Medical data desensitization method and device
By combining deep learning models and medical knowledge graphs, features of medical data are extracted, solving the problems of unstructured information and inconsistent terminology in medical data. This enables efficient identification and de-identification of sensitive information in medical data, improving the automation and accuracy of privacy protection.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- ALIBABA CLOUD COMPUTING CO LTD
- Filing Date
- 2021-11-09
- Publication Date
- 2026-07-14
AI Technical Summary
Existing technologies struggle to effectively identify and process unstructured information and medical industry terminology in medical data, resulting in inadequate privacy protection.
By employing a deep learning model combined with a medical knowledge graph, features of medical data, including structured and unstructured information, are extracted for sensitive information identification and classification. Using medical entity, entity relationship, and event features, the sensitive information identification model is used for judgment and desensitization.
It enables comprehensive identification and de-identification of sensitive information in medical data, improving the accuracy of privacy protection and the ability to automate processing, and adapting to the flexible needs of different application scenarios.
Smart Images

Figure CN114580007B_ABST
Abstract
Description
Technical Field
[0001] This disclosure relates to the field of big data processing, and more particularly to a method and apparatus for de-identifying medical data. Background Technology
[0002] Medical data contains a large amount of sensitive information involving personal privacy, such as health insurance card numbers, names, names of medical institutions, diseases suffered, family history, medication records, etc. The leakage of this information can harm patients. Although current technologies use regular expression matching to process some sensitive content in structured information, there is still a lack of effective de-identification solutions for massive amounts of unstructured information and various medical industry terms.
[0003] As my country's privacy protection system improves, the need for more comprehensive and accurate de-identification processing of medical data is also growing.
[0004] Therefore, a medical data anonymization solution is needed that can provide anonymization processing for various types of data. Summary of the Invention
[0005] One technical problem this disclosure aims to solve is to provide an improved medical data anonymization scheme. This scheme can process various types of medical data, especially unstructured information, extracting medical entities, entity relationships, and even medical events, and feeding them into a sensitive information identification model for classification and identification. This allows for the determination of whether the data is sensitive and its sensitivity level, as well as corresponding anonymization processing. The extracted vector features can also be combined with a pre-constructed knowledge graph indicating relationships between medical entities, thereby achieving comprehensive identification of complex forms of sensitive information.
[0006] According to a first aspect of this disclosure, a method for desensitizing medical data is provided, comprising: extracting features from the medical data to be desensitized to obtain medical data features, wherein the medical data to be desensitized includes structured information and unstructured information; feeding the medical data features into a sensitive information identification model to obtain identification results marked with sensitivity levels; and determining the desensitization method of the sensitive data according to the identified sensitivity levels.
[0007] Optionally, feature extraction of the medical data to be anonymized includes: obtaining structured features from structured information; and obtaining cascaded features from structured fields specific to the medical subject.
[0008] Optionally, the method further includes: feeding unstructured medical text and fields into a preprocessing model to obtain medical entity features, entity relationship features, and / or medical event features.
[0009] Optionally, the method further includes: defining key medical events; and obtaining medical event features from multiple entity features and entity relationship features based on the defined key medical events.
[0010] Optionally, the method further includes: feeding the medical data features and the medical knowledge graph into a vector encoding model to obtain a fusion vector, and feeding the medical data features into a sensitive information identification model, which includes: feeding the fusion vector into the sensitive information identification model.
[0011] Optionally, feeding the medical data features and the medical knowledge graph into a vector encoding model to obtain a fusion vector includes: extracting a graph vector based on the relevant entities included in the medical knowledge graph and the relationships between the relevant entities; and the vector encoding model processing the medical data features together with the graph vector into the fusion vector.
[0012] Optionally, the sensitive information identification model is also used to output at least one of the following: the sensitivity type of the sensitive field; the location of the sensitive field; the specific content of the sensitive field; and the frequency of occurrence of the sensitive information.
[0013] According to a second aspect of this disclosure, a medical data desensitization apparatus is provided, comprising: a feature acquisition unit, configured to extract features from the medical data to be desensitized and acquire medical data features, wherein the medical data to be desensitized includes structured information and unstructured information; a sensitivity identification unit, configured to input the medical data features into a sensitivity information identification model and acquire identification results with marked sensitivity levels; and a desensitization method determination unit, configured to determine the desensitization method of the sensitive data according to the identified sensitivity levels.
[0014] According to a third aspect of this disclosure, a computing device is provided, comprising: a processor; and a memory having executable code stored thereon, which, when executed by the processor, causes the processor to perform the method described in the first aspect above.
[0015] According to a fourth aspect of this disclosure, a computer program product is provided, including executable code that, when executed by a processor of an electronic device, causes the processor to perform the method described in the first aspect above.
[0016] Therefore, this invention combines a deep learning model and a medical knowledge graph fusion identification scheme, which can process various medical data, including structured features and unstructured information. It can extract cascaded features from structured features and extract medical entities, entity relationships, and even medical events from unstructured information and feed them into a sensitive information identification model for classification and identification. Thus, it can determine whether medical data in a broad sense and various combinations of medical data are sensitive and the level of sensitivity, and perform corresponding de-identification processing. Attached Figure Description
[0017] The above and other objects, features and advantages of this disclosure will become more apparent from the more detailed description of exemplary embodiments thereof taken in conjunction with the accompanying drawings, wherein like reference numerals generally denote like parts.
[0018] Figure 1 This illustrates an example of how medical data flows between different stakeholders.
[0019] Figure 2 A schematic flowchart of a medical data anonymization method according to an embodiment of the present invention is shown.
[0020] Figure 3 A schematic diagram of a medical data desensitization device according to an embodiment of the present invention is shown.
[0021] Figure 4 A schematic diagram of a computing device that can be used to implement the above-described medical data anonymization method according to an embodiment of the present invention is shown.
[0022] Figure 5 A schematic diagram illustrating the specific implementation steps of a medical data desensitization method according to a preferred embodiment of the present invention is shown.
[0023] Figure 6 An example of sensitive information classification based on vector fusion according to an embodiment of the present invention is shown. Detailed Implementation
[0024] Preferred embodiments of the present disclosure will now be described in more detail with reference to the accompanying drawings. While preferred embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be implemented in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that the present disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
[0025] Medical data contains a large amount of sensitive information involving personal privacy, such as health insurance card numbers, names, names of medical institutions, diseases suffered, family history, medication records, etc. The leakage of this information can harm patients. Specifically, medical data involving patient privacy can include personal attribute data, health status data, medical application data, and medical payment data.
[0026] Personal attribute data refers to data that can identify a specific natural person, either alone or in combination with other information. For example, it may include demographic information such as name and date of birth; personal identification information such as personal identification ID number, social security card number, and hospital number; personal communication information such as mobile phone number and email address; personal biometric information such as fingerprint, voiceprint, and facial features; and personal health monitoring sensor device ID, etc.
[0027] Health status data refers to data that reflects an individual's health condition or is closely related to an individual's health condition, and may specifically include chief complaint, present medical history, past medical history, physical examination (signs), family history, symptoms, laboratory test data, etc.
[0028] Medical application data refers to data that reflects the status of healthcare, outpatient services, inpatient services, discharges, and other medical services. Specifically, it may include: outpatient (emergency) medical records, inpatient medical orders, examination and test reports, medication information, medical progress records, surgical records, anesthesia records, blood transfusion records, nursing records, admission records, discharge summaries, referral (hospital) records, informed consent information, etc.
[0029] Healthcare payment data refers to cost-related data involved in services such as healthcare or insurance, typically including healthcare transaction information and insurance information.
[0030] Patient-generated medical data, besides being used to record the patient's medical history, can also serve social functions such as research and statistics. Therefore, in addition to being properly stored in medical institutions, medical data is utilized by different organizations or individuals in various scenarios. For this reason, based on the specific application scenarios of specific medical data, relevant organizations or individuals can be divided into the following four roles:
[0031] a) Subject of personal health and medical data (hereinafter referred to as "subject"): The natural person identified by the personal health and medical data.
[0032] b) Health data controller (hereinafter referred to as "controller"): An organization or individual that can determine the purpose, method, and scope of health data processing. This includes organizations that provide health services, health insurance institutions, management agencies, health research institutions, and individual clinics, which transmit or process health data electronically.
[0033] c) Health and medical data processors (hereinafter referred to as "processors"): Organizations or individuals that collect, transmit, store, use, process, or disclose health and medical data in the possession of the controller, or provide services related to the use, processing, or disclosure of health and medical data to the controller. Common processors include: health and medical information system providers, health and medical data analysis companies, and providers of auxiliary diagnosis and treatment solutions.
[0034] d) Health and medical data users (hereinafter referred to as "users"): relevant organizations or individuals who utilize health and medical data in specific scenarios, without being the subject, controller, or processor of the data.
[0035] In different application scenarios, data can flow between different roles. Figure 1 This diagram illustrates an example of the flow of medical data among different stakeholders. The different roles involved in the data flow are labeled in Chinese, and different flow scenarios are distinguished by numbers.
[0036] First, as shown in number 1, medical data can flow from the subject to the controller. For example, when patient A visits hospital A, all relevant medical data generated during this visit flows from subject A to controller A.
[0037] Medical data can also flow from controllers to subjects, as shown in number 2. For example, patient A can use their social security card to check their test results at a terminal in hospital A.
[0038] Medical data can circulate and be used within the controller's network, as shown by arrow 3. For example, patient A's medical records can be accessed not only by patient A's attending physician but also by senior physicians for review or consultation.
[0039] Data flow, as shown in number 4, can also exist between controllers. For example, Hospital A centrally reports patient visit data to the management agency, or a research institution obtains medical data from the hospital or management agency for research purposes.
[0040] Medical data can also be handed over to processors for processing by the controller. Figure 1 As shown by arrow 5 in the diagram. For example, management agencies can entrust massive amounts of medical data to data centers for processing to obtain desired data processing results, such as making the medical data searchable on the platform.
[0041] Finally, medical data can also be made available to users by the controller, as shown by arrow 6. For example, other researchers can access anonymized medical data under controlled conditions to conduct their own medical research, and so on.
[0042] In all the scenarios described above, health and medical data controllers should take reasonable and appropriate management and technical safeguards to ensure the confidentiality, integrity, and availability of health and medical data; ensure the legality and compliance of the process of using and disclosing health and medical data; and meet various development needs while ensuring that health and medical data meets the above security requirements.
[0043] When using the aforementioned medical information, the sensitivity of the data can be categorized based on its importance, risk level, and the potential harm or impact on the individual's health and medical data subject. For example, medical data can be divided into the following five levels:
[0044] a) Level 1: Data that can be used completely publicly. For example, hospital names, addresses, and telephone numbers can be directly made public on the Internet.
[0045] b) Level 2: Data that can be accessed and used on a larger scale. For example, data that cannot identify individuals, which can be used for research and analysis by doctors in various departments after application and approval.
[0046] c) Level 3: Data that can be accessed and used within a moderate scope. For example, data that has been partially de-identified but may still be re-identified, and is limited to use within the authorized project team.
[0047] d) Level 4: Data accessible within a limited scope. For example, data that can directly identify an individual, accessible only to relevant healthcare personnel.
[0048] e) Level 5: Data available for use only within a very limited scope and under strict restrictions. For example, detailed information on specific diseases (e.g., HIV / AIDS) is limited to access by attending physicians and requires strict control.
[0049] Therefore, due to the varying degrees of sensitivity involved in different medical data and different application scenarios (such as...), Figure 1 As shown in the figures 1-6, the degree to which medical data can be made public varies in different scenarios. Therefore, it is necessary to be able to sensitively identify various types of medical data and flexibly select desensitization methods according to the application scenario.
[0050] Existing sensitive information identification and de-identification technologies cannot effectively address the aforementioned privacy protection issues in the healthcare industry, primarily for the following reasons:
[0051] 1) Existing technologies are usually designed for general industries and are not customized for the medical industry. They can only identify some common sensitive fields such as name, address, unique ID number, and mobile phone number, but cannot identify medical-specific sensitive information such as medical records, diseases, medication records, and examination and test records.
[0052] 2) In terms of data structure, traditional technologies are mainly aimed at identifying structured sensitive fields, whose content is relatively standardized and clear. However, the medical field involves a large amount of unstructured text information, such as chief complaint, present medical history, discharge summary, etc., which are complex in form and difficult to parse and identify.
[0053] 3) From a technical perspective, existing methods are typically based on regular expression matching, which can only perform simple recognition, with poor accuracy and recall, and requires a significant amount of manual configuration time. Healthcare data contains a large number of clinical terms, such as diseases, surgeries, medications, symptoms, examinations, tests, and billing items. Furthermore, terminology standards are inconsistent, and human errors by doctors, such as abbreviations and typos, lead to poor recognition results when relying solely on regular expression matching.
[0054] To address this, the present invention proposes a novel medical data anonymization scheme. This scheme utilizes a deep learning model to extract features from unstructured data and integrates a vast medical terminology database and knowledge graph. This solves the industry-specific problems in the medical field, such as the inability to identify unstructured sensitive information and the inconsistencies in terminology, numerous aliases, and high knowledge barriers in medical data.
[0055] Figure 2 A schematic flowchart of a medical data anonymization method according to an embodiment of the present invention is shown.
[0056] In step S210, feature extraction is performed on the medical data to be de-identified, thereby obtaining the medical data features. The medical data to be de-identified includes structured information and processed unstructured information.
[0057] As mentioned earlier, medical data can be categorized by content into personal attribute data, health status data, medical application data, and medical payment data. However, if categorized by storage format, it can be divided into structured data and unstructured data.
[0058] Structured data refers to data that exists in a fixed format within record files. Structured data is typically represented and stored using relational databases, appearing as two-dimensional data. It can be retrieved from various structured databases or tables (e.g., Oracle, MySQL, RDS, PostgreSQL, Excel, etc.). For structured fields, which are usually columns in a data table, such as name or ID number, the field name and content can be directly used as features for extracting medical data.
[0059] Furthermore, cascaded features can be extracted from structured fields specific to a medical subject as the medical data to be processed. In medical information, some fields or content, when displayed individually, may not involve sensitive information, but if they are linked together, they can uniquely identify a specific patient or significantly narrow down the population. For example, the four features of a patient's female identity, hospital name, department name, and length of hospital stay are usually insensitive or have a very low sensitivity level. Individually, they can only correspond to a large group of patients, but if combined, such as a woman being admitted to the neurosurgery department of a certain hospital and staying for 21 days, the population can be greatly narrowed down, potentially even identifying a unique patient, thus leading to privacy breaches. These fields may come from multiple fields in the same patient's hospitalization table or from multiple tables for the same patient. Therefore, it is necessary to construct cascaded features for structured fields, such as multi-table, multi-field cascaded features.
[0060] Besides directly obtaining structured fields as medical data features as described above, and combining structured fields to obtain cascaded features, this invention is particularly suitable for extracting medical data features from unstructured data. Unstructured information lacks fixed format and scope features; common examples include a piece of text or an image. Therefore, unstructured text can be obtained from various unstructured files (such as txt, xml, html, word, etc.) and even from data streams and character streams transmitted over the network. It can also extract excessively long or difficult-to-parse unstructured fields from information with structured forms, such as "a 2 cm nodule was found on a chest CT scan" entered in the examination results field.
[0061] Therefore, the medical data desensitization method of the present invention may further include a preprocessing step for unstructured data, specifically including: feeding unstructured medical text and fields into a feature extraction model to obtain medical entity features, entity relationship features and / or medical event features as the processed structured information.
[0062] For unstructured text and fields, parsing and decomposition are required. In one embodiment of the present invention, three types of algorithms based on deep learning models—medical entity recognition, entity relationship extraction, and medical event extraction—can be used for preprocessing of unstructured data, thereby obtaining medical entity features, entity relationship features, and medical event features.
[0063] Named entity recognition (NER) is a sequence labeling task within natural language processing. It involves identifying specific named words, such as names of people, places, and organizations, from text. Specifically, it takes a natural language sequence as input and outputs a corresponding label sequence. In medical entity recognition, a specially trained medical entity recognition model can extract medical entities such as disease names, surgery names, symptoms, and drug names from unstructured data.
[0064] Specifically, medical entities in unstructured data can be identified based on BiLSTM and CRF models. LSTM (Long Short-Term Memory) is well-suited for modeling time-series data due to its design characteristics. Because LSTM learns which information to remember and which to forget during training, it can better capture long-distance dependencies. However, modeling sentences with LSTM has the limitation of not being able to encode information from back to front. BiLSTM, a bidirectional LSTM composed of forward and backward LSTM, can better capture bidirectional semantic dependencies. A CRF (Critical Random Field) layer can be placed after the BiLSTM layer. The CRF layer can then incorporate constraints (e.g., the sentence must begin with a name or organization, not a non-entity) to ensure the validity of the final prediction. These constraints can be automatically learned by the CRF layer during training.
[0065] There are various relationships between entities. Therefore, after obtaining entity information, entity relationship models can be used to identify the relationships between entities. For example, the relationships between pairs of entities can be identified first based on the relationship model, and then the relationships between multiple entities can be combined. For example, in the unstructured field "2 cm nodule seen on chest CT scan" in the example above, after entity relationship identification, the imaging examination item can be preprocessed into three entities including the examination name (e.g., chest CT), the examination location (chest), and the findings (2 cm nodule), as well as the relationships between them.
[0066] After obtaining the entity relationships, medical events can be further extracted. Here, a medical event refers to a series of key moments that occur at specific times and locations during a patient's treatment process. In this invention, various key medical events can be defined, and these events can be extracted from multiple entities and entity relationships based on the defined key medical events. For example, a medical event extraction model can be used to further extract medical events that contain more entities and relationships and conform to the defined key events from the already acquired multiple entities and relationships. That is, an event typically contains multiple entities and relationships. For example, hospitalization events can be further extracted from the identified entities and extracted relationships, such as patient A being admitted to xx hospital xx department on xx year xx month xx day; surgical events can also be extracted, such as patient B undergoing xx surgery performed by xx doctor at xx hospital on xx year xx month xx day at xx hour xx minute.
[0067] The feature extraction performed on unstructured information as described above can also be performed using a more powerful BERT-based medical pre-trained model.
[0068] The structured features obtained above, the cascaded features based on the structured features, and the features extracted from unstructured information (medical entity features, entity relationship features, and medical event features) can be used as medical data features obtained in step S210 for subsequent processing.
[0069] In step S220, the medical data features obtained above can be sent to the sensitive information identification model to obtain the identification results marked with the sensitivity level.
[0070] Specifically, the structured features described above, the cascaded features based on the structured features, and the features extracted from unstructured information can be fed into the sensitive information identification model. This model can be various types of classification models based on machine learning, such as fully connected neural networks or traditional machine learning models like LightGBM. This model can classify the input features as sensitive information; furthermore, it can also classify the sensitivity level of the information. Therefore, this sensitive information identification model can also be called a classification model. In one embodiment, the classification model can include five sensitivity levels, from level one to level five. For this purpose, the model can be trained by inputting various types of information corresponding to the first level (not sensitive) to the fifth level (most sensitive), according to the sensitivity information classification described above.
[0071] Because there are a large number of entity relationship features, medical event features, and cascading features input into the model, in other words, because the classification model needs to identify features containing multiple entity relationships, and even whether long sentence features (e.g., corresponding to medical events) are sensitive, in one embodiment, it is necessary to use the large amount of relationship information between medical entities contained in the medical knowledge graph for classification.
[0072] A knowledge graph is a structured semantic knowledge base used to rapidly describe concepts and their relationships in the physical world. Knowledge graphs can effectively organize fragmented information into knowledge based on a graph format. In this invention, a specialized medical knowledge graph can be constructed. The content of the medical knowledge graph includes entities such as diseases, surgeries, symptoms, examinations, tests, and drugs, as well as the relationships between them. Various entities have multiple synonyms. For example, "chest pain" and "chest pain" are synonyms for symptoms. The medical knowledge graph includes various synonyms for the same entity. Therefore, through the medical knowledge graph, inconsistent terms can be identified as the same entity, and it can serve as a benchmark for finding relationships between entities.
[0073] Therefore, the medical data anonymization method of the present invention may further include: feeding the medical data features and the medical knowledge graph into a vector encoding model to obtain a fusion vector. Specifically, a graph vector can be extracted based on the relevant entities included in the medical knowledge graph and the relationships between the relevant entities, and the vector encoding model processes the medical data features together with the graph vector into the fusion vector. This vector encoding model can also be a machine learning-based model, and the model used includes, but is not limited to, LSTM, BERT, etc.
[0074] After obtaining the fused vector, it is fed into the sensitive information identification model as input. The model then classifies the information based on the fused vector and obtains the corresponding identification results. These results are labeled with sensitivity levels, for example, level one indicates no sensitivity, and levels two through five indicate progressively increasing sensitivity.
[0075] In a preferred embodiment, the sensitive information identification model may also output other information, such as at least one of the following: the sensitivity type of the sensitive field; the location of the sensitive field; the specific content of the sensitive field; and the frequency of occurrence of the sensitive information.
[0076] After obtaining the above identification results, in step S230, the method for desensitizing sensitive data can be determined according to the sensitivity level of the identification.
[0077] Specifically, for identified sensitive information, it can be automatically de-identified according to the sensitivity level. De-identification methods include, but are not limited to, the following:
[0078] 1) Delete, that is, directly delete the content marked as sensitive;
[0079] 2) Replacement, which replaces sensitive content with preset characters, such as replacing all three digits of a phone number with asterisks;
[0080] 3) Generalization is used to replace some specific information with a broader range. For example, stage 3 diabetes is a very fine-grained disease, which can be generalized to a broader disease, such as metabolic diseases; another example is to generalize the patient's age of 39 to the larger range of 18-64 years old.
[0081] 4) Encryption: Use encryption or hash algorithms to encrypt the information. For example, encrypt the hospital number "200357" into "4cdbacdeecb3ed61564c91cb45007409faaecf41".
[0082] In a preferred embodiment, the decision on whether to display sensitive data de-identified and the method of display de-identification can also be determined based on the permission level of the medical data requester. In other words, the decision on whether to de-identify and the method of de-identification is not only based on the sensitivity level, but also on the specific usage scenario of the medical data, to adjust the display method of sensitive content.
[0083] Specifically, the classification model can return the results of sensitive information identification to the original data source, thereby enabling the data source to obtain medical data labeled with sensitivity levels. For example, in patient A's medical record, structured information such as patient A's name and social security card number is labeled with corresponding levels of sensitivity, and features based on unstructured information, such as symptom descriptions, examination result descriptions, hospitalization events, and surgical events, are also labeled with corresponding levels of sensitivity. This results in a medical record with comprehensive sensitivity labeling. When this record is queried, different levels of sensitivity information can be displayed based on the queryer's identity. For example, when patient A's attending physician queries the record, all information labeled as sensitive can be displayed normally to facilitate the physician's decision-making regarding treatment plans. When, for example, a physician in the same department views the medical record for case analysis, it is usually necessary to anonymize content that uniquely identifies the patient, such as the name and social security card number. When the aforementioned medical records are used for scientific research, in addition to anonymizing names and social security card numbers, it is also necessary to blur hospitalization and surgical events to a certain extent, such as only indicating the length of hospitalization and the day on which the surgical event occurred.
[0084] This invention employs a deep learning model combined with existing identification methods (e.g., regular expression matching), and integrates a vast medical terminology database and knowledge graph to address the industry-specific problems of inconsistent medical terminology, numerous aliases, and high knowledge barriers. This enables the automated identification and desensitization of a large amount of sensitive content in medical information.
[0085] The present invention can also be implemented as a medical data desensitization device, which is capable of performing the medical data desensitization method described above. Figure 3 A schematic diagram of a medical data desensitization device according to an embodiment of the present invention is shown.
[0086] As shown in the figure, the medical data desensitization device 300 includes a feature acquisition unit 310, a sensitivity identification unit 320, and a desensitization method determination unit 330. The feature acquisition unit 310 extracts features from the medical data to be desensitized, acquiring medical data features. The medical data to be desensitized includes structured and unstructured information. The sensitivity identification unit 320 inputs the medical data features into a sensitivity information identification model to obtain identification results with marked sensitivity levels. The desensitization method determination unit 330 determines the desensitization method for the sensitive data based on the identified sensitivity level.
[0087] The medical data anonymization scheme of the present invention can also be implemented by corresponding computing devices. Figure 4 A schematic diagram of a computing device that can be used to implement the above-described medical data desensitization method according to an embodiment of the present invention is shown.
[0088] See Figure 4 The computing device 400 includes a memory 410 and a processor 420.
[0089] Processor 420 may be a multi-core processor or may contain multiple processors. In some embodiments, processor 420 may include a general-purpose main processor and one or more special-purpose coprocessors, such as a graphics processing unit (GPU), a digital signal processor (DSP), etc. In some embodiments, processor 420 may be implemented using custom circuitry, such as an application-specific integrated circuit (ASIC) or a field-programmable gate array (FPGA).
[0090] Memory 410 may include various types of storage units, such as system memory, read-only memory (ROM), and permanent storage devices. ROM may store static data or instructions required by processor 420 or other modules of the computer. Permanent storage devices may be read-write storage devices. Permanent storage devices may be non-volatile storage devices that retain stored instructions and data even when the computer is powered off. In some embodiments, permanent storage devices use mass storage devices (e.g., magnetic or optical disks, flash memory) as permanent storage devices. In other embodiments, permanent storage devices may be removable storage devices (e.g., floppy disks, optical drives). System memory may be a read-write storage device or a volatile read-write storage device, such as dynamic random access memory. System memory may store some or all of the instructions and data required by the processor during operation. Furthermore, memory 410 may include any combination of computer-readable storage media, including various types of semiconductor memory chips (DRAM, SRAM, SDRAM, flash memory, programmable read-only memory), and disks and / or optical disks may also be used. In some embodiments, memory 410 may include a removable storage device that is readable and / or writable, such as a laser disc (CD), a read-only digital multifunction optical disc (e.g., DVD-ROM, dual-layer DVD-ROM), a read-only Blu-ray disc, an ultra-high density optical disc, a flash memory card (e.g., SD card, mini SD card, Micro-SD card, etc.), a magnetic floppy disk, etc. Computer-readable storage media do not contain carrier waves or transient electronic signals transmitted wirelessly or via wired connections.
[0091] The memory 410 stores executable code, which, when processed by the processor 420, enables the processor 420 to execute the medical data desensitization method described above.
[0092] Application examples
[0093] To facilitate understanding of the preferred embodiments of the present invention, Figure 5 A schematic diagram illustrating specific implementation steps of a medical data anonymization method according to a preferred embodiment of the present invention is shown. This method can, for example, be performed by a medical data processor as described above, and the processing result is returned to the controlling party providing the data.
[0094] As shown in the figure, medical data can first be obtained from various data sources in step 1. In a preferred embodiment of the invention, the processor can support a wide variety of data source formats. First, structured data can be obtained from various structured databases or tables, such as Oracle, MySQL, RDS, PostgreSQL, Excel, etc. Second, various unstructured files, such as TXT, XML, HTML, Word, etc., can be directly obtained. Third, even data streams and character streams transmitted over the network can be obtained as structured or unstructured data sources.
[0095] After obtaining the above data, at least a portion of it can be preprocessed in step 2. For example, unstructured information can be preprocessed using deep learning. Specifically, unstructured text and fields are parsed and decomposed as necessary. Here, deep learning-based medical entity recognition algorithms, entity relationship extraction algorithms, and medical event extraction algorithms can be used for preprocessing. Specific models can be based on BiLSTM+CRF or BERT medical pre-trained models, and three types of features—medical entities, entity relationships, and medical events—can be obtained.
[0096] After preprocessing, step 3, feature extraction, can be performed on the acquired data. The feature extraction described above can include three sub-steps.
[0097] First, in sub-step 3.1, feature extraction can be performed on structured information. For structured fields, which are usually columns in a data table, such as name or ID number, the field name and field content can be directly used as features.
[0098] In sub-step 3.2, feature extraction can be performed on unstructured data. For example, for unstructured fields and files, the three types of features obtained through preprocessing in step 2 can be directly acquired. Therefore, in some embodiments, step 2 can be incorporated into sub-step 3.2.
[0099] In step 3.3, multi-table, multi-field cascaded feature extraction can be performed on structured information. In medical information, some fields or content may not involve sensitive information when taken individually, but if they are associated, they may uniquely identify a specific patient or greatly narrow down the population. For example, the four features of a patient's female identity, hospital name, department name, and length of hospital stay are usually non-sensitive or have a very low level of sensitivity, but when combined, "a woman was admitted to the neurosurgery department of xx hospital and stayed for 21 days," it can greatly narrow down the population and may even pinpoint a single patient, leading to privacy breaches. Therefore, it is necessary to identify these cascaded features that create sensitivity based on multiple fields.
[0100] After extracting the above features, we can proceed to step 4, which uses the sensitive information recognition model to identify sensitive information from the input features.
[0101] Here, a sensitivity field classification table defines and categorizes sensitive information in the healthcare field. For example, hospital names, addresses, and phone numbers are completely publicly available information, classified as level 1; patient mobile phone numbers are directly identifiable information, classified as level 4; and information about a patient having had HIV is the most sensitive (level 5), accessible only to the patient's attending physician. A sensitive information identification model (also known as a "classification model") can be trained based on this sensitivity field classification table.
[0102] Furthermore, this sensitive information identification model can be implemented as a multi-model fusion sensitive information identification technology. Specifically, it can integrate regular expression matching, deep learning, medical knowledge graphs, and other methods to enhance the identification effect. For some well-structured fields or information, regular expression matching is usually sufficient to achieve good identification results. For most unstructured information, it is necessary to integrate deep learning and knowledge graphs for identification.
[0103] The specially constructed medical knowledge graph contains entities such as diseases, surgeries, symptoms, examinations, tests, and drugs, as well as the relationships between these entities, and includes multiple synonyms for each entity.
[0104] In a preferred embodiment, step 4 may also include an additional vector fusion step. Figure 6 An example of sensitive information classification based on vector fusion according to an embodiment of the present invention is shown.
[0105] As mentioned earlier, for most unstructured information, it is necessary to integrate deep learning and knowledge graphs for identification. Therefore, the entity features, relation features, and event features obtained in step 3, especially step 3.2, can be simultaneously input into a vector encoding model along with the associated knowledge graph. The vector encoding model can be implemented based on LSTM, BERT, etc., and is used to process the above features and knowledge graph into word vectors, corresponding to entity vectors, relation vectors, event vectors, and graph vectors in the graph. These vectors can then be input into a sensitive information recognition model used as a classification model. The classification recognition model identifies the results based on the fused feature vectors. The model used can be any suitable machine learning model, such as a fully connected neural network or a traditional machine learning model like LightGBM.
[0106] This yields the identification results of whether it is sensitive and the level of sensitivity, for example... Figure 5As shown in step 5. When the classification model includes classification results based on the five sensitivity levels described above, the sensitivity and sensitivity level can be determined simultaneously based on the category to which the identification result belongs. For example, if it is classified as sensitivity level 1, it is considered insensitive, while if it is classified as sensitivity level 2-5, it is considered sensitive, and the higher the level, the more sensitive the content.
[0107] In addition to whether the field is sensitive and its sensitivity level, the identification results may also include some statistical information, such as the name and location of the sensitive field; the specific content of the sensitive information; the sensitivity level of the sensitive information; and the frequency of the occurrence of this sensitive information.
[0108] Based on the identification results, the data source, or data preprocessed from the data source, can undergo the automatic desensitization process shown in step 6. Specifically, for the identified sensitive information, desensitization can be automatically performed according to the sensitivity level, such as direct deletion, replacement with preset characters, generalization, or encryption. In some embodiments, the decision on whether to encrypt sensitive data and the form of encryption can be made based on the user's usage level or the application context of the data when actually requesting medical data.
[0109] Therefore, this invention combines a deep learning model and a medical knowledge graph fusion identification scheme, which can de-identify unstructured data; at the same time, it identifies and de-identifies multi-dimensional sensitive information through cascaded features.
[0110] The medical data anonymization scheme according to the present invention has been described in detail above with reference to the accompanying drawings. Addressing the problems of existing technologies based on regular expression matching, which are overly simplistic, can only handle structured data, and have poor recognition performance, this invention combines deep learning models with existing technologies such as regular expression matching. Furthermore, it integrates a vast medical terminology database and knowledge graph to solve industry-specific problems such as inconsistent medical terminology, numerous aliases, and high knowledge barriers, thereby achieving automated identification and anonymization of a large amount of sensitive content in medical information.
[0111] Furthermore, the method according to the present invention can also be implemented as a computer program or computer program product, which includes computer program code instructions for performing the steps defined in the above-described method of the present invention.
[0112] Alternatively, the present invention can also be implemented as a non-transitory machine-readable storage medium (or computer-readable storage medium, or machine-readable storage medium) storing executable code (or computer program, or computer instruction code) thereon, which, when executed by a processor of an electronic device (or computing device, server, etc.), causes the processor to perform the various steps of the method described above according to the present invention.
[0113] Those skilled in the art will also understand that the various exemplary logic blocks, modules, circuits, and algorithm steps described in connection with the disclosure herein can be implemented as electronic hardware, computer software, or a combination of both.
[0114] The flowcharts and block diagrams in the accompanying drawings illustrate the architecture, functionality, and operation of possible implementations of systems and methods according to various embodiments of the present invention. In this regard, each block in a flowchart or block diagram may represent a module, segment, or portion of code containing one or more executable instructions for implementing a specified logical function. It should also be noted that in some alternative implementations, the functions marked in the blocks may occur in a different order than those marked in the drawings. For example, two consecutive blocks may actually be executed substantially in parallel, and they may sometimes be executed in reverse order, depending on the functions involved. It should also be noted that each block in the block diagrams and / or flowcharts, and combinations of blocks in the block diagrams and / or flowcharts, can be implemented using a dedicated hardware-based system that performs the specified function or operation, or using a combination of dedicated hardware and computer instructions.
[0115] The various embodiments of the present invention have been described above. These descriptions are exemplary and not exhaustive, nor are they limited to the disclosed embodiments. Many modifications and variations will be apparent to those skilled in the art without departing from the scope and spirit of the described embodiments. The terminology used herein is chosen to best explain the principles, practical application, or improvement of the technology in the market, or to enable others skilled in the art to understand the embodiments disclosed herein.
Claims
1. A method for desensitizing medical data, comprising: Feature extraction is performed on the medical data to be anonymized to obtain medical data features. The medical data to be anonymized includes structured and unstructured information. In the case of structured data, structured features are obtained from the structured information, and multi-table, multi-field cascaded features are obtained from structured fields specific to the medical subject. In the case of unstructured data, the unstructured medical text and fields are fed into a preprocessing model to obtain medical entity features, entity relationship features, and / or medical event features. The entity relationship features are used to characterize the relationships between entities in the unstructured fields. The structured features, the cascaded features, the features extracted from unstructured information, and the medical knowledge graph are fed into a vector encoding model to obtain a fusion vector. The fusion vector is then fed into a sensitive information identification model to obtain identification results with the sensitivity level marked. Based on the identified sensitivity level, determine the method for de-identifying sensitive data.
2. The method of claim 1, further comprising: Define key medical events; as well as Based on the defined key medical events, the medical event features are obtained from multiple entity features and entity relationship features.
3. The method as described in claim 1, wherein, The medical data features and medical knowledge graph are fed into a vector encoding model to obtain a fusion vector, including: Based on the relevant entities included in the medical knowledge graph and the relationships between these entities, a graph vector is extracted; and The vector encoding model processes the medical data features together with the map vector into the fusion vector.
4. The method of claim 1, wherein, The sensitive information identification model is also used to output at least one of the following: Sensitive data type of sensitive fields; The location of sensitive fields; The specific content of the sensitive fields; and Frequency of occurrence of sensitive information.
5. A medical data anonymization device, comprising: The feature acquisition unit is used to extract features from the medical data to be anonymized, acquiring medical data features. The medical data to be anonymized includes structured and unstructured information. In the case of structured data, structured features are acquired from the structured information, and multi-table, multi-field cascaded features are acquired from structured fields specific to the medical subject. In the case of unstructured data, the unstructured medical text and fields are fed into a preprocessing model to acquire medical entity features, entity relationship features, and / or medical event features. The entity relationship features are used to characterize the relationships between entities in the unstructured fields. The sensitive identification unit is used to input the structured features, the cascaded features, the features extracted from unstructured information, and the medical knowledge graph into the vector coding model to obtain a fusion vector, and then input the fusion vector into the sensitive information identification model to obtain the identification result marked with the sensitivity level. The desensitization method determination unit is used to determine the desensitization method for sensitive data based on the identified sensitivity level.
6. A computing device, comprising: processor; as well as A memory having executable code stored thereon, which, when executed by the processor, causes the processor to perform the method as described in any one of claims 1-4.
7. A computer program product comprising executable code that, when executed by a processor of an electronic device, causes the processor to perform the method as described in any one of claims 1-4.