Method for processing sensitive data secured by trusted third parties and sensitive data processing assembly suitable for implementing such a method

A method for processing sensitive data by separating and encrypting identifiable and informative parts, using a trusted third party and homomorphic encryption, addresses confidentiality and reproducibility issues in existing solutions, ensuring secure and GDPR-compliant data processing.

WO2026131898A1 · PCT designated stage · Publication Date: 2026-06-25 · VENTIO

Patent Information

Authority / Receiving Office: WO
Patent Type: Applications
Current Assignee / Owner: VENTIO
Filing Date: 2025-12-16
Publication Date: 2026-06-25


Abstract

The present invention relates to a method for processing sensitive data, in particular biomedical images, in a secure, automated and reproducible manner on a cloud computing infrastructure. The invention also discloses the device for implementing this method. The invention is based in particular on cloud computing, cryptography, biomedical imaging, pseudonymisation, anonymisation, advanced signal processing and image technologies. The invention also covers a use case for such a method, involving the secure implementation of image processing technologies (a business application) applied to biomedical images. In one embodiment, these images are obtained by magnetic resonance imaging (MRI) and used in particular for the application of advanced processing with the business application in order to map the apparent transverse relaxation rate (R2*) and perform quantitative susceptibility mapping (QSM).

Description

[0001] A method for processing sensitive data secured by a trusted third party and a set of sensitive data processing tools adapted for implementing such a method.

[0002] Description

[0003] Technical field

[0001] The invention relates to the field of processing sensitive data, particularly remotely.

[0002] To this end, the invention relates to a method for processing sensitive data secured by a trusted third party and to a sensitive data processing assembly adapted for implementing such a method.

[0006] Prior state of the art

[0003] The context of the present invention is that of securing the processing of sensitive data, in particular data of the "biomedical image" type, especially in the cloud and in the context of large-scale evaluation, for example for the purposes of scientific research, clinical research or diagnostic assistance.

[0004] With the increasing digitization of health data and the growing need for data analysis, which requires ever-increasing computing power, there has been a proliferation of data processing solutions. These sensitive data processing solutions must provide easy, interoperable, and reusable access to this data, particularly for diagnostic support and medical research, while complying with the General Data Protection Regulation (GDPR), especially with regard to personal data.

[0005] In order to address these two problems, which are difficult to reconcile, there are currently several ways to proceed:

[0010] (i) provision of a local solution implemented directly at the locations where medical data is collected, which facilitates the management of sensitive data, since it is processed only locally and, when the tools used have limited external access, presents a low risk of data leakage,

[0011] (ii) providing sensitive data to be processed to external actors who are able to apply a particular algorithm to the sensitive data, the external actors then providing the result of the application of said particular algorithm.

[0006] Neither approach is satisfactory for all stakeholders. Regarding approach (i), the deployment of a local solution (i.e., the provision of object code or executables) does not guarantee the consistency of the processing performed, since it depends on the locally available IT tools. In addition to these reproducibility risks, this approach introduces relatively significant maintenance, training and update costs needed to ensure reliable and available data processing. This approach is therefore complex and makes large-scale application difficult. It should also be noted that, for the third-party actors providing the local solution, there is a risk associated with the provision of object code or executables (possible data leakage and risk of reverse engineering), and it is difficult to verify the use made of their software solution (which limits the possibilities of billing per task).

[0007] Approach (ii) requires the transfer of sensitive data between the data collection point and the external actor's facilities. Such a transfer is complex, given the issues of GDPR and DCP, and is subject to restrictions on confidentiality, pseudonymization and / or anonymization, as well as on the external actor's sovereignty over processing and storage. This restricts, slows down, or in some cases even makes impossible the application of an algorithm to the data.

[0008] To address these issues, it is known to use cloud computing technologies to process sensitive data. This processing can, for example, be carried out on dedicated virtual servers. This type of solution eliminates the need for hardware installation and configuration, thus enabling more reproducible data processing by standardizing server configurations. However, as with the method described in (ii), the security constraints of such systems remain significant and depend, for example, on the purpose and duration of the processing, particularly the data retention period.

[0009] Thus, while such a solution overcomes some of the constraints associated with local solutions (approach (i)) and limits access to sensitive data by external actors, since access occurs only through an external server, generally without intervention from a technician of the external actor, this solution is not entirely suitable. Indeed, during the processing of sensitive data, all the data is processed, including the identifying part of this sensitive data. As a result, particularly in the event of a verification of the proper processing of the data, this identifying part remains accessible to the technicians of the third party. Therefore, the confidentiality required for this type of data cannot truly be guaranteed even with this type of solution.

[0016] Description of the invention

[0010] The invention aims to remedy the above disadvantages and to provide a processing solution that is more reliable than local solutions while guaranteeing, like the latter, processing of sensitive data with reduced or even zero external access to the subject's identifying data.

[0011] To this end, the invention relates to a method for securely processing sensitive data, the sensitive data including a first part of data to be processed and a second part of so-called informative data, or metadata, the second part of data comprising a first portion of so-called identifying data, which relates to a subject from which the first part of data originates, and possibly a second portion of so-called useful data for the processing of the first part of data to be processed,

[0012] the processing method comprising the following steps:

[0020] A. receipt of a request to process sensitive data by a first computer unit,

[0021] B. configuration by the first computer unit of a second computer unit capable of processing the sensitive data,

C. provision of the sensitive data to a third computer unit,

[0022] D. generation by the third computer unit of a signature relating to at least part of the sensitive data,

[0023] E. extraction, by the third computer unit and from the sensitive data, of the first part of the data and the possible second portion of the data,

[0024] G. concatenation of the first part of the data, the possible second portion of the data, and the signature into a first data container,

[0025] H. encrypted transmission of the first data container to the second computer unit,

[0026] I. After retrieval and possible decryption, processing by the second computer unit of the first part of the data, this processing possibly taking into account the information present in the second portion of the data,

[0027] J. concatenation by the second computing unit of the processing results with at least the signature in a second data container,

[0028] K. transmission by the second computer unit of the second data container in encrypted form to the third computer unit,

[0029] L. verification by the third computer unit of the correspondence of the signature with the sensitive data and association of the result of the processing with the first portion of data.

[0013] By computer unit is meant a computing unit, such as a computer as such, a set of servers, a virtual machine running on one or more servers, or an application container running on one or more servers, independent of the other computer units.

[0014] Of course, the order of the steps in the present method is not limiting; certain steps may be carried out, where technically feasible, before or simultaneously with the preceding step(s), without departing from the scope of the invention. Thus, in particular, and for example, step B, configuring the second computer unit, may be subsequent to at least one of steps C through E, without departing from the scope of the invention.

[0015] Thus, in a possible application of the invention, the first, second, and third computer units may be provided in the form of software containers implemented on one or more servers.

[0016] Such a method allows only the necessary sensitive data to be transmitted to the second computer unit implementing the processing, while ensuring full tracking of this data through the digital signature. Indeed, only the third computer unit has access to the first portion of the second part of the sensitive data. This third computer unit acts as a trusted intermediary: it transfers only the data necessary for processing, ensures proper tracking of this data through the digital signature and, again through this digital signature, associates the processing results with the aforementioned first portion of the second part of the sensitive data before transmission to the client. Thus, unlike prior-art cloud computing solutions, data processing is carried out with complete confidentiality of the identifying data, since this data is not accessible to the second computer unit.

[0017] Furthermore, by allowing the second computer unit to be configured, in particular, as an encrypted application container, the method according to the invention enables the external party to provide its software solution through a data manager, such as a hosting provider, without the risks associated with providing object code or executables that prior-art methods present, and with simplified maintenance. Similarly, since the first computer unit can record all processing requests, the external party is able to accurately quantify the usage of its processing solutions.

[0018] Before step G. of concatenation, a step F. of anonymization of the first part of data and / or of the second part may be provided, said step consisting of modifying or deleting elements of said first part of data and / or of the second part which are specific to the subject and which are not useful for the processing.

[0019] Such an anonymization step ensures that only the data necessary for processing is transmitted and limits the risks related to the subjects' personal data.

[0020] During step H, the encrypted transmission of the first data container, at least one of the first part of data and the second portion of data may be at least partially encrypted by homomorphic encryption with respect to the processing, in which case, during step I, the processing by the second computer unit, said at least one of the first part of data and the second portion of data is not decrypted beforehand to carry out said processing by the second computer unit.

[0021] With such homomorphic encryption, data processing is not affected by encryption and it is therefore possible to process sensitive data in a completely anonymous manner without risk of identifying the subject(s) from whom this data originates.

[0022] During at least one of the transmission steps H. and K., the transmitted container can be encrypted by a TLS / SSL transfer protocol with certificates generated by a trusted third party, and / or by SSH with secure key pairs generated by a trusted third party, and / or via the transfer of an encrypted container.

[0023] Sensitive data may be in DICOM format and may include at least one imaging data item, said at least one imaging data item being preferably obtained by magnetic resonance imaging.

[0024] The method according to the invention is particularly suitable and advantageous for the DICOM format and in the processing of imaging data presenting such a format.

[0040] The process may also include the following step:

[0041] M. After step K. of transmitting the result, resetting or deleting the second computer unit by the first computer unit.

[0042] Resetting or removing the second computer unit ensures that all traces of sensitive data processing are eliminated. This prevents any risk of data compromise on the second computer unit.

[0025] The first computer unit can be configured to keep a log of each step implemented by each of the second and third computer units.

[0026] Thus, the first computer unit makes it possible to keep proof of the data processing without having had access to the data itself, since the data processing and transfer were carried out solely through the second and third computer units.

[0027] At least one of the second and third computing units is provided by an application container.

[0028] Such a provision makes it possible to ensure that neither of the second and third units retains any trace of the transferred / processed data and to facilitate their resetting.

[0029] Furthermore, when the second processing unit is hosted by a data manager separate from the external party providing the data processing solution, such application containers can be encrypted. As a result, the risks associated with such hosting regarding the provision of object code or executables are significantly reduced, or even eliminated.

[0030] The invention further relates to an assembly for processing sensitive data securely, the sensitive data including a first part of data to be processed and a second part of so-called informative data, or metadata, the second part of data comprising a first portion of so-called identifying data, which relates to a subject from which the first part of data originates, and possibly a second portion of so-called useful data for processing the first part of data to be processed,

[0031] said processing assembly comprising: a first computer unit capable of receiving a request to process sensitive data and of configuring a second computer unit capable of performing the processing of the sensitive data, the second computer unit being further capable of receiving sensitive data from a third computer unit, said third computer unit being configured to:

- extract, from the sensitive data, the first part of the data and the possible second portion of the data,
- generate a signature relating to at least a part of the sensitive data,
- concatenate the first part of the data, the possible second portion of the data and the signature into a data container in order to form a first data container,
- transmit, in encrypted form, the first data container to the second computer unit,

the second computer unit being further capable of:

- after retrieval and possible decryption, processing the first part of the data, this processing possibly taking into account the information present in the second portion of the data,
- concatenating the results of the processing with at least the signature in a second data container,
- transmitting the second data container in encrypted form to the third computer unit,

[0032] the third computer unit being further configured to check the correspondence of the signature and sensitive data and to associate the result of the processing with the first portion of data.

[0050] Brief description of the drawings

[0033] The present invention will be better understood upon reading the description of exemplary embodiments, given purely by way of illustration and in no way limiting, with reference to the accompanying drawings in which:

[0052] [Fig. 1] illustrates a processing assembly according to the invention.

[0053] [Fig. 2] illustrates an example of sensitive data as processed within the framework of the invention.

[0054] [Fig. 3] illustrates a flowchart of the sensitive data processing method according to the invention.

[0034] The different parts shown in the figures are not necessarily to a uniform scale, in order to make the figures more legible.

[0035] The different possibilities (variants and embodiments) should be understood as not being mutually exclusive and can be combined.

[0056] Detailed description of specific implementation methods

[0036] Figure 1 illustrates a processing assembly ET according to the invention, configured to allow the processing of sensitive data in a secure manner and with reduced or even zero external access to the identifying data of subjects.

[0037] More specifically and in accordance with the invention, the processing assembly ET is configured to process sensitive data securely. This sensitive data includes, as shown in Figure 2, a first part 12 of data to be processed and a second part 11 of so-called informative data, or metadata, the second part 11 of data comprising a first portion 111 of so-called identifying data, which relates to a subject from which the first part 12 of data originates, and a second portion 113 of so-called useful data for the processing of the first part 12 of data to be processed.

[0038] In the present embodiment, the sensitive data being imaging data, the sensitive data 1 in the example shown in Figure 2 more specifically includes:

[0060] - the first part 12 of data to be processed, which is imaging data that itself includes identifying information 121, technical information data 122 and information necessary for processing 123,

[0061] - the second part 11 of so-called informative data, or metadata, including the first portion 111 called identifying data, the second portion 113 of so-called useful data for processing (or so-called necessary data for processing) and a third portion 112 of so-called technical data.

[0039] It will be noted that in an example of implementation of the invention, the sensitive data are in DICOM format and are imaging data including metadata, as second part 11 of data, relating to this imaging data: identifying data (such as the name of the subject, information relating to age, sex, etc.), as first portion 111; possible data useful for processing (such as image capture conditions), as second portion 113; and possible technical data (such as information relating to the imaging device, the technician and / or practitioner who carried out the examination / analysis of the imaging data), as third portion 112. Similarly, the first part 12 of the data to be processed corresponds to the imaging data itself, which may therefore include identifying information 121 (such as image portions relating to specific characteristics of the subject, for example the shape of a venous network, cerebral sulci, etc.), technical information data 122 (such as calibration images on a phantom prior to imaging the subject), and the information necessary for processing 123 (the image portion required to perform the processing itself). According to a particular implementation example, the sensitive data 1 may be imaging data obtained by magnetic resonance imaging. According to this same particular example, the processing performed on the sensitive data may be carried out based on the procedure taught in document EP 2283373 B1, as described later in relation to the implementation example.

[0040] In accordance with the invention and as shown in Figure 1, the processing assembly ET comprises: a first computer unit SS capable of receiving a request to process sensitive data 1 from a client CL and of configuring a second computer unit SC capable of performing the processing of the sensitive data, the second computer unit SC being further capable of receiving sensitive data from a third computer unit SIS, said third computer unit SIS being configured to:

- extract, from the sensitive data 1, the first part 12 of data and the possible second portion 113 of data,
- generate a signature relating to at least a part of the sensitive data 1,
- concatenate the first part 12 of data, the possible second portion 113 of data and the signature into a data container in order to form a first data container,
- transmit, in encrypted form, the first data container to the second computer unit SC,

the second computer unit SC being further capable of:

- after retrieval and possible decryption, processing the first part 12 of data, this processing possibly taking into account the information present in the second portion 113 of data,
- concatenating the results of the processing with at least the signature in a second data container,
- transmitting the second data container in encrypted form to the third computer unit SIS,

the third computer unit SIS being further configured to verify the correspondence of the signature and the sensitive data and to associate the result of the processing with the first portion of data.

[0041] It should be noted that, according to a typical configuration of the invention, the client CL corresponds to a computer unit belonging to any natural person or organization, such as a practitioner, a medical center or a research institute, that has sensitive data, for example imaging data of a subject, to be processed by the processing assembly ET.

[0042] In order to illustrate the implementation of the different configurations of the first through third computer units SS, SC and SIS, the various actions A1 to A11 of these units are shown in Figure 1. Thus, the following actions are performed:

[0065] A1 - service access request from the client CL to the first computer unit SS,

[0066] A2 - deployment by the first computer unit SS of the security service through the configuration of the third computer unit SIS,

[0067] A3 - secure transfer of the data by the client CL to the third computer unit SIS,

A4 - access control, quality control, minimization and anonymization, in particular by not transferring the first portion 111 of the second part 11 of data, and encryption and concatenation of the first part 12 of data, the possible second portion 113 of data and the signature in a data container,

[0068] A5 - transmission by the third computer unit SIS, based on the sensitive data received, of a request for specific computing resources to the first computer unit SS,

[0069] A6 - deployment by the first computer unit SS of the computing resources with installation of the processing, i.e. the configuration by the first computer unit SS of the second computer unit SC capable of performing the processing of sensitive data,

[0070] A7 - transmission of the secured data from the third computer unit SIS to the second computer unit SC, this transmission being carried out, in accordance with the invention, by encrypted transfer of the data container to the second computer unit SC,

[0071] A8 - application of the processing to the transmitted data by the second computer unit SC, this processing being carried out on the basis of the first part 12 of data and possibly taking into account the information present in the second portion 113 of data,

[0072] A9 - transmission of the results from the second computer unit SC to the third computer unit SIS, this transmission being carried out in the form of a second data container comprising the results of the processing with at least the signature relating to the sensitive data,

[0073] A10 - after receipt of the results by the third computer unit SIS, formatting of these results, including re-identification based on the signature and the first portion of the second part of the data,

[0074] A11 - delivery of the results thus re-identified to the client CL.

[0043] In the context of the present invention, according to one embodiment, the first computing unit SS forms a supervisor server, the second computing unit SC forms an on-demand computing server, and the third computing unit SIS forms a secure interface server. As already indicated, such computing units can each be formed either by a computer as such, by a set of servers, by a virtual machine running on one or more servers, or by an application container running on one or more servers independent of other computing units.

[0044] According to an advantageous embodiment of the invention, at least one of the second and third computer units SC, SIS, preferably both the second and third computer units SC, SIS, is formed by an application container running on one or more independent servers. In this way, upon receiving a request from a client CL, the first computer unit can easily configure the second and third computer units SC, SIS according to the client's needs and reset them by simply closing the session initiated from the corresponding application containers. This ensures the complete deletion of sensitive data stored in the memory of the second and third computer units SC, SIS. According to this scenario, the first computer unit SS, which receives service requests from the client CL and oversees the second and third computer units SC, SIS, can maintain a log, or event history (also known as a "log file"), of at least some of the steps implemented by each of the second and third computer units SC, SIS. In this way, if problems are suspected in the processing of sensitive data, it will be possible to verify the correct implementation of the processing by the entire processing assembly ET on the basis of such a log.

[0045] According to the flowchart in Figure 3, such a processing assembly ET allows the implementation of a processing method comprising the following steps:

[0078] A. receipt of a request to process sensitive data 1 by the first computer unit SS,

[0079] B. configuration by the first computer unit SS of the second computer unit SC capable of processing the sensitive data 1,

[0080] C. provision of the sensitive data 1 to the third computer unit SIS,

[0081] D. generation by the third computer unit SIS of a signature relating to at least part of the sensitive data 1,

[0082] E. extraction, by the third computer unit SIS and from the sensitive data 1, of the first part 12 of data and the possible second portion 113 of data,

F. anonymization of the first part 12 of data and / or the second portion 113, said step consisting of modifying or deleting elements of said first part 12 of data and / or the second part 11 which are specific to the subject and which are not useful for the processing,

[0083] G. concatenation of the first part 12 of data, the possible second portion 113 of data and the signature into a first data container,

[0084] H. encrypted transmission of the first data container to the second computer unit SC,

[0085] I. after retrieval and possible decryption, processing by the second computer unit SC of the first part 12 of data, this processing possibly taking into account the information present in the second portion 113 of data,

[0086] J. concatenation by the second computer unit SC of the processing results with at least the signature in a second data container,

[0087] K. transmission by the second computer unit SC of the second data container in encrypted form to the third computer unit SIS,

[0088] L. verification by the third computer unit SIS of the correspondence of the signature with the sensitive data 1 and association of the result of the processing with the first portion 111 of data,

[0089] M. reset or deletion of the second and third computer units SC, SIS by the first computer unit SS.

[0090] In order to enable processing while limiting the risks associated with the transmission of information identifying the subject from whom the sensitive data originates, which may be contained in either the first part 12 or the second portion 113, during step H of encrypted transmission of the first data container, at least one of the first part 12 and the second portion 113 of the data is at least partially encrypted by homomorphic encryption with respect to the processing performed by the second computer unit SC. According to this possibility, during step I of processing by the second computer unit SC, said at least one of the first part 12 and the second portion 113 of the data is not decrypted beforehand to perform said processing by the second computer unit SC.

[0046] Such a homomorphic encryption possibility for at least a part of the sensitive data can be illustrated as follows. This sensitive data, necessary for processing, may include the subject's age, a dose of a compound received by the subject, or any other variable expressed as a number on a finite scale (between Vmin and Vmax). Such a variable, according to this homomorphic encryption method, can for example be converted into an integer between 0 and Nv using a linear operation that maps the interval [Vmin, Vmax] to [0, Nv] for all subjects. This converted variable is then encrypted using a fully homomorphic cipher. The encrypted variable is then transmitted to the second computer unit SC. The second computer unit SC calculates the average of the encrypted variables and provides the result. Since this result is encrypted, the data provided to the second computer unit cannot be interpreted without decryption. The encrypted aggregate result can then be decrypted by the third computer unit SIS, without requiring any processing of the sensitive data 1. According to this homomorphic encryption possibility, notably usable in the context of the implementation example described below, the homomorphic encryption method used can be based on the polynomial factorization problem with integer coefficients, for which two polynomials describing spinors and representing successive rotations are used to encrypt the data.
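The encrypted mean described above, worked through end to end as an added example (not code from the patent): the trusted third party SIS maps each variable from [Vmin, Vmax] onto the integers [0, Nv] and encrypts it, the computing unit SC adds the ciphertexts without decrypting anything, and SIS decrypts only the aggregate. A toy Paillier scheme, which is only additively homomorphic, stands in for the fully homomorphic cipher the page mentions, since a mean needs only addition; the primes and the sample values are constructed for the example and provide no real security.

```python
import secrets
from math import gcd


def lcm(a: int, b: int) -> int:
    return a * b // gcd(a, b)


class PaillierPrivateKey:
    """Toy Paillier key pair held by the trusted third party SIS. Paillier adds
    plaintexts by multiplying ciphertexts, which is all an encrypted mean needs.
    The default primes are tiny, constructed for the example, and NOT secure."""

    def __init__(self, p: int = 1_000_003, q: int = 1_000_033):
        self.n = p * q
        self.n2 = self.n * self.n
        self.lam = lcm(p - 1, q - 1)
        g = self.n + 1
        # mu = L(g^lam mod n^2)^-1 mod n, with L(u) = (u - 1) / n
        self.mu = pow(self._L(pow(g, self.lam, self.n2)), -1, self.n)

    def _L(self, u: int) -> int:
        return (u - 1) // self.n

    def public(self) -> int:
        """Only n is needed to encrypt and to add ciphertexts (what SC gets)."""
        return self.n

    def decrypt(self, c: int) -> int:
        return (self._L(pow(c, self.lam, self.n2)) * self.mu) % self.n


def encrypt(n: int, m: int) -> int:
    """E(m) = (1+n)^m * r^n mod n^2 with a fresh random r coprime to n."""
    n2 = n * n
    r = secrets.randbelow(n - 2) + 2
    while gcd(r, n) != 1:
        r = secrets.randbelow(n - 2) + 2
    return (pow(1 + n, m, n2) * pow(r, n, n2)) % n2


def add_encrypted(n: int, c1: int, c2: int) -> int:
    """Multiplying ciphertexts adds the plaintexts: E(a) * E(b) = E(a + b) mod n^2."""
    return (c1 * c2) % (n * n)


def quantize(v: float, vmin: float, vmax: float, nv: int) -> int:
    """Linear map of the finite scale [vmin, vmax] onto the integers [0, nv]."""
    if not vmin <= v <= vmax:
        raise ValueError(f"{v} lies outside the declared scale [{vmin}, {vmax}]")
    return round((v - vmin) / (vmax - vmin) * nv)


def dequantize(q: float, vmin: float, vmax: float, nv: int) -> float:
    return vmin + q * (vmax - vmin) / nv


def sis_encrypt_variables(values, vmin, vmax, nv, n):
    """SIS side: quantise each subject's variable and encrypt it for SC."""
    return [encrypt(n, quantize(v, vmin, vmax, nv)) for v in values]


def sc_encrypted_sum(n, ciphertexts):
    """SC side: aggregates without ever decrypting. Returns (E(sum), count);
    the division by the count is left to SIS because Paillier only adds."""
    acc = encrypt(n, 0)
    for c in ciphertexts:
        acc = add_encrypted(n, acc, c)
    return acc, len(ciphertexts)


def sis_recover_mean(key, enc_sum, count, vmin, vmax, nv):
    """SIS side: decrypt the aggregate only, then map back to the original scale."""
    return dequantize(key.decrypt(enc_sum) / count, vmin, vmax, nv)


def encrypted_mean(values, vmin, vmax, nv=1000):
    """End-to-end run of the page's example: SIS encrypts, SC sums, SIS decrypts."""
    key = PaillierPrivateKey()
    n = key.public()
    # Edge case: Paillier works modulo n, so the plaintext sum must stay below n
    # or the decrypted aggregate silently wraps around.
    if len(values) * nv >= n:
        raise ValueError("aggregate could exceed n; use larger primes or a smaller Nv")
    cts = sis_encrypt_variables(values, vmin, vmax, nv, n)
    enc_sum, count = sc_encrypted_sum(n, cts)
    return sis_recover_mean(key, enc_sum, count, vmin, vmax, nv)
```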

[0048] Similarly, to limit risks during transmission steps H and K, the first and second containers transmitted during these steps can be encrypted using a TLS / SSL transfer protocol by generating certificates from a trusted third party, and / or SSH by generating secure key pairs from a trusted third party, and / or via the transfer of an encrypted container. The trusted third party providing the key and certificate is, for example, a service installed on the first computer unit SS or on another dedicated secure server with specific access control between the second and third computer units SC, SIS. Regardless of the encryption protocol selected, the asymmetric encryption level is advantageously based on RSA encryption of 4096 bits or higher.

[0049] Of course, these three types of encryption are provided only as advantageous examples, and other types of encryption, equivalent to or offering superior data security compared to these three types, may be implemented without departing from the scope of the invention. In particular, such encryption may be based on a hybrid encryption protocol including classical and post-quantum encryption. Similarly, it may be based on an asymmetric encryption level adapted to the criticality of the data, for example, with 4096-bit RSA encryption.

[0050] According to an advantageous embodiment of the invention, regardless of the encryption type chosen, the encryption key generation can be based on random numbers generated by a quantum computer. Such a solution maximizes entropy during encryption key generation, for example when generating keys for the SSH protocol or for AES encryption. To implement such a solution, seed files containing a series of random bits can be generated using a quantum processor with at least one qubit. Thus, for a key of size Nk, a quantum processor with Nq qubits (Nq>1) is initialized in a state where the Nq qubits are in equiprobable superposition states. Then, during key generation, a first measurement is performed, randomly assigning a value of 0 or 1 to each qubit. By repeating this process N times, with N an integer greater than or equal to Nk / Nq, it is possible to generate the Nk bits of said key.

[0051] Of course, in addition to the encryption solutions described above, the ET processing set can also implement intrusion detection mechanisms, particularly by means of the first processing unit SS. These intrusion detection mechanisms may include a firewall configured to filter incoming and outgoing connections and the ports on which they are made, for example based on a list of authorized IP addresses and / or authorized MAC addresses. Thus, according to one embodiment of the invention, the port used for communication via SSH may be other than the port provided by default in this protocol, in order to enhance security. Similarly, as a complement or alternative, at least one server providing at least one of the first through third processing units SS, SC, SIS may include an intrusion detection system. According to this possibility, the list of users accessing remote resources is limited to users without privileges.

[0052] With regard to steps G. of generating, by the third computing unit SIS, a signature relating to at least a portion of the sensitive data 1, and L. of verifying, by the third computing unit SIS, the correspondence of the signature with the sensitive data 1, the signature can be obtained by hashing (for example with SHA-512) at least a fraction of the sensitive data, or even all of it, this fraction preferably being a fraction not transmitted in the first container, such as the first portion 121 of the second part of the sensitive data 12. In this way, when retrieving the second container, it is possible, from the signature, to associate this second container, and therefore the results it contains, with said fraction of the sensitive data and thus with the sensitive data. The identification of the results is therefore easy.

[0053] During concatenation steps G and J, the data containers can be data carriers on ephemeral encrypted media obtained by creating virtual disks encrypted with encryption algorithms, for example AES 256, and possibly with hash functions (for example of the SHA-512 type). This type of container is therefore preferably implemented with ephemeral media whose files and encryption keys are erased after use, preventing any future access after the servers are disassembled or restarted. Alternatively, the media can be reusable; in this case, the encryption keys are retained and can be managed by a key management system with access control, for example installed on the first computer unit SS. According to this possibility, each time such a medium is mounted, the key management system authenticates the request before providing said key, in order to ensure that only legitimate requests allow access to said media.
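The signature and container round trip of paragraphs [0052] and [0053] (steps D, G, I, J and L of the method), as an added example that is not part of the patent text. The records are constructed dicts standing in for DICOM metadata; the field names, the choice of study and series identifiers as the untransmitted fraction 121, and the stand-in "processing" (a voxel mean) are assumptions of this example, not the patent's own.

```python
"""Added example (not from the patent): SIS splits the sensitive data, signs the
untransmitted fraction with SHA-512, SC processes the first container and returns
the signature with its result, SIS re-checks the signature and associates the
result with the identifying portion 111.  Field names are assumptions."""
import hashlib
import hmac
import json
import statistics

def split_sensitive_data(record):
    """SIS side.  part 12 = data to process, portion 111 = identifying data,
    portion 113 = metadata useful for the processing, portion 121 = the fraction
    that never leaves SIS and over which the signature is computed (assumed here
    to be the study and series identifiers)."""
    part12 = {"pixels": record["pixels"]}
    portion111 = {k: record[k] for k in ("patient_name", "patient_id")}
    portion113 = {k: record[k] for k in ("b0_tesla", "echo_times_ms")}
    portion121 = {k: record[k] for k in ("study_uid", "series_uid")}
    return part12, portion111, portion113, portion121

def signature(fraction):
    """Step D: SHA-512 over a canonical JSON serialisation of the fraction.
    Caveat for a deployment: a plain hash of a low-entropy fraction (a date, a
    short code) can be brute-forced by whoever holds the container; a keyed hash
    (HMAC with a key kept on SIS) removes that exposure and SIS can still re-check it."""
    blob = json.dumps(fraction, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha512(blob).hexdigest()

def build_first_container(record):
    """Step G: only part 12, portion 113 and the signature leave SIS."""
    part12, _, portion113, portion121 = split_sensitive_data(record)
    return {"data": part12, "useful": portion113,
            "signature": signature(portion121)}

def sc_process(first_container):
    """Steps I and J on SC: compute a result and return it with the signature."""
    px = first_container["data"]["pixels"]
    result = {"mean": statistics.fmean(px), "n_voxels": len(px)}
    return {"result": result, "signature": first_container["signature"]}

def sis_verify_and_associate(second_container, records):
    """Step L on SIS: recompute each record's signature from locally held data
    and attach the result to the identifying portion 111 of the matching one."""
    for record in records:
        _, portion111, _, portion121 = split_sensitive_data(record)
        if hmac.compare_digest(signature(portion121), second_container["signature"]):
            return {**portion111, **second_container["result"]}
    raise ValueError("signature matches no locally held sensitive data")

# Constructed sample records (not real patient data).
RECORDS = [
    {"patient_name": "DOE^JANE", "patient_id": "P-0001", "b0_tesla": 3.0,
     "echo_times_ms": [5, 10, 15, 20], "study_uid": "1.2.3.1",
     "series_uid": "1.2.3.1.1", "pixels": [1, 2, 3]},
    {"patient_name": "ROE^RICHARD", "patient_id": "P-0002", "b0_tesla": 7.0,
     "echo_times_ms": [4, 8, 12, 16], "study_uid": "1.2.3.2",
     "series_uid": "1.2.3.2.1", "pixels": [10, 20, 30, 40]},
]

def run_round_trip(record, records=RECORDS):
    """Steps G to L for one record; returns the result tied to its subject."""
    first = build_first_container(record)
    return sis_verify_and_associate(sc_process(first), records)
```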

[0096] Example of implementation of the process according to the invention:

[0054] As specified at the beginning of this detailed description, the present ET processing set, and the processing method which it makes it possible to implement, can in particular be used for applications to the processing of imaging data obtained by magnetic resonance imaging (MRI) in the context of cloud computing applications.

[0055] In the context of this implementation example, the processing enabled by the processing suite may be of the R2* and / or QSM brain mapping type for the characterization of brain lesions. According to this example, the processing may thus consist of a reconstruction of R2* relaxation time mapping and / or QSM magnetic susceptibility mapping based on DICOM magnetic resonance imaging files. According to one possibility of this implementation example, the processing may also include automated analysis of the result, calculating statistics (such as mean, standard deviation) in regions of interest derived from image segmentation and then generating a summary report. Such a summary report may also include a comparison of the statistics obtained to reference values, such as those obtained, for example, from populations of healthy subjects.

[0056] Regarding the processing itself, it is noted, with respect to the processing implemented in this implementation example, that magnetic susceptibility has well-known effects in MRI. It causes a distortion of the magnetic field and shortens the effective lifetime of the nuclear magnetic resonance signal. Thus, the extraction of synthetic quantitative parameters, namely R2* and QSM, is achievable using specific processing of the images acquired on the machine.

[0057] Indeed, it is important to note that MRI image acquisition is specific, in order to provide optimal sensitivity to susceptibility on the imaging system on which the experiment is performed. This specificity incorporates, in particular, the following elements. Classically, the imaging system is 1.5 Tesla, 3 Tesla or 7 Tesla in humans, with higher magnetic field values that can reach up to 17.6 Tesla in small animals to date. The nominal field of the imaging device is generally denoted B0. Susceptibility effects tend to increase with the nominal magnetic field B0, which implies that this metadata must be retained for processing that seeks to analyze susceptibility effects; To generate an MRI signal, means are required to excite the magnetization. These consist of a tuned radio frequency field emission device, called an antenna or radio frequency transmitting antenna array, capable of delivering an oscillating magnetic emission field denoted B1+;

[0101] To detect a signal, means of receiving the signal are required. These consist of a tuned radio frequency field receiving device, called an antenna or array of radio frequency receiving antennas, with a receiving oscillating magnetic field denoted B1-;

[0102] To convert the signal, sampling methods are needed, generally using an analog-to-digital converter. To reconstruct and process the raw signal, specialized computer and processing resources are required;

[0103] Imaging sequences correspond to the way the various elements of the MRI are controlled. The static B0 field and the B1+ radiofrequency field, as well as the reception and processing methods, have already been mentioned. Another major element, particularly for signal localization, consists of what are commonly called imaging gradients. These involve varying the value of the B0 component of the magnetic field along three axes (the direction aligned with the B0 field, as well as two directions in a plane transverse to B0). These methods are very standard and familiar to professionals. To be sensitive to susceptibility effects, one can, for example, use a three-dimensional gradient echo imaging sequence with several echo times TE. From this sequence, DICOM images can be reconstructed representing, for each volume element (voxel) of the covered space, the average signal amplitude in that voxel as a function of TE, as well as an average phase map.

[0104] The following imaging protocol parameters are important for optimizing, analyzing and addressing susceptibility effects in MRI imaging: the B0 field value; the type of imaging system used (manufacturer, brand, model); the sequence name and any variants or versions; whether subsampling was performed and which; the type of image reconstruction used; the echo time value (TE) for each image; the acquisition bandwidth value (BW) for each image; the echo encoding direction for each image; the acquisition volume orientation relative to B0; the three-dimensional field of view covered and the voxel size.

[0105] To analyze the multiple images using parameters that synthesize the information from the different echoes, parametric models are used. It is common to extract the apparent transverse relaxation time T2* from this type of acquisition, or equivalently its inverse R2* = 1 / T2*. In this case, it is assumed that the signal varies with the echo proportionally to an exponential decay of the type:

[0106] From this seemingly simple model, a multitude of algorithms can actually be used to extract R2* for all voxels. To mention only the most common, one can start with amplitude-only images (without phase) and fit the reconstructed signals to the above model for each voxel using a least-squares minimization algorithm. For other algorithms based solely on the amplitude image, the reader can refer, for example, to the work of Raya, J. G. et al. entitled "T2 measurement in articular cartilage: impact of the fitting method on accuracy and precision at low SNR," published in 2010 in the scientific journal Magnetic Resonance in Medicine, volume 63, no. 1, pages 181 to 193. It is already clear that simply extracting the R2* parameter leads to variability between algorithms, in addition to the aforementioned variability in their implementation within a given environment. Applying the FAIR principles in this case, with a view to traceability of the processing carried out (here corresponding to the reconstruction of data derived from the image data initially provided by the imaging system), requires keeping track of more than just the algorithm used, for example also of the computer environment on which this algorithm was applied;
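The amplitude-only least-squares extraction of R2* described in paragraphs [0105] and [0106], together with the provenance record that the traceability requirement calls for, as an added example that is not part of the patent text. It assumes the usual mono-exponential model S(TE) = S0 * exp(-R2* * TE) (the patent's own equation did not survive extraction) and fits it log-linearly; the echo times, the synthetic amplitudes and the algorithm identifier are constructed.

```python
"""Added example (not from the patent): per-voxel R2* from multi-echo amplitudes
by log-linear least squares, returned with a provenance record (algorithm id,
input digest, runtime environment) so the processing can be reproduced.
Model S(TE) = S0 * exp(-R2* * TE) is an assumption; ALGORITHM_ID is hypothetical."""
import hashlib
import json
import math
import platform

ALGORITHM_ID = "r2star-loglinear-lsq/0.1"   # hypothetical identifier

def fit_r2star(te_ms, amplitudes):
    """Return (R2* in 1/ms, S0) from a least-squares line through ln(S) vs TE.
    The slope of that line is -R2* and its intercept is ln(S0)."""
    if len(te_ms) != len(amplitudes) or len(te_ms) < 2:
        raise ValueError("need at least two echoes with matching TE values")
    if min(amplitudes) <= 0:
        raise ValueError("amplitudes must be positive to take the logarithm")
    n = len(te_ms)
    ys = [math.log(s) for s in amplitudes]
    mean_t = sum(te_ms) / n
    mean_y = sum(ys) / n
    sxx = sum((t - mean_t) ** 2 for t in te_ms)
    sxy = sum((t - mean_t) * (y - mean_y) for t, y in zip(te_ms, ys))
    slope = sxy / sxx
    intercept = mean_y - slope * mean_t
    return -slope, math.exp(intercept)

def fit_with_provenance(te_ms, amplitudes):
    """Fit one voxel and record what is needed to reproduce the result:
    which algorithm, on which exact inputs, in which environment."""
    r2, s0 = fit_r2star(te_ms, amplitudes)
    inputs = json.dumps({"te_ms": list(te_ms), "amp": list(amplitudes)},
                        separators=(",", ":")).encode()
    return {
        "r2star_per_ms": r2,
        "s0": s0,
        "provenance": {
            "algorithm": ALGORITHM_ID,
            "input_sha512": hashlib.sha512(inputs).hexdigest(),
            "python": platform.python_version(),
            "platform": platform.platform(),
        },
    }

def simulate_echoes(te_ms, s0, r2star):
    """Constructed noise-free multi-echo amplitudes for a single voxel."""
    return [s0 * math.exp(-r2star * t) for t in te_ms]

if __name__ == "__main__":
    te = [5, 10, 15, 20]                        # echo times in ms (constructed)
    out = fit_with_provenance(te, simulate_echoes(te, 1000.0, 0.05))
    print(out["r2star_per_ms"], out["provenance"]["algorithm"])
```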

[0107] A second parametric model synthesizing the information contained in images resulting from multi-echo acquisition has been described and is known as quantitative susceptibility imaging (QSM). The basic principles and physical models are familiar to those skilled in the art and are not the subject of this document. What is relevant to emphasize, however, is the complexity of the processing involved, which significantly increases the challenges of reproducibility and traceability of such complex processes.

[0108] To give an idea of this complexity, the main steps of such processing (successive steps describing a pipeline), which can be implemented by the second computing unit SC in the context of this example implementation, are listed below:
o Verification and loading of the acquisition parameters necessary for reconstruction: at a minimum the value of B0 or the system frequency, the observed nucleus (1H by default in general), the orientation of the volume relative to B0, the absolute or relative size of the voxels, the absolute or relative spacing between the different echo times, and possibly the acquisition bandwidth and the direction of the read gradient (because some sequence options allow acquisitions of multiple echoes with a read gradient always in the same direction, or alternately in one direction for even echoes and in the other direction for odd echoes);
o Fitting a magnetic field map from the phase information. Several processing methods are possible for this step, and the methods depend on the type of data available. In the most frequent case of images available for regularly spaced echo times (corresponding to an identical interval between the different echo times, preferably with read gradients in the same direction), it is possible, for example, to synthesize a complex signal from the amplitude and phase measurements, then perform a heavily zero-padded Fourier transform, then determine the index of the spectral maximum and convert this index into a frequency. Other processing methods are possible, for example by combining a temporal phase unwrapping followed by a weighted least-squares fit;
o Filtering to reduce susceptibility effects, which are often very significant near the interfaces between low-density regions (such as those containing gases: the nose, sinuses, ear canals, digestive system and pulmonary airways, for example) and tissues composed mainly of water. The resulting field distortions become predominant compared to internal tissue variations (2 to 3 orders of magnitude of difference can be observed), which has led to the development of techniques for filtering these effects. Numerous filtering techniques are available, ranging from simple high-pass filtering (see the work of E.M. Haacke et al., published in the scientific journal "Magnetic Resonance in Medicine," volume 52, number 3, page 612, in 2004 under the title "Susceptibility-weighted imaging (SWI)") to more advanced methods based on the expected physical properties of these effects, particularly their harmonic character (solutions of Laplace's equation), leading to various filtering processes to extract only the so-called 'internal' effects;
o Definition of a volume of interest in which the internal field will be estimated. This requires defining and implementing an image segmentation process, for example, in the case of brain imaging, to extract the brain;
o Fitting the internal effects to a physical model to reconstruct a magnetic susceptibility map. Since field data alone are insufficient to provide a single solution, it is almost always necessary to add other information, in line with what are called Bayesian approaches. In particular, it is possible to rely on information that is not based solely on field deformation but also on anatomical information, whether it is a priori spatially uniform or results from the processing of localized information derived from the signal amplitude or from prior segmentation;
o Introduction of regularization parameters that give a relative weight to the measurements compared to the a priori assumptions; here again the methods for selecting these parameters are multiple, one example being the technique known to those in the field as the "L-curve".

[0058] Through the example of implementation of the invention relating to parametric R2* and QSM imaging, the problem associated with the complexity of this type of processing and the benefits provided by the invention clearly appear: it allows traceability of the processing in order to reproduce it, and provides guarantees on the data used for the processing.

Claims

1. A method for processing sensitive data (1) securely, the sensitive data (1) including a first part (12) of data to be processed and a second part (11) of so-called informative data, or metadata, the second part (11) of data comprising a first portion (111) of so-called identifying data relating to a subject from whom the first part (12) of data originates and possibly a second portion (113) of so-called useful data for the processing of the first part (12) of data to be processed, the processing method comprising the following steps:
A. receipt of a request to process sensitive data (1) by a first computer unit (SS),
B. configuration by the first computer unit (SS) of a second computer unit (SC) capable of processing sensitive data (1),
C. provision of sensitive data (1) to a third computer unit (SIS),
D. generation by the third computer unit (SIS) of a signature relating to at least part of the sensitive data (1),
E. extraction, by the third computer unit (SIS) and from the sensitive data (1), of the first part (12) of data and the possible second portion (113) of data,
G. concatenation of the first part (12) of data, the possible second portion (113) of data and the signature into a first data container,
H. encrypted transmission of the first data container to the second computer unit (SC),
I. after retrieval and possible decryption, processing by the second computer unit (SC) of the first part (12) of data, this processing possibly taking into account the information present in the second portion (113) of data,
J. concatenation by the second computer unit (SC) of the processing results with at least the signature in a second data container,
K. transmission by the second computer unit (SC) of the second data container in encrypted form to the third computer unit (SIS),
L. verification by the third computer unit (SIS) of the correspondence of the signature with the sensitive data (1) and association of the result of the processing with the first portion (111) of data.

2. Processing method according to claim 1, wherein, prior to the concatenation step G, there is a step F of anonymization of the first part (12) of data and / or the second portion (113) of data, said step consisting in modifying or deleting elements of said first part (12) of data and / or second portion (113) of data which are subject-specific and which are not useful for the processing.

3. Processing method according to claim 1 or 2, wherein, in step H. of encrypted transmission of the first data container, at least one of the first part (12) of data and the second portion (113) of data is at least partly encrypted by a homomorphic encryption with respect to the processing, and wherein, in step I. of processing by the second computer unit (SC), said at least one of the first part (12) of data and the second portion (113) of data is not previously decrypted to carry out said processing by the second computer unit (SC).

4. Processing method according to any one of claims 1 to 3, wherein, in at least one of the transmission steps H. and K., the transmitted container is encrypted by a TLS / SSL transfer protocol with generation of certificates by a trusted third party, and / or by SSH with generation of secure key pairs by a trusted third party, and / or via the transfer of an encrypted container.

5. A processing method according to any one of claims 1 to 4, wherein the sensitive data (1) are in DICOM format and include at least one imaging datum, said at least one imaging datum being preferably obtained by magnetic resonance imaging.

6. A processing method according to any one of claims 1 to 5, further comprising the following step: M. after step K. of transmitting the result, resetting or deleting of the second computer unit (SC) by the first computer unit (SS).

7. Processing method according to any one of claims 1 to 6, wherein the first computer unit (SS) is configured to keep a log of at least some of the steps carried out by each of the second and third computer units (SC, SIS).

8. Processing method according to any one of claims 1 to 7, wherein at least one of the second and third computing units (SC, SIS) is provided by an application container.

9. Processing set (ST) for processing sensitive data in a secure manner, the sensitive data including a first part (12) of data to be processed and a second part (11) of so-called informative data, or metadata, the second part (11) of data comprising a first portion (111) of so-called identifying data relating to a subject from whom the first part (12) of data originates and possibly a second portion (113) of so-called useful data for the processing of the first part (12) of data to be processed, said processing set (ST) comprising:
- a first computer unit (SS) capable of receiving a request to process sensitive data (1) and of configuring a second computer unit (SC) capable of carrying out the processing of sensitive data,
- the second computer unit (SC), which is also capable of receiving sensitive data from a third computer unit (SIS),
- said third computer unit (SIS) being configured to:
o extract, from the sensitive data (1), the first part (12) of data and the possible second portion (113) of data,
o generate a signature relating to at least a part of the sensitive data (1),
o concatenate the first part (12) of data, the possible second portion (113) of data and the signature into a data container in order to form a first data container,
o transmit, in encrypted form, the first data container to the second computer unit (SC),
- the second computer unit (SC) being further capable of:
o after retrieval and possible decryption, processing the first part (12) of data, this processing possibly taking into account the information present in the second portion (113) of data,
o concatenating the results of the processing with at least the signature in a second data container,
o transmitting the second data container in encrypted form to the third computer unit (SIS),
the third computer unit (SIS) being further configured to check the correspondence of the signature with the sensitive data and to associate the result of the processing with the first portion (111) of data.