A method for processing sensitive data secured by a trusted third party and a set of sensitive data processing tools adapted for implementing such a method.
The method securely processes sensitive data by separating identifiable and informative parts using digital signatures and homomorphic encryption, addressing confidentiality and reproducibility issues in existing methods, ensuring GDPR compliance and reducing data leakage risks.
Patent Information
- Authority / Receiving Office
- FR · FR
- Patent Type
- Applications
- Current Assignee / Owner
- VENTIO
- Filing Date
- 2025-04-30
- Publication Date
- 2026-06-26
AI Technical Summary
Existing methods for processing sensitive data, particularly biomedical images, face challenges in ensuring confidentiality and reproducibility while complying with GDPR, with local solutions being complex and costly and cloud solutions lacking complete data confidentiality.
A method involving a trusted third party to process sensitive data by separating it into identifiable and informative parts, using digital signatures and homomorphic encryption to ensure secure processing without exposing identifying data, with encrypted transmission and traceable results.
Ensures secure and reproducible processing of sensitive data with complete confidentiality, reducing risks of data leakage and enabling accurate billing, while maintaining compliance with GDPR.
Smart Images

Figure 00000000_0000_ABST
Abstract
Description
Title of the invention: Method for processing sensitive data secured by a trusted third party and set of sensitive data processing equipment adapted for implementing such a method. Technical field
[0001] The invention relates to the field of processing sensitive data, particularly remotely.
[0002] The invention relates to this purpose to a method of processing sensitive data secured by a trusted third party and a set of sensitive data processing adapted for the implementation of such a method. Prior state of the art
[0003] The context of the present invention is that of securing the processing of sensitive data, in particular of the type "biomedical images", and especially on the cloud in the context of large-scale evaluation, for example for the purposes of scientific research, clinical research or diagnostic assistance.
[0004] With the increasing digitization of health data and the growing need for data analysis, which requires ever-increasing computing power, there has been a proliferation of data processing solutions. These sensitive data processing solutions must provide easy, interoperable, and reusable access to this data, particularly for diagnostic support and medical research, while complying with the General Data Protection Regulation (GDPR), especially with regard to personal data.
[0005] In order to address these two problems, which are difficult to reconcile, there are currently several ways to proceed: i. provision of a local solution implemented directly at the sites of medical data collection, facilitating the management of sensitive data, since it is processed solely locally and, when the tools used have limited external access, presents a low risk of data leakage, ii. provision of sensitive data to be processed to external actors who are able to apply a particular algorithm to the sensitive data, the external actors then providing the result of the application of said particular algorithm.
[0006] Whatever the method used, it is not satisfactory for all stakeholders. Indeed, regarding method (i), the deployment of a local solution (i.e., the provision of object code or executables), such a deployment does not This approach does not guarantee the consistency of the processing, as it will depend on locally available IT tools. In addition to these reproducibility risks, this method introduces relatively significant maintenance, training, and update costs necessary to ensure reliable and available data processing. Therefore, this approach is complex and difficult to implement on a large scale. Furthermore, regarding third-party providers of the local solution, there is a risk associated with supplying object code or executables (potential data leaks and reverse engineering risks), and it is difficult to verify the usage of their software solution (limiting the possibilities for per-task billing).
[0007] Method (ii) requires the transfer of sensitive data between the data collection point and the external actor's facilities. Such a transfer is complex, given the issues of GDPR and DCP, and is subject to restrictions on confidentiality, pseudonymization and / or anonymization, as well as the external actor's sovereignty over processing and storage. This restricts, slows down, or even makes impossible in some cases, the application of an algorithm to the data.
[0008] To address these issues, it is known to use cloud computing technologies to process sensitive data. This processing can, for example, be carried out on dedicated virtual servers. This type of solution eliminates the need for hardware installation and configuration, thus enabling more reproducible data processing by standardizing server configurations. However, as with the method described in (ii), the security constraints of such systems remain significant and depend, for example, on the purpose and duration of the processing, particularly the data retention period.
[0009] Thus, while such a solution allows for overcoming some of the constraints associated with local solutions (method (i)) and limits access to sensitive data by external actors since it occurs only through an external server, generally without intervention from a technician of the external actor, this solution is not entirely suitable. Indeed, during the processing of sensitive data, all data is processed, including the identifying parts of this sensitive data. As a result, particularly in the event of verification of the proper processing of data, this identifying part remains accessible to the technicians of the third party. Therefore, the confidentiality required for this type of data cannot be truly guaranteed even with this type of solution. Description of the invention
[0010] The invention aims to remedy the above disadvantages and therefore aims to provide a processing solution that is more reliable than local solutions while ensuring, like the latter, processing of sensitive data with reduced or even zero external access to the subject's identifying data.
[0011] The invention relates to this purpose to a method for processing sensitive data securely, the sensitive data including a first part of data to be processed and a second part of so-called informative data, or metadata, the second part of data comprising a first portion of so-called identifying data which are relating to a subject from which the first part of data originates and possibly a second portion of so-called useful data for the processing of the first part of data to be processed,
[0012] The treatment process comprising the following steps: A. Receipt of a request to process sensitive data by an initial IT unit, B. configuration by the first computer unit of a second computer unit capable of processing sensitive data, C. providing sensitive data to a third computer unit, D. generation by the third computer unit of a signature relating to at least part of the sensitive data, E. extraction, by the third computer unit and from the sensitive data, of the first part of the data and the possible second portion of the data,
[0013] G. concatenation of the first part of data, the possible second part of data and the signature into a first data container,
[0014] H. encrypted transmission of the first data container to the second computer unit,
[0015] I. after retrieval and possible decryption, processing by the second computer unit of the first part of the data, this processing possibly taking into account the information present in the second portion of the data,
[0016] J. concatenation by the second computer unit of the processing results with at least the signature in a second data container,
[0017] K. transmission by the second computer unit of the second data container in encrypted form to the third computer unit,
[0018] L. verification by the third computer unit of the correspondence of the signature with the sensitive data and, association of the result of the processing with the first portion of data.
[0019] By computing unit, we mean a computing unit, such as a computer as such, a set of servers, a virtual machine running on a or several servers, or an application container running on one or more servers independent of other computer units.
[0020] Of course, the order of the steps in the present method is not limiting; certain steps may be carried out, where technically feasible, before or simultaneously with the preceding step(s), without departing from the scope of the invention. Thus, in particular, and for example, step B, configuring the second computer unit, may be carried out after at least one of steps C through E, without departing from the scope of the invention.
[0021] Thus, in a conceivable application of the invention, the first, second and third computer units can be provided in the form of software containers implemented on one or more servers.
[0022] Such a process allows only the necessary sensitive data to be transmitted to the second computer unit implementing the processing, while ensuring perfect tracking of this data through the digital signature. Indeed, only the third computer unit has access to the first portion of the second set of sensitive data. This third computer unit acts as a trusted intermediary, transferring only the data necessary for processing, ensuring proper tracking of this data through the digital signature, and, again through this digital signature, associating the processing results with the aforementioned first portion of the second set of sensitive data before transmission to the client. Thus, unlike prior art cloud computing solutions, data processing is carried out with complete confidentiality regarding identifying data, since this data is not accessible to the second computer unit.
[0023] Furthermore, by allowing the second computing unit to be configured, in particular, as an encrypted application container, the method according to the invention enables the external party to provide its software solution through a data manager, such as a hosting provider, without the risks associated with providing object code or executables, as presented by prior art methods, and with simplified maintenance. Similarly, with the ability for the first processing unit to record all processing requests, the external party is able to accurately quantify the usage of its processing solutions.
[0024] Before step G. of concatenation, a step F. of anonymization of the first part of data and / or of the second part may be provided, said step consisting of modifying or deleting elements of said first part of data and / or of the second part which are specific to the subject and which are not useful for the processing.
[0025] Such an anonymisation step makes it possible to ensure that only the data necessary for processing are transmitted and to limit the risks relating to the personal data of the subjects.
[0026] During step H. of encrypted transmission of the first data container, at least one of the first data part and the second data portion may be at least partly encrypted by a homomorphic encryption with respect to the processing and in which during step I. of processing by the second computer unit, said at least one of the first data part and the second data portion is not previously decrypted to carry out said processing of the second computer unit.
[0027] With such homomorphic encryption, data processing is not affected by the encryption and it is therefore possible to process sensitive data in a completely anonymous manner without risk of identifying the subject(s) from whom this data originates.
[0028] During at least one of the transmission steps H. and K., the transmitted container can be encrypted by a TLS / SSL transfer protocol by generation of certificates by a trusted third party, and / or SSH by generation of secure key pairs by a trusted third party, and / or via the transfer of an encrypted container.
[0029] Sensitive data may be in DICOM format and may include at least one imaging data item, said at least one imaging data item being preferably obtained by magnetic resonance imaging.
[0030] The method according to the invention is particularly suitable and advantageous for the DICOM format and in the processing of imaging data presenting such a format.
[0031] The process may further include the following step:
[0032] M. After step K. of transmitting the result, resetting or deleting the second computer unit by the first computer unit.
[0033] Such a reset or deletion of the second computer unit ensures that all traces of sensitive data processing are eliminated. In this way, any risk of compromise of the data processed by the second computer unit is avoided.
[0034] The first computer unit can be configured to keep a log of each step implemented by each of the second and third computer units.
[0035] Thus, the first computer unit makes it possible to keep a proof of the processing of the data without having had access to the data, since the processing / transfer of the data was carried out only through the second and third processing units.
[0036] At least one of the second and third computing units is provided by an application container.
[0037] Such a provision makes it possible to ensure that neither of the second and third units retains any trace of the transferred / processed data and to facilitate their resetting.
[0038] Furthermore, when the second processing unit is hosted by a data manager separate from the external party providing the data processing solution, such application containers can be encrypted. As a result, the risks associated with such hosting regarding the provision of object code or executables are significantly reduced, or even eliminated.
[0039] The invention further relates to a set of methods for processing sensitive data securely, the sensitive data including a first part of data to be processed and a second part of so-called informative data, or metadata, the second part of data comprising a first portion of so-called identifying data which relates to a subject from which the first part of data originates and possibly a second portion of so-called useful data for processing the first part of data to be processed,
[0040] Said processing unit comprising: - a first computer unit capable of receiving a request to process sensitive data and of configuring a second computer unit capable of carrying out the processing of sensitive data, - the second computer unit, which is also capable of receiving sensitive data from a third computer unit, - said third computer unit configured for: • extract, from the sensitive data, the first part of the data and any second part of the data, • generate a signature relating to at least some of the sensitive data • Concatenate the first part of the data, the optional second part of the data, and the signature into a data container to form a first data container. • transmit, in encrypted form, a first data container to the second computer unit, - the second computer unit being further capable of: • After retrieval and possible decryption, process the first part of the data, this processing possibly taking into account the information present in the second part of the data, • Concatenate the processing results with at least the signature into a second data container, • transmit the second data container in encrypted form to the third computer unit,
[0041] the third computer unit being further configured to check the correspondence of the signature and sensitive data and to associate the result of the processing with the first portion of data. Brief description of the drawings
[0042] The present invention will be better understood upon reading the description of exemplary embodiments, given purely by way of illustration and in no way limiting, with reference to the accompanying drawings in which:
[0043] [Fig-1] illustrates a treatment assembly according to the invention.
[0044] [Fig.2] illustrates an example of sensitive data as processed within the framework of the invention.
[0045] [Fig.3] illustrates a flowchart of the sensitive data processing method according to the invention.
[0046] The different parts represented in the figures are not necessarily shown on a uniform scale, in order to make the figures more legible.
[0047] The different possibilities (variants and embodiments) should be understood as not being mutually exclusive and can be combined with each other.
[0048] Detailed description of particular embodiments
[0049] Fig. 1 illustrates an ET processing set according to the invention configured to allow the processing of sensitive data, in a secure manner and with reduced or even zero external access to the identifying data of subjects.
[0050] More specifically and in accordance with the invention, the ET processing unit is configured to process sensitive data securely. This sensitive data includes, as shown in [Fig. 2], a first part 12 of data to be processed and a second part 11 of so-called informative data, or metadata, the second part 11 of data comprising a first portion of so-called identifying data 111 which relates to a subject from which the first part 12 of data originates and a second portion 113 of so-called useful data for the processing of the first part 12 of data to be processed.
[0051] In the present embodiment, sensitive data being imaging data, in the context of the example shown in [Fig.2], sensitive data 1 more specifically includes: - the first part 12 of data to be processed, which is imaging data including itself identifying information 121, technical information data 122 and information necessary for processing 123, - the second part 11 of so-called informative data, or metadata, including the first portion 111 called identifying data, the second portion 113 of data said to be useful for processing (or said to be necessary for processing) and a third portion 112 of data said to be technical.
[0052] It will be noted that in an example of implementation of the invention, the sensitive data are in DICOM format and are imaging data including metadata, as second part 11 of data, relating to this imaging data including identifying data (such as a name of the subject, information relating to age, sex...), as first part 111 and possible data useful for processing (such as image acquisition conditions), as second part 113 and possible technical data (such as information relating to the imaging device, the technician and / or practitioner who carried out the examination / analysis of the imaging data).Similarly, the first part 12 of the data to be processed corresponds to the imaging data itself, which may therefore include identifying information 121 (such as image portions relating to specific characteristics of the subject, for example, the shape of a venous network, cerebral sulci, etc.), technical information data (such as calibration images on a phantom prior to imaging the subject), and the information necessary for processing 123 (the image portion required to perform the processing itself). According to a particular implementation example, the sensitive data 1 may be imaging data obtained by magnetic resonance imaging. According to this same particular example, the processing performed on the sensitive data may be carried out based on the procedure taught in document EP 2283373 B1, as described later in that document in relation to the implementation example.
[0053] In accordance with the invention and as shown in [Fig. 1], the ET processing assembly comprises: - a first IT unit SS capable of receiving a request to process sensitive data 1 from a client CL and of configuring a second IT unit SC capable of carrying out the processing of sensitive data, - the second computer unit SC, which is also capable of receiving sensitive data from a third computer unit SIS, - said third SIS computer unit configured for: • extract, from sensitive data 1, the first part 12 of data and the possible second part 113 of data, • generate a signature relating to at least part of the sensitive data 1, • concatenate the first part 12 of data, the possible second part 113 of data and the signature into a data container in order to form a first data container, • transmit, in encrypted form, a first data container to the second computer unit SC, - the second SC computer unit being further capable of: • after retrieval and possible decryption, process the first part 12 of data, this processing possibly taking into account the information present in the second portion 113 of data, • Concatenate the processing results with at least the signature into a second data container, • transmit the second data container in encrypted form to the third SIS computer unit,
[0054] the third SIS computer unit being further configured to check the correspondence of the signature and sensitive data and to associate the result of the processing with the first portion of data.
[0055] It will be noted that according to a usual configuration of the invention, the CL client corresponds to a computer unit of any natural person or organization such as a practitioner, a medical center or a research institute, having sensitive data, for example imaging data of a subject, to be processed by the ET processing unit.
[0056] To illustrate the implementation of the different configurations of the first to third computer units SS, SC, SIS, the various actions A1 to A1 of these units have been shown in [Fig. 1]. Thus, the following actions are performed:
[0057] A1 - service access request from client CL to the first information unit SS,
[0058] A2 - deployment by the first IT unit of the security service through the configuration of the third IT unit SIS,
[0059] A3 - secure transfer of data from the CL client to the third SIS computer unit,
[0060] A4 - access control, quality control, minimization, anonymization, in particular by not transferring the first portion 111 of the second part 11 of data, and encryption and concatenation of the first part 12 of data, the possible second portion 113 of data and the signature in a data container,
[0061] A5 - transmission by the third computer unit SIS, based on the sensitive data received, of a request for specific computing resources to the first computer unit SS,
[0062] A6 - deployment by the first SS computing unit of computing resources with installation of the processing, i.e. the configuration by the first SS computing unit of the second computing unit capable of carrying out the processing of sensitive data,
[0063] A7 - transmission of secure data from the third computer unit SIS to the second computer unit SC, this transmission being carried out in accordance with the invention in an encrypted manner from the data container to the second computer unit SC,
[0064] A8 - Application of the processing to the data transmitted by the second computer unit SC, this processing by the second computer unit (SC) being carried out on the basis of the first part 12 of data and possibly taking into account the information present in the second portion 113 of data,
[0065] A9 - Transmission of results by the second computer unit SC to the third computer unit SIC, this transmission being carried out in the form of a second data container comprising the results of the processing with at least the signature relating to sensitive data,
[0066] A10 - after receipt of the results by the third SIS computer unit, put into the form of these results, including re-identification based on the signature and the first portion of the second part of the data,
[0067] Garlic - delivery of the results thus re-identified to the customer CL.
[0068] In the context of the present invention, according to one embodiment, the first computing unit SS forms a supervisory server, the second computing unit SC forms an on-demand computing server, and the third computing unit SIS forms a secure interface server. As already indicated, such computing units can each be formed either by a computer as such, by a set of servers, by a virtual machine running on one or more servers, or by an application container running on one or more servers independent of other computing units.
[0069] According to an advantageous embodiment of the invention, at least one of the second and third computer units SC, SIS, preferably the second and third computer units SC, SIS, is formed by an application container running on one or more independent servers. In this way, upon receiving a request from a client CL, the first computer unit can easily configure the second and third computer units SC, SIS in relation to the client's needs and reset them by simply closing the session initiated from the corresponding application containers. This ensures the complete deletion of sensitive data stored in the memory of the second and third computer units SC, SIS. According to this embodiment, the first computer unit SS, which receives service requests from client CL and oversees the second and third IT units SC and SCI, can maintain a log, or event history (also known as a "log file"), of at least some of the steps implemented by each of the second and third IT units SC and SCI. In this way, if problems are suspected in the processing of sensitive data, it will be possible to verify the proper implementation of the processing by the entire processing team based on such a log.
[0070] According to the flowchart in [Fig.3], such an ET processing set allows the implementation of a processing method comprising the following steps: A. Receipt of a request to process sensitive data 1 by a first IT unit SS, B. Configuration by the first computer unit SS of the second computer unit SC capable of processing sensitive data 1, C. provision of sensitive data 1 to the third SIS IT unit, D. generation by the third SIS computer unit of a signature relating to at least some of the sensitive data 1, E. extraction, by the third SIS computer unit and from sensitive data 1, of the first part 12 of data and the possible second portion 113 of data, F. anonymization of the first part 12 of data and / or the second part 113, said step consisting of modifying or deleting elements of said first part 12 of data and / or the second part 11) that are subject-specific and not useful for processing, G. concatenation of the first part 12 of data, the possible second portion 113 of data and the signature into a first data container, H. encrypted transmission from the first data container to the second computer unit SC, I. After retrieval and possible decryption, processing by the second computer unit SC of the first part 12 of data, this processing possibly taking into account the information present in the second portion 113 of data, J. concatenation by the second computer unit SC of the processing results with at least the signature in a second data container, K. transmission by the second computer unit SC of the second data container in encrypted form to the third computer unit SIS, L. verification by the third SIS computer unit of the correspondence of the signature with sensitive data 1 and, association of the result of the processing with the first portion 111 of data, Mr. reset or deletion of the second and third computer units SC, SIS by the first computer unit SS.
[0071] In order to enable processing while limiting the risks associated with the transmission of identifying information of the subject from whom the sensitive data contained in one of the first data portion 12 and the second portion 113 originate, during step H, the encrypted transmission of the first data container, at least one of the first data portion 12 and the second portion 113 is at least partially encrypted by homomorphic encryption with respect to the processing performed by the second computer unit SC. According to this possibility, during step I, the processing by the second computer unit SC, said at least one of the first data portion 12 and the second portion 113 is not decrypted beforehand to perform said processing by the second computer unit SC.
[0072] To illustrate such a possibility of homomorphic encryption for at least a portion of the sensitive data. This portion of sensitive data, necessary for processing, may thus include the subject's age, a dose of a compound received by the subject, or any other variable given as a number on a finite scale (between Vmin and Vmax). Such a variable, according to this homomorphic encryption possibility, may, for example, be converted into an integer between 0 and Nv using a linear operation that maps the interval [Vmin, Vmax] to [0, Nv] for all subjects. This converted variable is then encrypted using a fully homomorphic encryption. The encrypted variable is then transmitted to the second computing unit SC. The second computing unit SC calculates the average of the encrypted variables and provides the result.Since the latter is encrypted, the elements provided to the second processing unit cannot be interpreted without decryption. The encrypted aggregate result can then be decrypted by the third SIS computing unit, without requiring any processing of the sensitive data. According to this holomorphic encryption possibility, notably usable in the implementation example described below, the homomorphic encryption method used can be based on the factorization problem of polynomials with integer coefficients, for which two polynomials describing spinors and representing successive rotations are used to encrypt the data.
[0073] Similarly, to limit the risks during transmission steps H and K, the first and second containers transmitted during these steps can be encrypted using a TLS / SSL transfer protocol by generating certificates through a trusted third party, and / or SSH via the generation of secure key pairs by a trusted third party, and / or via the transfer of an encrypted container. The trusted third party providing the key and certificate is, for example, a service installed on the first IT unit (SS) or on another dedicated secure server with specific access control between the second and third IT units (SC, SIS). Regardless of the encryption protocol selected, the asymmetric encryption level is advantageously based on RSA encryption of 4096 bits or higher.
[0074] Of course, these three types of encryption are provided only as advantageous examples, and other types of encryption, equivalent to or offering superior data security compared to these three types, may be implemented without departing from the scope of the invention. In particular, such encryption may be based on a hybrid encryption protocol including classical and post-quantum encryption. Similarly, it may be based on an asymmetric encryption level adapted to the criticality of the data, for example, with 4096-bit RSA encryption.
[0075] According to an advantageous embodiment of the invention, regardless of the encryption type chosen, the encryption key generation can be based on random numbers generated by a quantum computer. Such a solution maximizes entropy during encryption key generation, for example, when generating keys for the SSH protocol or for AES encryption. To implement such a solution, seed files containing a series of random bits can be generated using a quantum processor with at least one qubit. Thus, for a key of size Nk, a quantum processor with Nq qubits (Nq>1) is initialized in a state where the Nq qubits are in equiprobable superposition states. Then, during key generation, a first measurement is performed, randomly assigning a value of 0 or 1 to each qubit.By repeating this process N times, where N is an integer greater than or equal to Nk / Nq, it is possible to generate the Nk bits of said key.
[0076] Of course, in addition to the encryption solutions explained above, the ET processing unit can also implement instruction detection mechanisms, particularly by means of the first SS processing unit. These intrusion detection mechanisms may include a firewall configured to filter incoming and outgoing connections and the ports on which they are made, for example, based on a list of authorized IP addresses and / or authorized MAC addresses. Thus, according to one embodiment of the invention, the port used for communication via SSH may be other than the default port in this protocol in order to enhance security. Similarly, as a complement or alternative, at least one server providing at least one of the first through third units Information systems such as SS, SC, and SIS may include an intrusion detection system. With this capability, the list of users accessing remote resources is limited to unprivileged users.
[0077] With regard to steps G. of generating by the third SIS computing unit a signature relating to at least a portion of the sensitive data 1, and L. of verifying by the third SIS computing unit the correspondence of the signature with the sensitive data 1, the signature can be obtained by hashing, for example SHA-512, at least a fraction of the sensitive data, or even all of it, this fraction being, preferably, a fraction not transmitted in the first container, such as the first portion 121 of the second part of the sensitive data 12. In this way, when retrieving the second container, it is possible, from the signature, to associate this second container, and therefore the results it contains, with said fraction of the sensitive data and thus with the sensitive data. The identification of the results is therefore easy.
[0078] During concatenation steps G and J, the data containers can be data carriers on ephemeral encrypted media obtained by creating virtual disks encrypted with encryption algorithms, for example AES 256, and possibly with hash functions (for example, of the SHA-512 type). This type of container is therefore preferably implemented with ephemeral media whose files and encryption keys are erased after use, preventing any future access after the servers are disassembled or restarted. Alternatively, the media can be reusable; in this case, the encryption keys are retained and can be managed by a key management system with access control, for example, installed on the first SS computer unit.According to this possibility, each time such a medium is mounted, the key management system authenticates the request before providing said key in order to ensure that only legitimate requests allow access to said media.
[0079] Example of implementation of the method according to the invention:
[0080] As specified at the beginning of this detailed description, the present ET processing set and the processing method which it enables to be implemented can in particular be used in the context of applications to the processing of imaging data obtained by magnetic resonance imaging (MRI) in the context of cloud applications (or, according to the English term "cloud computing").
[0081] In the context of this implementation example, the processing enabled by the processing package may be of the R2* and / or QSM brain mapping type for the characterization of brain lesions. According to this example, the processing may thus consist of a reconstruction of R2* relaxation time mapping and / or QSM magnetic susceptibility mapping based on files DICOM of magnetic resonance imaging. According to one possible implementation example, the processing can also include automated analysis of the output, calculating statistics (such as mean, standard deviation) in regions of interest derived from image segmentation, followed by the generation of a summary report. Such a summary report can also include a comparison of the obtained statistics to reference values, such as those obtained from healthy subject populations.
[0082] Regarding the processing itself, it is noted, with respect to the processing implemented in this implementation example, that magnetic susceptibility has well-known effects in MRI. It causes a distortion of the magnetic field and shortens the effective lifetime of the nuclear magnetic resonance signal. Thus, the extraction of synthetic quantitative parameters, namely R2* and QSM, is achievable using specific processing of the images acquired on the machine.
[0083] Indeed, it is important to note that, with regard to MRI image acquisition, this is specific in order to provide optimal sensitivity to the susceptibility of the imaging system on which the experiment is performed. This specificity notably includes: - Typically, the imaging system uses 1.5 Teslas, 3 Teslas, or 7 Teslas in humans, and with higher magnetic field values that can reach up to 17.6 Teslas in small animals to date. The nominal field of the imaging device is generally denoted by Bo. Susceptibility effects tend to increase with the nominal magnetic field Bo, which implies that this metadata must be retained for processing that seeks to analyze susceptibility effects; - To generate an MRI signal, means are needed to excite the magnetization. These consist of a tuned radio frequency field emission device called an antenna or array of radio frequency emission antennas and capable of delivering an oscillating magnetic emission field denoted B1+; - To detect a signal, means of receiving the signal are required. These consist of a tuned radio frequency field receiving device called an antenna or network of radio frequency receiving antennas and a receiving oscillating magnetic field denoted Bl-; - To convert the signal, sampling methods are required, generally using an analog-to-digital converter. To reconstruct and process the raw signal, specialized computer and processing resources are needed; - The imaging sequences correspond to the way the different elements of T MRI are controlled. The static field B0 and the field have already been mentioned. radio frequency B1+, as well as the means of reception and processing. Another major element enabling signal localization consists of what are commonly called imaging gradients, which involve varying the value of the component of the magnetic field along Bo along three axes (direction aligned with the field Bo, as well as in two directions in a plane transverse to Bo). These methods are very classic and familiar to those in the field; - To be sensitive to susceptibility effects, one can, for example, use a three-dimensional gradient echo imaging sequence with several echo times TE. From this sequence, DICOM images can be reconstructed representing the value in each volume element (voxel) of the covered space of the average signal amplitude in these voxels as a function of TE, as well as an average phase map. - The following imaging protocol parameters are important for optimizing, analyzing, and treating susceptibility effects in MRI imaging: - The value of the Bo field; - The type of imaging system used (Manufacturer, brand, model); - The name of the sequence and any variants or versions thereof; - If a particular subsampling was carried out and which one; - The type of image reconstruction used; - The value of the echo time TE for each image; - The value of the acquisition bandwidth BW for each image; - The echo coding direction for each image; - The orientation of the acquisition volume relative to Bo; - The three-dimensional field of view covered and the size of the voxels. - To analyze the multiple images using parameters that synthesize the information from the different echoes, parametric models are used. It is common to extract from this type of acquisition the apparent transverse relaxation time T2*, or equivalently its inverse R2*=l / T2*. In this case, it is assumed that the signal varies with the echo proportionally to an exponential decay of the type: [Math 1] I 0084 ! S VOTe / (TE) = S 0roIe iX ex^-R? x TÉ)
[0085] From this seemingly simple model, in reality, a multitude of algorithms can be used to extract R2* for all voxels. To mention only the most common, one can start with amplitude images only (without phase) and adjust the reconstructed signals to the above model for each voxel using a least-squares minimization algorithm. For other algorithms based solely on the amplitude image, the reader may refer, for example, to the work of Raya, J. G. et al. entitled "T2 measurement in articular cartilage: impact of the fitting method on accuracy and precision at low SNR" and published in 2010 in the scientific journal Magnetic Resonance in Medicine 2010, volume 63, no. 1, pages 181 to 193. It is already clear that the simple extraction of the R2* parameter leads to variability in the algorithms, which is in addition to the aforementioned variability in their implementation in a given environment.Applying the FAIR principles in this case with a view to traceability of the processing carried out (here corresponding to the reconstruction of data derived from the image data initially provided by the imaging system) requires keeping track of more than just the algorithm used, for example, also of the computer environment on which this algorithm was applied; . A second parametric model synthesizing the information contained in images resulting from multi-echo acquisition has been described and is known as quantitative susceptibility imaging (QSM). The basic principles and physical models are familiar to those skilled in the art and are not the subject of this document. What is relevant to emphasize, however, is the complexity of the processing involved, which significantly increases the challenges of reproducibility and traceability of such complex processes.
[0086] To give an idea of this complexity, the main steps of such processing (sequential steps describing a pipeline) which can be implemented by the second SC computer unit in the context of this embodiment are listed below: • Verification and loading of the acquisition parameters necessary for reconstruction, at a minimum the value of Bo or the system frequency, the observed nucleus ('H by default in general), the orientation of the volume relative to Bo, the absolute or relative size of the voxels, the absolute or relative spacing between the different echo times, possibly the acquisition bandwidth and the direction of the read gradient (because some sequence options allow acquisitions of multiple echoes with a read gradient always in the same direction or alternating in one direction for even echoes, and in the other direction for odd echoes), Fitting a magnetic field map from phase information. Several processing methods are possible for this step, and the methods depend on the type of data available. In the most frequent case of images available for regularly spaced echo times (corresponding to an identical interval between the different echo times, preferably with reading gradients in the same direction), it is possible, for example, to synthesize a complex signal from the amplitude and phase measurements, then perform a Fourier transform heavily completed with zeros, then determine the index of the spectral maximum and convert this index into a frequency. Other processing methods are possible, for example by combining a time-phase unfolding followed by a least-squares weighted fitting; Filtering to reduce susceptibility effects, which are often very significant near the interfaces between low-density regions (such as those containing gases, the nose, sinuses, ear canals, digestive system, and pulmonary airways, for example) and tissues composed primarily of water. The resulting field distortions become predominant compared to internal tissue variations (differences of two to three orders of magnitude can be observed), which has led to the development of techniques to filter these effects. Numerous filtering techniques are available, ranging from simple high-pass filtering (see the work of E.M. Haacke et al.).al, published in the scientific journal "Magnetic Resonance in Medicine" volume 52 number 3 page 612- in 2004 under the title "Susceptibility weighted imaging (SWI)"), to more advanced things based on the expected physical properties of these effects, including harmonic characteristics (solution of Laplace's equations) leading to various filtering processes to extract only the so-called 'internal' effects; . Defining a volume of interest within which the internal field will be estimated. This requires defining and implementing an image segmentation process, for example in the case of brain imaging to extract the brain. Adjusting internal effects within a physical model to reconstruct a magnetic susceptibility map. Since field data alone is insufficient to provide a unique solution, it is almost always necessary to add other information, in line with what are known as Bayesian approaches. In particular, it is possible to base the solution not only on field deformation but also on anatomical information, even if this information is a priori uniform. spatially or resulting from the processing of localized information derived from the signal amplitude, or from prior segmentation, • Introduction of regularization parameters which give a relative weight to the measurements compared to the a priori, and here again the methods of selecting these parameters are multiple, with for example a technique known to the person in the business called "L-curve".
[0087] Through the example of implementation of the invention relating to parametric R2* and QSM imaging, the problem associated with the complexity of this type of processing and the benefits provided by the invention clearly appear: it allows traceability of the processing in order to reproduce it, and provides guarantees of the data which are used for the processing.
Claims
1. Demands A method for processing sensitive data (1) securely, sensitive data (1) including a first part (12) of data to be processed and a second part (11) of so-called informative data, or metadata, the second part (11) of data comprising a first portion (111) of so-called identifying data which are relating to a subject from which the first part (12) of data originates and possibly a second portion (113) of so-called useful data for the processing of the first part (12) of data to be processed, The treatment process includes the following steps: A. Receipt of a request to process sensitive data (1) by a first IT unit (SS), B. configuration by the first computer unit (SS) of a second computer unit (SC) capable of processing sensitive data (1), C. provision of sensitive data (1) to a third-party information system (SIS), D. generation by the third computer unit (SIS) of a signature relating to at least part of the sensitive data (1), E. extraction, by the third computer unit (SIS) and from the sensitive data (1), of the first part (12) of data and the possible second portion (113) of data, G. concatenation of the first part (12) of data, the possible second portion (113) of data and the signature into a first data container, H. encrypted transmission from the first data container to the second computing unit (SC), I. after retrieval and possible decryption, processing by the second computer unit (SC) of the first part (12) of data, this processing possibly taking into account the information present in the second portion (113) of data, J. concatenation by the second computer unit (SC) of the results of the processing with at least the signature in a second data container, K. transmission by the second computer unit (SC) of the second data container in encrypted form to the third computer unit (SIS), L. verification by the third computer unit (SIS) of the correspondence of the signature with the sensitive data (1) and, association of the result of the processing with the first portion (111) of data.
2. Processing method according to claim 1, wherein prior to the concatenation step G, there is a step F of anonymization of the first part (12) of data and / or the second part (113), said step consisting of modifying or deleting elements of said first part (12) of data and / or the second part (113) which are subject-specific and which are not useful for the processing.
3. Processing method according to claim 1 or 2, wherein in step H. of encrypted transmission of the first data container, at least one of the first part (12) data and the second portion (113) of data is at least partly encrypted by a homomorphic encryption with respect to the processing and wherein in step I. of processing by the second computer unit (SC), said at least one of the first part (12) data and the second portion (113) of data is not previously decrypted to carry out said processing of the second computer unit (SC).
4. Processing method according to claim 1 to 3, wherein at least one of the transmission steps H. and K., the transmitted container is encrypted by a TLS / SSL transfer protocol by generation of certificates by a trusted third party, and / or SSH by generation of secure key pairs by a trusted third party, and / or via the transfer of an encrypted container.
5. Processing method according to any one of claims 1 to 4, wherein the sensitive data (1) are in DICOM format and include at least one imaging data item, said at least one imaging data item being preferably obtained by magnetic resonance imaging.
6. Processing method according to any one of claims 1 to 5 further comprising the following step: M. After step K. of transmitting the result, reset or deletion of the second computer unit (SC) by the first computer unit (SS).
7. Processing method according to any one of claims 1 to 6, wherein the first computer unit (SS) is configured to keep a log of at least some of the steps carried out by each of the second and third computer units (SC, SIS).
8. Processing method according to any one of claims 1 to 7, wherein at least one of the second and third computing units (SC, SIS) is provided by an application container.
9. A processing set (PS) for sensitive data in a secure manner, the sensitive data including a first part (12) of data to be processed and a second part (11) of so-called informative data, or metadata, the second part (12) of data comprising a first portion (111) of so-called identifying data which relates to a subject from whom the first part (12) of data originates and possibly a second portion (113) of so-called useful data for the processing of the first part (12) of data to be processed, said processing set (PS) comprising: - a first computer unit (SS) capable of receiving a request to process sensitive data (1) and of configuring a second computer unit (SC) capable of carrying out the processing of sensitive data, - the second computer unit (SC) which is also capable of receiving sensitive data from a third computer unit (SIS), - said third computer unit configured for: • extract, from the sensitive data (1), the first part (12) of data and the possible second portion (113) of data, • generate a signature relating to at least part of the sensitive data (1), • concatenate the first part (12) of data, the optional second portion (113) of data, and the signature into a data container to form a first data container, • transmit, in encrypted form, a first data container to the second computing unit (SC), - the second computer unit (SC) being further capable of: • after recovery and possible decryption, process the first part (12) of data, this processing possibly taking into account the information present in the second portion (113) of data, • Concatenate the processing results with at least the signature into a second data container, • transmit the second data container in encrypted form to the third computing unit (SIS), the third computer unit (SIS) being further configured to check the correspondence of the signature and sensitive data and to associate the result of the processing with the first portion of data.