Open Access  Subscription Access

含個人健康資訊的病歷資料，對於個人而言是屬於相當機密的，需要有一個有效的存取控制作為管制手段，而金鑰管理是目前最常用且有效的方法。在HIPAA規範下，導入金鑰管理授權與註銷的機制，同時強化病人對於病歷資料的管控。最近幾年，有許多符合HIPAA的金鑰管理機制陸續被提出來，用來保護病歷資料的安全，然而有些機制卻存在著授權下，可以獲得全部病歷資料，同時也需要大量的運算來產生金鑰。在一個階層式結構的病歷資料下，現有的金鑰管理機制是一個病人就一把金鑰保護病人的病歷資料，無法進行部分病歷資料的授權與保護的機制，進而無法發揮金鑰管理機制所要達成保護病歷資料的目的。因此需要低運算量的金鑰運算同時以不同的鑰匙來保護不同的病歷資料，擁有者則可以管理與控制不同病歷資料的金鑰。在這兩大項的考量，由於混沌映射在運算效能上比模指數運算或橢圓曲線點乘運算更好，同時也被證明符合半群以及其他數學上的特性，因此適合運用在複雜階層式資料存取控制上。本研究利用混沌映射之快速運算與數學上的優點，及其適合運用在階層式資料存取控制的特性，提出符合HIPAA規範與同時具有安全與效率的病歷資料存取控制的金鑰管理機制。Medical records containing personal health information are confidential for individual. Therefore, an effective method such as key management to control and access these files is needed. Health Insurance Portability and Accountability Act (HIPAA) is a standard regulation for medical records management. Under HIPAA specifications, the key management mechanisms, such as authorization and revocation of access right for the medical records, are regulated. Additionally, accessing electronic medical records by medical staff requires authorization from patients. In recent years, many HIPAA key management schemes were proposed in order to provide confidentiality protection of sensitive information for patient's medical record. However, there exist some security problems in these schemes. For example, an authorize person (medical staff) can access to all medical records, or the scheme need heavy computational cost in order to maintain a key management scheme. The structure of medical records may be regarded as hierarchical. However, some key management schemes protect one patient's medical records by using one set of secret key, may reveal partial unauthorized medical records. Additionally, most key management schemes require time-consuming modular exponential computations and scalar multiplications on the elliptic curve. Recent studies showed that cryptography using chaotic maps was demonstrated to provide the semi-group property and commutative property. Additionally, cryptosystems using chaotic map operations were more efficient than cryptosystems using modular exponential computations and scalar multiplications on the elliptic curve. Therefore, this study develops a key management scheme using extended chaotic maps for HIPAA privacy/security regulations. The proposed key management scheme is not only more efficient than related approaches, but also has revocation of authorization and is suitable for complex hierarchical data structure in electronic medical records.

存取控制; 金鑰管理; 混沌映射; HIPAA; 病歷資料; 病歷資料授權與註銷; Access control; key management; chaotic maps; HIPAA; personal health information; revocation; authorization