CN115277083A - Data transmission control method, device, system and computer equipment - Google Patents

Data transmission control method, device, system and computer equipment Download PDF

Info

Publication number
CN115277083A
CN115277083A CN202210718697.0A CN202210718697A CN115277083A CN 115277083 A CN115277083 A CN 115277083A CN 202210718697 A CN202210718697 A CN 202210718697A CN 115277083 A CN115277083 A CN 115277083A
Authority
CN
China
Prior art keywords
data
maintenance
gateway
target system
sensitive
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202210718697.0A
Other languages
Chinese (zh)
Other versions
CN115277083B (en
Inventor
崔健敏
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Wuhan United Imaging Healthcare Co Ltd
Original Assignee
Wuhan United Imaging Healthcare Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Wuhan United Imaging Healthcare Co Ltd filed Critical Wuhan United Imaging Healthcare Co Ltd
Priority to CN202210718697.0A priority Critical patent/CN115277083B/en
Publication of CN115277083A publication Critical patent/CN115277083A/en
Application granted granted Critical
Publication of CN115277083B publication Critical patent/CN115277083B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227Filtering policies
    • H04L63/0245Filtering by information in the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0209Architectural arrangements, e.g. perimeter networks or demilitarized zones
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/20Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/88Medical equipments

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present application relates to a data transmission control method, apparatus, system, computer device, storage medium, and computer program product. The method comprises the following steps: acquiring service data transmitted by a target system through electronic equipment connected with a first gateway; determining operation and maintenance data of a target system from the service data; the operation and maintenance data refer to operation and maintenance data related to a target system and a data platform deployed in a data platform intranet; transmitting operation and maintenance data to a second gateway; and the transmitted operation and maintenance data are used for being transmitted to the data platform, and the data platform is instructed to carry out operation and maintenance analysis based on the operation and maintenance data. By adopting the method, the security and the privacy of data transmission to the data platform can be ensured, the operation maintenance data of a plurality of software systems in the same local area network range can be uniformly collected and controlled, and the maintenance efficiency of the plurality of software systems is improved.

Description

Data transmission control method, device, system and computer equipment
Technical Field
The present application relates to the field of communications technologies, and in particular, to a data transmission control method, apparatus, system, and computer device.
Background
The medical software industry has data security sensitivity, patient information, diagnosis information and image information belong to confidential data, and interface authentication is carried out on interface data transmission among all business subsystems in a hospital so as to prevent hackers from utilizing the confidential data of the hospital.
The current uploading of operation and maintenance data in a medical software hospital adopts a client direct transmission mode, each service subsystem such as an operation and maintenance monitoring platform, a log platform and a deployment platform is respectively deployed with a client in the hospital, and each client collects relevant service data and transmits the relevant service data to a cloud through a network. However, hospital-related data relates to a lot of privacy-sensitive data, the processing mechanisms of the third-party clients for the privacy-sensitive data are different, the direct-transmission collection and transmission modes may relate to hospital information security, and a great security hole exists. In addition, as the number of hospital business subsystems is increased, the data processing mode and format of each client directly transmitted to the cloud are not uniform, so that operation and maintenance work in the hospital needs to be respectively carried out on the clients of the business subsystems, a large amount of manpower and material resources are wasted, operation and maintenance personnel cannot quickly collect operation and maintenance data of a plurality of client systems related to each other, and unified management and control and maintenance of each business system cannot be carried out
Disclosure of Invention
In view of the above, it is necessary to provide a data transmission control method, an apparatus, a computer device, a computer readable storage medium, and a computer program product, which can ensure the security of data transmission while improving the maintenance efficiency of a plurality of software systems.
In a first aspect, the present application provides a data transmission control method. The method is applied to a first gateway configured at the boundary of a hospital intranet in a data transmission system, wherein at least one target system is configured in the hospital intranet, the data transmission system further comprises a second gateway configured in a data platform intranet, and the method comprises the following steps:
acquiring service data transmitted by a target system;
determining operation and maintenance data of a target system from the service data; the operation and maintenance data refer to operation and maintenance data related to a target system and a data platform deployed in a data platform intranet;
transmitting operation and maintenance data to a second gateway; and the operation and maintenance data sent to the second gateway are used for being transmitted to the data platform, so that the data platform performs operation and maintenance analysis based on the operation and maintenance data.
In one embodiment, the determining operation and maintenance data of the target system from the business data includes:
desensitizing sensitive data in the service data to obtain operation and maintenance data of the target system.
In one embodiment, desensitizing sensitive data in the service data to obtain operation and maintenance data of the target system includes:
performing sensitive word recognition at least once and sensitive data processing at least once based on the service data to obtain intermediate process data;
and identifying and processing keywords corresponding to various data in the intermediate process data to obtain operation and maintenance data.
In one embodiment, performing at least one sensitive word recognition and at least one sensitive data elimination process based on the service data to obtain intermediate process data includes:
performing word segmentation processing on the service data to obtain a first keyword corresponding to each item of data in the service data;
identifying first sensitive data in the service data based on first keywords corresponding to various data in the service data;
and removing the first sensitive data from the business data to obtain intermediate process data.
In one embodiment, identifying first sensitive data in the business data based on a first keyword corresponding to each item of data in the business data includes:
acquiring a sensitive word set corresponding to a target system, wherein the sensitive word set comprises a plurality of sensitive words corresponding to the target system;
calculating the similarity between each first keyword and each sensitive word, and obtaining the matching degree of each first keyword corresponding to the sensitive word set according to the similarity between each first keyword and each sensitive word and the proportion parameter of each sensitive word in the sensitive word set;
marking data corresponding to a first keyword of which the corresponding matching degree meets a preset condition as high-matching-degree data;
and taking all the high-matching-degree data in the service data as first sensitive data.
In one embodiment, before sending the operation and maintenance data to the second gateway, the method further includes:
encrypting the operation and maintenance data to obtain encrypted operation and maintenance data;
and detecting network safety information of the internal network of the hospital, and transmitting the encrypted operation and maintenance data to the second gateway under the condition that the network safety information meets the network safety condition.
In a second aspect, the present application further provides a data transmission control apparatus. The device is applied to a first gateway which is arranged at the boundary of a hospital intranet in a data transmission system, at least one target system is arranged in the hospital intranet, the data transmission system further comprises a second gateway which is arranged in a data platform intranet, and the device comprises:
the data acquisition module is used for acquiring the service data transmitted by the target system;
the data processing module is used for determining operation and maintenance data of the target system from the service data; the operation and maintenance data refer to operation and maintenance data related to a target system and a data platform deployed in a data platform intranet;
the data transmission module is used for sending the operation and maintenance data to the second gateway; and the operation and maintenance data sent to the second gateway are used for being transmitted to the data platform, so that the data platform performs operation and maintenance analysis based on the operation and maintenance data.
In a third aspect, the present application further provides a data transmission control system. The system comprises a first gateway configured at the boundary of a hospital intranet and a second gateway configured in a data platform intranet, wherein at least one target system is configured in the hospital intranet;
the first gateway is also used for acquiring the service data transmitted by the target system and determining the operation and maintenance data of the target system from the service data; the operation and maintenance data refer to operation and maintenance data related to a target system and a data platform deployed in a data platform intranet;
the first gateway is also used for identifying sensitive data in the service data, desensitizing the sensitive data to obtain operation and maintenance data of a target system, and sending the operation and maintenance data to the second gateway;
and the second gateway is used for receiving the operation and maintenance data and transmitting the operation and maintenance data to the data platform, and the transmitted operation and maintenance data is used for indicating the data platform to carry out operation and maintenance analysis based on the operation and maintenance data.
In one embodiment, the first gateway is further configured to obtain a data access request generated by the target system, add a security protection policy to the data access request, and send the data access request to the second gateway;
the second gateway is also used for receiving the data access request, verifying the security protection policy from the data access request, acquiring data information corresponding to the data access request from the data platform under the condition that the verification is passed, and transmitting the data information to the first gateway.
In a fourth aspect, the present application further provides a computer device. The computer device comprises a memory storing a computer program and a processor implementing the following steps when executing the computer program:
acquiring service data transmitted by a target system through electronic equipment connected with a first gateway;
determining operation and maintenance data of a target system from the service data; the operation and maintenance data refer to operation and maintenance data related to a target system and a data platform deployed in a data platform intranet;
transmitting operation and maintenance data to a second gateway; and the transmitted operation and maintenance data are used for being transmitted to the data platform, and the data platform is instructed to carry out operation and maintenance analysis based on the operation and maintenance data.
In a fifth aspect, the present application further provides a computer-readable storage medium. The computer-readable storage medium having stored thereon a computer program which, when executed by a processor, performs the steps of:
acquiring service data transmitted by a target system through electronic equipment connected with a first gateway;
determining operation and maintenance data of a target system from the service data; the operation and maintenance data refer to operation and maintenance data related to a target system and a data platform deployed in a data platform intranet;
transmitting operation and maintenance data to a second gateway; and the transmitted operation and maintenance data are used for being transmitted to the data platform, and the data platform is instructed to carry out operation and maintenance analysis based on the operation and maintenance data.
In a sixth aspect, the present application further provides a computer program product. The computer program product comprising a computer program which when executed by a processor performs the steps of:
acquiring service data transmitted by a target system through electronic equipment connected with a first gateway;
determining operation and maintenance data of a target system from the service data; the operation and maintenance data refer to operation and maintenance data related to a target system and a data platform deployed in a data platform intranet;
transmitting operation and maintenance data to a second gateway; and the transmitted operation and maintenance data are used for being transmitted to the data platform, and the data platform is instructed to carry out operation and maintenance analysis based on the operation and maintenance data.
The data transmission control method, the data transmission control device, the data transmission control system, the computer equipment, the storage medium and the computer program product acquire service data transmitted by a target system; determining operation and maintenance data of a target system from the service data; the operation and maintenance data refer to operation and maintenance data related to a target system and a data platform deployed in a data platform intranet; transmitting operation and maintenance data to a second gateway; and the operation and maintenance data sent to the second gateway are used for being transmitted to the data platform, so that the data platform performs operation and maintenance analysis based on the operation and maintenance data. The first gateway is configured at the boundary of the hospital intranet, the business data are collected from each target system in the hospital intranet, the operation and maintenance data are screened out from the business data, the data irrelevant to the operation and maintenance of each target system are removed, then the operation and maintenance data are sent to the data platform, the safety and the privacy of data transmission to the data platform can be guaranteed, the operation and maintenance data of a plurality of software systems in the same local area network range can be collected and controlled in a unified mode, and the maintenance efficiency of the plurality of software systems is improved.
Drawings
FIG. 1 is a diagram of an exemplary data transmission control method;
FIG. 2 is a flow chart illustrating a data transmission control method according to an embodiment;
FIG. 3 is a schematic flow diagram of a desensitization processing method in one embodiment;
FIG. 4 is a logic flow diagram of a data transfer control method in one embodiment;
FIG. 5 is a flow diagram illustrating data transmission according to one embodiment;
FIG. 6 is a block diagram of a data transmission control system according to an embodiment;
FIG. 7 is a block diagram showing the construction of a data transfer control apparatus according to an embodiment;
FIG. 8 is a diagram illustrating an internal structure of a computer device according to an embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
The data transmission control method provided by the embodiment of the application can be applied to the application environment shown in fig. 1. Where a first gateway in first border server 102 communicates over a network with a second gateway in second border server 104. The first border server 102 is configured in a first intranet, and the first gateway communicates with a plurality of target systems in the first intranet, each target system being deployed on each electronic device connected to the first intranet. Second border server 104 is configured in the second intranet, and a data platform is configured in the second intranet, and the second gateway communicates with the data platform. The first gateway may be implemented by a hardware structure and/or a software service deployed on the first border server, and the second gateway may be implemented by a hardware structure and/or a software service deployed on the second border server, which is not limited in this embodiment of the present application. The electronic device can be but not limited to various personal computers, notebook computers, smart phones, tablet computers, internet of things devices and portable wearable devices, and the internet of things devices can be smart speakers, smart televisions, smart air conditioners, smart car-mounted devices and the like. The portable wearable device can be a smart watch, a smart bracelet, a head-mounted device, and the like. The server may be implemented as a stand-alone server or as a server cluster comprised of multiple servers.
In one embodiment, as shown in fig. 2, a data transmission control method is provided, which is described by taking the application of the method to the first gateway in the first border server 102 in fig. 1 as an example, and includes the following steps:
step 202, acquiring service data transmitted by the target system.
The first intranet may be but not limited to a hospital intranet, the second intranet may be but not limited to a cloud data platform capable of analyzing and processing data related to a target system, and the target system includes but not limited to software, a client, a service system, and the like running on each terminal in the hospital intranet. For example, the target system in the hospital intranet may be a medical imaging software information system, an appointment software information system, a remote diagnosis software information system, an in-hospital monitoring and warning client, an audit deployment client, a log client, and the like. The first gateway may be a software service provided in the first boundary server of the hospital intranet, or may be a hardware device that communicates with the first boundary server of the hospital intranet. The electronic equipment refers to each terminal connected with an intranet of a hospital, and each target system is installed and operated on each electronic equipment.
Optionally, the first gateway may actively collect, from each target system, service data generated when the target system processes services. The first gateway can also send a data collection request to the electronic device through the hospital intranet, request the data collection permission of the electronic device or the target system, and actively collect the service data generated when the target system processes the service from the target system after the electronic device or the target system opens the permission to the first gateway. Each target system can also actively transmit service data generated when the target system processes services to the first gateway. This embodiment is not limited to this.
Step 204, determining operation and maintenance data of the target system from the business data; the operation and maintenance data refer to operation and maintenance data of the target system related to a data platform deployed in a data platform intranet.
Optionally, after collecting the service data of the target system, the first gateway performs data processing on the service data, screens out data that is not related to the operation and maintenance of the target system, and also screens out data that is not related to the data platform, and only retains operation and maintenance data of the target system background that is related to the data platform.
Specifically, the first gateway performs desensitization processing on sensitive data in the service data to obtain operation and maintenance data of the target system. The sensitive data can be recognized through preset sensitive words, and information related to patients and family members in the hospital system, personal information of medical care personnel, disease diagnosis information, prescription information and the like which are irrelevant to the operation of the target system are generally regarded as sensitive information. Desensitization processes include, but are not limited to, data substitution, masking, randomization, generalization, averaging, offset rounding of sensitive data or sensitive words.
Step 206, sending the operation and maintenance data to the second gateway; and the operation and maintenance data sent to the second gateway are used for being transmitted to the data platform, so that the data platform performs operation and maintenance analysis based on the operation and maintenance data.
The second gateway may be a software service configured in a second border server of the data platform intranet, may also be a hardware device connected to and communicating with the second border server of the data platform intranet, and may also be a data receiving module (configured in the second border server of the data platform intranet) in the data platform.
Optionally, after the first gateway collects the operation and maintenance data of each target system, the operation and maintenance data is transmitted to the second gateway through the external network. Since the first gateway is configured in the hospital intranet, data transmission between the first gateway and the second gateway meets the medical industry software information safety standard and conforms to ISO27001.
In a possible implementation manner, an end user of the hospital intranet may communicate with the first gateway through the hospital intranet, and query the operation and maintenance data to be sent or sent by the first gateway to the second gateway on the interactive interface of the first gateway.
In another possible embodiment, if the hospital includes a main yard and a plurality of subordinate yards, the first gateway may be configured at an intranet boundary of the main yard, and one separate gateway may be configured at an intranet boundary of each of the subordinate yards. Each courtyard gateway can have the same function as the first gateway, but cannot directly transmit data with the second gateway, and after acquiring the operation and maintenance data of the subordinate hospital areas of the target system in the intranet of each subordinate hospital area, each courtyard gateway transmits the operation and maintenance data of the subordinate hospital areas to the first gateway, and then the first gateway transmits the operation and maintenance data to the second gateway through the extranet.
In the data transmission control method, the service data transmitted by the target system is acquired through the electronic equipment connected with the first gateway; determining operation and maintenance data of a target system from the service data; the operation and maintenance data refer to operation and maintenance data related to a target system and a data platform deployed in a data platform intranet; transmitting operation and maintenance data to a second gateway; and the operation and maintenance data sent to the second gateway are used for being transmitted to the data platform, so that the data platform performs operation and maintenance analysis based on the operation and maintenance data. The first gateway is configured at the boundary of the hospital intranet, the business data are collected from each target system in the hospital intranet, the operation and maintenance data are screened out from the business data, the data irrelevant to the operation and maintenance of each target system are removed, then the operation and maintenance data are sent to the data platform, the safety and the privacy of data transmission to the data platform can be guaranteed, the operation and maintenance data of a plurality of software systems in the same local area network range can be collected and controlled in a unified mode, and the maintenance efficiency of the plurality of software systems is improved.
In one embodiment, desensitizing sensitive data in the service data to obtain operation and maintenance data of the target system includes: performing sensitive word recognition at least once and sensitive data processing at least once based on the service data to obtain intermediate process data; and identifying and processing keywords corresponding to various data in the intermediate process data to obtain operation and maintenance data.
The sensitive words are determined based on a sensitive word set matched with a hospital intranet, the sensitive word set is based on a word bank obtained by training real data of medical software, and data containing the words matched with the word bank is sensitive data.
Optionally, the first gateway performs at least one sensitive word recognition and at least one sensitive data elimination processing based on the service data to obtain intermediate process data; and identifying key words corresponding to each item of data in the intermediate process data, and performing character conversion processing on the key words to obtain the operation and maintenance data.
Specifically, the first gateway performs data cleansing on the service data before identifying sensitive data in the service data, and the data cleansing process includes checking data consistency, processing invalid values and missing values, and the like. And then selecting a plurality of sensitive keywords from the business data, removing the keywords with higher sensitivity, and repeating the step for a plurality of times to obtain the intermediate process data. And then, the remaining keywords in the intermediate process data are keywords with lower sensitivity, and words with low matching degree are converted into special characters through a password table, so that the intermediate process data are further desensitized, and the safety compliance of the operation and maintenance data is guaranteed.
In one embodiment, performing at least one sensitive word recognition and at least one sensitive data elimination process based on the service data to obtain intermediate process data includes: performing word segmentation processing on the service data to obtain a first keyword corresponding to each item of data in the service data; identifying first sensitive data in the service data based on first keywords corresponding to various data in the service data; and removing the first sensitive data from the business data to obtain intermediate process data.
The sensitive data includes, but is not limited to, private information such as Digital Imaging and Communications in Medicine (Digital Imaging and Communications in Medicine) file suffixes and files thereof, medical characteristic pictures, human characteristic pictures, patient names, patient ages, medical records, medical diagnosis special words, telephone numbers, and the like.
In a feasible implementation manner, the first gateway performs word segmentation processing on the service data to obtain a first keyword corresponding to each item of data in the service data; identifying first sensitive data in the service data based on first keywords corresponding to various data in the service data; removing the first sensitive data from the business data to obtain low matching degree data; performing word segmentation processing on the low-matching-degree data to obtain a second keyword corresponding to each item of data in the low-matching-degree data; identifying second sensitive data in the low matching degree data based on second keywords corresponding to various data in the low matching degree data; and removing the second sensitive data from the low matching degree data to obtain intermediate process data.
Specifically, as shown in fig. 3, the first gateway performs jieba word segmentation on the service data to obtain a first keyword corresponding to each item of data in the service data, matches the segmented data with the sensitive word set, and determines data related to the first keyword having a higher matching degree with the sensitive word set as high-matching-degree data (first sensitive data) to remove the data based on a similarity algorithm of collaborative filtering training. And performing jieba word segmentation on the remaining low-matching-degree data again to obtain a second keyword (the word segmentation result at this time is different from that at the first time due to the change of total data) corresponding to each item of data in the low-matching-degree data, matching the segmented data with the sensitive word set, and determining data related to the second keyword with higher matching degree with the sensitive word set as second-highest-matching-degree data (second sensitive data) to remove the data based on a similarity algorithm of collaborative filtering training. And finally, obtaining intermediate process data subjected to twice high-sensitivity keyword removal. Furthermore, in the second sensitive data removing process, all data related to the second keywords are not removed, and the remaining second keywords in the intermediate process data are converted into special characters through a password table, so that desensitization data (operation and maintenance data) are obtained by further desensitizing the intermediate process data, and the safety and compliance of the operation and maintenance data are guaranteed. The similarity algorithm may be, but is not limited to, euclidean distance, normalized euclidean distance, manhattan distance, chebyshev distance, cosine of included angle distance, pearson correlation coefficient, and hamming distance.
In the embodiment, word segmentation processing is performed on the service data to obtain a first keyword corresponding to each item of data in the service data; identifying first sensitive data in the service data based on first keywords corresponding to various data in the service data; and removing the first sensitive data from the business data to obtain intermediate process data. The method can accurately desensitize the service data, remove data irrelevant to operation and maintenance data, ensure the safety and compliance of data transmission and protect the privacy of users.
In one embodiment, identifying first sensitive data in the business data based on first keywords corresponding to various items of data in the business data includes: acquiring a sensitive word set corresponding to a target system, wherein the sensitive word set comprises a plurality of sensitive words corresponding to the target system; calculating the similarity between each first keyword and each sensitive word, and obtaining the matching degree of each first keyword corresponding to the sensitive word set according to the similarity between each first keyword and each sensitive word and the proportion parameter of each sensitive word in the sensitive word set; marking data corresponding to a first keyword of which the corresponding matching degree meets a preset condition as high-matching-degree data; and taking all the high-matching-degree data in the service data as first sensitive data.
The set of sensitive words includes, but is not limited to, sensitive data based on the accumulation of sensitive data and security compliance of the medical industry customers. The specific gravity parameter is used for representing the sensitivity degree of a sensitive word in the sensitive word set, and the higher the specific gravity parameter of a sensitive word is, the higher the sensitivity degree of the sensitive word is, and the higher the priority of desensitization processing needing to be carried out in all the sensitive words in the sensitive word set is.
Optionally, a plurality of sensitive words corresponding to the target system may be obtained from a pre-constructed sensitive word set, where the sensitive word set includes a plurality of sensitive words corresponding to the target system, the sensitive word set may be configured in a sensitive database, and the sensitive database may store a plurality of sensitive word sets at the same time, where each sensitive word set corresponds to one target system respectively. When the first gateway identifies first sensitive data in the service data of the target system, a sensitive word set corresponding to the current target system is matched from a sensitive database, and then a plurality of sensitive words corresponding to the target system are obtained from the sensitive word set. The first gateway calculates the similarity between each first keyword in the service data and the sensitive words in the sensitive word set through a similarity algorithm of collaborative filtering training, and calculates the matching degree of each first keyword corresponding to the sensitive word set by combining the specific gravity parameter of each sensitive word in the sensitive word set. For example, the higher the similarity of a first keyword α to a sensitive word a is, and the higher the proportion of the sensitive word a in the sensitive word set is, the higher the matching degree of the first keyword α to the sensitive word set is. Marking first keywords with matching degrees higher than a first threshold value, marking data where the marked first keywords are located as high-matching-degree data, wherein the high-matching-degree data are first sensitive data needing to be removed, and obtaining low-matching-degree data after the high-matching-degree data are removed.
Further, the remaining low-matching-degree data is subjected to jieba word segmentation (Python Chinese word segmentation component) again to obtain a second keyword corresponding to each item of data in the low-matching-degree data. And calculating the similarity between each second keyword in the low-matching-degree data after word segmentation and the sensitive words in the sensitive word set by a similarity algorithm of collaborative filtering training, and calculating the matching degree of each second keyword corresponding to the sensitive word set by combining the proportion parameter of each sensitive word in the sensitive word set. Marking second keywords with matching degrees higher than a second threshold value, marking data where the marked second keywords are located as second-highest matching degree data, wherein the second-highest matching degree data are second sensitive data needing to be removed, and obtaining intermediate process data after the second-highest matching degree data are removed. The second threshold may be the same as or different from the first threshold, and this embodiment does not limit this.
In the embodiment, a sensitive word set corresponding to a target system is obtained, where the sensitive word set includes a plurality of sensitive words corresponding to the target system; calculating the similarity between each first keyword and each sensitive word, and obtaining the matching degree of each first keyword corresponding to the sensitive word set according to the similarity between each first keyword and each sensitive word and the proportion parameter of each sensitive word in the sensitive word set; marking data corresponding to the first keyword of which the corresponding matching degree meets the preset condition as high-matching-degree data; and taking all the high-matching-degree data in the service data as first sensitive data. The high-sensitivity data in the service data can be accurately judged, the data are prevented from being transmitted to the outside of a hospital intranet, and the safety and the compliance of data transmission are guaranteed while the privacy of a user is protected.
In one embodiment, before sending the operation and maintenance data to the second gateway, the method further includes: encrypting the operation and maintenance data to obtain encrypted operation and maintenance data; and detecting network safety information of the internal network of the hospital, and transmitting the encrypted operation and maintenance data to the second gateway under the condition that the network safety information meets the network safety condition.
Optionally, before the first gateway sends the operation and maintenance data to the second gateway, the operation and maintenance data needs to be encrypted to obtain the encrypted operation and maintenance data. The encryption mode is determined according to the transmitted target data platform, so that only the target data platform can decrypt the encrypted data. And a website Application level intrusion prevention system (WAF for short) is configured on the first gateway, so that malicious attacks can be intercepted in batches, and the information security of data transmission to the data platform is guaranteed. The first gateway carries out malicious attack detection according to a preset period, meanwhile, the malicious attack detection is carried out before data transmission every time, when the malicious attacks of the internal network of the hospital, the electronic equipment of the internal network of the hospital, the first gateway, the second gateway or other network channels are detected, the attack source can be directly blocked, and the data transmission is stopped continuously. And malicious attack detection is performed before data transmission every time, so that data loss and information leakage are avoided.
In this embodiment, the operation and maintenance data is encrypted to obtain encrypted operation and maintenance data; and detecting network safety information of the internal network of the hospital, and transmitting the encrypted operation and maintenance data to the second gateway under the condition that the network safety information meets the network safety condition. The data encryption and network security detection can be realized, the security and the compliance of data transmission are ensured, and the privacy of a user is protected.
In one embodiment, as shown in fig. 4 and 5, a data transmission control method is applied to a first gateway configured at the boundary of an intranet of a hospital in a data transmission system, where the intranet of the hospital is configured with at least one target system, and the data transmission system further includes a second gateway configured in an intranet of a data platform, and includes:
and acquiring the service data transmitted by the target system through the electronic equipment connected with the first gateway, and cleaning the service data.
And performing word segmentation processing on the service data to obtain a first keyword corresponding to each item of data in the service data. Acquiring a sensitive word set corresponding to a target system, wherein the sensitive word set comprises a plurality of sensitive words corresponding to the target system; calculating the similarity between each first keyword and each sensitive word to obtain the matching degree of the sensitive word set corresponding to each first keyword; marking data corresponding to a first keyword of which the corresponding matching degree meets a preset condition as high-matching-degree data; and taking all the high-matching-degree data in the service data as first sensitive data. Removing the first sensitive data from the business data to obtain low matching degree data; performing word segmentation processing on the low-matching-degree data to obtain a second keyword corresponding to each item of data in the low-matching-degree data; identifying second sensitive data in the low matching degree data based on second keywords corresponding to various data in the low matching degree data; and removing the second sensitive data from the low matching degree data to obtain intermediate process data. And identifying key words corresponding to each item of data in the intermediate process data, and performing character conversion processing on the key words to obtain operation and maintenance data. The operation and maintenance data refer to operation and maintenance data of the target system related to a data platform deployed in a data platform intranet.
Encrypting the operation and maintenance data to obtain encrypted operation and maintenance data; and detecting network security information of the internal network of the hospital, and transmitting the encrypted operation and maintenance data to the second gateway under the condition that the network security information meets network security conditions. And the transmitted operation and maintenance data are used for being transmitted to the data platform, and the data platform is instructed to carry out operation and maintenance analysis based on the operation and maintenance data.
In one embodiment, as shown in fig. 4 and 5, a data transmission control method is applied to a second gateway configured in a data platform intranet in a data transmission system, where the data transmission system further includes a first gateway configured at a boundary of a hospital intranet in which at least one target system is configured, and includes:
receiving encrypted operation and maintenance data transmitted by the first gateway, detecting network security information of an intranet of the data platform, decrypting the encrypted operation and maintenance data and identifying various types of operation and maintenance data in the operation and maintenance data under the condition that the network security information passes authentication, wherein the various types of operation and maintenance data comprise but are not limited to system upgrading data, system log data, system security monitoring data and the like. And respectively transmitting the operation and maintenance data of each category to the service units corresponding to the data platform. And each service unit of the data platform respectively stores and analyzes the operation and maintenance data of different types.
In an embodiment, taking an application of the data transmission control method to a data transmission control system as an example, as shown in fig. 6, the system includes a first gateway configured in a border server of an intranet of a hospital and a second gateway configured in a border server of an intranet of a data platform, at least one target system is configured in the intranet of the hospital, and at least one service unit is configured in the data platform, and each service unit is respectively used for executing one data analysis service.
And the target system is used for transmitting the service data to the first gateway through the hospital internal network.
And the target system is also used for sending a data access request to the first gateway through the hospital intranet.
The first gateway is used for acquiring the service data transmitted by the target system through the electronic equipment connected with the first gateway and cleaning the service data.
The first gateway is further configured to perform word segmentation processing on the service data to obtain a first keyword corresponding to each item of data in the service data. Acquiring a sensitive word set corresponding to a target system, wherein the sensitive word set comprises a plurality of sensitive words corresponding to the target system; calculating the similarity between each first keyword and each sensitive word to obtain the matching degree of the sensitive word set corresponding to each first keyword; marking data corresponding to a first keyword of which the corresponding matching degree meets a preset condition as high-matching-degree data; and taking all the high-matching-degree data in the service data as first sensitive data. Removing the first sensitive data from the business data to obtain low matching degree data; performing word segmentation processing on the low-matching-degree data to obtain a second keyword corresponding to each item of data in the low-matching-degree data; identifying second sensitive data in the low matching degree data based on second keywords corresponding to various data in the low matching degree data; and removing the second sensitive data from the low matching degree data to obtain intermediate process data. And identifying key words corresponding to each item of data in the intermediate process data, and performing character conversion processing on the key words to obtain operation and maintenance data. The operation and maintenance data refer to operation and maintenance data of the target system related to a data platform deployed in a data platform intranet.
The first gateway is also used for encrypting the operation and maintenance data to obtain the encrypted operation and maintenance data; and detecting network safety information of the internal network of the hospital, and transmitting the encrypted operation and maintenance data to the second gateway under the condition that the network safety information meets the network safety condition.
The first gateway is also used for acquiring a data access request generated by the target system, adding a security protection strategy to the data access request and sending the data access request to the second gateway. For example, a hospital locally accesses the data platform through the first gateway, then a URL (uniform Resource Locator) local to the hospital adds token, a feature value (a feature value is allowed to be used only once and is updated every request) to a data access request through the first gateway, and data delivered by post is encrypted by JWT. The second gateway receives the request of the hospital, firstly verifies the token, intelligently analyzes whether the second gateway is disguised by a hacker (judged according to the characteristic value), and carries out JWT decryption after passing authentication. Json Web Tokens (JWT), among others, is a JSON-based open standard ((RFC 7519) that is implemented for passing assertions between web application environments.
And the second gateway is used for receiving the encrypted operation and maintenance data transmitted by the first gateway, detecting the network security information of the data platform intranet based on the WAF, decrypting the encrypted operation and maintenance data and identifying various types of operation and maintenance data in the operation and maintenance data under the condition that the network security information passes the authentication, wherein the various types of operation and maintenance data include but are not limited to system upgrading data, system log data, system security monitoring data and the like, and transmitting the various types of operation and maintenance data to the service units corresponding to the data platform respectively.
The second gateway is also used for receiving the data access request transmitted by the first gateway, verifying the security protection policy from the data access request, acquiring data information corresponding to the data access request from the data platform under the condition that the verification is passed, and transmitting the data information to the first gateway. For example, a hospital locally accesses the data platform through the first gateway, then the URL of the hospital locally adds token through the first gateway, the feature value (the feature value is allowed to be used only once and is updated every request), and the post-delivered data is encrypted by JWT. The second gateway receives the request of the hospital, firstly verifies the token, intelligently analyzes whether the second gateway is disguised by a hacker (judged according to the characteristic value), performs JWT decryption after authentication, acquires data information corresponding to the data access request from the data platform according to the decrypted data access request, and transmits the data information to the first gateway.
And the data platform is used for respectively storing and analyzing the operation and maintenance data of different types through each service unit integrated on the platform.
It should be understood that, although the steps in the flowcharts related to the embodiments described above are shown in sequence as indicated by the arrows, the steps are not necessarily performed in sequence as indicated by the arrows. The steps are not performed in the exact order shown and described, and may be performed in other orders, unless explicitly stated otherwise. Moreover, at least a part of the steps in the flowcharts related to the embodiments described above may include multiple steps or multiple stages, which are not necessarily performed at the same time, but may be performed at different times, and the execution order of the steps or stages is not necessarily sequential, but may be rotated or alternated with other steps or at least a part of the steps or stages in other steps.
Based on the same inventive concept, the embodiment of the present application further provides a data transmission control device for implementing the above-mentioned data transmission control method. The implementation scheme for solving the problem provided by the apparatus is similar to the implementation scheme described in the above method, so specific limitations in one or more embodiments of the data transmission control apparatus provided below may refer to the limitations on the data transmission control method in the foregoing, and details are not described here again.
In one embodiment, as shown in fig. 7, there is provided a data transmission control apparatus 700 applied to a first gateway disposed at the boundary of an intranet of a hospital in a data transmission system, wherein at least one target system is disposed in the intranet of the hospital, and the data transmission system further includes a second gateway disposed in the intranet of a data platform, the apparatus including: a data acquisition module 701, a data processing module 702, and a data transmission module 703, wherein:
a data obtaining module 701, configured to obtain service data transmitted by a target system.
The data processing module 702 is configured to determine operation and maintenance data of the target system from the service data; the operation and maintenance data refer to operation and maintenance data of the target system related to a data platform deployed in a data platform intranet.
The data transmission module 703 is configured to send operation and maintenance data to the second gateway; and the operation and maintenance data sent to the second gateway are used for being transmitted to the data platform, so that the data platform performs operation and maintenance analysis based on the operation and maintenance data.
In an embodiment, the data processing module 702 is further configured to perform desensitization processing on sensitive data in the service data to obtain operation and maintenance data of the target system.
In one embodiment, the data processing module 702 is further configured to perform at least one sensitive word recognition and at least one sensitive data processing based on the service data to obtain intermediate process data; and identifying and processing keywords corresponding to each item of data in the intermediate process data to obtain operation and maintenance data.
In one embodiment, the data processing module 702 is further configured to perform word segmentation processing on the service data to obtain a first keyword corresponding to each item of data in the service data; identifying first sensitive data in the service data based on first keywords corresponding to various data in the service data; and removing the first sensitive data from the business data to obtain intermediate process data.
In one embodiment, the data processing module 702 is further configured to obtain a sensitive word set corresponding to a target system, where the sensitive word set includes a plurality of sensitive words corresponding to the target system; calculating the similarity between each first keyword and each sensitive word, and obtaining the matching degree of each first keyword corresponding to the sensitive word set according to the similarity between each first keyword and each sensitive word and the proportion parameter of each sensitive word in the sensitive word set; marking data corresponding to a first keyword of which the corresponding matching degree meets a preset condition as high-matching-degree data; and taking all the high-matching-degree data in the service data as first sensitive data.
In an embodiment, the data transmission module 703 is further configured to encrypt the operation and maintenance data to obtain encrypted operation and maintenance data; and detecting network safety information of the internal network of the hospital, and transmitting the encrypted operation and maintenance data to the second gateway under the condition that the network safety information meets the network safety condition.
The respective modules in the data transmission control device may be wholly or partially implemented by software, hardware, and a combination thereof. The modules can be embedded in a hardware form or independent from a processor in the computer device, and can also be stored in a memory in the computer device in a software form, so that the processor can call and execute operations corresponding to the modules.
In one embodiment, a computer device is provided, which may be a server, and its internal structure diagram may be as shown in fig. 8. The computer device includes a processor, a memory, an Input/Output interface (I/O for short), and a communication interface. The processor, the memory and the input/output interface are connected through a system bus, and the communication interface is connected to the system bus through the input/output interface. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, a computer program, and a database. The internal memory provides an environment for the operating system and the computer program to run on the non-volatile storage medium. The database of the computer device is used for storing operation and maintenance data. The input/output interface of the computer device is used for exchanging information between the processor and an external device. The communication interface of the computer device is used for connecting and communicating with an external terminal through a network. The computer program is executed by a processor to implement a data transmission control method.
Those skilled in the art will appreciate that the architecture shown in fig. 8 is merely a block diagram of some of the structures associated with the disclosed aspects and is not intended to limit the computing devices to which the disclosed aspects apply, as particular computing devices may include more or less components than those shown, or may combine certain components, or have a different arrangement of components.
In one embodiment, a computer device is provided, comprising a memory and a processor, the memory having a computer program stored therein, the processor implementing the following steps when executing the computer program: acquiring service data transmitted by a target system; determining operation and maintenance data of a target system from the service data; the operation and maintenance data refer to operation and maintenance data related to a target system and a data platform deployed in a data platform intranet; transmitting operation and maintenance data to a second gateway; and the operation and maintenance data sent to the second gateway are used for being transmitted to the data platform, so that the data platform performs operation and maintenance analysis based on the operation and maintenance data.
In one embodiment, the processor, when executing the computer program, further performs the steps of: desensitizing sensitive data in the service data to obtain operation and maintenance data of the target system.
In one embodiment, the processor, when executing the computer program, further performs the steps of: performing sensitive word recognition at least once and sensitive data processing at least once based on the service data to obtain intermediate process data; and identifying and processing keywords corresponding to each item of data in the intermediate process data to obtain operation and maintenance data.
In one embodiment, the processor, when executing the computer program, further performs the steps of: performing word segmentation processing on the service data to obtain a first keyword corresponding to each item of data in the service data; identifying first sensitive data in the service data based on first keywords corresponding to various data in the service data; and removing the first sensitive data from the business data to obtain intermediate process data.
In one embodiment, the processor, when executing the computer program, further performs the steps of: acquiring a sensitive word set corresponding to a target system, wherein the sensitive word set comprises a plurality of sensitive words corresponding to the target system; calculating the similarity between each first keyword and each sensitive word, and obtaining the matching degree of each first keyword corresponding to the sensitive word set according to the similarity between each first keyword and each sensitive word and the proportion parameter of each sensitive word in the sensitive word set; marking data corresponding to the first keyword of which the corresponding matching degree meets the preset condition as high-matching-degree data; and taking all the high-matching-degree data in the service data as first sensitive data.
In one embodiment, the processor, when executing the computer program, further performs the steps of: encrypting the operation and maintenance data to obtain encrypted operation and maintenance data; and detecting network safety information of the internal network of the hospital, and transmitting the encrypted operation and maintenance data to the second gateway under the condition that the network safety information meets the network safety condition.
In one embodiment, a computer-readable storage medium is provided, having a computer program stored thereon, which when executed by a processor, performs the steps of: acquiring service data transmitted by a target system; determining operation and maintenance data of a target system from the service data; the operation and maintenance data refer to operation and maintenance data related to a target system and a data platform deployed in a data platform intranet; transmitting operation and maintenance data to a second gateway; and the operation and maintenance data sent to the second gateway are used for being transmitted to the data platform, so that the data platform performs operation and maintenance analysis based on the operation and maintenance data.
In one embodiment, the computer program when executed by the processor further performs the steps of: desensitizing sensitive data in the service data to obtain operation and maintenance data of the target system.
In one embodiment, the computer program when executed by the processor further performs the steps of: performing sensitive word recognition at least once and sensitive data processing at least once based on the service data to obtain intermediate process data; and identifying and processing keywords corresponding to each item of data in the intermediate process data to obtain operation and maintenance data.
In one embodiment, the computer program when executed by the processor further performs the steps of: performing word segmentation processing on the service data to obtain a first keyword corresponding to each item of data in the service data; identifying first sensitive data in the service data based on first keywords corresponding to various data in the service data; and removing the first sensitive data from the business data to obtain intermediate process data.
In one embodiment, the computer program when executed by the processor further performs the steps of: acquiring a sensitive word set corresponding to a target system, wherein the sensitive word set comprises a plurality of sensitive words corresponding to the target system; calculating the similarity between each first keyword and each sensitive word, and obtaining the matching degree of each first keyword corresponding to the sensitive word set according to the similarity between each first keyword and each sensitive word and the proportion parameter of each sensitive word in the sensitive word set; marking data corresponding to a first keyword of which the corresponding matching degree meets a preset condition as high-matching-degree data; and taking all the high-matching-degree data in the service data as first sensitive data.
In one embodiment, the computer program when executed by the processor further performs the steps of: encrypting the operation and maintenance data to obtain encrypted operation and maintenance data; and detecting network safety information of the internal network of the hospital, and transmitting the encrypted operation and maintenance data to the second gateway under the condition that the network safety information meets the network safety condition.
In one embodiment, a computer program product is provided, comprising a computer program which, when executed by a processor, performs the steps of: acquiring service data transmitted by a target system; determining operation and maintenance data of a target system from the service data; the operation and maintenance data refer to operation and maintenance data related to a target system and a data platform deployed in a data platform intranet; transmitting operation and maintenance data to a second gateway; and the operation and maintenance data sent to the second gateway are used for being transmitted to the data platform, so that the data platform performs operation and maintenance analysis based on the operation and maintenance data.
In one embodiment, the computer program when executed by the processor further performs the steps of: desensitizing sensitive data in the service data to obtain operation and maintenance data of the target system.
In one embodiment, the computer program when executed by the processor further performs the steps of: performing sensitive word recognition at least once and sensitive data processing at least once based on the service data to obtain intermediate process data; and identifying and processing keywords corresponding to various data in the intermediate process data to obtain operation and maintenance data.
In one embodiment, the computer program when executed by the processor further performs the steps of: performing word segmentation processing on the service data to obtain a first keyword corresponding to each item of data in the service data; identifying first sensitive data in the service data based on first keywords corresponding to various data in the service data; and removing the first sensitive data from the business data to obtain intermediate process data.
In one embodiment, the computer program when executed by the processor further performs the steps of: acquiring a sensitive word set corresponding to a target system, wherein the sensitive word set comprises a plurality of sensitive words corresponding to the target system; calculating the similarity between each first keyword and each sensitive word, and obtaining the matching degree of each first keyword corresponding to the sensitive word set according to the similarity between each first keyword and each sensitive word and the proportion parameter of each sensitive word in the sensitive word set; marking data corresponding to a first keyword of which the corresponding matching degree meets a preset condition as high-matching-degree data; and taking all the high-matching-degree data in the service data as first sensitive data.
In one embodiment, the computer program when executed by the processor further performs the steps of: encrypting the operation and maintenance data to obtain encrypted operation and maintenance data; and detecting network safety information of the internal network of the hospital, and transmitting the encrypted operation and maintenance data to the second gateway under the condition that the network safety information meets the network safety condition.
It should be noted that, the user information (including but not limited to user equipment information, user personal information, etc.) and data (including but not limited to data for analysis, stored data, displayed data, etc.) referred to in the present application are information and data authorized by the user or sufficiently authorized by each party, and the collection, use and processing of the related data need to comply with the relevant laws and regulations and standards of the relevant country and region.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by hardware instructions of a computer program, which can be stored in a non-volatile computer-readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. Any reference to memory, database, or other medium used in the embodiments provided herein may include at least one of non-volatile and volatile memory. The nonvolatile Memory may include Read-Only Memory (ROM), magnetic tape, floppy disk, flash Memory, optical Memory, high-density embedded nonvolatile Memory, resistive Random Access Memory (ReRAM), magnetic Random Access Memory (MRAM), ferroelectric Random Access Memory (FRAM), phase Change Memory (PCM), graphene Memory, and the like. Volatile Memory can include Random Access Memory (RAM), external cache Memory, and the like. By way of illustration and not limitation, RAM can take many forms, such as Static Random Access Memory (SRAM) or Dynamic Random Access Memory (DRAM), among others. The databases referred to in various embodiments provided herein may include at least one of relational and non-relational databases. The non-relational database may include, but is not limited to, a block chain based distributed database, and the like. The processors referred to in the embodiments provided herein may be general purpose processors, central processing units, graphics processors, digital signal processors, programmable logic devices, quantum computing based data processing logic devices, etc., without limitation.
The technical features of the above embodiments can be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the above embodiments are not described, but should be considered as the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above-mentioned embodiments only express several embodiments of the present application, and the description thereof is specific and detailed, but not construed as limiting the scope of the present application. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the scope of protection of the present application. Therefore, the protection scope of the present application shall be subject to the appended claims.

Claims (10)

1. A data transmission control method is characterized in that the method is applied to a first gateway configured at the boundary of a hospital intranet in a data transmission system, at least one target system is configured in the hospital intranet, the data transmission system further comprises a second gateway configured in a data platform intranet, and the method comprises the following steps:
acquiring service data transmitted by the target system;
determining operation and maintenance data of the target system from the service data; the operation and maintenance data refers to operation and maintenance data related to the target system and a data platform deployed in the data platform intranet;
sending the operation and maintenance data to the second gateway; and the operation and maintenance data sent to the second gateway are used for being transmitted to the data platform, so that the data platform carries out operation and maintenance analysis based on the operation and maintenance data.
2. The method of claim 1, wherein the determining the operation and maintenance data of the target system from the business data comprises:
desensitizing sensitive data in the service data to obtain operation and maintenance data of the target system.
3. The method according to claim 2, wherein the desensitizing the sensitive data in the service data to obtain the operation and maintenance data of the target system includes:
performing sensitive word recognition at least once and sensitive data processing at least once based on the service data to obtain intermediate process data;
and identifying and processing keywords corresponding to each item of data in the intermediate process data to obtain the operation and maintenance data.
4. The method according to claim 3, wherein the performing at least one sensitive word recognition and at least one sensitive data elimination process based on the service data to obtain intermediate process data comprises:
performing word segmentation processing on the service data to obtain a first keyword corresponding to each item of data in the service data;
identifying first sensitive data in the business data based on first keywords corresponding to various data in the business data;
and removing the first sensitive data from the service data to obtain intermediate process data.
5. The method of claim 4, wherein the identifying the first sensitive data in the business data based on the first keyword corresponding to each item of data in the business data comprises:
acquiring a sensitive word set corresponding to the target system, wherein the sensitive word set comprises a plurality of sensitive words corresponding to the target system;
calculating the similarity between each first keyword and each sensitive word, and obtaining the matching degree of each first keyword corresponding to the sensitive word set according to the similarity between each first keyword and each sensitive word and the proportion parameter of each sensitive word in the sensitive word set;
marking data corresponding to the first keyword of which the corresponding matching degree meets the preset condition as high-matching-degree data;
and taking all high-matching-degree data in the service data as the first sensitive data.
6. The method of claim 1, wherein before sending the operation and maintenance data to the second gateway, further comprising:
encrypting the operation and maintenance data to obtain encrypted operation and maintenance data;
and detecting the network security information of the internal network of the hospital, and transmitting the encrypted operation and maintenance data to the second gateway under the condition that the network security information meets the network security condition.
7. A data transmission control apparatus, wherein the apparatus is applied to a first gateway disposed at the boundary of a hospital intranet in a data transmission system, the hospital intranet being configured with at least one target system, the data transmission system further comprising a second gateway disposed in a data platform intranet, the apparatus comprising:
the data acquisition module is used for acquiring the service data transmitted by the target system;
the data processing module is used for determining operation and maintenance data of the target system from the service data; the operation and maintenance data refers to operation and maintenance data related to the target system and a data platform deployed in the data platform intranet;
the data transmission module is used for sending the operation and maintenance data to the second gateway; and the operation and maintenance data sent to the second gateway are used for being transmitted to the data platform, so that the data platform carries out operation and maintenance analysis based on the operation and maintenance data.
8. A data transmission control system is characterized by comprising a first gateway configured at the boundary of a hospital intranet and a second gateway configured in a data platform intranet, wherein at least one target system is configured in the hospital intranet;
the first gateway is further used for acquiring service data transmitted by a target system and determining operation and maintenance data of the target system from the service data; the operation and maintenance data refers to operation and maintenance data related to the target system and a data platform deployed in the data platform intranet;
the first gateway is further configured to identify sensitive data in the service data, perform desensitization processing on the sensitive data to obtain operation and maintenance data of the target system, and send the operation and maintenance data to the second gateway;
the second gateway is used for receiving the operation and maintenance data and transmitting the operation and maintenance data to a data platform, and the transmitted operation and maintenance data is used for indicating the data platform to carry out operation and maintenance analysis based on the operation and maintenance data.
9. The system of claim 8, wherein the first gateway is further configured to obtain a data access request generated by the target system, add a security policy to the data access request, and send the data access request to the second gateway;
the second gateway is further configured to receive the data access request, verify the security protection policy from the data access request, acquire, when the verification is passed, data information corresponding to the data access request from the data platform, and transmit the data information to the first gateway.
10. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor, when executing the computer program, implements the steps of the method of any of claims 1 to 6.
CN202210718697.0A 2022-06-23 2022-06-23 Data transmission control method, device, system and computer equipment Active CN115277083B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210718697.0A CN115277083B (en) 2022-06-23 2022-06-23 Data transmission control method, device, system and computer equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210718697.0A CN115277083B (en) 2022-06-23 2022-06-23 Data transmission control method, device, system and computer equipment

Publications (2)

Publication Number Publication Date
CN115277083A true CN115277083A (en) 2022-11-01
CN115277083B CN115277083B (en) 2024-03-22

Family

ID=83762607

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210718697.0A Active CN115277083B (en) 2022-06-23 2022-06-23 Data transmission control method, device, system and computer equipment

Country Status (1)

Country Link
CN (1) CN115277083B (en)

Citations (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080270370A1 (en) * 2007-04-30 2008-10-30 Castellanos Maria G Desensitizing database information
CN106331176A (en) * 2016-10-27 2017-01-11 智者四海(北京)技术有限公司 Interaction platform of internal and external networks
CN106412097A (en) * 2016-11-01 2017-02-15 南方电网科学研究院有限责任公司 Operation and maintenance moving system and method for power transformation equipment
US20170332273A1 (en) * 2016-05-12 2017-11-16 M2MD Technologies, Inc. Method and system for managing the providing of different classes of wireless communications services from different mobile networks
CN107633380A (en) * 2017-08-30 2018-01-26 北京明朝万达科技股份有限公司 The task measures and procedures for the examination and approval and system of a kind of anti-data-leakage system
CN107871086A (en) * 2017-10-13 2018-04-03 平安科技(深圳)有限公司 Sensitive information screen method, application server and computer-readable recording medium
CN108280130A (en) * 2017-12-22 2018-07-13 中国电子科技集团公司第三十研究所 A method of finding sensitive data in text big data
CN111597310A (en) * 2020-05-26 2020-08-28 成都卫士通信息产业股份有限公司 Sensitive content detection method, device, equipment and medium
CN111818187A (en) * 2020-09-03 2020-10-23 国网汇通金财(北京)信息科技有限公司 Intranet and extranet communication method and system
CN111931956A (en) * 2020-08-06 2020-11-13 泛湖海韵(济南)信息科技有限公司 Management system for isolated monitoring of operation and maintenance of medical equipment
CN112073544A (en) * 2020-11-16 2020-12-11 震坤行网络技术(南京)有限公司 Method, computing device, and computer storage medium for processing sensor data
CN112182461A (en) * 2020-08-21 2021-01-05 杭州安恒信息技术股份有限公司 Method and device for calculating webpage sensitivity
CN112434082A (en) * 2020-11-25 2021-03-02 平安普惠企业管理有限公司 Operation and maintenance resource management method, device, equipment and medium
CN113506096A (en) * 2021-09-08 2021-10-15 国网浙江省电力有限公司 Inter-system interface method based on industrial internet identification analysis system
CN114491646A (en) * 2022-02-16 2022-05-13 平安普惠企业管理有限公司 Data desensitization method and device, electronic equipment and storage medium

Patent Citations (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080270370A1 (en) * 2007-04-30 2008-10-30 Castellanos Maria G Desensitizing database information
US20170332273A1 (en) * 2016-05-12 2017-11-16 M2MD Technologies, Inc. Method and system for managing the providing of different classes of wireless communications services from different mobile networks
CN106331176A (en) * 2016-10-27 2017-01-11 智者四海(北京)技术有限公司 Interaction platform of internal and external networks
CN106412097A (en) * 2016-11-01 2017-02-15 南方电网科学研究院有限责任公司 Operation and maintenance moving system and method for power transformation equipment
CN107633380A (en) * 2017-08-30 2018-01-26 北京明朝万达科技股份有限公司 The task measures and procedures for the examination and approval and system of a kind of anti-data-leakage system
CN107871086A (en) * 2017-10-13 2018-04-03 平安科技(深圳)有限公司 Sensitive information screen method, application server and computer-readable recording medium
CN108280130A (en) * 2017-12-22 2018-07-13 中国电子科技集团公司第三十研究所 A method of finding sensitive data in text big data
CN111597310A (en) * 2020-05-26 2020-08-28 成都卫士通信息产业股份有限公司 Sensitive content detection method, device, equipment and medium
CN111931956A (en) * 2020-08-06 2020-11-13 泛湖海韵(济南)信息科技有限公司 Management system for isolated monitoring of operation and maintenance of medical equipment
CN112182461A (en) * 2020-08-21 2021-01-05 杭州安恒信息技术股份有限公司 Method and device for calculating webpage sensitivity
CN111818187A (en) * 2020-09-03 2020-10-23 国网汇通金财(北京)信息科技有限公司 Intranet and extranet communication method and system
CN112073544A (en) * 2020-11-16 2020-12-11 震坤行网络技术(南京)有限公司 Method, computing device, and computer storage medium for processing sensor data
CN112434082A (en) * 2020-11-25 2021-03-02 平安普惠企业管理有限公司 Operation and maintenance resource management method, device, equipment and medium
CN113506096A (en) * 2021-09-08 2021-10-15 国网浙江省电力有限公司 Inter-system interface method based on industrial internet identification analysis system
CN114491646A (en) * 2022-02-16 2022-05-13 平安普惠企业管理有限公司 Data desensitization method and device, electronic equipment and storage medium

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
刘聪;王永利;周子韬;犹锋;张才俊;: "结合触发事件及词性分析的敏感信息识别方法", 计算机工程与应用, no. 20 *
***;朱卓谨;施咏月;: "基于可信计算的医院数据安全交互平台设计和应用", 江苏卫生事业管理, no. 01 *
***;朱卓谨;施咏月;: "基于可信计算的医院数据安全交互平台设计和应用", 江苏卫生事业管理, no. 01, 28 January 2020 (2020-01-28) *

Also Published As

Publication number Publication date
CN115277083B (en) 2024-03-22

Similar Documents

Publication Publication Date Title
US10268840B2 (en) Systems and methods of determining compromised identity information
US11630918B2 (en) Systems and methods of determining compromised identity information
US10599872B2 (en) Systems and methods of determining compromised identity information
US10454901B2 (en) Systems and methods for enabling data de-identification and anonymous data linkage
Khaloufi et al. Security model for big healthcare data lifecycle
US20230351036A1 (en) Data Analytics Privacy Platform with Quantified Re-Identification Risk
US20230306131A1 (en) Systems and methods for tracking propagation of sensitive data
EP4035033A1 (en) System and method of enhancing security of data in a health care network
US20160301693A1 (en) System and method for identifying and protecting sensitive data using client file digital fingerprint
Okikiola et al. A new framework for detecting insider attacks in cloud-based e-health care system
Hicks et al. Vams: Verifiable auditing of access to confidential data
Sarode et al. Secure data sharing in medical cyber-physical system—a review
Khan et al. An Intelligent Blockchain and Software‐Defined Networking‐Based Evidence Collection Architecture for Cloud Environment
CN115277083B (en) Data transmission control method, device, system and computer equipment
Jahan et al. Security and privacy protection for eHealth data
Elngar et al. Data protection and privacy in healthcare: research and innovations
Sokolova et al. Security of the telemedicine system information infrastructure
Preuveneers et al. Privacy-preserving polyglot sharing and analysis of confidential cyber threat intelligence
Rathore et al. An evolutionary algorithmic framework cloud based evidence collection architecture
Ali et al. IoT security: A review of cybersecurity architecture and layers
De la Torre et al. Analysis of security in big data related to healthcare
US20190014098A1 (en) Method and system for establishing and managing personal black box (pbb) in virtually-networked big-data (vnbd) environment
Rajadorai et al. Data Protection and Data Privacy Act for BIG DATA Governance
Preuveneers et al. Privacy-preserving correlation of cross-organizational cyber threat intelligence with private graph intersections
CN113111365B (en) Online psychological consultation privacy data protection method, storage medium and system based on envelope encryption

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant