Patent Application
20220350921
The following relates to computing devices and computing methods for transforming secure data into a format that is safe for physical or digital transfer, and allowing for the verification to a specific identity.
Various systems and methods are known to generate sensitive health information, known as protected health information (PHI). PHI consists of two aspects: personally identifiable information (PII), and health information (HI). PII is any information that individually, or in combination with other readily accessible information, is statistically likely to be able to be linked to an individual person. HI is any information related to the past, current, or future physical or mental health of a person.
It may be desired to transmit PHI from one location to another. In one example, a surgeon may have some information stored on a server in one physical location, such as a hospital network, but may need access to the information at a home office to perform diagnosis or analysis. In another example, a surgeon may desire to share patient images with a third part for processing, and have the results returned.
This transmission may be digital, or physical. Strict regulations exist around the transmission of PHI to protect the individual it refers to. These regulations are complex and expensive to implement, and may include requirements around the security of data at rest, and in transit (encryption), the physical ability to access the data, and the administrative rules regulating access to the data. In addition to this, there may be regulations surrounding what actions a company or individual must take should and PHI be disclosed to an unauthorized party.
When PHI is transmitted from one location to another, it must be able to be linked to the correct patient. For example, if a pre-operative plan is created for a specific patient for hip surgery, then it must be confirmed during surgery that the plan corresponds to the patient undergoing that hip surgery. Failing to use the correct patient specific plan may result in severe consequences for all parties involved, such as the patient, the surgeon, and the hospital.
The regulations for the safe transfer of data are region specific. In the United States, the regulations are outlined in the Health Insurance Portability and Accountability Act (HIPAA). More specifically, the transfer of digital information is governed by the Privacy Rule (why protecting health information is required), and the Security Rule (how to protect health information). The security rule outlines how PHI must be secured, and includes three classes of protection: technical, physical, and administrative.
There are provided systems and methods for the safe transfer and verification of sensitive digital information comprising uniquely identifying information and health information. A first computing device may be configured to encode uniquely identifying information from the sensitive digital information for an individual using a colliding hashing algorithm to produce verifiable identifying information. The verifiable identifying information is encapsulated with the health information to produce verifiable digital information, and provided for use with a second computing device.
A second computing device may be configured with to receive verifiable digital information from a first computing device and test identifying information of a second person, and process the test identifying information using a colliding hashing algorithm to produce test verifiable identifying information.
The uniquely identifying information may comprise one or more of the following: patient name, medical record number, social security number/social insurance number, date of birth, date of surgery, or other uniquely identifying codes. The health information may comprise information related to a surgical procedure. In one example the information may be co-registration information and implant target information for hip surgery. The co-registration information may comprise a set of pre-define points in an anatomic coordinate system. The implant target information may comprise one or more of acetabular implant inclination, acetabular implant anteversion, acetabular implant location, acetabular implant make and model, femoral implant version, femoral implant offset, femoral implant make and model, or bone cut locations.
The colliding hashing algorithm may comprise steps which when executed by a first or second computing device computes verifiable digital information from uniquely identifying information which is statistically likely to be share among multiple individuals in a population (e.g. with different uniquely identifying information), but is statistically unlikely to be identical between two random individuals in a population. The colliding hashing algorithm may comprise a first mapping function which has a statistically insignificant change of output collision (e.g. such as MD5, SHA-1, SHA-2, SHA-256, SHA-3) and a second mapping function to increase the chance of output collision (e.g. such as a binning function or integer modulus function).
The first computing device may be configured to export the verifiable digital information as a QR code image. The first computing device may be further configured to perform preoperative planning and provide the results of planning as health information for use by a second computing device.
The second computing device may be located in an operating room, and may be further configured to receive a preoperative plan form a first computing device and to deliver the preoperative plan using computer aided navigation.
The test identifying information may be derived from another source at the time of the surgical procedure which the other source may be a patient chart, a networked medical database, or a physical or digital image in the operating room.
The second computing device may be configured to provide for display to a user the verifiable identifying information from the verifiable digital information and the test verifiable identifying information to a user for visual comparison, or may be configured to perform the comparison and provide for display to a user the results of the comparison. The second computing device may be further configured to automatically begin a further process based on the results of the comparison such beginning an anatomic registration step.
The present concept of the invention is best described through certain embodiments thereof, which are described herein with reference to the accompanying drawings, wherein like reference numerals refer to like features throughout. It is to be understood that the term invention, when used herein, is intended to connote the concept underlying the embodiments described below and not merely the embodiments themselves. It is to be understood further that the general concept is not limited to the illustrative embodiments described below and the following descriptions should be read in such light. More than one concept may be shown and described and each may standalone or be combined with one or more others unless stated otherwise.
Method 100 comprises operations such as to perform steps. Operations of method 100 include, at 120, receiving sensitive digital information (SDI) 102. SDI may also be known as PHI as defined according to HIPAA, but may be defined using other terminology in other regions. The source of SDI 102 may be a hospital, a patient, or a third-party such as a planning company. The information may be in a standard format such as DICOM, or may be received in a custom format, such as JSON or CSV, unique to a third-party. The information may be received from a communication to computing device 10, by receiving input thereto via a keyboard, microphone, touch screen, pointing device or other input device, by media such as a CD ROM, flash drive, etc. or retrieval from remote storage such as a server, database, etc.
SDI 102 comprises uniquely identifying information (UII) 104, and health information (HI) 106. Ull 104 may comprise one or more identifying characteristics. Characteristics may be considered identifying individually, such as a social security number (SSN) or a medical records number (MRN). Characteristics may also be considered identifying when combined in plurality, such as name and address, or name and zip code, such that the characteristics may not be individually identifying (multiple individuals may have the same name, or may have the same zip code), but together, are statistically likely to identify a unique individual.
HI 106 may comprise of any data which relates to the health of an individual. HI 106 may comprise a plan for a surgical procedure such as orthopaedic hip surgery or other surgical procedures require health information (not shown). This plan may comprise implant specifications and targets, and information for co-registration between a pre-operative planning coordinate system, and an intra-operative navigation coordinate system.
Operations 100 further comprise, at 122, processing the SDI using a colliding hashing algorithm (CHA) 108. CHA 108 may be configured to deterministically transform Ull 104 into verifiable identifying information (VII) 112 comprising text data (which may include alphabetic characters, numeric characters and other symbols, such as punctuation and mathematical symbols and any combination of same). CHA 108 may generate VII 112 to have statistical characteristics that limit the information from being considered statistically identifiable. Identical, non-unique VIls 112 may be generated from multiple individuals from the respective unique Ulls 104 from those individuals. Determining the identity of any person using VII 112 alone (without any other identifying data) would be statistically unlikely. CHA 108 may be configured such that all possible encoded output VII 112 (e.g. each respective instance of output in the output space) have a statistically equal chance of being generated. Operations 100 include, at 124, providing VII 112 for use such as is further described herein below with reference to
In accordance with an example, CHA 108 comprises multiple steps to perform the transformation such as shown in flow 200 of
A second step 206 comprises using a (first) mapping function to calculate a mapping output value from the sanitized input data. Preferably the mapping function is a one way function. A good function also preferably outputs a significantly different value, even for small changes made to the input. Further a good mapping function avoids collision. The function may be a (cryptographic) hash function such as MD5, or alternatively SHA-1or SHA-256, a fingerprinting function (e.g. a high-performance hash function such as Rabin's algorithm), a checksum function, etc. It may be assistive to define an input string of Ull 104 with a minimum length (e.g. a number of characters) such as by padding fields such as first name, surname, etc. In the example, the string “johnsmith19651221” is hashed to the hexadecimal string “3968d22aa819132722ae3526292599df”.
A third step 208 comprises a step wherein the hash is binned (e.g. using a second mapping function) into a finite small number of bins. In some instances, limitations of the computing device (e.g. working with very large numbers) may require that the hash string is first reduced by utilizing only a short substring. In an example, the last 8 characters “292599df” may be used, and first converted to the decimal equivalent number 690330079, and then binned using integer modulus (where the modulo function is the second mapping function, which does not avoid collisions). If there are 128 bins, the number 690330079 is put in the bin with number 95.
Thus the CHA 108 transforms Ull 104 using a first mapping function to encode the Ull into a deterministic value to obscure the Ull information but which encoded Ull may identify the individual by distinguishing them from all other individuals and then uses a second mapping algorithm to transform the encoded Ull to a final code (VII 112) that ensures sufficient collisions so that the final code is evenly distributed among all possible final codes.
It will be apparent that other first mapping functions or second mapping functions may be employed. A (cryptographic) hashing function may be preferred as a good hashing function for the first mapping function because of the properties such hashing functions provide, such as the one way nature of the encoding and the fact that small changes in input become large changes in output. Further after the binning step (e.g. using the modulo function, a type of hash reduction function herein), due to the apparent pseudorandom nature of hashes each of the possible bins (e.g. 0 to 127 per the example) are equally likely to be generated. The modulo function is convenient as it is easy to increase or decrease the number of bins (i.e. change the size of the output space for the encoded output) to adjust for risk as described further below.
Method 100 may then combine VII 112 with HI 106 to produce verifiable digital information (VDI) 110. Method 100 may be enabled to provide VDI 110 for communication with another system (comprising a second computing device). In one example, this communication may be through an internet server. In other implementations, this communication may utilize an email client or a USB storage device or other storage media, etc.
Method 100 may alternatively be configured to provide VDI 110 for communication using a standard physical encoding, such as a quick response (QR) code, which may enable the physical transfer on paper or via a display screen each using an optical transfer (e.g. for reading into a second computing device through a camera).
Regional regulations may restrict the transmission of SDI 102 unless subject to strict rules, because SDI 102 can link HI 106 directly to an individual using Ull 104. These same regulations may instead permit the transmission of VDI 110, because there is no specific information which can link directly to a single individual.
Method 300 comprises operations such as to perform steps. Operations of method 300 include, at 320, receiving VDI 110 from computing device 10, comprising HI 106, which may be a pre-operative plan for an individual, and VII 112 which is derived using CHA 108 from Ull 104 corresponding to that same individual.
When health information is provided to a system to provide treatment to an individual, it is necessary to ensure that the correct health information is used. Providing treatment to an individual based on incorrect health information can have negative consequences, possibly resulting in harm or death to an individual. It may therefore be desirable for VDI 110 to be verified to correspond to the individual being treated intra-operatively.
For verification, method 300 may also, at 322, receive test identifiable information (TII) 302, which is known (e.g. expected) to correspond to the individual undergoing treatment. In one example, TII 302 may be known to correspond to the individual because the information is derived from the individual's “chart” which is read aloud prior to treatment. TII 302 is defined in an identical format to Ull 104.
At step 324, method 300 is configured to process TII 302 using CHA (as part of instructions 304) to create test verifiable identifying information (TVII) 306. The CHA in instructions 304 may be configured to be identical to CHA 108 in method 100. Method 300, at step 326, compares VII 112 to TVII 306 using a comparison algorithm (part of instructions 300) to determine if VDI 110 corresponds to the individual undergoing treatment based and, at step 328, provides a result of the comparison, which may be presented via display 36 and/or other output device (e.g. speaker, bell, light etc. all not shown).
Since there may be multiple identifying characteristics which may generate the same VII 112, it may also be possible that VII 112 corresponding to a different individual may be equal to TVII 306, which may result in the incorrect treatment of the individual. CHA 108 may be configured to generate a VII 112 such that the likelihood of incorrect identifying information also generating an equivalent TVII 306 is lower than an acceptable risk threshold yet still satisfy the desire that the VII 112 is statistically unlikely to identify any individual. As noted above, adjusting the second mapping function such as by adjusting the number of bins via the modulo function may be performed to vary the rate of collisions.
In one example, an acceptable risk threshold may be determined such that that one out of every 10,000 individuals may be provided incorrect treatment. It may also be determined that the likelihood of the incorrect VDI 110 being received by method 300 to be one percent, or one out of 100. The incorrect VDI 110 may be received by method 300 due to human error. If VII 112 was generated with the properties that there were 128 unique possible VIIs, and each was statistically likely to be generated, then there would only be a one out of 128 chance (0.78%) that VII 112 generated from one individual would be equivalent to TVII 306 generated from a different individual. In combination, the likelihood of the incorrect VDI 110 being provided to method 300, and the likelihood that VII 112 would also be equivalent to TVII 306, results in a likelihood that only 1 out of every 12,800 individuals would receive incorrect treatment, which is a lower likelihood than the defined acceptable risk.
Alternatively or in addition, method 300 may be configured to simultaneously display TVII 306 and VII 112 for comparison by a user by visual inspection using display 36, or other means.
Method 300 (e.g. at 330) may be configured to automatically launch (or prevent the launch of) a further process such as a pre-defined workflow based on results at step 328. In one example, method 300 may proceed to a co-registration step if the result at step 328 identifies a positive match between TVII 306 and VII 112.
Practical implementation may include any or all of the features described herein. These and other aspects, features and various combinations may be expressed as methods, apparatus, systems, means for performing functions, program products, and in other ways, combining the features described herein. A number of embodiments have been described. Nevertheless, it will be understood that various modifications can be made without departing from the spirit and scope of the processes and techniques described herein. Accordingly, other embodiments are within the scope of the following claims.
Throughout the description and claims of this specification, the word “comprise” and “contain” and variations of them mean “including but not limited to” and they are not intended to (and do not) exclude other components, integers or steps. Throughout this specification, the singular encompasses the plural unless the context requires otherwise. In particular, where the indefinite article is used, the specification is to be understood as contemplating plurality as well as singularity, unless the context requires otherwise. Herein, “A and/or B” means A or B or both A and B.
Features, integers, characteristics, etc. described in conjunction with a particular aspect, embodiment or example are to be understood to be applicable to any other aspect, embodiment or example unless incompatible therewith. All of the features disclosed herein (including any accompanying claims, abstract and drawings), and/or all of the steps of any method or process so disclosed, may be combined in any combination, except combinations where at least some of such features and/or steps are mutually exclusive. The invention is not restricted to the details of any foregoing examples or embodiments. The invention extends to any novel one, or any novel combination, of the features disclosed in this specification (including any accompanying claims, abstract and drawings).
| Filing Document | Filing Date | Country | Kind |
|---|---|---|---|
| PCT/CA2020/050843 | 6/18/2020 | WO |
| Number | Date | Country | |
|---|---|---|---|
| 62864677 | Jun 2019 | US |
