DE102007060677A1 - Data storage e.g. electronic patient card, access method for use by e.g. doctor, involves providing authorization information for access to fundamental information of terminal, where information is not adapted to properties of data storage - Google Patents

Abstract

The method involves providing authorization information for access to fundamental information of a terminal (1), where the authorization information is not adapted to properties of a data storage (2) i.e. chip card, to be protected. The terminal is allowed to access the data memory relative to the fundamental information of the terminal by a server (3) in a communication- or data network. The access to the data storage is secured by input of a personal identification number, which is feed into a data input device. An independent claim is also included for a system for access to a data storage protected from unauthorized accesses.

Description

With the progressive use of electronic or other information technology Data storage such as chip cards, RFID chips, CD, DVD, u. Ä., for a wide variety of applications, z. As "electronic" ID card, as "electronic" File, u. s. w. wins the protection of such data storage against a Access by unauthorized persons increasingly important. It points a person entitled to access frequently but not necessarily on his part with the help of an information technology device as entitled from, for example, with a smart card.

Important Examples are the so-called "electronic patient card" or the "electronic patient record". The former is usually a smart card with a memory and a processor, which protects access to the memory. The access or certain types of access to the patient data stored therein are only allowed to members of certain occupational groups, for example, doctors, pharmacists and possibly other health professionals. These professionals point their entitlement often on their part by a smart card, the so-called "health professional card" after.

Now there are cases in which a member of this Although professional groups are entitled to access basically in which he does not have the usual proof of this authorization or intended entitlement card. If or as long as the "electronic patient cards" including the access protocols are not internationally standardized, This situation is already present at every doctor's visit abroad. The health professional card of the doctor, provided this - after the national rules applicable to him - at all has such, then usually does not fit to the smart card of the patient because he comes from another country.

Of the present invention is based on the object associated with it To solve problems. This task is performed by a procedure or a system according to any one of the independent claims solved. Advantageous developments of the invention result from the dependent claims.

below The invention is based on preferred embodiments and described in more detail by means of figures.

The Invention is - even if the description of the embodiments mainly for reasons of clarity of applications in the field of the "electronic patient card" not limited to this scope, but it is suitable for solving corresponding problems in very different areas, especially in use electronic or other information technology data storage such as smart cards, RFID chips, CD, DVD, u. ä., for a wide variety of applications, eg. B. as "electronic" ID card, as "electronic" file, etc.

1 shows in a schematic way an advantageous embodiment of the method according to the invention.

• – Die elektronische Gesundheitskarte in Deutschland
• – Das e-card-Projekt in Österreich
• – Die Schweizer Versichertenkarte.

Healthcare networking is becoming increasingly important for increasing the quality of treatment and achieving greater efficiency. For this reason, so-called "eHealth initiatives" have emerged in the last few years in Europe in various countries.The aim of these initiatives is the respective nationwide introduction of a telematics infrastructure in the health sector.Examples of such eHealth initiatives are:

• - The electronic health card in Germany
• - The e-card project in Austria
• - The Swiss insurance card.

Of the The level of development of these initiatives varies considerably. While in Austria the e-card already nationwide is currently being introduced in Germany Test carried out with the electronic health card and the introduction of a corresponding insurance card is currently still in conception in Switzerland.

all These initiatives and solutions are common to them In their first phase, they first have a national focus. Internationally they support their own citizens by the imprint of the EHIC (EHIC = "electronic health insurance card ", electronic health insurance card) on the Back, but the electronic integration of foreign Health and insurance cards into the respective system often not considered in the first phase of these projects.

There cross-border traffic is increasing and more and more people undergoing medical treatment abroad, z. For example, as part of their holiday or employment relationship, he wins the cross-border Use of health and insurance cards is becoming increasingly important.

The German telematic infrastructure will be published on the websites of the Gematik [1] shown.

A rector supports today in the Ge the decentralized primary systems in relation to the workflows required for the telematics infrastructure and links the primary systems to the central components of the telematics infrastructure. In addition, the Vice President also serves in practice to control the SICCT-capable [4] eHealth card terminals, which provide access to the electronic health card on the one hand and to the electronic health professional card on the other hand. By means of the data available on the two cards, the role and rights management is carried out, which uses the respective current access options in the various applications, such as: E-insurance data, e-prescription, e-doctor's letter, e-emergency data and e-patient record decides. The first tests are currently being carried out with the applications e-insured data, e-emergency data and e-prescription. A detailed description of the infrastructure and the current state of the specifications can be found on the Gematik website [I].

The architecture of the Austrian system for the e-card is in www.chipkarte.at shown:
The Austrian e-card today primarily includes the sickness certificate replacement, the drug licensing system and the social security numbers and insurance data retrieval system; Further applications such as eg ELGA (Electronic Health Act) and the e-Regulation are currently in the conception or in first tests. The architecture of the system is similar to the architecture of the German system, ie the already existing primary system of the service provider is coupled by means of specially developed for this system GINA box (health information network adapter) and the special card readers with the central services. A detailed description of the architecture and the individual components can be found in [2].

Based the German electronic health card (eGK) or the Austrian e-card Let us briefly describe which requirements exist if the respective card directly in their neighboring country operational should be. The first example is the application "Verification the insured data "as this is the basis for represents all medical treatments.

at The eGK has to differentiate between the insurance data general insurance information (eg name, address, insurance number, ...), which are read by all without restrictions can, and the protected insurance data, z. The entry on participation in special programs, which only after a previous card-to-card authentication using a Security Module Card Type B or a health professional card can be read.

The general insurance data could thus be a primary system in Austria read by a German eGK, if it is has implemented the appropriate read command and if it read the Can interpret data correctly. The access for the Reading is possible in principle. Anders sees it in the area of the protected insurance data. Here is a card-to-card authentication before accessing the eGK data with a health professional card or with a security module card (Institute card).

In order to Do you want the high level of privacy that this data is subject to? Make sure and ensure that this data is only authorized by authorized third parties Health professions are read. These data of the eGK can so that they are not read in Austria, because there is one Card-to-card authentication in this form not currently realized is and appropriate cards are not in use.

considered one now the further applications of the German eGK, so one poses It is clear that for all these applications, a card-to-card authentication is used at the beginning is done to ensure that the appropriate Data (eg emergency data, regulations, ...) only from health professionals used or changed and thus a high level of data protection sure. So these applications can not be used directly in Austria, as the corresponding Counterpart required for card-to-card authentication in this form does not exist in the infrastructure. Of the in Austria existing doctor's card is based z. B. on other cryptographic methods and does not contain any certificates for a card-to-card authentication in the German sense eGK.

A Another hurdle in the use of eGK applications in cross-border traffic represents the syntactic and semantic interpretation of the data. It must be ensured be that both the data stored on the card (eg. Insurance data, emergency data) and, if necessary, on servers stored data that is accessed only through the eGK, correctly processed in the primary system, d. H. properly displayed and clearly understandable for the health professional are.

Considering the case of data stored on servers (eg drug documentation), this requires cross-border access to the central infrastructure components of the respective countries. This is possible in principle because of the global network; However, it assumes that components are used in the respective countries to connect the decentralized primary systems to the telematics infrastructure which are compatible with the components of the country concerned.

For example would have an Austrian GINA box also the implement workflow mechanisms contained in the German connector or these mechanisms would have to be in another form in Austria will be realized. Likewise, it should be ensured that the communication protocols used for the transmission are configured accordingly compatible.

Would to use an Austrian e-card in Germany Although some of the above points would be z. B. the problem regarding. Card-to-card authentication, not occur; however, one would have to consider other requirements. For example, the Austrian e-card contains only key data and the actual health certificate can the doctor only after inserting the card from the central infrastructure recall. A pure offline scenario is for this card not intended at all. So it's clear that a simple solution for cross-border use of the eGK or the e-card does not work. By plugging the At least it is not enough for a map alone.

Next or instead of restricting cross-border Use of the cards for simple reading out of insurance data in the offline case (electronic EHIC), which however under medical Viewpoints only a small benefit, see here The present invention contemplates the use of a communications server in front. In such a solution by means of a communication server the Austrian doctor would use this to be able to access the eGK of a German patient and by means of this the one available to the insured person medical data (eg emergency data, drug documentation) after a corresponding release of the insured and the insured data of the patient to read and if necessary to check.

Of the Communication Server has a user interface, preferably via a WEB surface, by means of the doctor logs in according to his national standard and authenticated. This can z. B. be ensured that Only health professionals use this communication server and no abuse is driven with the medical data of the insured. On Basis of this authentication and corresponding contractual arrangements then the further access to the insurance card can take place.

In order to is for the protected and the medical Data of the insured ensured that the level of protection Access by the communication server is just as high, as in the access in the home country. In the further procedure would the foreign insured now his insurance card stuck. The communication server then performs the appropriate necessary authentication against the insurance card by (eg the card-to-card authentication opposite the German eGK) and allows the health professional the Access to the various applications after approval by the insured. Thus, the doctor can then take a current examination perform the insurance data, the emergency data, the View the medication data and if necessary the patient record and complete.

An advantage of this solution by means of a communication server is that the special commands necessary for the response of foreign health insurance cards are realized centrally and then made available only when needed, for example by the server ( 3 ) via the network (DN). Thus, a separate realization of these functionalities in the various primary systems can be avoided.

As well It avoids that every practice is the special one for communication necessary hardware with foreign infrastructures the communication with foreign telematic infrastructures centrally done. Consider, for example, the use of an Austrian e-card in Germany, then comes for this according to the present invention, the same method is used, d. H. also In this case, communication would be in the Austrian Telematics infrastructure done by means of a communication server.

The Cross-border provision of foreign health insurance by means of electronic data on the health card or also The actuality check of these health certificates can according to the invention simply by means of a communication server, preferably realized in the form of a simple WEB portal become.

The present invention thus provides a method for accessing a data storage protected against unauthorized access ( 2 ), in which a person entitled to access ( 1 ), who does not have an authorization card matching the protected data store, may contact a third party ( 3 ) as having the right to declare, whereupon the third party 1 ) access to the protected data memory ( 2 ).

Accesses in the sense of this invention can be both read and write accesses, whereby it may happen that the entitlement For reading or writing accesses do not always coincide, for example, that one person or institution has only one read access, while another person or institution may also write data to the protected data memory. These permissions may also be different for different records or spaces in some cases. If, in this context or in similar contexts, the claimant ( 1 ), then in technical terms, the device used by him ( 1 ).

In many cases, the protected data store ( 2 ) a chip card ("first chip card", "patient card") and the third party ( 3 ) a server ( 3 ) in a communication or data network, although the invention is not limited to such embodiments.

Some embodiments of the invention provide a method in which the basically entitled ( 1 ) to the third party ( 3 ) with the help of a ("second") chip card ( 4 ) (Health professional card, institute card, or similar) ( 4 ) as justified.

Also advantageous is a method according to an embodiment of the invention, in which the access to the protected data memory ( 2 ) is additionally secured by the entry of a personal identification number (PIN1), which is to be entered by the owner of this data memory in a data input device. This personal identification number (PIN1) can, for example, via a keyboard of the owner ( 1 ) used terminal ( 1 ). It would also be conceivable, however - for example in the case of a telephone consultation with a patient - that the patient enters his personal identification number (PIN1) on a computer which is connected to the terminal device via a communication or data network (FIG. 1 ) or or with the server ( 3 ). The second variant would have the further advantage that the personal identification number (PIN1) would be better protected against misuse because it is not in the terminal ( 1 ) of the claimant ( 1 ), but directly into the server ( 3 ), from which it is tested, unless the test is already carried out locally by a processor of the first chip card (patient card), which would further increase security.

Similarly, the access privilege may also be detected by entering a personal identification number (PIN2) to be entered into a data entry device by a person accessing the protected data store who is not the owner of that data store. With this personal identification number (PIN2) or a plurality of such personal identification numbers (PIN2), the chip card ( 4 ), the terminal ( 1 ) or the login on the server ( 3 ) protected against misuse by unauthorized persons.

In particular, in cases where personal identification numbers, patient data or similarly valuable data are transmitted over a network, it is advantageous if the communication between the participating units ( 1 . 2 . 3 . 4 . 5 . 6 ) - at least partially - done in encrypted form. The relevant certificates could be stored on the server ( 3 ).

• A) ein Endgerät (1) oder eine Person, die sich dieses Endgerätes bedient, weist gegenüber einem Server (3) in einem Kommunikations- oder Datennetz, der mit dem Endgerät (1) über dieses Kommunikations- oder Datennetz (DN) in Verbindung steht seine Berechtigung zum Zugriff auf einen Datenspeicher (2) nach.
• B) Der Server (3) prüft das Vorliegen der Berechtigung zum Zugriff.
• C) Bei positiven Ergebnis dieser Prüfung ermöglicht der Server (3) dem Endgerät (1) den Zugriff auf den Datenspeicher (2).

The method according to the invention preferably comprises the following steps:

• A) a terminal ( 1 ) or a person who uses this terminal points to a server ( 3 ) in a communication or data network connected to the terminal ( 1 ) via this communication or data network (DN), its authorization to access a data memory ( 2 ) to.
• B) The server ( 3 ) checks the existence of the authorization for access.
• C) If the result of this check is positive, the server ( 3 ) the terminal ( 1 ) access to the data memory ( 2 ).

This happens, for example, by the server ( 3 ) Access commands (Cmd1) of the terminal ( 1 ) receives from it and into corresponding access commands (Cmd2) of the data memory ( 2 ) translated and forwarded to this.

It is also possible that the server ( 3 ) Data (Dat) or commands (Cmd) from the terminal ( 1 ) or from the server ( 3 ) and after conversion or translation of these data or commands to the server ( 3 ) or to the terminal ( 1 ).

All meaningful (ie pertinent) combinations of these approaches will be apparent to those skilled in the art from this description as possible variants of the invention, which he depended on from the specific circumstances of its concrete application based on his expertise.

Now there are cases in which the claimant seeking access ( 1 ) or his terminal ( 1 ) expect, on the basis of the national rules that apply to them, that certain data on the data store ( 2 ) are stored or to be stored, although according to the national provisions of the owner of the data store ( 2 ), which stores this data on an external data memory ( 5 ) are stored or to be saved. Also reverse cases are conceivable. Remember in this context to the above signs different situations in Germany and Austria.

In such situations, a method according to an embodiment variant of the invention is advantageous in which the server ( 3 ) external data (extDat), although by the terminal ( 1 ) from the data store ( 2 ) should be read or written to this, not from this data memory reads or writes to this, but from an external data memory ( 5 ) reads or writes to this external data memory.

Are used to access this external data store ( 5 ) in turn requires proof of authorization for access or key, they are in turn according to an embodiment of the invention, in turn, by the third party ( 3 ) or its server ( 3 ) or, if applicable, after having obtained the necessary keys or data from the units involved (terminal equipment, medical certificates, patient card, etc.). Since the third party enjoys the trust of all parties involved, he can in principle replace all direct authentication processes between the parties by means of the authentification provided by him.

In this context, it may be beneficial if on the server ( 3 ) or on an external server ( 6 ) from which external data memory ( 5 ) to read the data or on which external data memory ( 5 ) the data are to be written. It would also be conceivable, however, for this information to be stored in the other units involved or in these stored files.

It is particularly advantageous if the external data memory ( 5 ) via a communication or data network (DN) to the server ( 3 ).

In some cases, it will be especially useful if the server ( 3 ) a card-to-card authentication against the data memory ( 2 ) if the exam result is positive. This will be the case, in particular, in cases of access to a German eGC by a doctor or pharmacist in Austria or another country.

The invention is also advantageously compatible with a method in which the server ( 3 ) Data from the data store ( 2 ) or from an external data store ( 5 ) and read these before passing them to the terminal ( 1 ) so that the terminal ( 1 ) is able by its means to read this data and to interpret it correctly in the sense of an application running on this terminal.

The invention can be advantageously implemented by a system for accessing a data storage protected against unauthorized access ( 2 ) with a terminal ( 1 ) for connecting the data memory ( 2 ) to the system and a server ( 3 ) in a communication or data network (DN) connected to the terminal ( 1 ) is connected via this communication or data network (DN).

Quoted sources of information:

• [1] Gesellschaft für Telematikanwendungen der Gesundheitskarte mbH: www.gmatik.de
• [2] e-card in Austria: www.chipkarte.at
• [3] Netcards Project: www.netcards-project.com
• [4] SICCT = "Secure Interoperable ChipCard Terminal"): http://www.teletrust.de/fileadmin/files/publikationen/Spezifikationen/SICCT Specification 1.03.pdf

1

legitimately, Terminal of the authorized person

2

Data storage, first chip card

3

third, Server of the third party

4

second Chip card, health professional card

5

external data storage

6

external server

DN

Communication network data network

Dat

dates

cmd

Command, commands

cmd1

Command, commands

cmd2

Command, commands

extDat

external dates

PIN1

personal Identification Number

PIN2

personal Identification Number

QUOTES INCLUDE IN THE DESCRIPTION

This list The documents listed by the applicant have been automated generated and is solely for better information recorded by the reader. The list is not part of the German Patent or utility model application. The DPMA takes over no liability for any errors or omissions.

Cited non-patent literature

• - www.chipkarte.at [0014]
• - www.gmatik.de [0048]
• - www.chipkarte.at [0048]
• - www.netcards-project.com [0048]
• - http://www.teletrust.de/fileadmin/files/publikationen/Spezifikationen/SICCT Specification 1.03.pdf [0048]

Claims (15)

Method for access to a data storage protected against unauthorized access ( 2 ), in which a person entitled to access ( 1 ), who does not have an authorization card matching the protected data store, may contact a third party ( 3 ) as having the right to declare, whereupon the third party 1 ) access to the protected data memory ( 2 ). Method according to Claim 1, in which the protected data memory ( 2 ) a first chip card and the third ( 3 ) is a server in a communication or data network. Method according to one of the preceding claims, in which the person entitled on the merits ( 1 ) to the third party ( 3 ) with the help of a second chip card ( 4 ) as justified. Method according to one of the preceding claims, in which the access to the protected data memory ( 2 ) is additionally secured by the entry of a personal identification number (PIN1), which is to be entered by the owner of this data memory in a data input device. Method according to one of the preceding claims, in which the permission to access by entering a personal Identification number (PIN2) is detected by an on the protected data store accessing person who not owning this data store is in a data input device is to enter. Method according to one of the preceding claims, in which the communication between the participating units ( 1 . 2 . 3 . 4 ) happens at least partially in encrypted form. Method according to one of the preceding claims, comprising the following steps: a) a terminal ( 1 ) or a person who uses this terminal points to a server ( 3 ) in a communication or data network connected to the terminal ( 1 ) via this communication or data network (DN), its authorization to access a data memory ( 2 ) to; b) the server ( 3 ) checks the existence of the authorization for access; c) if the result of this check is positive, the server ( 3 ) the terminal ( 1 ) access to the data memory ( 2 ). Method according to one of the preceding claims, in which the server ( 3 ) the terminal ( 1 ) allows access by the server ( 3 ) Access commands (Cmd1) of the terminal ( 1 ) receives from it and into corresponding access commands (Cmd2) of the data memory ( 2 ) translated and forwarded to this. Method according to one of the preceding claims, in which the server ( 3 ) Data (Dat) or commands (Cmd) from the terminal ( 1 ) or from the server ( 3 ) and after conversion or translation of these data or commands to the server ( 3 ) or to the terminal ( 1 ). Method according to one of the preceding claims, in which the server ( 3 ) external data (extDat), although by the terminal ( 1 ) from the data store ( 2 ) should be read or written to this, not from this data memory reads or writes to this, but from an external data memory ( 5 ) reads or writes to this external data memory. Method according to Claim 10, in which on the server ( 3 ) or on an external server ( 6 ) from which external data memory ( 5 ) to read the data or on which external data memory ( 5 ) the data are to be written. Method according to Claim 11, in which the external data memory ( 5 ) via a communication or data network (DN) to the server ( 3 ). Method according to one of the preceding claims, in which the server ( 3 ) a card-to-card authentication against the data memory ( 2 ) if the exam result is positive. Method according to one of the preceding claims, in which the server ( 3 ) Data from the data store ( 2 ) or from an external data store ( 5 ) and read these before passing them to the terminal ( 1 ) so that the terminal ( 1 ) is able by its means to read this data and to interpret it correctly in the sense of an application running on this terminal. System for accessing a data storage protected against unauthorized access ( 2 ) with a terminal ( 1 ) for connecting the data memory ( 2 ) to the system and a server ( 3 ) in a communication or data network (DN) connected to the terminal ( 1 ) is connected via this communication or data network (DN).