1. Technical Field
The present invention relates to a health care system capable of protecting confidentiality of vital data such as the weight and blood pressure of a patient measured using measurement devices.
2. Background Art
Recent years have seen a rapidly aging society and an increase in the number of patients who need medical treatment (such as consultation and surgery). On the other hand, because of reductions in medical expenses, the numbers of doctors and hospital beds have not increased, especially in rural areas. For this reason, it is predicted that hospitals will in the future try to shorten patients' hospitalization periods as much as possible, because they will run short of hospital beds relative to the increasing number of patients. One specifically conceivable countermeasure is home care in the patients' homes. In such a case, the use of the following health care system can be considered. First, a patient leases, from a hospital, various kinds of measurement devices for measuring vital data such as weight, blood pressure, and body composition. The patient measures his or her vital data every day using these devices, and accumulates the measured vital data in the devices. A nursing staff member dispatched from the hospital periodically visits the patient's home, collects the vital data accumulated in the measurement devices, and registers the collected vital data in a server device managed by the hospital. At the same time, the nursing staff member gives the patient guidance and advice relating to the patient's health based on the collected vital data. Furthermore, a doctor in charge checks the vital data registered in the server and gives the nursing staff member appropriate instructions as necessary. Providing such home care services makes it possible to reduce patients' hospitalization periods, which solves the problem of a lack of hospital beds.
From the standpoint of the patient, the vital data is private information. Thus, it is essential to take a countermeasure against leakage of the private information. For example, the nursing staff member may lose the information terminal in which the vital data obtained from the patient is recorded. One conceivable countermeasure against such a threat is to encrypt the patient's measured vital data in such a manner that the server device that is the destination of the vital data can decrypt it. More specifically, each of the measurement devices shares a secret key with the server device in advance, the measurement device encrypts the vital data using the secret key and transmits the encrypted vital data to the server device, and the server device decrypts it into the original vital data using the shared secret key. This eliminates the possibility that the vital data is exposed to a third party when the nursing staff member who receives and passes on the vital data loses the information terminal.
However, in the case where the measurement device encrypts and transmits the vital data using the secret key shared with the server device as described above, the vital data cannot be decrypted on the information terminal held by the nursing staff member, because the information terminal does not store the secret key. For this reason, the nursing staff member cannot refer to the patient's vital data using the information terminal, which is inconvenient for the nursing staff member. On the other hand, allowing the nursing staff member to always refer to the patient's vital data using the information terminal may result in the exposure of the vital data to a third party if the information terminal is lost. One known technique for satisfying these two demands, convenience for the operator and confidentiality of the confidential data, is a system using a secret sharing scheme as disclosed in Patent Literature (PTL) 1. The constituent devices of the system hold mutually different shares. The secret information can be obtained by combining the shares, although none of the constituent devices can obtain the secret information independently. With the secret sharing scheme, it is possible to configure a system in which the secret information can be obtained when the information terminal held by the nursing staff member and the measurement device held by the patient are present at the same place, while the information terminal held by the nursing staff member cannot obtain the secret information independently. Such a system can satisfy the aforementioned two demands.