Privacy preserving medical data processing system

By constructing structured medical records and a dynamic update mechanism, the problems of static solidification of privacy protection strategies and cross-stage information superposition in the processing of multi-source medical data have been solved. This has enabled unified archiving and efficient utilization of multi-source medical data, ensuring the accuracy of data analysis and privacy security.

CN122157934APending Publication Date: 2026-06-05THE FIFTH MEDICAL CENT OF CHINESE PLA GENERAL HOSPITAL

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
THE FIFTH MEDICAL CENT OF CHINESE PLA GENERAL HOSPITAL
Filing Date
2026-03-31
Publication Date
2026-06-05

AI Technical Summary

Technical Problem

Existing technologies for processing multi-source medical data suffer from problems such as static and fixed privacy protection strategies and privacy sensitivity drift caused by cross-stage information overlay, making it difficult to achieve unified data archiving and efficient utilization.

Method used

A privacy-preserving medical data processing system is constructed. Through structured medical records and dynamic update mechanisms, data is standardized and parsed, and privacy-enhancing processing is performed to generate data units containing privacy protection identifiers. Restricted access and record updates are then implemented, and phased processing results are generated.

Benefits of technology

It enables unified and standardized access and management of multi-source heterogeneous medical data, effectively suppressing the risk of privacy leakage caused by cross-source data correlation inference, ensuring the accuracy and credibility of data analysis, while limiting the scope of data flow and achieving efficient use in compliance with privacy regulations.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122157934A_ABST
    Figure CN122157934A_ABST
Patent Text Reader

Abstract

The application relates to the technical field of medical data processing, and provides a medical data processing system based on privacy protection, which comprises the following steps: acquiring multi-source medical data corresponding to a target object, performing standardization analysis and privacy enhancement processing on the multi-source medical data, and generating a plurality of data units comprising privacy protection marks; calling a structured medical archive corresponding to the target object, extracting a target data view from the structured medical archive; processing the data units and the target data view to obtain a stage processing result, and writing the stage processing result into the structured medical archive. The application realizes unified filing and privacy enhancement of multi-source medical data, effectively suppresses privacy sensitivity drift caused by cross-stage information superposition through dynamic write-back of limited calling of the target data view and the processing result, and guarantees the continuity and privacy compliance of the medical data.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of medical data processing technology, and more specifically to a privacy-preserving medical data processing system. Background Technology

[0002] With the development of medical informatization, medical data has become increasingly dispersed and heterogeneous, including clinical diagnosis and treatment data, laboratory testing data, imaging data, and monitoring data. This data is typically stored separately in different medical institutions or systems, with inconsistent formats and standards, creating a serious "data silo" phenomenon. To achieve precision medicine and health management, it is necessary to uniformly archive and comprehensively analyze multi-source medical data. However, medical data involves sensitive patient privacy information, and how to achieve privacy compliance while ensuring data availability is a critical issue that urgently needs to be addressed.

[0003] Existing technologies typically employ data anonymization, encrypted transmission, or static access control to protect privacy. For example, one-time anonymization may be performed during data collection, or fixed access permissions may be set. However, in actual medical management, data processing is often not a one-time event but involves multiple stages such as risk assessment, early warning, and follow-up. The sensitivity of the same original medical information is not constant across different processing stages. When original data is overlaid with historical image summaries, follow-up records, and stage processing results, it may possess stronger disease-specificity or identity-identifying properties in subsequent stages. Most existing technologies employ static privacy protection strategies, failing to detect the shift in privacy sensitivity caused by the overlay of information across stages, easily leading to privacy leakage risks. Furthermore, existing technologies lack effective dynamic record-up mechanisms, making it difficult to guarantee the continuity and integrity of medical data, thus limiting the accuracy of subsequent medical analysis and management.

[0004] To address the above issues, this application presents a privacy-preserving medical data processing system. Summary of the Invention

[0005] To address the problems of existing technologies, such as the difficulty in unifying the archiving of multi-source medical data, the static and fixed nature of privacy protection strategies, and the drift in privacy sensitivity caused by the superposition of information across different stages, this application constructs structured medical records and enables dynamic updates and restricted access through a privacy-protected medical data processing system, thereby achieving privacy compliance and efficient utilization of medical data.

[0006] To achieve the above objectives, the present invention provides the following technical solution:

[0007] A privacy-preserving medical data processing system is applied to a medical data management repository, which includes structured medical records corresponding one-to-one with all target objects. The system includes:

[0008] The data processing module is used to acquire multi-source medical data corresponding to the target object, perform standardized parsing and privacy enhancement processing on the multi-source medical data, and generate multiple data units including privacy protection identifiers;

[0009] The view extraction module is used to call the structured medical records corresponding to the target object and extract the target data view from the structured medical records;

[0010] The file update module is used to process the data unit and the target data view to obtain the stage processing result, and write the stage processing result into the structured medical file.

[0011] The multi-source medical data includes at least one or more of the following: clinical diagnosis and treatment data, laboratory test data, imaging examination data, physiological parameter monitoring data, and health management data. The multi-source medical data is collected through at least one of the following: examination and testing equipment, image acquisition equipment, mobile monitoring terminal, and remote follow-up terminal.

[0012] The data processing module includes:

[0013] The data parsing unit is used to process data from different sources in the multi-source medical data to obtain standardized data;

[0014] A privacy enhancement unit is used to perform cross-source correlation analysis on the standardized data to generate the data unit;

[0015] The data processing module is configured with a data processing strategy, which includes data parsing logic and privacy enhancement logic. The data parsing logic is configured within the data parsing unit, and the privacy enhancement logic is configured within the privacy enhancement unit.

[0016] The data parsing logic includes:

[0017] Field identification is performed on data from different sources in the multi-source medical data, and the data from different sources is converted into a unified field format based on preset field mapping rules;

[0018] The converted data are processed to unify the data format, unit of measurement, and timestamp alignment in order to generate standardized data with a unified data expression format.

[0019] The privacy enhancement logic includes:

[0020] Cross-source association analysis is performed on the standardized data to identify potential association keys for establishing correspondences between data from different sources. The potential association keys include at least: time-type fields representing the collection time or the time of event occurrence, source-type fields representing the correspondence between data sources, order-type fields representing the sequential relationship between multiple data items, and combination-type fields representing low-frequency combination patterns.

[0021] For different types of potential association keys, association weakening processing is performed respectively. The association weakening processing includes performing time granularity generalization processing on time-type fields, performing source identifier recoding processing on source-type fields, performing order perturbation processing on order-type fields, and performing combination splitting processing on combination-type fields.

[0022] The data unit is constructed based on the data after the association reduction processing is performed, and the association reduction level is written into the privacy protection identifier.

[0023] The method for determining the potential association key includes:

[0024] Based on the co-occurrence relationship of each field in the standardized data among different source data, the cross-source co-occurrence frequency of each field is determined, wherein the co-occurrence relationship is determined by statistically analyzing the co-occurrence of fields in different source data corresponding to the target object within a preset time window;

[0025] Based on the timestamp-aligned data, determine the degree of time synchronization between data from different sources;

[0026] Based on the source category identifiers and field correspondences in the standardized data, the degree of source coupling between data from different sources is determined;

[0027] Based on the distribution of multiple fields appearing together, the sparsity of the field combination is determined;

[0028] Based on the cross-source co-occurrence frequency, the time synchronization degree, the source coupling degree, and the sparsity of the field combination, generate the association risk score corresponding to each field and field combination;

[0029] Fields and field combinations that meet preset conditions in the association risk score are used as the potential association keys. The preset conditions include that the association risk score is greater than or equal to a preset risk threshold, and the cross-source co-occurrence frequency of the corresponding field and field combination is greater than or equal to a preset frequency threshold.

[0030] The method for constructing the data unit includes:

[0031] The data after the association weakening process is aggregated, and the aggregated data is grouped based on field type to generate multiple candidate data fragments;

[0032] For each candidate data segment, extract the corresponding field set, time range information, and source category information, and generate the corresponding data payload;

[0033] Based on the weakening method and weakening strength of each candidate data segment in the association weakening process, the corresponding association weakening level is determined;

[0034] The data payload and the target object identifier corresponding to the candidate data fragment are combined and encapsulated to generate the data unit;

[0035] The association weakening level is written into the privacy protection identifier, and the privacy protection identifier is bound to the data unit.

[0036] The view extraction module is configured with view extraction logic, which includes:

[0037] Extracting file content associated with the target object from the structured medical records, wherein the file content includes at least one of field content, time range information, source category information, and privacy protection identifier;

[0038] The archive content is filtered by a clustering algorithm to determine the target archive content. The clustering algorithm generates a clustering feature vector corresponding to each archive content by encoding the field category, time range, source category and privacy protection mark in the archive content, and clusters the archive content based on the similarity between the clustering feature vectors.

[0039] Based on the clustering results, the target file content is determined by combining the privacy protection identifiers corresponding to the multi-source medical data.

[0040] The target file content is organized and combined to generate the target data view.

[0041] The file update module includes:

[0042] The stage result extraction unit is used to extract the result content to be written and generate the stage processing result;

[0043] The stage result writing unit is used to write the stage processing results into the structured medical record;

[0044] The archive update module further includes an update strategy, which comprises stage result extraction logic and stage result writing logic. The stage result extraction logic is configured within the stage result extraction unit, and the stage result writing logic is configured within the stage result writing unit. The stage result writing logic includes:

[0045] Retrieve the corresponding record from the structured medical records and determine the target write location corresponding to the stage processing result;

[0046] The results of the stage processing are encapsulated to generate a result writing payload, wherein the result writing payload includes at least one of the following: stage result content, result generation time information, and minimum witness set identifier information corresponding to the stage processing result;

[0047] The result is written to the payload and associated with the existing file content in the structured medical record to form a result record associated with the target object in the structured medical record;

[0048] The structured medical records that have been written are then updated to complete the writing of the results of the previous stage of processing.

[0049] The logic for extracting the stage results includes:

[0050] Based on the data unit, current evidence elements are extracted, and based on the target data view, historical evidence elements are extracted. The current evidence elements are extracted by parsing the field content, time range information, and source category information in the data unit, and the historical evidence elements are extracted by parsing the field distribution content, time organization content, and source organization content in the target data view.

[0051] Based on the correspondence between the current evidence elements and the historical evidence elements, a candidate witness relationship set is constructed. The candidate witness relationship set is used to characterize the joint support relationship between different evidence elements for the same stage state. The joint support relationship is used to characterize the degree of joint support between the current evidence elements and the historical evidence elements in terms of field category consistency, time evolution continuity, and source distribution correlation.

[0052] The minimum evidence combination is selected from the candidate witness relationship set to determine the minimum witness set, and the stage processing result is generated based on the minimum witness set.

[0053] Compared with the prior art, the beneficial effects of the present invention are:

[0054] This invention achieves unified and standardized access and management of multi-source heterogeneous medical data by constructing structured medical records containing privacy protection identifiers. This method does not rely solely on traditional static anonymization but effectively suppresses the privacy leakage risk caused by cross-source data association inference by identifying potential association keys and performing targeted association weakening processing. Simultaneously, this invention establishes a dynamic record update mechanism, writing the processing results of each stage back into the record, allowing the record to continuously evolve as the medical process progresses, solving the privacy sensitivity drift problem caused by cross-stage information overlay in existing technologies. Furthermore, by restricting access to target data views and generating a minimum witness set, it ensures both the accuracy and reliability of data analysis while strictly limiting the scope of data flow, achieving efficient utilization of medical data under the premise of privacy compliance. Attached Figure Description

[0055] Other features, objects, and advantages of the invention will become more apparent from the following detailed description of non-limiting embodiments with reference to the accompanying drawings:

[0056] Figure 1 A schematic diagram of a privacy-protected medical data processing system provided in an embodiment of the present invention;

[0057] Figure 2 This is a flowchart illustrating a privacy-preserving medical data processing method provided in an embodiment of the present invention. Detailed Implementation

[0058] The technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings of the embodiments of the present invention. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments.

[0059] The term "embodiment" as used herein means that a particular feature, structure, or characteristic described in connection with an embodiment may be included in at least one embodiment of this application. The appearance of this phrase in various places throughout the specification does not necessarily refer to the same embodiment, nor is it a separate or alternative embodiment mutually exclusive with other embodiments. Those skilled in the art will explicitly and implicitly understand that the embodiments described herein...

[0060] In an application environment where the continuous accumulation and phased utilization of medical data are becoming increasingly commonplace, establishing a long-term evolving health information recording system centered around a single target object has become a fundamental supporting capability for intelligent healthcare, remote health management, chronic disease intervention, and multi-source diagnosis and treatment collaboration. Especially in scenarios where multiple types of data, such as laboratory tests, vital sign monitoring, health management, and follow-up tracking, are accessed in parallel, medical data no longer exhibits a static input form of one-time collection and analysis. Instead, it displays a dynamic evolutionary characteristic of continuous accumulation with each collection round, continuous invocation with each processing task, and repeated writing back with each analysis result. Therefore, the object of medical data processing is no longer just a single data record at a particular moment, but has gradually evolved into a structured medical archive that is continuously associated with the target object and can carry historical information, current input, and processing results.

[0061] In such application scenarios, actual business operations often do not involve making a one-time judgment based on raw data. Instead, a continuous processing chain needs to be established between data from different times, sources, and granularities. For example, for the same target object, the system may successively receive recorded information from clinical diagnosis and treatment, indicator information from laboratory examinations, descriptive information from imaging examinations, physiological parameter information from mobile monitoring terminals, and behavioral feedback information from health management or remote follow-up. After entering the processing system, this information usually needs to be standardized and organized first, then associated with existing archival content, and subsequently a target data view is formed for the current task, and the corresponding stage processing results are output. In other words, the actual application is not a simple "data acquisition-data storage" problem, nor an isolated "analysis-output" problem, but a closed-loop processing process that includes heterogeneous data access on the input side, organization of historical content on the archival side, and continuous incremental updates on the result side.

[0062] Those skilled in the art have realized through long-term engineering practice that, in the face of the aforementioned dynamic closed-loop scenarios, relying solely on traditional methods such as field anonymization, identity de-identification, encrypted transmission, or static permission isolation often only addresses partial privacy protection issues related to medical data "before entering the system" or "during a single transfer," but fails to fundamentally address the new privacy risks arising from the continuous evolution of structured medical records. This is because privacy exposure in medical data does not always stem from the direct leakage of a single field. More commonly, initially scattered, independent, and low-sensitivity data content, after being uniformly formatted, time-aligned, cross-source-linked, and written multiple times, gradually forms a composite information structure capable of indicating specific health states, behavioral trajectories, or disease progression trends. At this point, even if each round of data entering the system undergoes seemingly compliant privacy enhancement processing, new identification and inference paths may still emerge within the structured medical record due to the continuous accumulation of content from multiple sources, causing privacy boundaries to drift with the processing.

[0063] Furthermore, in existing solutions in this field, when dealing with medical data that requires long-term accumulation and periodic access, a common technical approach is to standardize and de-identify newly collected data before directly storing it in the database, and then extract content that meets the criteria from the archives for analysis during subsequent processing. This approach is applicable to static scenarios, but in scenarios where structured medical archives are continuously updated and historical information is repeatedly involved in analysis, it often exposes two unavoidable technical challenges. First, after data from different sources is formatted, time-axisd, and attributed to a unified object, content that originally lacked obvious identifiability may re-form implicit association keys through time correspondence, source correspondence, sequence correspondence, or low-frequency combination relationships, thereby improving the ability to make inferences across subsequent rounds. Second, when the system extracts target data views from structured medical archives, if a relatively crude extraction method is still used, historical archive content will participate in the current task with high redundancy, which not only increases the processing burden but also amplifies the dominance of historical content on the current stage's results, making the result generation overly dependent on the stacking of all information and lacking necessary evidentiary constraints.

[0064] It is precisely because of the aforementioned long-standing engineering dilemmas that are difficult to resolve properly through conventional technical means that the technical concept proposed in this application does not simply interpret privacy protection as "de-identifying data before it enters the system," nor does it simply interpret stage processing as "directly fusing and calculating the current input and historical view." Instead, it starts from the real-world application premise of the continuous evolution of structured medical records and reorganizes the relationship between the input side, the view side, and the result generation side. Specifically, this application recognizes that the core contradiction in the continuous processing of medical data is not entirely about whether a single piece of data is sensitive, but rather whether the connections between different sources of content can be continuously reconstructed in subsequent stages. Similarly, the generation of stage processing results should not be based on the direct aggregation of all available information, but rather on the constrained extraction of the effective supporting relationship between the current input and the historical view. In other words, the technical principle of this application is as follows: first, weaken the high-risk association keys that may trigger subsequent association reconstruction before the data enters the structured medical record; then, extract the organized target data view from the structured medical record; and then use the minimum witness relationship between the current data unit and the historical view that can jointly support the target stage state to generate the stage processing result, thereby avoiding the formation of the stage processing result from over-reliance on redundant historical content or over-reliance on cross-source full splicing.

[0065] It should be noted that this application does not apply to a specific processing flow for a particular disease, a specific treatment department, or a specific equipment interface. Instead, it applies to medical data processing scenarios with the following common characteristics: First, scenarios where the target object continuously generates multiple rounds of medical data at different times, and each round of data needs to be correlated with existing records to achieve effective judgment. Second, scenarios where there are time, source, or sequence correspondences between data from different sources, which, after standardization, easily form cross-source joint inference capabilities. Third, scenarios where the current processing result needs to rely on historical record content for support, but it is undesirable for historical content to be unrestrictedly disseminated and involved in the current calculation. Typical applications include, but are not limited to, continuous management of chronic diseases, collaborative follow-up inside and outside hospitals, remote monitoring and early warning, comparative analysis of multiple rounds of examination results, identification of staged health status, and intelligent processing of individual long-term health records. For the above scenarios, this application does not take fixed disease labels, fixed department boundaries or fixed data formats as implementation premises. Instead, it is aimed at a more universal technical fact: as long as the medical data processing process has the closed-loop characteristics of "multi-source heterogeneous input", "structured archive carrying", "target view extraction" and "continuous generation of stage results", it may face the problems of dynamic drift of privacy boundaries and redundant support of stage processing. This application proposes a corresponding technical solution for such problems.

[0066] refer to Figure 1 , Figure 1A schematic diagram of a privacy-protected medical data processing system provided in an embodiment of this application.

[0067] In one example, the system of this application is applied to a medical data management database, which includes structured medical records corresponding one-to-one with all target objects. The system includes:

[0068] The data processing module is used to acquire multi-source medical data corresponding to the target object, perform standardized parsing and privacy enhancement processing on the multi-source medical data, and generate multiple data units including privacy protection identifiers;

[0069] The view extraction module is used to call the structured medical records corresponding to the target object and extract the target data view from the structured medical records;

[0070] The file update module is used to process the data unit and the target data view to obtain the stage processing result, and write the stage processing result into the structured medical file.

[0071] The data processing module includes:

[0072] The data parsing unit is used to process data from different sources in the multi-source medical data to obtain standardized data;

[0073] A privacy enhancement unit is used to perform cross-source correlation analysis on the standardized data to generate the data unit;

[0074] The data processing module is configured with a data processing strategy, which includes data parsing logic and privacy enhancement logic. The data parsing logic is configured within the data parsing unit, and the privacy enhancement logic is configured within the privacy enhancement unit.

[0075] The file update module includes:

[0076] The stage result extraction unit is used to extract the result content to be written and generate the stage processing result;

[0077] The stage result writing unit is used to write the stage processing results into the structured medical record;

[0078] The archive update module further includes an update strategy, which includes stage result extraction logic and stage result writing logic. The stage result extraction logic is configured within the stage result extraction unit, and the stage result writing logic is configured within the stage result writing unit.

[0079] like Figure 2 As shown, this embodiment also provides a privacy-preserving medical data processing method, which is applied to a medical data management library. The medical data management library includes structured medical records that correspond one-to-one with all target objects. This embodiment aims to construct an overall data processing architecture and core flow logic, forming a closed-loop data management process through standardized data access, privacy-enhanced encapsulation, restricted access, and dynamic write-back.

[0080] Specifically, the method in this embodiment includes the following steps:

[0081] Step S100: Obtain multi-source medical data corresponding to the target object, perform standardized parsing and privacy enhancement processing on the multi-source medical data, and generate multiple data units including privacy protection identifiers.

[0082] In this step, multi-source medical data refers to heterogeneous data originating from different medical business systems or acquisition devices. After acquiring this data, the system does not directly store the raw data but first performs standardized parsing to eliminate differences in data format and semantics. Subsequently, privacy enhancement processing is performed. This process is not simply de-identification but generates data units containing privacy protection identifiers. This data unit is the basic carrier of data flow, and the privacy protection identifier indicates the privacy level, usability scope, or degree of reduction of the data unit. By generating data units with privacy protection identifiers, the system completes privacy-compliant encapsulation at the source of data access, laying the foundation for subsequent secure data flow.

[0083] Step S200: Call the structured medical record corresponding to the target object and extract the target data view from the structured medical record.

[0084] This step involves operations on the core data carriers in the medical data management repository. Structured medical records are logical data sets uniquely corresponding to a target object, storing that object's historical medical data and processing records. Unlike existing technologies that directly read the raw database, this embodiment uses a restricted access method of "extracting a target data view." The target data view is a specific subset of data selected from the records based on the needs of the current processing stage. It should be understood that the extraction process of the target data view is constrained by privacy protection flags; that is, only data that meets privacy compliance requirements can be included in the view, thus achieving a secure mechanism of data being "usable but not visible" or "visible on demand."

[0085] Step S300: Process the data unit and the target data view to obtain the stage processing result, and write the stage processing result into the structured medical record.

[0086] After acquiring the newly generated data unit (representing the current state) and the target data view (representing the historical context), the system performs joint processing on both. This processing may include logical operations such as data comparison, trend analysis, and risk assessment, thereby generating a stage processing result. This result is not merely an output value, but also contains key evidentiary information from the processing process. Finally, the system writes the stage processing result back to the structured medical record. This write-back action updates the record content, enabling dynamic evolution of the record. Through this write-back mechanism, the result of each processing step becomes the historical basis for the next processing step, ensuring the continuity and integrity of medical data and effectively solving the privacy sensitivity drift problem caused by cross-stage information overlay.

[0087] In summary, this embodiment establishes a top-level architecture for unified archiving and dynamic updating of multi-source medical data by constructing data units containing privacy protection identifiers and structured medical records. This architecture introduces privacy constraint mechanisms at every stage of data flow, ensuring a balance between data availability and privacy security.

[0088] In one example, this embodiment of the application further refines step S100, mainly involving the specific types of multi-source medical data, collection methods, and the specific implementation process of standardized parsing. The solution of this embodiment can effectively solve the problems of inconsistent formats and asynchronous times in the access phase of multi-source heterogeneous data, providing a high-quality data foundation for subsequent privacy enhancement processing.

[0089] Specifically, multi-source medical data includes at least one or more of the following: clinical diagnosis and treatment data, laboratory test data, imaging examination data, physiological parameter monitoring data, and health management data. It should be understood that the above data types are merely preferred examples given in this embodiment. In practical applications, any data that can reflect the health status or treatment process of the target subject can be included within the scope of protection of this invention. For example, clinical diagnosis and treatment data may specifically include structured or semi-structured text such as chief complaints, present medical history, diagnostic conclusions, and medical orders in electronic medical records; laboratory test data covers numerical data such as complete blood counts and biochemical indicators; imaging examination data is typically DICOM format CT, MRI, or ultrasound image files; physiological parameter monitoring data comes from wearable devices, such as continuous heart rate and blood oxygen monitoring values; and health management data may include patient-reported dietary records and exercise logs. This data is collected through at least one of the following: examination and testing equipment, image acquisition equipment, mobile monitoring terminals, and remote follow-up terminals. For example, the Hospital Information System (HIS) serves as the data source for examination and testing equipment, the Radiology Information System (RIS) and Picture Archiving and Communication System (PACS) serve as the data source for image acquisition equipment, and the smart bracelet worn by the patient acts as a mobile monitoring terminal that uploads data in real time. This multi-source acquisition method ensures the comprehensiveness of the data, but it also introduces the challenge of data heterogeneity.

[0090] To address the aforementioned heterogeneity issue, the standardized parsing provided in this embodiment includes the following specific steps:

[0091] Step S101 involves identifying fields from different sources in the multi-source medical data and converting the data into a unified field format based on preset field mapping rules. Since different medical systems or equipment manufacturers use different data standards—for example, image data typically follows the DICOM standard, while clinical text data may follow the HL7 standard or a proprietary format—direct reading often leads to field ambiguity. This step addresses this issue by using preset field mapping rules. For instance, for DICOM image data, the system identifies the field labeled "PatientName" and maps it to "Target Object Name" in the unified field format; for HL7 text data, the system identifies the field with the segment "PID-5" and similarly maps it to "Target Object Name". In this way, regardless of the naming convention used by the original data, it is converted into a unified field format within the system, eliminating semantic heterogeneity.

[0092] Step S102 involves standardizing the data format, units of measurement, and timestamps of the converted data to generate standardized data with a unified data representation. After field mapping, differences in data types and units still need to be addressed. For example, the white blood cell count in one laboratory test might be measured in "10^9 / L," while another source might use "K / uL." The system needs to standardize all similar indicators according to preset unit conversion rules. More critically, timestamp alignment is crucial. Since the system clocks of different acquisition devices may deviate, or network transmission delays may cause inconsistent data arrival times, directly using the data packet reception time for analysis can lead to errors. Therefore, this embodiment aligns the data based on the event occurrence times recorded in the data content. For example, for an imaging examination record, the examination date and time are extracted; for a medical order record, the order date is extracted. The system converts these event occurrence times into standard timestamps and uses them as the index benchmark for the data in the time dimension. This ensures that even if data arrives at the system at different times, its position on the timeline accurately reflects the actual medical process, providing accurate time dimension support for subsequent cross-source correlation analysis.

[0093] In yet another example, this embodiment of the application provides a more detailed explanation of the privacy enhancement process described in step S100. In the field of medical data processing, simple de-identification is often insufficient to address advanced privacy attacks. Attackers may infer patient identity or sensitive medical information through cross-source data correlation analysis. Therefore, this embodiment focuses on how to identify potential correlation risks and implement targeted mitigation measures.

[0094] Specifically, privacy-enhancing processing includes performing cross-source association analysis on standardized data to identify potential association keys used to establish correspondences between data from different sources. Potential association keys refer to data fields or combinations of fields that, when existing individually, have low sensitivity but, when combined across sources, can uniquely point to a specific individual or reveal a specific medical event. These potential association keys include at least: time-based fields representing the time of data collection or the time of event occurrence; source-based fields representing the correspondence between data sources; sequence-based fields representing the sequential relationship between multiple data items; and combination-based fields representing low-frequency combination patterns.

[0095] To accurately identify the aforementioned potential association keys, this embodiment provides a determination method based on multidimensional feature evaluation, specifically including the following steps:

[0096] Step S1031: Based on the co-occurrence relationships of each field in the standardized data across different source data, determine the cross-source co-occurrence frequency of each field. The co-occurrence relationship is determined by statistically analyzing the co-occurrence of fields in different source data corresponding to the target object within a preset time window. For example, if a patient's "blood oxygen saturation" field frequently appears in the same time period as the "sleep monitoring report" field, then their co-occurrence frequency is high. A high co-occurrence frequency indicates a strong correlation between these two fields, which can easily become a clue for inferring the patient's condition.

[0097] Step S1032: Based on the timestamped data, determine the degree of time synchronization between data from different sources. The degree of time synchronization reflects the tightness of coupling between different data sources in the time dimension. For example, if the timestamp of an imaging examination is exactly the same as the timestamp of a medical order (accurate to the second), the degree of time synchronization between the two is extremely high. Such a precise time overlap can easily become the anchor point for a link attack.

[0098] Step S1033: Based on the source category identifiers and field correspondences in the standardized data, determine the degree of source coupling between data from different sources. The degree of source coupling characterizes the correlation of the data generation environment. For example, data from the same department or the same medical device serial number have a high degree of source coupling, suggesting a specific diagnostic and treatment logic connection behind the data.

[0099] Step S1034: Based on the distribution of the joint occurrence of multiple fields, determine the sparsity of the field combinations. Sparsity is key to identifying "low-frequency combination patterns." For example, in the general population, the combination of "cold" and "headache" is relatively common, with low sparsity; while the combination of "specific gene mutation" and "rare drug use" is extremely rare, with high sparsity. Such high-sparse field combinations can often directly locate a very small number or even a unique individual, belonging to high-risk potential associations.

[0100] Step S1035 generates association risk scores for each field and field combination based on cross-source co-occurrence frequency, time synchronization degree, source coupling degree, and sparsity of field combinations. This step integrates the feature values ​​of the above four dimensions into a comprehensive score using a weighted algorithm. It should be understood that the weighting can be adjusted according to the actual application scenario. For example, in rare disease screening scenarios, the weight of sparsity can be appropriately increased.

[0101] Step S1036: Fields and field combinations whose association risk scores meet preset conditions are designated as potential association keys. These preset conditions include an association risk score greater than or equal to a preset risk threshold, and the cross-source co-occurrence frequency of the corresponding field and field combination being greater than or equal to a preset frequency threshold. Through this filtering mechanism, the system can automatically filter out low-risk fields and only process high-risk potential association keys, thereby maximizing data availability while ensuring privacy and security.

[0102] After identifying potential association keys, this embodiment further performs association weakening processing on different types of potential association keys. The core of association weakening processing is to destroy the strong association between data, thereby blocking the privacy inference path.

[0103] Specifically, association weakening processing includes:

[0104] First, time-granularity generalization is performed on time-related fields. For example, the original check time, "2023-10-01 14:35:28", which was accurate to the second, is generalized to the hour, i.e., "2023-10-01 14:00-15:00". By reducing the time precision, it becomes difficult to match data from different sources one-to-one using precise timestamps, thereby blocking inference attacks based on the degree of time synchronization.

[0105] Second, source identifier recoding is performed on source category fields. For example, the source identifier "Device_A_001", which originally contained a specific device number or department name, is recoded into a generalized category identifier "Imaging Equipment Class". This process severs the direct link between the data and a specific physical device or department, reducing the risks associated with source coupling.

[0106] Third, perform order perturbation processing on sequential fields. For example, for a set of sequential data reflecting the diagnosis and treatment process (such as "registration-consultation-examination-medication pickup"), the order of some non-critical steps can be slightly adjusted or disordered without changing the overall diagnosis and treatment logic. This perturbation makes it difficult for attackers to lock specific diagnosis and treatment processes through strict sequential relationships.

[0107] Fourth, the system performs combination splitting processing on combination fields. For example, for identified high-risk sparse combinations (such as "rare disease A" and "specific drug B"), the system splits the combination and stores it in different data units, and restricts their simultaneous occurrence during the data flow. In this way, even if an attacker obtains some data, it is difficult to reconstruct the complete low-frequency combination pattern, effectively protecting the patient's special disease privacy.

[0108] Finally, the system constructs data units based on the data after correlation weakening processing and writes the correlation weakening level into a privacy protection identifier. The correlation weakening level reflects the strength of the data weakening process; for example, "high weakening" indicates that the data has undergone significant generalization or perturbation, suitable for highly sensitive scenarios; "low weakening" indicates that the data retains a high degree of original accuracy, suitable for routine analysis scenarios. This identifier provides a direct basis for subsequent restricted data access.

[0109] In summary, this embodiment constructs a proactive defense mechanism through multi-dimensional risk identification and targeted association reduction processing. This mechanism not only solves the problem of privacy leakage when a single data source appears secure but is combined across different sources, but also balances the contradiction between privacy protection and data availability through differentiated reduction methods, providing core technical support for the secure construction of structured medical records.

[0110] In another example, this application embodiment further details the specific structural design and construction method of the data unit generated in step S100. After the privacy enhancement processing is completed, although the data has been weakened, it is still in a discrete state, lacking a unified structural encapsulation, making efficient management and restricted access difficult. Therefore, this embodiment aims to construct a standardized data unit structure that binds data content to its privacy attributes, providing a structural foundation for subsequent file construction and view extraction.

[0111] Specifically, the method for constructing data units includes the following steps:

[0112] Step S1041 involves aggregating the data after association weakening processing and grouping it based on field type to generate multiple candidate data fragments. After privacy enhancement processing, the data stream contains various types of fields, such as patient basic information, test indicators, and imaging features. Storing these data in a mixed manner not only leads to low query efficiency but also risks exposing the entire data block due to the leakage of a single field. Therefore, this step first aggregates the data and then logically groups it according to field type. For example, all fields reflecting the patient's routine blood test indicators are grouped together to generate a "Routine Blood Test Candidate Data Fragment"; all fields reflecting the patient's imaging test conclusions are grouped into another group to generate an "Imaging Diagnosis Candidate Data Fragment". It should be understood that the granularity of grouping can be adjusted according to actual business needs; it can be grouped by test item or by data source, as long as the data within the same candidate data fragment has logical relevance.

[0113] Step S1042: For each candidate data segment, extract the corresponding field set, time range information, and source category information, and generate the corresponding data payload. After determining the candidate data segments, the system needs to extract their metadata information. The field set describes the specific data items contained in the segment, such as {white blood cell count, red blood cell count}; the time range information defines the validity period or collection period of the data, such as {2023-10-01 to 2023-10-02}; the source category information records the source of the data, such as {laboratory equipment A}. Subsequently, the system packages the specific numerical content of the candidate data segments with the above metadata to generate the data payload. The data payload is the core content entity of the data unit, carrying the actual medical information.

[0114] Step S1043: Determine the corresponding association weakening level based on the weakening method and strength of each candidate data segment in the association weakening process. In Example 3, the system performed different degrees of weakening processing on different types of potential association keys. This step quantifies this processing result into an association weakening level. For example, for data segments that have only undergone "time-granularity generalization" processing, their weakening strength is low and can be marked as "Level 1 weakening"; while for highly sensitive data segments that have undergone "combination and splitting" processing, their weakening strength is high and can be marked as "Level 3 weakening". The association weakening level intuitively reflects the degree of privacy protection of the data segments and is a key basis for subsequent differentiated authorization.

[0115] Step S1044: The data payload and the target object identifier corresponding to the candidate data fragment are combined and encapsulated to generate a data unit. To ensure clear ownership of data during the transfer process, the system combines and encapsulates the data payload with the target object identifier (such as a patient's unique identification code). The target object identifier is the index key of the data unit, ensuring that the data unit can be correctly archived into the corresponding structured medical record. The encapsulation process uses a preset data structure format to ensure that all data units have a unified interface, facilitating storage and transmission.

[0116] Step S1045: The association weakening level is written into the privacy protection identifier, and the privacy protection identifier is bound to the data unit. Finally, the system generates a privacy protection identifier, which contains at least the association weakening level determined in the preceding steps. The system logically or physically binds this identifier to the data unit. The bound data unit has the ability to describe its own privacy attributes. When a subsequent processing module calls the data unit, it can read the privacy protection identifier to determine its association weakening level, thereby deciding whether to allow the call or whether further authorization is required. For example, for a data unit with an association weakening level of "high," the system can restrict its transmission in insecure network environments or only allow viewing by doctors with high-level authorization.

[0117] In summary, this embodiment constructs structured data units through a series of operations including grouping, metadata extraction, level quantification, encapsulation, and binding. This design not only achieves modular data management but, more importantly, internalizes privacy protection attributes as inherent characteristics of the data units. This allows privacy protection strategies to accompany the entire lifecycle of data flow, providing the necessary data structure support for restricted calls based on privacy identifiers in subsequent embodiments.

[0118] In another example, this embodiment further refines the target data view extraction method described in step S200. After the construction and archiving of data units are completed, the key challenge when subsequent processing is required is how to securely and efficiently extract data from a large number of structured medical records. This embodiment achieves restricted data retrieval through the dual constraints of clustering algorithms and privacy protection identifiers, solving the problem of "how to securely extract data from records".

[0119] Specifically, the method for extracting the target data view includes the following steps:

[0120] Step S201: Extract the file content associated with the target object from the structured medical records. This file content includes at least one of the following: field content, time range information, source category information, and privacy protection identifier. It should be understood that structured medical records store a massive amount of historical data units; directly reading the entire file is not only inefficient but also prone to privacy leaks. Therefore, the system first performs preliminary screening based on the target object's identifier to extract relevant file content. The privacy protection identifier, a key attribute written in the aforementioned embodiments, records the sensitivity or attenuation level of the data fragment and serves as the basis for subsequent restricted access.

[0121] Step S202 involves filtering the archive content using a clustering algorithm to determine the target archive content. The clustering algorithm generates clustering feature vectors for each archive content by encoding features such as field categories, time ranges, source categories, and privacy protection identifiers in the archive content, and then clusters the archive content based on the similarity between the clustering feature vectors.

[0122] Specifically, the feature encoding process converts non-numerical archival attributes into computer-computable vector forms. For example, for field categories, the system can use one-hot encoding or word embedding techniques to vectorize them; for time range information, it can be converted into time span values ​​or timestamp sequences; for source category information, it is also vectorized; and for privacy protection identifiers, they are quantified into numerical levels (e.g., level one attenuation corresponds to a value of 1, level three attenuation corresponds to a value of 3). Through the above encoding, each piece of archival content is mapped to a multi-dimensional clustering feature vector.

[0123] Subsequently, the system calculates the similarity between the feature vectors of each cluster. Similarity can be calculated using metrics such as Euclidean distance and cosine similarity. Higher similarity indicates that the archival content is closer in the feature space, meaning they have greater similarity in field categories, time spans, origins, and privacy attributes. Based on the similarity calculation results, the system uses clustering algorithms (such as K-means, hierarchical clustering, or DBSCAN) to cluster the archival content, grouping similar content into the same cluster. This process organizes the originally discrete and disorganized archival data into several data sets with inherent similarity, facilitating subsequent batch processing and access control.

[0124] Step S203: Based on the clustering results and the privacy protection identifiers corresponding to the multi-source medical data, determine the target file content. This is the core step in implementing "restricted access." Not all data clusters after clustering are suitable for access in the current stage. The system needs to perform matching and filtering by combining the privacy protection identifiers corresponding to the multi-source medical data (i.e., the privacy attributes of the data to be processed) and the privacy features of the clusters.

[0125] For example, if the current processing stage is routine health trend analysis, which is a low-sensitivity operation, the system will prioritize selecting data clusters with lower privacy protection marker values ​​(i.e., lower attenuation and lower sensitivity) in the cluster feature vectors as target archive content. Conversely, if a cluster of data in the clustering results is highly correlated, but its privacy protection marker indicates that it contains highly sensitive information (such as rare disease combination data), and the current caller does not have high-level access permissions, the system will exclude the data in that cluster or perform secondary desensitization on the data in that cluster before including it in the target archive content. In this way, the "minimum necessary" principle for data retrieval and privacy compliance verification are implemented, effectively preventing the exposure of highly sensitive data in unnecessary scenarios.

[0126] Step S204 involves organizing and combining the target file content to generate a target data view. The filtered target file content may come from different clusters or different data sources; the system needs to format and logically combine it to ultimately generate a structured target data view. This target data view serves as the input dataset for the processing logic in step S300.

[0127] In summary, this embodiment achieves automated grouping and filtering of file content through clustering algorithms, and performs secondary permission verification in conjunction with privacy protection identifiers. This mechanism not only improves the efficiency of data extraction, but more importantly, it constructs a dynamic security defense, ensuring that the system extracts only the minimum dataset that meets privacy compliance requirements at different processing stages and for different permission needs, thereby achieving truly restricted access.

[0128] In another example, this embodiment further details step S300, mainly involving the logic for generating the stage processing results and the specific process of dynamically writing the results back to the structured medical records. This embodiment ensures the credibility and representativeness of the processing results by constructing a set of witness relationships and selecting the minimum witness set, while realizing the dynamic evolution of the records through a standardized write-back mechanism.

[0129] Specifically, the processing method for the results of each stage includes the following steps:

[0130] Step S301: Extract current evidence elements based on data units, and extract historical evidence elements based on target data views.

[0131] The current evidence elements are obtained by parsing the field content, time range information, and source category information in the data unit, representing the latest status data of the target object at the current moment. For example, information such as "systolic blood pressure 145 mmHg," "collection time 2023-10-05 09:00," and "source: home monitoring terminal" are parsed from the currently generated data unit as current evidence elements. Historical evidence elements are obtained by parsing the field distribution, time organization, and source organization content in the target data view, representing the historical background of the target object. For example, information such as "the average systolic blood pressure over the past three months has been distributed in the range of 130-140 mmHg" and "historical data mainly comes from hospital outpatient clinics" are parsed from the target data view as historical evidence elements. It should be understood that current evidence elements focus on specific numerical values ​​and immediate status, while historical evidence elements focus on statistical regularities and evolutionary trends. The combination of the two provides comprehensive data support for subsequent accurate judgments.

[0132] Step S302: Construct a set of candidate witness relationships based on the correspondence between current evidence elements and historical evidence elements.

[0133] The candidate witness relationship set is used to characterize the joint supporting relationship between different evidentiary elements for the same stage of the state. This joint supporting relationship is specifically manifested in the degree of common support between current evidentiary elements and historical evidentiary elements in terms of consistency of field categories, continuity of temporal evolution, and correlation of source distribution.

[0134] Specifically, field category consistency refers to whether the field categories in the current evidence element and the field categories in the historical evidence element belong to the same medical indicator system. For example, the current "blood pressure" data and historical "blood pressure" records have category consistency. Temporal evolution continuity refers to whether the timestamp of the current evidence element is within a reasonable range of the temporal evolution trend represented by the historical evidence element. For example, does the current hypertension reading continue the historical hypertension trend? Source distribution correlation refers to whether there is a logical connection between the source of the current data and the source of historical data. For example, do the current home monitoring data and historical hospital diagnosis data point to the same health problem? Through the evaluation of these three dimensions, the system can filter out evidence element pairs that can mutually corroborate and jointly support the judgment of a certain medical condition, thereby constructing a candidate witness relationship set. This process effectively eliminates isolated and accidental noisy data, improving the accuracy of subsequent processing results.

[0135] Step S303: Select the minimum evidence combination from the candidate witness relationship set, determine the minimum witness set, and generate the stage processing result based on the minimum witness set.

[0136] After constructing a large set of candidate witness relationships, directly using all relationships for calculation would waste computational resources and potentially introduce redundant interference. Therefore, this step aims to select the most representative "minimum witness set." The minimum witness set refers to the combination of the fewest evidentiary elements required to fully support the judgment of the current stage's state. For example, in a scenario where a patient's hypertension is worsening, only the "current systolic blood pressure value" and the "three-month average systolic blood pressure" might be needed to support the judgment, without introducing other irrelevant test indicators. The system uses a preset screening algorithm (such as a greedy algorithm or a weight-based sorting algorithm) to eliminate redundant relationships from the candidate witness relationship set, retaining the core supporting evidence to form the minimum witness set. The stage processing results generated based on this minimum witness set are not only concise in data volume but also have a clear logical chain, possessing higher reliability and resistance to interference.

[0137] Step S304: Retrieve the corresponding record from the structured medical records and determine the target write location corresponding to the stage processing result.

[0138] After generating the phase processing results, the system needs to write them back to the structured medical records. First, the system retrieves the corresponding record based on the target object identifier, and determines the specific target write location based on the type of phase processing result (such as diagnosis conclusion, risk assessment report, follow-up record, etc.). For example, if the result is a "risk assessment report", it is written to the "risk assessment" sub-module in the record; if the result is a "follow-up update", it is appended to the end of the "follow-up record" timeline.

[0139] Step S305: Encapsulate the results of the stage processing and generate a result to be written into the payload.

[0140] The payload containing the results should include at least one of the following: the content of the stage result, the result generation time information, and the minimum witness set identifier information corresponding to the stage processing result. The key to this step is encapsulating the minimum witness set identifier information into the payload. The minimum witness set identifier information records the core evidence source supporting the generation of the result, essentially attaching a "credibility traceability label" to the processing result. When subsequent medical personnel or other systems review the result, they can quickly trace back to the original evidence elements through this identifier to verify the reliability of the result. This encapsulation method makes each record in the archive self-explanatory and traceable.

[0141] Step S306: Write the result into the payload and associate it with the existing file content in the structured medical record to form a result record associated with the target object in the structured medical record.

[0142] This step employs associative writing rather than simple overwrite writing. When writing a new result record, the system establishes a logical link between it and existing archive content. For example, it establishes a reference relationship between the current "hypertension risk warning" result and the previous "blood pressure monitoring data unit." This associative writing method ensures the integrity of the archive content, enabling the archive to clearly record the evolution of medical conditions.

[0143] Step S307: Perform file update processing on the written structured medical records to complete the writing of the stage processing results.

[0144] The record update process includes updating metadata such as the record's index information, timestamps, version number, and privacy protection identifier. In particular, the privacy protection identifier is crucial; as new processing results are written, the overall sensitivity of the record may change, requiring the system to reassess and update the record's privacy level. At this point, the structured medical record has completed a dynamic evolution, expanding its content from raw, multi-source medical data to a comprehensive medical record including intermediate processing results and final conclusions, providing a richer and more accurate data foundation for the next stage of data processing.

[0145] In summary, this embodiment achieves highly reliable generation and traceable write-back of processing results by constructing witness relationships, selecting a minimum witness set, and encapsulating traceability identifiers. This mechanism not only solves the problem of broken evidence chains in medical data processing but also enables structured medical records to continuously reflect the latest health status of the target individuals through a dynamic update mechanism, truly realizing closed-loop data management and value enhancement.

[0146] In one example, this embodiment uses the full-process management of patients with metabolic-associated fatty liver disease (MAFLD) as an example to specifically illustrate the technical solution of the present invention. It should be understood that this embodiment is only used to explain the present invention and not to limit the present invention.

[0147] The target group is a patient diagnosed with MAFLD who requires long-term monitoring and management of their condition.

[0148] First, the system executes step S100 to acquire multi-source medical data corresponding to the target object. This data specifically includes: liver ultrasound image data from the hospital's Picture Archiving and Communication System (PACS), blood lipid test reports from the Laboratory Information Management System (LIS), and monitoring data from a patient's fitness tracker. Because these data sources are heterogeneous and have different formats, the system performs standardized parsing. Specifically, the system identifies fields in DICOM format image data and HL7 format test reports, converting data from different sources into a unified field format based on preset field mapping rules. Simultaneously, considering the potential discrepancy between the timestamps recorded by the fitness tracker and those in the hospital system, the system performs timestamp alignment processing on the converted data to ensure consistency in the time dimension, generating standardized data with a unified data representation.

[0149] Before generating data units, the system performs privacy enhancement processing on the standardized data. In this scenario, the system discovered a potential risk point through cross-source association analysis: the patient's liver function indicators (such as ALT enzyme levels) were abnormally elevated at a specific time point (e.g., 2 AM), and simultaneously, the fitness tracker monitoring data showed that the patient engaged in strenuous exercise within an adjacent time period. The system identified the combination of "abnormal liver function at a specific time point" and "strenuous exercise" as a potential association key. Specifically, based on the co-occurrence relationships of various fields in the standardized data across different sources, the system determined that the cross-source co-occurrence frequency of these two fields was high; and based on the data after timestamp alignment, it determined that the time synchronization between the two was extremely high; furthermore, based on the distribution of the joint occurrence of multiple fields, it determined that the sparsity of this field combination was high (meaning that this abnormal combination at a specific time point is uncommon in the general population and easily pinpointed to a specific individual). Based on the cross-source co-occurrence frequency, time synchronization degree, and sparsity of the field combination, the system generated an association risk score corresponding to this field combination. This score was greater than a preset risk threshold, therefore it was used as a potential association key.

[0150] To protect patient privacy, the system performs association weakening processing on this potential association key. Specifically, time-related fields undergo time granularity generalization processing, blurring exercise time accurate to the minute to the "early morning period"; combination-related fields undergo combination splitting processing, allocating liver function indicators and exercise data to different data units to avoid direct association between the two in the same view. Subsequently, the system aggregates the data after association weakening processing, generates candidate data fragments, extracts the corresponding field set, time range information, and source category information to generate a data payload, and determines the association weakening level based on the weakening strength. The system combines and encapsulates the data payload with the target object identifier to generate a data unit, and writes the association weakening level into a privacy protection identifier, binding it to the data unit.

[0151] During the follow-up phase, the attending physician needs to review the patient's recent health status. The system executes step S200, retrieving the patient's corresponding structured medical record and extracting the target data view. The system first extracts the record content associated with the patient, including field content, time range information, and privacy protection identifiers. The system then filters the record content using a clustering algorithm. This algorithm generates clustering feature vectors by encoding the field categories, time ranges, and privacy protection identifiers in the record content, and then clusters the record content based on similarity. Because some data units have a high level of association weakening, the system filters the target record content by considering the privacy protection identifiers corresponding to multi-source medical data. For the physician's current routine follow-up needs, the system excludes data clusters containing highly sensitive combinations, or only provides a de-identified statistical trend view instead of the original, precisely correlated data. In this way, the physician obtains a de-identified target data view, satisfying the follow-up needs while avoiding the leakage of sensitive privacy information caused by the patient's specific lifestyle habits (such as vigorous exercise late at night).

[0152] Finally, the system executes step S300 to process the data units and target data view, obtain the stage processing result, and write the stage processing result into the structured medical record. The system extracts current evidence elements (such as the latest blood lipid indicators) based on the data units and extracts historical evidence elements (such as past blood lipid trends) based on the target data view. Based on the correspondence between current and historical evidence elements, the system constructs a candidate witness relationship set, selects the minimum evidence combination from it, determines the minimum witness set, and generates the stage processing result "The condition is stable; continued observation is recommended." Subsequently, the system calls the corresponding record in the structured medical record, determines the target writing location, and associates the result writing payload, which includes the stage result content, result generation time information, and minimum witness set identifier information, with the existing record content. With the writing of new follow-up records, the patient's structured medical record is dynamically updated, and its privacy protection identifier is adjusted accordingly to adapt to the new data state, thereby effectively suppressing privacy sensitivity drift caused by cross-stage information overlay.

[0153] As can be seen from this embodiment, the present invention can effectively solve the problem of unified archiving of multi-source heterogeneous data, and through privacy enhancement processing and restricted access mechanisms, it achieves refined protection of patient privacy while ensuring data continuity and availability.

[0154] Although embodiments of the present invention have been shown and described above, it is understood that the above embodiments are exemplary and should not be construed as limiting the present invention. Those skilled in the art can make changes, modifications, substitutions and variations to the above embodiments within the scope of the present invention.

Claims

1. A privacy-preserving medical data processing system, characterized in that, An application for a medical data management repository, the medical data management repository including structured medical records corresponding one-to-one with all target objects, the system comprising: The data processing module is used to acquire multi-source medical data corresponding to the target object, perform standardized parsing and privacy enhancement processing on the multi-source medical data, and generate multiple data units including privacy protection identifiers; The view extraction module is used to call the structured medical records corresponding to the target object and extract the target data view from the structured medical records; The file update module is used to process the data unit and the target data view to obtain the stage processing result, and write the stage processing result into the structured medical file.

2. The privacy-preserving medical data processing system according to claim 1, characterized in that, The multi-source medical data includes at least one or more of the following: clinical diagnosis and treatment data, laboratory test data, imaging examination data, physiological parameter monitoring data, and health management data. The multi-source medical data is collected through at least one of the following: examination and testing equipment, image acquisition equipment, mobile monitoring terminal, and remote follow-up terminal.

3. The privacy-preserving medical data processing system according to claim 1, characterized in that, The data processing module includes: The data parsing unit is used to process data from different sources in the multi-source medical data to obtain standardized data; A privacy enhancement unit is used to perform cross-source correlation analysis on the standardized data to generate the data unit; The data processing module is configured with a data processing strategy, which includes data parsing logic and privacy enhancement logic. The data parsing logic is configured within the data parsing unit, and the privacy enhancement logic is configured within the privacy enhancement unit.

4. The privacy-preserving medical data processing system according to claim 3, characterized in that, The data parsing logic includes: Field identification is performed on data from different sources in the multi-source medical data, and the data from different sources is converted into a unified field format based on preset field mapping rules; The converted data are processed to unify the data format, unit of measurement, and timestamp alignment in order to generate standardized data with a unified data expression format.

5. The privacy-preserving medical data processing system according to claim 3, characterized in that, The privacy enhancement logic includes: Cross-source association analysis is performed on the standardized data to identify potential association keys for establishing correspondences between data from different sources. The potential association keys include at least: time-type fields representing the collection time or the time of event occurrence, source-type fields representing the correspondence between data sources, order-type fields representing the sequential relationship between multiple data items, and combination-type fields representing low-frequency combination patterns. For different types of potential association keys, association weakening processing is performed respectively. The association weakening processing includes performing time granularity generalization processing on time-type fields, performing source identifier recoding processing on source-type fields, performing order perturbation processing on order-type fields, and performing combination splitting processing on combination-type fields. The data unit is constructed based on the data after the association reduction processing is performed, and the association reduction level is written into the privacy protection identifier.

6. The privacy-preserving medical data processing system according to claim 5, characterized in that, The method for determining the potential association key includes: Based on the co-occurrence relationship of each field in the standardized data among different source data, the cross-source co-occurrence frequency of each field is determined, wherein the co-occurrence relationship is determined by statistically analyzing the co-occurrence of fields in different source data corresponding to the target object within a preset time window; Based on the timestamp-aligned data, determine the degree of time synchronization between data from different sources; Based on the source category identifiers and field correspondences in the standardized data, the degree of source coupling between data from different sources is determined; Based on the distribution of multiple fields appearing together, the sparsity of the field combination is determined; Based on the cross-source co-occurrence frequency, the time synchronization degree, the source coupling degree, and the sparsity of the field combination, generate the association risk score corresponding to each field and field combination; Fields and field combinations that meet preset conditions in the association risk score are used as the potential association keys. The preset conditions include that the association risk score is greater than or equal to a preset risk threshold, and the cross-source co-occurrence frequency of the corresponding field and field combination is greater than or equal to a preset frequency threshold.

7. The privacy-preserving medical data processing system according to claim 5, characterized in that, The method for constructing the data unit includes: The data after the association weakening process is aggregated, and the aggregated data is grouped based on field type to generate multiple candidate data fragments; For each candidate data segment, extract the corresponding field set, time range information, and source category information, and generate the corresponding data payload; The corresponding association reduction level is determined based on the reduction method and reduction strength of each candidate data segment in the association reduction process; The data payload and the target object identifier corresponding to the candidate data fragment are combined and encapsulated to generate the data unit; The association weakening level is written into the privacy protection identifier, and the privacy protection identifier is bound to the data unit.

8. The privacy-preserving medical data processing system according to claim 1, characterized in that, The view extraction module is configured with view extraction logic, which includes: Extracting file content associated with the target object from the structured medical records, wherein the file content includes at least one of field content, time range information, source category information, and privacy protection identifier; The archive content is filtered by a clustering algorithm to determine the target archive content. The clustering algorithm generates a clustering feature vector corresponding to each archive content by encoding the field category, time range, source category and privacy protection mark in the archive content, and clusters the archive content based on the similarity between the clustering feature vectors. Based on the clustering results, the target file content is determined by combining the privacy protection identifiers corresponding to the multi-source medical data. The target file content is organized and combined to generate the target data view.

9. The privacy-preserving medical data processing system according to claim 8, characterized in that, The file update module includes: The stage result extraction unit is used to extract the result content to be written and generate the stage processing result; The stage result writing unit is used to write the stage processing results into the structured medical record; The archive update module further includes an update strategy, which comprises stage result extraction logic and stage result writing logic. The stage result extraction logic is configured within the stage result extraction unit, and the stage result writing logic is configured within the stage result writing unit. The stage result writing logic includes: Retrieve the corresponding record from the structured medical records and determine the target write location corresponding to the stage processing result; The results of the stage processing are encapsulated to generate a result writing payload, wherein the result writing payload includes at least one of the following: stage result content, result generation time information, and minimum witness set identifier information corresponding to the stage processing result; The result is written to the payload and associated with the existing file content in the structured medical record to form a result record associated with the target object in the structured medical record; The structured medical records that have been written are then updated to complete the writing of the results of the previous stage of processing.

10. The privacy-preserving medical data processing system according to claim 9, characterized in that, The logic for extracting the stage results includes: Based on the data unit, current evidence elements are extracted, and based on the target data view, historical evidence elements are extracted. The current evidence elements are extracted by parsing the field content, time range information, and source category information in the data unit, and the historical evidence elements are extracted by parsing the field distribution content, time organization content, and source organization content in the target data view. Based on the correspondence between the current evidence elements and the historical evidence elements, a candidate witness relationship set is constructed. The candidate witness relationship set is used to characterize the joint support relationship between different evidence elements for the same stage state. The joint support relationship is used to characterize the degree of joint support between the current evidence elements and the historical evidence elements in terms of field category consistency, time evolution continuity, and source distribution correlation. The minimum evidence combination is selected from the candidate witness relationship set to determine the minimum witness set, and the stage processing result is generated based on the minimum witness set.