refers to a code that, within a particular domain, identifies each individual in that domain and keeps that individual unique. The personal master index service is a system service for obtaining the unique identifier of a personal entity across multiple domains.

The API of the message-oriented middleware is used to send messages between two applications, or within a distributed system, for asynchronous communication; it supports two messaging modes, point-to-point and publisher/subscriber.

The information platform holds a large amount of private content belonging to patients, medical institution systems and other access institutions, so its privacy requirements are very strict.

The login information comprises an account code, an account password and an account name, the application package information comprises an application package code, an application package name and an application package URL, and the menu information comprises a menu code, a menu name and a corresponding application package.

In the present invention, the content-based routing and filtering provided by the Enterprise Service Bus (ESB) may be used to support healthcare business collaboration. Mainstream operating systems, database systems, server virtualization software and message middleware are supported, as are the latest Web Service standards and specifications; support is provided for mainstream application development frameworks, with implementation interfaces for mainstream programming languages; and mainstream hardware servers are compatible.

SOA design principles and technical standards are followed, providing loose coupling and separating business logic, application logic, data logic and so on. Intelligent routing is supported through flexible message routing, including processing and routing based on message content. Format conversion of standard XML data is supported, and the conversion can be implemented in several ways. A publish/subscribe function is provided, with two subscription modes, queue and topic. Reliable data or message transmission is provided, mainstream message middleware is supported, and open communication protocols are supported.

The platform is guaranteed to operate 7×24 h, to run normally when the data volume or the number of application connections is at its peak, and to run continuously. It has good horizontal scalability and implements load balancing. Hardware servers and ESB nodes can be added dynamically without taking the enterprise service bus out of service.

A reliable security system must take the application as its core and policy as its means, allocate resources reasonably, and form a security architecture in which the system maintains its own security. The invention forbids unauthorized access to resources, including application data, hardware resources, network resources and the like; it forbids illegal access to resources, such as remote login, anonymous FTP, network eavesdropping and the like; and all modifications to critical data, objects and configuration must be well documented.

In light of the above security objectives, the security design of the invention is specifically as follows.

The platform of the invention adopts a unified user management system: each object that can access system resources (medical service organization, doctor/physician, patient or other) is defined as a user and has a unique user code (user name). When a user accesses the system, strict authentication must be passed. The system provides an identity authentication mechanism based on user and password, and supports external identity authentication mechanisms based on a CA certificate or a dynamic password card.

The basic identity authentication mechanism of the platform is a user and password system. Each user has a respective password. The security control of the password is divided into the following 5 parts:

Composition: a password is a non-weak password of fixed length; the length can be set as required, and the characters that may form the password can be restricted as required (digits only, digits plus letters, case sensitivity and so on).

Storage: passwords are stored in DES-scrambled form, and the scrambled value cannot be restored to plaintext.

Change: the system sets a mandatory change deadline; if the password is not changed by then, login is denied.

Control: a supervisor can set a subordinate's digital signature to invalid under certain conditions.

Check: the system checks the user's login status for each transaction.

The platform of the invention allows users to be identified by a CA certificate issued by a third-party authority, a dynamic password card, or biometric means such as a fingerprint, and keeps for each user a flag recording which identification method that user uses. Different authentication information can be set for different user roles, and also for the different checkpoints of each user role. For ease of use and for system security, the system sets a different authentication information policy for each user role; a policy includes the valid character set, the validity period, the minimum and maximum length of the authentication information, repetition control of the authentication information, and so on. The system can also set, per user role, the number of failed authentication attempts allowed and the lock time. Once a user's failed attempts reach the number set in the system, the user is not allowed to log in during the lock period, and the account is unlocked automatically after the lock time elapses.
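The per-role policy and lockout behaviour described above, as an added example (not code from the patent). It covers the valid character set, length limits, validity period, failure count and lock time; the role names, policy values and class names are assumptions, and PBKDF2-HMAC-SHA256 stands in for the DES-based one-way storage the text mentions.

```python
import hashlib
import hmac
import os
import string
from dataclasses import dataclass

@dataclass(frozen=True)
class RolePolicy:
    min_len: int
    max_len: int
    charset: frozenset   # valid character set
    max_age: float       # validity period in seconds
    max_failures: int    # failed attempts allowed before the account locks
    lock_seconds: float  # lock time; the account unlocks itself afterwards

@dataclass
class Account:
    role: str
    salt: bytes
    pw_hash: bytes
    changed_at: float
    failures: int = 0
    locked_until: float = 0.0

ALNUM = frozenset(string.ascii_letters + string.digits)
# Constructed policies: role names and values are illustrative only.
POLICIES = {
    "doctor": RolePolicy(8, 32, ALNUM, 90 * 86400, 3, 900),
    "patient": RolePolicy(6, 32, ALNUM, 180 * 86400, 5, 300),
}

def one_way(password: str, salt: bytes) -> bytes:
    # Assumption: PBKDF2-HMAC-SHA256 replaces the DES-based scrambling in the text.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Authenticator:
    def __init__(self, policies):
        self.policies = policies
        self.accounts = {}

    def set_password(self, user, role, password, now):
        p = self.policies[role]
        if not p.min_len <= len(password) <= p.max_len:
            raise ValueError("length outside the role's policy")
        if not set(password) <= p.charset:
            raise ValueError("character outside the role's valid set")
        salt = os.urandom(16)
        self.accounts[user] = Account(role, salt, one_way(password, salt), now)

    def login(self, user, password, now):
        """Return 'ok', 'denied', 'locked' or 'expired'."""
        acct = self.accounts.get(user)
        if acct is None:
            return "denied"
        p = self.policies[acct.role]
        if now < acct.locked_until:
            return "locked"            # no attempts are evaluated during the lock period
        if not hmac.compare_digest(acct.pw_hash, one_way(password, acct.salt)):
            acct.failures += 1
            if acct.failures >= p.max_failures:
                acct.locked_until = now + p.lock_seconds
                acct.failures = 0      # counter restarts after the automatic unlock
            return "denied"
        acct.failures = 0
        if now - acct.changed_at > p.max_age:
            return "expired"           # mandatory change deadline passed: login refused
        return "ok"
```

The clock is passed in as `now` (seconds) so the lock and expiry behaviour can be exercised deterministically.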

In the platform of the invention, each data record of a key data table carries encryption verification information, and encryption verification is performed over the key field information, which effectively prevents data from being modified directly by hand. Data communication uses an end-to-end encrypted transmission mechanism: the sending application encrypts the data to be transmitted and sends it over the network, and the data is decrypted once it reaches the destination application. No intermediate link processes the data content. To ensure the integrity of transmitted data, the sending end generates a Message Authentication Code (MAC) for the data using a hash algorithm (e.g., MD5) and transmits the MAC with the data. By verifying the MAC, the receiving end can ensure that the data was not tampered with in transit. To ensure that data is not intercepted, retransmitted or forged in transit, an SSL-like encrypted transmission mechanism is proposed: an asymmetric cryptosystem (such as RSA) and a symmetric cryptosystem (such as DES or AES) are used together; key data such as session keys is encrypted with the asymmetric cipher to improve security, and business data is encrypted with the symmetric cipher to improve efficiency.
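One way to realise the per-record verification described above, as an added example rather than code from the patent: each row stores a keyed tag over its key fields, so an edit made directly in the database leaves a stale tag. The table, field names and key are constructed, and HMAC-SHA256 is used instead of the unkeyed MD5 hash the text gives as an example, because anyone who can edit the data can also recompute an unkeyed hash.

```python
import hashlib
import hmac
import sqlite3

# Constructed demo key; the key must be held outside the database it protects.
RECORD_KEY = b"constructed-demo-key"
KEY_FIELDS = ("mpi", "name", "diagnosis")   # hypothetical key fields

def record_tag(row):
    """HMAC-SHA256 over the key fields, length-prefixed so field boundaries are unambiguous."""
    mac = hmac.new(RECORD_KEY, digestmod=hashlib.sha256)
    for name in KEY_FIELDS:
        value = str(row[name]).encode("utf-8")
        mac.update(len(value).to_bytes(4, "big") + value)
    return mac.hexdigest()

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE patient (mpi TEXT PRIMARY KEY, name TEXT, diagnosis TEXT, tag TEXT)")
    return db

def insert_record(db, row):
    # The application computes the tag at write time and stores it beside the record.
    db.execute("INSERT INTO patient VALUES (?, ?, ?, ?)",
               (row["mpi"], row["name"], row["diagnosis"], record_tag(row)))

def tampered_records(db):
    """Return the mpi of every row whose stored tag no longer matches its key fields."""
    bad = []
    query = "SELECT mpi, name, diagnosis, tag FROM patient ORDER BY mpi"
    for mpi, name, diagnosis, tag in db.execute(query):
        expected = record_tag({"mpi": mpi, "name": name, "diagnosis": diagnosis})
        if not hmac.compare_digest(expected, tag or ""):
            bad.append(mpi)
    return bad

def demo():
    db = open_db()
    for row in (  # constructed sample records
        {"mpi": "MPI-0001", "name": "Patient A", "diagnosis": "hypertension"},
        {"mpi": "MPI-0002", "name": "Patient B", "diagnosis": "type 2 diabetes"},
    ):
        insert_record(db, row)
    before = tampered_records(db)
    # A direct manual edit that bypasses the application and leaves the tag stale.
    db.execute("UPDATE patient SET diagnosis = 'none' WHERE mpi = 'MPI-0002'")
    return before, tampered_records(db)
```

The tag detects edits to a row's key fields; it does not detect rows that are deleted outright.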

Outside the application software system, the running environment of the system of the present invention, including the host, storage, network, etc., must be strictly handled in terms of the required security level to ensure the availability, reliability, recoverability, disaster prevention, destruction prevention, etc. of these system resources. Redundant equipment, clustering technology (such as HACMP), firewall technology and a periodic backup system are adopted to achieve the safety target of system resources. For example: the core data layer and the service layer adopt double computers, a shared disk array and high-availability cluster multiprocessing standby software (HACMP), and once a server is confirmed to have a fault, the cluster manager starts a reconfiguration process so that another server can take over the running task on the fault equipment in time.

While the preferred embodiments of the present invention have been described in detail with reference to the accompanying drawings, the present invention is not limited to the above embodiments, and various changes can be made without departing from the spirit of the present invention within the knowledge of those skilled in the art. Other variations and modifications which do not depart from the spirit and scope of the invention are intended to be within the scope of the invention.
