JP2007286879A - Security management method for medical apparatus, medical apparatus, and security management method for medical apparatus - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To secure the security of a medical apparatus connected through a network to a maintenance terminal. <P>SOLUTION: A place accessible to a medical apparatus 10 is preliminarily registered in an access permission position management means 12 of the medical apparatus 10. A position information acquisition means 32 extracts latitude information and longitude information from the position information acquired by a GPS receiver connected to the maintenance terminal 30. An access permission application preparation means 33 prepares an application message including the current position information(latitude information and longitude information), and transmits it to the medical apparatus 10. When it is determined that the received current position information is matched with the position information preliminarily registered in the access permission position management means 12, or included in a predetermined allowable range, an access permission detection means 14 of the medical apparatus 10 permits access from the maintenance terminal 30 to the medical apparatus 10. <P>COPYRIGHT: (C)2008,JPO&INPIT

Description

  The present invention relates to security management when a medical device is accessed via a network.

  In the technology related to remote access, until now, the focus has been on authentication technology that confirms the identity of the user and whether or not the user is qualified for access. Authentication technologies are roughly classified into the following technologies. (1) Authentication technology that uses a user ID or password, (2) Authentication technology that uses a user's belongings such as a USB token or smart card, and (3) Uses the user's physical characteristics such as biometrics. Authentication technology.

  Since the authentication techniques (1) to (3) have their merits and demerits, and there is a limit to increasing the level of security with one authentication technique, an authentication system combining the two systems has also been proposed.

  By the way, in order to maximize the uptime of the medical device, 24 hours 365 days, the medical device is monitored to check whether there is an abnormality, the cause of the abnormality is identified before the medical device breaks down, and the cause of the abnormality It is required to replace, adjust, or change settings. Such monitoring is executed by a maintenance service company remotely operating a medical device via a network. The medical device corresponds to, for example, a medical image diagnostic apparatus such as an X-ray CT apparatus, an X-ray diagnostic apparatus, an MRI apparatus, or an ultrasonic diagnostic apparatus.

  When a medical device detects an abnormality with the above monitoring system configured, if the abnormality is detected by the maintenance service company, the maintenance service company that has received the notification remotely operates the medical device. Check the status of the medical device. In this way, the presence or absence of abnormality of the medical device is confirmed by remote operation. Further, the maintenance service company periodically accesses the medical device and checks the medical device, thereby confirming whether there is an abnormality in the medical device.

  On the other hand, personal information related to patient privacy is stored in the medical device. Therefore, confirmation of an operator who remotely operates a medical device, confirmation of a terminal used by the operator, and confirmation of handling of personal information stored in the medical device are very important. For example, by specifying operators who can remotely control medical devices, restricting access, specifying terminals that can be remotely controlled, restricting access, recording personal information referenced or acquired by remote operation, and accessing You need to manage your history.

  Conventionally, various user authentication techniques have been proposed as a technique for restricting access by specifying an operator who can remotely operate a medical device (for example, Patent Document 1). For example, the above-described user authentication techniques (1) to (3) can be mentioned.

  In addition, as for a technology for restricting access by specifying a terminal capable of remotely operating a medical device, an access control technology for restricting access from the terminal to the medical device based on an IP address (Internet Protocol Address) assigned to the terminal. It has been known.

  In addition, an operator and a terminal that can remotely operate the medical device by installing a terminal capable of remotely operating the medical device in a physically secure room and managing the entry and exit of the operator to the room. It has been proposed to restrict access by specifying.

  Various remote access tools and file transfer tools are used for medical devices so that the medical devices can be remotely controlled. These remote access tools and file transfer tools ensure the security of medical devices by executing security functions such as user authentication.

  Here, a configuration of a network for remotely accessing a medical device from a maintenance service company will be described with reference to FIGS. 17 and 18. FIG. 17 is a block diagram showing a schematic configuration of a network for remotely accessing a medical device from a maintenance service company. FIG. 18 is a diagram showing an X-ray CT apparatus as an example of a medical device.

  The network of the medical institution 100 includes a plurality of network segments 110 and is connected to a public network (Internet). The medical device is connected to the network segment 110 of a department where the medical institution 100 is located. Also, an imager 112 that prints a film, an image management system (PACS) 113 that stores and manages captured images, and an interpretation terminal 114 that interprets captured images are connected to the same network segment 110 as the medical device 111. Yes.

  In order to enable remote access via the public telephone line network or ISDN (Integrated Services Digital Network) line network, the network segment 110 has a dial-up router, TA (Terminal Adapter) / DSU (Digital Service Unit / A remote access router 115 such as a line connection device is installed.

  Here, as an example of the medical device 111, an X-ray CT apparatus will be described with reference to FIG. The X-ray CT apparatus includes a bed 301, a gantry 302, a scan console 303, and a review console 304. The scan console 303 controls the operations of the X-ray tube and the X-ray detector disposed on the bed 301 and the gantry 302, and further performs computer processing based on data detected by the X-ray detector, thereby Generate a tomographic image of the specimen.

  Based on the data detected by the X-ray detector, the review console 304 generates a tomographic image of the subject again, generates a three-dimensional image, prints the image on a film, PACS 113, etc. under new conditions. Or transfer images to.

  The bed 301, the gantry 302, the scan console 303, and the review console 304 are connected by a communication cable to transfer data. The communication cable may be directly connected between computers as in serial communication or may use a network such as TCP / IP.

  The scan console 303 and the review console 304 are connected to other systems in the medical institution 100 and a network N for accessing medical devices from a remote location.

  The network of the maintenance service company 200 is also composed of a plurality of network segments 210 and is connected to a public network (Internet). A maintenance terminal 211 for accessing a medical device from a remote location is connected to a network segment 210 in a department of the maintenance service company 200.

  This network segment 210 has a remote access, such as a dial-up router or TA (Digital Adapter Unit) / DSU (Digital Service Unit / line connection device), for accessing medical devices via a public telephone line network or ISDN line network. A router 212 is installed.

  Remote access from a maintenance service company to a medical device can also be performed via a VPN (Virtual Private Network) that implements a virtual dedicated network line on the public network. . Also in this case, access is performed via the remote access router R as shown in FIG.

  The firewall FW and the switch SW are installed in the medical device 100 and the maintenance service company 200.

  In the network having the above-described configuration, when remotely accessing the medical device 111 installed in the medical institution 100 from the maintenance terminal 211 installed in the maintenance service company 200, first, the user logs on to the maintenance terminal 211. At this time, user authentication for the maintenance terminal 211 is performed, and the identity of the operator is verified.

  Next, when a medical device is accessed remotely via a public line network or ISDN line network, the maintenance terminal 211 is connected to a remote access router 115 installed in the medical institution 100. As a result, the maintenance terminal 211 is as if it is connected to the network segment 110 to which the medical device 111 is connected.

  Then, a remote access tool such as TELNET, SSH (Secure Shell), or VNC (Virtual Network Computing) is started on the maintenance terminal 211 and connected to the remote access tool that operates on the medical device 111 to perform user authentication. The medical device 111 can be operated from the maintenance terminal 211. The remote operation is terminated by a communication disconnection request from the maintenance terminal 211 or a communication disconnection at the medical device 111.

  In addition, a file transfer tool such as FTP is activated on the maintenance terminal 211, connected to a file transfer tool operating on the medical device 111, and user authentication is performed, so that the maintenance terminal 211 and the medical device 111 are connected. File transfer between them. The file transfer is terminated by a communication disconnection request from the maintenance terminal 211 or a communication disconnection at the medical device 111.

  When the remote operation and file transfer are completed, the connection with the remote access router 115 installed in the medical institution 100 is cut off, thereby completing a series of operations.

  The remote access router 115 identifies the caller by user authentication using a user ID or password, incoming call authentication using an incoming telephone number, IP packet filtering, or caller ID notification function, and makes a callback. Security functions such as automatic callback function are implemented. Here, an example of a user authentication screen is shown in FIG. When the user ID and password are input at the maintenance terminal 211, if the user ID and password registered in advance match the input user ID and password, it is determined that the user is the user. It is like that. As a result, the remote access tool and the file transfer tool function.

  By the way, since there are so many medical devices operating in the market, it is practically difficult to register the latest user registration for all medical devices every time the service person in charge changes. It is. Therefore, an account that can be commonly used by a plurality of service personnel is generally set for the remote access tool and the file transfer tool. Thereby, a plurality of service personnel can remotely operate the medical device by using the common account.

  However, if an account ID or password that can be used in common is known to an unintended third party, there is a problem that the third party can easily remotely operate the medical device. For example, by registering a terminal in a wireless LAN installed in a medical institution and making it appear as if it is a medical institution terminal, the terminal accesses a medical device or connects to the medical institution There is a problem that it is possible to access a medical device from a terminal installed in another institution.

  In addition, by performing IP filtering based on the IP address, it is possible to restrict terminals that are allowed to access, but when the IP address itself is spoofed, access restriction by IP filtering does not function.

  Furthermore, when the terminal is taken out and the medical device is remotely operated using the terminal when going out, personal information stored in the medical device may be displayed on the screen of the terminal. In this case, the security of the information stored in the medical device is likely because an unintended third party may look into the screen of the terminal or sneak the personal information displayed on the screen with a mobile terminal. May not be secured.

  As described above, according to the security method according to the related art, there is a risk that information stored in the medical device cannot be protected from theft, destruction, or tampering.

JP 2001-344349 A

  The present invention solves the above-described problems, and identifies a terminal that can remotely access a medical device and restricts access from the terminal, thereby ensuring the security of the medical device. It is an object to provide a security management system, a medical device, and a security management method for a medical device.

  The invention according to claim 1 is a security management system for a medical device in which a medical device and a terminal are connected via a network, the position information acquiring means for acquiring the position information of the terminal, and the acquired An access permission determination unit that permits access from the terminal to the medical device via the network according to position information.

  According to a third aspect of the present invention, a medical device and a terminal are connected via a network, and based on operator identification information for identifying an operator, permission / non-permission of access from the terminal to the medical device is determined. A medical device comprising: a first access permission determining unit that determines permission; and a remote access unit that enables access to the medical device from a terminal that is permitted to be accessed by the first access permission determining unit. In the security management system, a registration unit that pre-registers authentication information for determining permission / non-permission of access from the terminal to the medical device, and receiving an application message including the authentication information from the terminal, Second access permission determination means for determining whether or not the authentication information included in the application message is registered in the registration means; and the second access permission determination means. Control means for causing the first access permission determination means to determine permission / non-permission of the access when the permission determination means determines that the authentication information is registered in the registration means. Is a security management system for medical devices.

  The invention according to claim 8 is a medical device connected to a terminal via a network, and has access permission determination means for permitting access from the terminal according to position information of the terminal. Medical equipment.

  The invention according to claim 9 is a first access that is connected to a terminal via a network and determines permission / non-permission of access from the terminal based on operator identification information for identifying the operator. A medical device comprising permission determination means and remote access means for enabling access from a terminal permitted to be accessed by the first access permission determination means, wherein permission / non-permission of access from the terminal A registration unit that pre-registers authentication information for determining permission and an application message including authentication information from the terminal, and determines whether or not the authentication information included in the application message is registered in the registration unit And the second access permission determination means and the second access permission determination means determine that the authentication information is registered in the registration means. In a medical device, characterized in that and a control means for determining permission / non-permission of the access to the first access permission determination means.

  The invention according to claim 10 is a security management method for a medical device in which a medical device and a terminal are connected via a network, the location information acquiring step for acquiring the location information of the terminal, and the acquired An access permission determination step of permitting access from the terminal to the medical device via the network according to position information.

  The invention according to claim 11 is a security management method for a medical device in which a medical device and a terminal are connected via a network. In the medical device, permission / inhibition of access from the terminal to the medical device is permitted. A registration step for pre-registering authentication information for determining permission; and whether the medical device receives an application message including authentication information from the terminal and whether the authentication information included in the application message is registered. When it is determined that the authentication information is registered by the first determination step and the first determination step, from the terminal based on the operator identification information for identifying the operator A second determination step for determining permission / non-permission of access to the medical device and a terminal permitted to access by the second determination step. And initiating a connection to the serial medical devices, a security management method of the medical device, which comprises a.

  According to the present invention, by permitting access from the terminal to the medical device based on the position information of the terminal, the access is restricted when access to the medical device is requested in an unregistered place. Therefore, the security of the medical device can be ensured.

  In addition, according to the present invention, when authentication information is registered in advance, whether access is permitted / not permitted is determined, and when access is permitted, the terminal can access the medical device from the terminal. Become. Therefore, if the authentication information included in the application message sent from the terminal is different from the pre-registered information, access permission / non-permission is not determined and the medical device cannot be accessed from the terminal. Even when information is leaked, it is possible to ensure the security of the medical device.

[First Embodiment]
(Constitution)
The configuration of the security management system for medical equipment according to the first embodiment of the present invention will be described with reference to FIG. FIG. 1 is a functional block diagram showing a schematic configuration of a security management system for a medical device according to the first embodiment of the present invention.

  The medical device security management system according to the first embodiment includes a medical device 10 and a maintenance terminal 30. The medical device 10 is installed in a medical institution. For example, the maintenance terminal 30 is installed in a maintenance service company or is carried outside and used outside the maintenance service company. The medical device 10 corresponds to a medical image diagnostic apparatus such as an X-ray CT apparatus, an MRI apparatus, an X-ray diagnostic apparatus, or an ultrasonic diagnostic apparatus.

  The medical device security management system according to the first embodiment determines permission / non-permission of access from the maintenance terminal 30 to the medical device 10 based on the position information of the maintenance terminal 30.

<Registering access-permitted position information on the medical device 10>
First, a configuration for registering a location (position) that permits access to the medical device 10 on the medical device 10 will be described.

  The operator uses the input unit 11A of the UI 11 installed in the medical device 10 to indicate information (hereinafter, may be referred to as “access-permitted position information”) that indicates a location (position) where access to the medical device 10 is permitted. Enter. For example, a place where access is permitted is specified by latitude and longitude. When the latitude and longitude are input by the input unit 11A, the latitude and longitude are registered in the access permission position management unit 12 as access permission position information. The access-permitted location management unit 12 corresponds to the “registration unit” of the present invention.

  In addition, when registering an accessible place for each operator, the operator inputs a user ID for specifying the operator, together with the access-permitted position information, using the input unit 11A. As a result, the user ID and the access-permitted position information are associated with each other and registered in the access-permitted position management unit 12.

  Further, the location where access is permitted may be specified by the facility name, address, postal code, or area code on the map book. For example, the facility name, address, zip code, or latitude and longitude of the area code scheduled to be accessed to the medical device 10 are registered in advance in a storage device (not shown) as a setting file. When the address, postal code, or area code is input by the input unit 11A, the latitude and longitude of the input location are registered in the access permission position management unit 12.

  In addition, information indicating a location (position) where access to the medical device 10 is scheduled is displayed on the display unit 11B of the UI 11, and a location (position) where access is permitted is designated from the displayed location (position). You may do it. FIG. 2 shows an example of a registration screen displayed on the display unit 11 </ b> B of the UI 11. In FIG. 2, the facility name is displayed on the display means 11B as an example of the location (position). On this registration screen, the place (position) designated by the operator is registered in the access-permitted position management means 12 as a place (position) where access is permitted. In the example shown in Fig. 2, the facility name "(not listed for public order and morals violations)" and "Tokyo branch (not listed for public order and morals violations) Tokyo branch" are designated, so the latitude and longitude of the facility is permitted to access. The location information is registered in the access-permitted location management means 12.

  Here, the structure of the setting file will be described with reference to FIG. FIG. 3 is a diagram for explaining information for specifying a place. “Category” is information for indicating whether a place (position) is specified by a facility name, an address, or a zip code. In the example shown in FIG. 3, since the location is specified by the facility name, “category” is “facility name”. “Title” is a character string displayed on the registration screen shown in FIG. In the example shown in FIG. 3, the facility name “Toshiba Medical Headquarters” is the title. “Latitude information”, “longitude information”, and “area code” are information for specifying a place. The “area code” is information representing an area including a place specified by “latitude information” and “longitude information” on a map book. The area code may not be included in the setting file. Further, instead of “latitude information” and “longitude information”, a place where access is permitted may be specified only by an area code.

  Thus, by registering the setting file in a storage device (not shown) in advance, the facility name, address, or zip code is input by the input unit 11A, so that the access-permitted location management unit 12 sets the setting file. With reference to the file, the longitude information and the latitude information corresponding to the input information are registered as access permission position information.

  The access permission position management unit 12 manages the user ID input by the input unit 11A and the access permission position information in association with each other. Here, the structure of the management data managed by the access-permitted location management means 12 will be described with reference to FIG. FIG. 4 is a diagram for explaining the structure of management data managed by the access-permitted location management unit 12. The management data has an area for storing an identification number for identifying each data, a user ID, latitude information, longitude information, an area code, and a comment, and these pieces of information are associated with each other. The management data may be realized as a data file or as a table such as a database management system.

  As described above, a location (position) where the medical device 10 can be remotely accessed is registered in the access permission position management unit 12.

<Application for access permission on the maintenance terminal 30>
Next, a configuration for obtaining permission for access from the maintenance terminal 30 to the medical device 10 on the maintenance terminal 30 will be described.

  The operator uses the input means 31A of the UI 31 installed in the maintenance terminal 30 to specify information for specifying an operator who accesses the medical device 10, information for specifying a device for acquiring position information, and Information for specifying the connection destination (medical device 10) is input. For example, a user ID is input as information for specifying an operator, and a device ID is input as information for specifying a device. For example, an IP address is input as information for specifying the connection destination (medical device 10). The user ID corresponds to “operator identification information” of the present invention.

  An example of an application screen for applying for access to the medical device 10 is shown in FIG. On this application screen, information for identifying a connection destination (medical device 10), a user ID, and a device ID can be input. Then, by pressing (clicking) the “application button” on the application screen, an application for access is made. Further, the connection unit (medical device 10), the user ID, and the device ID may be displayed on the display unit 31B so that they can be selected.

  When information indicating a connection destination (medical device 10), a user ID, and a device ID are input by the input unit 31A, the information is output to the access permission application creating unit 33. The device ID is output from the input unit 31A to the position information acquisition unit 32.

  The position information acquisition means 32 acquires position information using the device specified by the input means 31A, and extracts latitude information and longitude information from the position information. A GPS receiver (GPS receiver) is used as an example of a device that acquires position information. For example, as shown in FIG. 6, the maintenance terminal 30 and the GPS receiver 40 are connected by a cable 41 such as a USB cable. The position information acquisition means 32 receives the position information received by the GPS receiver 40 and extracts latitude information and longitude information included in the position information.

  Data output from the GPS receiver 40 is output in a format standardized by NMEA-0183. The position information acquisition unit 32 extracts latitude information and longitude information from the data output from the GPS receiver 40.

  Here, the configuration of data output from the GPS receiver 40 will be described with reference to FIG. FIG. 7 is a diagram illustrating a structure of data output from the GPS receiver. The output data is composed of a plurality of records called sentences. There are a plurality of types of sentences. Each sentence is delimited by a [CR] [LF] character code, the first character starts with “$”, and the type can be discriminated by the first character string. The sentence is described in CSV format separated by commas. Typical sentence types include GGA (Global Positioning System Fix Data), GLL (Geographic Position Latitud and Long tide), GSA (GNSS DOP and Active Sell), GSA (GNSS DOP and Active Sell), GSA (GNSS DOP and Active Sell) ), VTG (Course Over Ground and Ground Speed), and ZDA (Time & Date). FIG. 7 shows the data format of RMC.

  The position information acquisition unit 32 compares the first character string of each line of data output from the GPS receiver 40, sets the line “$ GPRMC” as a processing target, and the third data separated by a comma indicates the status. Therefore, it is confirmed that the value is “A: valid”. If valid, the fourth data is extracted as latitude and the sixth data is extracted as longitude.

  The access permission application creation means 33 is based on the user ID and device ID input by the input means 31A and the current position information (including latitude information and longitude information) acquired by the position information acquisition means 32. Create an application message for permission. This application message is composed of a user ID, device ID, latitude information, longitude information, and a character string in which an area code is separated by a colon. Note that the area code may not be included in the application message. When the area code is included in the application message, the access permission application creating unit 33 specifies the area code on the map book based on the latitude information and the longitude information, and includes the area code in the application message.

  As a countermeasure against fraud, the access permission application creating unit 63 may create a signature using a public key or a private key, and add the signature data to the application message.

  The transmission unit 34 transmits the application message created by the access permission application creation unit 33 to the connection destination (medical device 10) input by the input unit 31A. For example, when the information indicating the connection destination is an IP address, the transmission unit 34 transmits an application message to the IP address. If the host name is specified as information indicating the connection destination, the transmission unit 34 acquires an IP address from the host and transmits an application message to the IP address.

  The application message is transmitted by a unique protocol by socket communication on TCP / IP. Note that a standardized communication protocol such as RPC (Remote Procedure Call), SOAP (Simple Object Access Protocol), IIOP (Internet Inter-ORB Protocol), or RMI (Remote Method Invocation) may be used. Further, in order to ensure the safety of data flowing on the network, it may be exchanged by encrypted communication using SSL (Secure Socket Layer) / TLS (Transport Layer Security).

  As described above, an application message including information indicating the current position of the maintenance terminal 30 (current position information) is transmitted from the maintenance terminal 30 to the medical device 10.

<Access permission determination on the medical device 10>
Next, a configuration for determining permission of access from the maintenance terminal 30 to the medical device 10 on the medical device 10 will be described.

  The receiving unit 16 of the medical device 10 receives the application message transmitted from the maintenance terminal 30 and sends the application message to the access permission determining unit 14.

  When a signature is added to the application message, the receiving unit 16 creates signature data using a key that is not used by the maintenance terminal 30 among the public key and the private key. Then, the receiving means 16 compares the created signature data with the signature data of the application message, and determines the presence or absence of misrepresentation. If the signature data is different, the receiving unit 16 determines that the application message has been misrepresented, and prohibits access from the maintenance terminal 30. In this case, the transmission unit 17 transmits an inaccessible answer to the maintenance terminal 30.

  The access permission determination unit 14 extracts the user ID, device ID, latitude information, longitude information, and area code from the received application message, and outputs the user ID to the access position information search unit 13. Upon receiving the user ID from the access permission determination unit 14, the access location information search unit 13 extracts access permission location information with the same user ID from the management data managed by the access location information management unit 12. The access permission position information is output to the access permission determination means 14. When a plurality of access permitted position information is associated with the user ID, a plurality of locations (positions) where access is permitted are registered. A plurality of pieces of position information are extracted and output to the access permission determination means 14.

  When the location information is managed as a file in the access location information management means 12, the access location information search means 13 reads the file and searches for location information. In the access position information management unit 12, when the position information is managed by the database management system, the access position information search unit 13 searches for the position information using the database search language.

  The access permission determination means 14 compares the current position information (latitude information and latitude information) included in the application message with the access permission position information (latitude information and longitude information) managed by the access position information management means 12. . When a plurality of pieces of position information are extracted by the access position information search unit 13, the access permission determination unit 14 compares the list of position information with the current position information included in the application message. When the position information registered in the access position information management unit 12 matches the current position information, the access permission determination unit 14 permits access from the maintenance terminal 30 to the medical device 10. On the other hand, if there is no matching location, the access permission determination means 14 disallows access. When permitting access, the access permission determination unit 14 outputs the user ID included in the application message to the control unit 15. Further, the access permission determination unit 14 outputs a determination result indicating permission or non-permission of access to the transmission unit 17. The access permission determining means 14 corresponds to the “second access permission determining means” of the present invention.

  Further, even if the current position information included in the application message and the access permission position information managed by the access position information management unit 12 do not completely match, the access permission determination unit 14 can connect the medical device from the maintenance terminal 30. 10 may be permitted. For example, when the place (position) indicated by the current position information is included in a range set in advance with respect to the place (position) indicated by the access-permitted position information, the access permission determination unit 14 determines that the maintenance terminal 30 Is permitted to access the medical device 10. By providing an allowable range in the accessible place in this way, it is possible to access the medical device 10 even if the operator moves in the facility where the access is permitted while holding the maintenance terminal 30. Become.

  Upon receiving the determination result from the access permission determination unit 14, the transmission unit 17 transmits the determination result to the maintenance terminal 30.

  The control unit 15 applies the user authentication information provided by each tool so that only the user ID permitted to be accessed by the access permission determination unit 14 can use the remote access tool or the file transfer tool provided by the medical device 10. Only the user ID is valid. If the user authentication information is managed as a file, the control unit 15 updates the user authentication file and validates only the user ID. For example, the control unit 15 updates the user authentication file 20 in FIG. 1 and validates only the user ID permitted to access.

  The control unit 15 activates a port monitoring unit 19 that can activate a remote access tool or a file transfer tool. The port monitoring unit 19 waits for a connection request from the remote access tool or file transfer tool of the maintenance terminal 30. Here, a case will be described in which the medical device 10 is provided with remote access means 21 that functions as a remote access tool, and the maintenance terminal 30 is provided with remote access means 36 that functions as a remote access tool.

  When the medical device 10 is remotely operated from the maintenance terminal 30, the remote access means 36 of the maintenance terminal 30 transmits a connection request including the user ID of the operator to the medical device 10. When a connection request is transmitted from the remote access unit 36 of the maintenance terminal 30 to the medical device 10, the access permission determination unit 18 of the medical device 10 indicates that the user ID included in the connection request is valid in the user authentication file 20. It is determined whether or not. When the user ID is valid in the user authentication file 20, the access permission determination unit 18 permits remote operation from the maintenance terminal 30 to the medical device 10. On the other hand, if the user ID is not valid in the user authentication file 20, the access permission determination means 18 disallows remote operation. The access permission determining means 18 corresponds to the “first access permission determining means” of the present invention.

  When the remote operation by the user ID is permitted by the access permission determining unit 18, the port monitoring unit 19 takes over subsequent communication to the remote access unit 21 associated with the designated port.

  Thereby, the remote access means 21 of the medical device 10 and the remote access means 36 of the maintenance terminal 30 enable the remote operation of the medical device 10 from the maintenance terminal 30. In the case of the file transfer tool, the same processing as that of the remote access tool is executed, so that the file can be transferred between the medical device 10 and the maintenance terminal 30.

  When the remote access unit 21 has already performed a remote operation when the control unit 15 receives a notification permitting access from the access permission determination unit 14, the control unit 15 Answer in use. That is, if the remote operation has already been permitted for another operator, the control means 15 gives an answer in use to the access permission determination means 14. In this case, the access permission determination unit 14 sends a determination result indicating that access is not possible to the transmission unit 17.

<Confirmation of access application result on maintenance terminal 30>
Next, a configuration for confirming access permission from the maintenance terminal 30 to the medical device 10 on the maintenance terminal 30 will be described.

  The reception unit 35 of the maintenance terminal 30 receives the determination result transmitted from the transmission unit 17 of the medical device 10 and outputs the determination result to the display unit 31B of the UI 31. The determination result is displayed on the display means 31B. FIG. 8 shows a display example when access is permitted. In this example, the display means 31B displays that the access application is permitted. When the access application is not permitted, a message indicating that the application is not permitted is displayed on the display unit 31B.

  As described above, by determining permission / non-permission of access to the medical device 10 based on the current location of the maintenance terminal 30, user authentication information (user ID and password) of the remote access tool and the file transfer tool is obtained. Even in the case of leakage, it is possible to impose restrictions on access to the medical device 10. This can reduce the risk of leakage or falsification of personal information via the network with respect to the medical device 10, so that the security of the medical device 10 can be ensured.

  In addition, by permitting access only from a pre-registered location, for example, even when the maintenance terminal 30 is carried around and the location is not registered, the medical device 10 can be restricted. As a result, it is possible to avoid the risk that the information stored in the medical device 10 will be peeped or voyeurized while away from home.

(Operation)
Next, a series of operations (security management method) performed by the security management system for a medical device according to the first embodiment of the present invention will be described with reference to FIG. FIG. 9 is a flowchart showing a series of operations by the security management system for the medical device according to the first embodiment of the present invention.

(Step S01)
First, a location (position) where access to the medical device 10 is permitted is registered on the medical device 10. For this purpose, the operator inputs information (access permission position information) indicating a location (position) where access to the medical device 10 is permitted by the input unit 11A of the UI 11 installed in the medical device 10. For example, a place where access is permitted is specified by inputting latitude and longitude. When the access-permitted position information is input by the input unit 11A as described above, the input access-permitted position information is registered in the access-permitted position management unit 12.

  For example, the registration screen shown in FIG. 2 is displayed on the display unit 11B of the UI 11, and the operator designates a user ID and a place where access is permitted on the registration screen. In the example shown in FIG. 2, “(not listed for public order and morals violation) headquarters” and “(not listed for public order and morals violation) Tokyo branch” are designated as the facility names. By referring to a setting file stored in an apparatus (not shown), latitude information and longitude information corresponding to the designated facility are registered as access permission position information. For example, as shown in the table of FIG. 4, the access-permitted position management unit 12 manages the user ID input by the input unit 11A and access-permitted position information (latitude information and longitude information) in association with each other.

(Step S02)
Next, an application for obtaining permission to access the medical device 10 is made on the maintenance terminal 30 on the maintenance service company side. The operator inputs a user ID, a device ID, and information (for example, an IP address) for specifying a connection destination (medical device 10) by using the input unit 31A of the UI 31 installed in the maintenance terminal 30. For example, the application screen shown in FIG. 5 is displayed on the display means 31B of the UI 31, and the user ID, device ID, and connection destination (medical device 10) information are input on the application screen. The connection destination (medical device 10) information, the user ID, and the device ID input by the input unit 31A are output to the access permission application creation unit 33, and the device ID is output to the position information acquisition unit 32.

(Step S03)
The position information acquisition means 32 acquires position information using a device designated by the input means 31A, for example, the GPS receiver 40 shown in FIG. 6, and extracts longitude information and latitude information from the position information. Specifically, the position information acquisition unit 32 extracts latitude information and longitude information included in data output from the GPS receiver 40.

(Step S04)
As described above, when the user ID and the device ID are input by the input unit 31A and the current position information (latitude information and longitude information) is acquired by the position information acquisition unit 32, the access permission application creation unit 33 And an application message for requesting access permission including the device ID and current position information.

(Step S05)
When the application message is created, the transmission unit 34 transmits the application message to the connection destination (medical device 10) input by the input unit 31A. For example, when the information indicating the connection destination is an IP address, the transmission unit 34 transmits an application message to the IP address.

(Step S06)
Next, the access permission determination unit 14 of the medical device 10 determines permission or non-permission of access to the medical device 10 based on the current position information (latitude information and longitude information) included in the application message.

  Specifically, upon receiving the application message transmitted from the maintenance terminal 30, the receiving unit 16 of the medical device 10 sends the application message to the access permission determining unit 14. The access permission determination unit 14 extracts the user ID, device ID, latitude information, longitude information, and area code from the received application message, and outputs the user ID to the access position information search unit 13. The access position information search means 13 extracts access permission position information with the same user ID from the management data managed by the access position information management means 12, and stores the access permission position information in the access permission determination means 14. Output. Then, the access permission determination means 14 uses the current position information (latitude information and longitude information) included in the application message and the access permission position information (latitude information and longitude information) managed by the access position information management means 12. Compare. When the position information matches, the access permission determination means 14 permits access from the maintenance terminal 30 to the medical device 10, and when the position information does not match, the access permission determination means 14 denies access. .

  When permitting access, the access permission determination unit 14 outputs the user ID included in the application message to the control unit 15. Further, the access permission determination unit 14 outputs a determination result indicating permission or non-permission of access to the transmission unit 17.

  Even if the current position information included in the application message and the access-permitted position information do not completely match, the location indicated by the current position information is within a preset range for the location where access is permitted. If included, the access permission determination unit 14 may permit access from the maintenance terminal 30 to the medical device 10.

(Step S07)
Next, when receiving the determination result from the access permission determination unit 14, the transmission unit 17 of the medical device 10 transmits the determination result to the maintenance terminal 30. When access is permitted, the transmission unit 17 transmits a determination result indicating access permission to the maintenance terminal 30, and when access is not permitted, the transmission unit 17 maintains a determination result indicating access disapproval. It transmits to the terminal 30.

(Step S08)
The reception unit 35 of the maintenance terminal 30 receives the determination result transmitted from the transmission unit 17 of the medical device 10 and outputs the determination result to the display unit 31B of the UI 31. For example, as shown in the screen of FIG. 8, the display unit 31B displays that the access application is permitted or not permitted.

(Step S09)
When access is permitted, the control unit 15 of the medical device 10 updates the user authentication file 20 provided by each tool so that only the user ID permitted to access can use the remote access tool or the file transfer tool. Only the user ID is valid.

(Step S10)
Next, the control means 15 of the medical device 10 activates the port monitoring means 19. Accordingly, the port monitoring unit 19 waits for a connection request from the remote access tool or the file transfer tool of the maintenance terminal 30.

(Step S11)
Next, in order to remotely control the medical device 10 from the maintenance terminal 30, the remote access means 36 of the maintenance terminal 30 transmits a connection request including the user ID of the operator to the medical device 10.

(Step S12)
When the connection request is transmitted to the medical device 10 in step S11, the access permission determination unit 18 determines whether or not the user ID included in the connection request is valid in the user authentication file 20. When the user ID is valid in the user authentication file 20, the access permission determination means 18 permits access (remote operation) from the maintenance terminal 30, and when it is not valid, access (remote operation). ) Is not permitted.

(Step S13)
When the access is permitted, the port monitoring unit 19 takes over subsequent communication to the remote access unit 21 associated with the designated port. Thus, the remote access means 21 of the medical device 10 and the remote access means 36 of the maintenance terminal 30 enable the remote operation of the medical device 10 from the maintenance terminal 30.

  As described above, by determining permission / non-permission of access to the medical device 10 based on the current position of the maintenance terminal 30, user authentication information (user ID and password) of the remote access tool and the file transfer tool is obtained. Even in the case of leakage, it is possible to impose restrictions on access to the medical device 10.

(Modification)
Next, a modification of the security management system for medical devices according to the first embodiment will be described. Since this modification is characterized by the functions of the control means 15 and the port monitoring means 19, the functions of the control means 15 and the port monitoring means 19 will be mainly described.

  First, when access is permitted by the access permission determination unit 14, the control unit 15 activates the port monitoring unit 19. That is, based on the current position information of the maintenance terminal 30, when access from the maintenance terminal 30 to the medical device 10 is permitted, the control unit 15 activates the port monitoring unit 19. On the other hand, when access is not permitted by the access permission determination unit 14, the control unit 15 does not activate the port monitoring unit 19. As a result, the port monitoring unit 19 is activated only when access is permitted based on the current location information of the maintenance terminal 30, and the port monitoring unit 19 is not activated when access is not permitted.

  As described above, when access is not permitted by the access permission determination unit 14, the port monitoring unit 19 is not activated. Therefore, even if a connection request is transmitted from the remote access unit 36 of the maintenance terminal 30 to the medical device 10. The remote access means 21 of the medical device 10 does not respond to the connection request. As a result, even if operator identification information (user ID or password) of the remote access tool or file transfer tool is leaked, access from a place where access is not permitted is denied, so the security of the medical device 10 is ensured. can do.

  When the port monitoring unit 19 is activated and the connection request is transmitted from the remote access unit 36 of the maintenance terminal 30 to the medical device 10, the access permission determination unit 18 determines the user ID included in the connection request. Is determined to be valid in the user authentication file 20. When the user ID is valid in the user authentication file 20, the access permission determination means 18 permits access, and when it is not valid, denies access.

  When the access by the user ID is permitted, the activated port monitoring means 19 activates the remote access means 21 associated with the designated port, and the remote access means 21 that activates the subsequent communication. take over.

  As a result, the remote access unit 21 of the medical device 10 and the remote access unit 36 of the maintenance terminal 30 enable remote operation from the maintenance terminal 30 to the medical device 10. In the case of the file transfer tool, the same processing as that of the remote access tool is executed, so that the file can be transferred between the medical device 10 and the maintenance terminal 30.

  As described above, authentication is performed based on the current position of the maintenance terminal 30. When access to the medical device 10 is not permitted, the port monitoring unit 19 itself is not activated, so that the remote operation by the remote access unit 21 can be performed. Therefore, even when the user ID or password of the remote access tool or file transfer tool is leaked, the security of the medical device 10 can be ensured.

  Further, when the remote operation through the remote access means 21 is finished, the control means 15 finishes the port monitoring means 19. As a result, unless the access permission determination based on the position information is performed again, the remote operation through the remote access means 21 becomes impossible, so the security level of the medical device 10 can be increased.

  In the first embodiment and the modification, latitude information and longitude information are used as information for specifying a location (position) where access to the medical device 10 is permitted, and latitude information and longitude information are used as access permission position information. Registration in the management means 12 and permission / denial of access are determined based on the latitude information and longitude information of the maintenance terminal 30, but access permission / denial is determined based on information indicating the moving speed and altitude of the maintenance terminal 30. You may determine permission. Also in this case, information indicating the movement speed and altitude permitting access to the medical device 10 is registered in advance in the access-permitted position information management means 12, information indicating the current movement speed and altitude of the maintenance terminal 30, By comparing the pre-registered information, permission / non-permission of access to the medical device 10 is determined. In this way, by determining whether access is permitted or not based on the moving speed and altitude, security to the medical device 10 is ensured even when the user ID or password of the remote access tool or file transfer tool is leaked. It becomes possible.

  Note that the access location information search means 13, the access permission determination means 14, the control means 15, the access permission determination means 18, the port monitoring means 19, and the remote access means 21 may be configured by hardware or software. May be. In the case of software, for example, the CPU installed in the medical device 10 executes a program stored in a storage device (not shown), whereby the access position information search means 13 and access permission determination The function of the means 14, the control means 15, the access permission judgment means 18, the port monitoring means 19, and the remote access means 21 is executed.

  Further, the position information acquisition unit 32, the access permission application creation unit 33, and the remote access unit 36 may be configured by hardware or software. In the case of software, for example, the CPU installed in the maintenance terminal 30 executes a program stored in a storage device (not shown), so that the location information acquisition means 32, access permission application creation The functions of the means 33 and the remote access means 36 are executed.

[Second Embodiment]
(Constitution)
Next, the configuration of the security management system for medical equipment according to the second embodiment of the present invention will be described with reference to FIG. FIG. 10 is a functional block diagram showing a schematic configuration of a security management system for a medical device according to the second embodiment of the present invention.

  The medical device security management system according to the second embodiment includes a medical device 50, a maintenance terminal 60, and a maintenance service company 70. The medical device 50 is installed in a medical institution. For example, the maintenance terminal 60 is installed in the maintenance service company 70 or is carried outside and used outside the maintenance service company 70.

  The medical device security management system according to the second embodiment permits / denies access to the medical device 50 from the maintenance terminal 60 based on the permit issued by the maintenance service company 70 and the authentication key. Judging.

<Issuance of permit and authentication key at maintenance service company 70>
First, a configuration for issuing a permit and an authentication key for permitting access to the medical device 50 in the maintenance service company 70 will be described.

  The permit issuing means 71 of the maintenance service company 70 issues a permit for permitting access to the medical device 50 and an authentication key. For example, when a secret code (such as a password), a password, and an expiration date are input by an input unit installed in the maintenance service company 70, the permit issuing means 71 includes information indicating the secret code and the expiration date. To create a permit. This permit is composed of a character string in which a secret code and information indicating an expiration date are separated by a comma. The license data is stored in a recording medium. The permit issuing means 71 combines the secret code and the password as a character string, obtains a hash value of the character string, and uses the hash value as an authentication key. The authentication key data is also stored in the recording medium. The permit may be encrypted using a common key, a public key, or a secret key. Moreover, since the information indicating the expiration date is not essential, the expiration date may not be input and may not be included in the permit. The secret code corresponds to “predetermined information” of the present invention.

  Alternatively, a license issuance screen may be displayed on a UI display device (not shown) installed in the maintenance service company 70, and a secret code, a password, and an expiration date may be input on the permit issuance screen. . FIG. 11 shows an example of a permit issuance screen displayed on the display device. By pressing (clicking) the “issue button” on this certificate issuance screen, an instruction to issue a permit is given.

  As described above, the maintenance service company 70 issues a permit and an authentication key for permitting access to the medical device 50.

  The permit and authentication key data issued by the permit issuing means 71 are recorded on a recording medium such as a CD-R, DVD-R, or HDD, and then the authentication key is installed in the medical device 50. The permit is installed in the maintenance terminal 60.

<Installation of permit and authentication key>
The permit registration means 61 of the maintenance terminal 60 installs the permit recorded on the recording medium in the maintenance terminal 60. At this time, the permit registration means 61 installs the permit with the file name in the designated registration destination. For example, as shown in FIG. 12, a permit registration screen is displayed on the display means 31B of the UI 31, and the permit registration means 61 is designated by the operator specifying a registration destination on the permit registration screen. Install the permit at the registered location. By pressing (clicking) the “registration button” on this permit registration screen, the permit is installed at the specified registration destination.

  The authentication key registration unit 51 of the medical device 50 installs the authentication key recorded on the recording medium in the medical device 50. At this time, the authentication key registration means 51 installs the authentication key with the file name in the designated registration destination. For example, as shown in FIG. 13, an authentication key registration screen is displayed on a UI display device (not shown), and the operator designates a registration destination on the authentication key registration screen. Install the authentication key in the specified registration destination. By pressing (clicking) the “registration button” on this authentication key registration screen, the authentication key is installed in the designated registration destination.

  As described above, the permit issued by the maintenance service company 70 is installed in the maintenance terminal 60, and the authentication key is installed in the medical device 50. The permit registration unit 61 and the authentication key registration unit 51 correspond to the “registration unit” of the present invention.

<Application for access permission on the maintenance terminal 60>
Next, a configuration for obtaining permission for access from the maintenance terminal 60 to the medical device 50 on the maintenance terminal 60 will be described.

  The operator inputs information for specifying a connection destination (medical device 50), a user ID, a license file name, and a password by using the input unit 31A of the UI 31 installed in the maintenance terminal 60. An example of an application screen for applying for access to the medical device 50 is shown in FIG. On this application screen, information for specifying a connection destination (medical device 50), a user ID, a file name of a permit, and a password can be input. Further, the connection unit (medical device 50), the user ID, and the file name of the permit may be displayed on the display unit 61B so as to be selectable. An application for access is made by pressing (clicking) the “apply button” on this application screen.

  The permit acquisition unit 62 reads the permit with the file name designated by the input unit 31A from the registration destination and outputs it to the access permission application creation unit 63. When the permit is encrypted, the permit acquisition unit 62 performs decryption using a key that is not used for encryption among the common key, the public key, and the secret key. In order to decrypt, it is necessary to copy the common key, public key, or secret key to a predetermined storage destination.

  The access permission application creating unit 63 creates an application message for requesting access permission based on the user ID and password input by the input unit 31A and the secret code included in the permit acquired by the permit acquiring unit 62. To do.

  In order to create this application message, the access permission application creating means 63 first extracts a secret code from the permit. Then, the access permission application creating unit 63 combines the secret code and the password input by the input unit 31A as a character string, and obtains a hash value of the combination.

  Then, the access permission application creating unit 63 creates an application message for requesting access permission using the user ID input by the input unit 31A, the secret code included in the permit, and the hash value. This application message is composed of a character string in which a user ID, a secret code, and a hash value are separated by a colon.

  The access permission application creating unit 63 may compare the time of the clock installed in the maintenance terminal 60 with the expiration date included in the permit to determine whether or not the expiration date has expired. If the expiration date has not expired, the access permission application creation means 63 creates an application message. On the other hand, when the expiration date has expired, the access permission application creation unit 63 cancels the creation of the application message, and displays the message indicating the cancellation on the display unit 31B of the UI 31.

  As a countermeasure against fraud, the access permission application creating unit 63 may create a signature using a public key or a private key, and add the signature data to the application message.

  The transmission unit 34 transmits the application message generated by the access permission application generation unit 63 to the connection destination (medical device 50) input by the input unit 31A. For example, when the information indicating the connection destination is an IP address, the transmission unit 34 transmits an application message to the IP address. If the host name is specified as information indicating the connection destination, the transmission unit 34 acquires an IP address from the host and transmits an application message to the IP address. Since the communication protocol is the same as that of the transmission unit 34 in the first embodiment, description thereof is omitted here.

  As described above, the application message including the secret code and the password is transmitted from the maintenance terminal 60 to the medical device 50.

<Access permission determination on medical device 50>
Next, a configuration for determining permission of access from the maintenance terminal 60 to the medical device 50 on the medical device 50 will be described.

  The receiving unit 16 of the medical device 50 receives the application message transmitted from the maintenance terminal 60 and sends the application message to the access permission determining unit 53. If a signature is added to the application message, the receiving means 16 creates signature data using a key that is not used in the maintenance terminal 60, and checks whether or not there is a misrepresentation, as in the first embodiment. Check.

  The authentication key acquisition unit 52 reads the authentication key from the registration destination in the medical institution 50 and outputs it to the access permission determination unit 53.

  The access permission determination unit 53 compares the authentication key with the hash value included in the application message. The authentication key contains the secret code and password, and the hash value is created based on the secret code and the password character string, so it is possible to compare the authentication key and the hash value included in the application message. Permission / non-permission of access can be determined.

  The access permission determination unit 53 permits access to the medical device 50 when the secret code and password included in the authentication key match the secret code and password constituting the hash value, and when they do not match, access Is not allowed. When permitting access, the access permission determination unit 53 outputs the user ID included in the application message to the control unit 15. Further, the access permission determination unit 53 outputs a determination result indicating permission or non-permission of access to the transmission unit 17.

  Upon receiving the determination result from the access permission determination unit 53, the transmission unit 17 transmits the determination result to the maintenance terminal 60.

  The control unit 15 applies the user authentication information provided by each tool so that only the user ID permitted to be accessed by the access permission determination unit 53 can use the remote access tool or the file transfer tool provided by the medical device 50. Only the user ID is valid. If the user authentication information is managed as a file, the control unit 15 updates the user authentication file and validates only the user ID. For example, the control unit 15 updates the user authentication file 20 in FIG. 10 and validates only the user ID permitted to access.

  When access is permitted by the access permission determination unit 53, the control unit 15 activates the port monitoring unit 19 that can activate the remote access tool and the file transfer tool. That is, when access from the maintenance terminal 60 to the medical device 50 is permitted based on the permit and the authentication key, the control unit 15 activates the port monitoring unit 19. On the other hand, when access is not permitted by the access permission determination unit 53, the control unit 15 does not activate the port monitoring unit 19. As a result, the port monitoring means 19 is activated only when access is permitted based on the permit and the authentication key. When the access is not permitted, the port monitoring means 19 is not activated.

  As described above, when access is not permitted by the access permission determination unit 53, the port monitoring unit 19 is not activated. Therefore, even if a connection request is transmitted from the remote access unit 36 of the maintenance terminal 60 to the medical device 50. The remote access means 21 of the medical device 50 does not respond to the connection request. As a result, even if the user authentication information (user ID or password) of the remote access tool or the file transfer tool is leaked, if the permit and the authentication key are different, access is denied, so the security of the medical device 50 is ensured. can do.

  When the port monitoring unit 19 is activated and the connection request is transmitted from the remote access unit 36 of the maintenance terminal 30 to the medical device 10, the access permission determination unit 18 determines the user ID included in the connection request. Is determined to be valid in the user authentication file 20. When the user ID is valid in the user authentication file 20, the access permission determination means 18 permits access, and when it is not valid, denies access.

  When the access by the user ID is permitted, the activated port monitoring means 19 activates the remote access means 21 associated with the designated port, and the remote access means 21 that activates the subsequent communication. take over.

  As a result, the remote access means 21 of the medical device 50 and the remote access means 36 of the maintenance terminal 60 enable remote operation from the maintenance terminal 60 to the medical device 50. In the case of the file transfer tool, the same processing as that of the remote access tool is executed, so that the file can be transferred between the medical device 50 and the maintenance terminal 60.

  As described above, when the user authentication is performed based on the permit and the authentication key and access to the medical device 50 is not permitted, the port monitoring unit 19 itself is not activated so that the remote operation by the remote access unit 21 can be performed. Therefore, even if the user ID or password of the remote access tool or file transfer tool is leaked, the security of the medical device 50 can be ensured.

  Further, when the remote operation through the remote access means 21 is finished, the control means 15 finishes the port monitoring means 19. As a result, unless the access permission determination based on the permit and the authentication key is performed again, the remote operation through the remote access means 21 becomes impossible, and thus the security of the medical device 50 can be ensured. Become.

<Confirmation of access application result on maintenance terminal 60>
The reception unit 35 of the maintenance terminal 60 receives the determination result transmitted from the transmission unit 17 of the medical device 50, and outputs the determination result to the display unit 31B of the UI 31. The determination result is displayed on the display means 31B. FIG. 15 shows a display example when access is permitted. In this example, the display means 31B displays that the access application is permitted. When the access application is not permitted, a message indicating that the application is not permitted is displayed on the display unit 31B.

  The authentication key registration unit 51, the authentication key acquisition unit 52, the access permission determination unit 53, the access permission determination unit 18, the port monitoring unit 19, and the remote access unit 21 may be configured by hardware or software. It may be configured. In the case of software, for example, the CPU installed in the medical device 50 executes a program stored in a storage device (not shown), whereby an authentication key registration unit 51, an authentication key acquisition unit 52, the function of the access permission determination means 53, the access permission determination means 18, the port monitoring means 19, and the remote access means 21 is executed.

  Further, the permit registration means 61, the permit acquisition means 62, the access permission application creation means 63, and the remote access means 36 may be configured by hardware or software. In the case of software, for example, a CPU installed in the maintenance terminal 60 executes a program stored in a storage device (not shown), thereby permit registration means 61, permit acquisition means. 62, the function of the access permission application creation means 63 and the remote access means 36 is executed.

  The permit issuing means 71 may be configured by hardware or software. In the case of software, for example, the computer (CPU) in the maintenance service company 70 executes the function of the permit issuing means 71 by executing a program stored in a storage device (not shown). To do.

(Operation)
Next, a series of operations (security management method) performed by the security management system for a medical device according to the second embodiment of the present invention will be described with reference to FIG. FIG. 16 is a flowchart showing a series of operations by the security management system for a medical device according to the second embodiment of the present invention.

(Step S20)
First, in the maintenance service company 70, the permit issuing means 71 issues a permit and an authentication key for permitting access to the medical device 50. For example, a permit issuance screen shown in FIG. 11 is displayed on a display device (not shown), and a secret code, a password, and an expiration date are input on the permit issuance screen. Upon receiving the input, the permit issuing means 71 creates a permit using the secret code and information indicating the expiration date, and stores the permit data in a storage device (not shown). The permit issuing means 71 combines the secret code and the password as a character string, obtains a hash value of the character string, and uses the hash value as an authentication key. This authentication key data is also stored in a storage device (not shown).

(Step S21)
Next, installation of a permit and an authentication key is performed. The permit registration means 61 of the maintenance terminal 60 installs the permit recorded on the recording medium in the maintenance terminal 60. At this time, the permit registration means 61 installs the permit with the file name in the designated registration destination. Further, the authentication key registration unit 51 of the medical device 50 installs the authentication key recorded on the recording medium in the medical device 50. At this time, the authentication key registration means 51 installs the authentication key with the file name in the designated registration destination.

(Step S22)
The operator inputs information for specifying the connection destination (medical device 50), the user ID, the file name of the permit, and the password using the input means 31A of the UI 31 installed in the maintenance terminal 60, and permits access. Apply for. For example, the application screen shown in FIG. 14 is displayed on the display means 31B, and an application for access permission is made on the application screen. When an application for access permission is made, the permit acquisition means 62 reads the permit with the file name designated by the input means 32A from the registration destination and outputs it to the access permission application creation means 63.

(Step S23)
The access permission application creating unit 63 extracts a secret code from the permit acquired by the permit acquiring unit 62, combines the secret code and the password input by the input unit 31A as a character string, and hashes of the combination Find the value. Then, the access permit application creating unit 63 creates an application message for requesting access permission using the user ID input by the input unit 31A, the secret code included in the permit, and the hash value.

(Step S24)
Next, the transmission unit 34 transmits the application message created by the access permission application creation unit 63 to the connection destination (medical device 50) input by the input unit 31A. For example, when the information indicating the connection destination is an IP address, the transmission unit 34 transmits an application message to the IP address.

(Step S25)
The receiving unit 16 of the medical device 50 receives the application message transmitted from the maintenance terminal 60 and sends the application message to the access permission determining unit 53. The authentication key acquisition unit 52 reads the authentication key from the registration destination in the medical institution 50 and outputs it to the access permission determination unit 53. Then, the access permission determination unit 53 compares the secret code and password included in the authentication key with the secret code and password included in the hash value included in the application message. If access does not match, access is denied. When permitting access, the access permission determination unit 53 outputs the user ID included in the application message to the control unit 15. Further, the access permission determination unit 53 outputs the determination result to the transmission unit 17.

(Step S26)
Next, when receiving the determination result from the access permission determination unit 53, the transmission unit 17 transmits the determination result to the maintenance terminal 60.

(Step S27)
The reception unit 35 of the maintenance terminal 60 receives the determination result transmitted from the transmission unit 17 of the medical device 50, and outputs the determination result to the display unit 31B of the UI 31. For example, as shown in FIG. 15, the display unit 31B displays that access is permitted.

(Step S28)
When the access is permitted, the control unit 15 of the medical device 50 updates the user authentication file 20 provided by each tool so that only the user ID permitted to access can use the remote access tool or the file transfer tool. Only the user ID is valid.

(Step S29)
The control unit 15 activates the port monitoring unit 19 when access is permitted by the access permission determining unit 53, and does not activate the port monitoring unit 19 when access is not permitted. That is, the port monitoring unit 19 is activated only when access is permitted based on the permit and the authentication key, and when the access is not permitted, the port monitoring unit 19 is not activated. When the port monitoring unit 19 is activated, the port monitoring unit 19 waits for a connection request from the remote access tool or file transfer tool of the maintenance terminal 60.

  If the access is not permitted by the access permission determination unit 53, the port monitoring unit 19 is not activated. Therefore, even if a connection request is transmitted from the remote access unit 36 of the maintenance terminal 60 to the medical device 50, the medical device 50 The remote access means 21 does not respond to the connection request. As a result, even if the user authentication information (user ID or password) of the remote access tool or the file transfer tool is leaked, if the permit and the authentication key are different, access is denied, so the security of the medical device 50 is ensured. It becomes possible to do.

(Step S30)
Next, in order to perform remote operation from the maintenance terminal 60 to the medical device 50, the remote access means 36 of the maintenance terminal 60 transmits a connection request including the user ID of the operator to the medical device 50.

(Step S31)
When the connection request is transmitted to the medical device 50 in step S30, the access permission determination unit 18 determines whether or not the user ID included in the connection request is valid in the user authentication file 20. When the user ID is valid in the user authentication file 20, the access permission determination means 18 permits access from the maintenance terminal 60, and when not valid, denies access.

(Step S32)
When the access is permitted, the port monitoring unit 19 takes over subsequent communication to the remote access unit 21 associated with the designated port. As a result, the remote access means 21 of the medical device 50 and the remote access means 36 of the maintenance terminal 60 enable remote operation of the medical device 50 from the maintenance terminal 60.

  As described above, when the user authentication is performed based on the permit and the authentication key and access to the medical device 50 is not permitted, the port monitoring unit 19 itself is not activated so that the remote operation by the remote access unit 21 can be performed. Since this becomes impossible, the security of the medical device 50 can be ensured.

It is a functional block diagram which shows schematic structure of the security management system of the medical device which concerns on 1st Embodiment of this invention. It is a figure which shows an example of the registration screen for registering the place which permits access. It is a figure for demonstrating the information which pinpoints a place. It is a figure for demonstrating the structure of the data for management which the access permission position management means manages. It is a figure which shows an example of the application screen for applying for access to a medical device. It is a block diagram which shows a maintenance terminal and a GPS receiver. It is a figure which shows the structure of the data output from a GPS receiver. It is a figure which shows the example of a display of the determination result of access. It is a flowchart which shows a series of operation | movement by the security management system of the medical device which concerns on 1st Embodiment of this invention. It is a functional block diagram which shows schematic structure of the security management system of the medical device which concerns on 2nd Embodiment of this invention. It is a figure which shows one example of a permit issue screen. It is a figure which shows an example of the screen for designating the registration destination of permit. It is a figure which shows an example of the screen for designating the registration destination of an authentication key. It is a figure which shows an example of the application screen for applying for access to a medical device. It is a figure which shows the example of a display of the determination result of access. It is a flowchart which shows a series of operation | movement by the security management system of the medical device which concerns on 2nd Embodiment of this invention. It is a block diagram which shows schematic structure of the network for accessing a medical device from a maintenance service company remotely. It is a figure which shows the X-ray CT apparatus as an example of medical equipment. It is a figure which shows the screen for user authentication.

Explanation of symbols

10, 50 Medical device 11, 31 UI
12 access permission position management means 13 access position information search means 14, 18, 53 access permission determination means 15 control means 19 port monitoring means 20 user authentication file 21, 36 remote access means 30, 60 maintenance terminal 32 position information acquisition means 33, 63 Access permission application creation means 40 GPS receiver 51 Authentication key registration means 52 Authentication key acquisition means 61 Permit registration means 62 Permit acquisition means 70 Maintenance service company 71 Permit issuance means

Claims (11)

A medical device security management system in which a medical device and a terminal are connected via a network,
Position information acquisition means for acquiring position information of the terminal;
Access permission determination means for permitting access from the terminal to the medical device via the network according to the acquired position information;
A security management system for medical equipment, comprising:   The access permission determination means permits the access when a location indicated by the acquired location information is included in a predetermined range including a location indicated by preset location information. The security management system for medical equipment according to 1. The medical device and the terminal are connected via a network,
First access permission determination means for determining permission / non-permission of access from the terminal to the medical device based on operator identification information for identifying an operator;
Remote access means for enabling access to the medical device from a terminal whose access is permitted by the first access permission determination means;
A security management system for medical equipment comprising:
Registration means for pre-registering authentication information for determining permission / non-permission of access from the terminal to the medical device;
A second access permission determination unit that receives an application message including authentication information from the terminal and determines whether or not authentication information included in the application message is registered in the registration unit;
Control means for causing the first access permission determination means to determine permission / non-permission of the access when the second access permission determination means determines that the authentication information is registered in the registration means. When,
A security management system for medical equipment, comprising: The application message includes operator identification information input at a terminal attempting to access the medical device,
The second access permission determination means receives the application message from the terminal, determines whether authentication information included in the application message is registered in the registration means,
When it is determined that the authentication information is registered in the registration unit, the control unit registers the operator identification information included in the application message as accessible identification information, and the first access Let the permission determination means determine permission / denial of the access,
The first access permission determination means permits access to the medical device for a terminal that has sent an application message including operator identification information registered as identification information accessible by the control means. The medical device security management system according to claim 3. It further has position information acquisition means for acquiring position information of the terminal,
The registration unit registers access-permitted position information indicating a place where access to the medical device is permitted as the authentication information,
The second access permission determination means receives an application message including the position information acquired by the position information acquisition means from the terminal, and the acquired position information is registered as access permission position information in the registration means. Whether or not
The control unit causes the first access permission determination unit to determine permission / non-permission of the access when it is determined that the acquired position information is registered in the registration unit. The medical device security management system according to claim 3. The second access permission determination unit determines whether or not the location indicated by the acquired location information is included in a predetermined range including the location indicated by the access permission location information registered in the registration unit. And
When it is determined that the location indicated by the acquired position information is included in the predetermined range, the control unit determines whether the access is permitted or not permitted to the first access permission determination unit. The medical device security management system according to claim 5, wherein: An issuing unit that issues a permit including predetermined information and an authentication key including the predetermined information as the authentication information;
The registration means registers the permit in the terminal, registers the authentication key in the medical device,
The second access permission determination means receives an application message including predetermined information included in the permit from the terminal, and the same information as the predetermined information included in the application message in the registration means. Whether or not an authentication key containing is registered,
When it is determined that an authentication key including the same information as the predetermined information is registered in the registration unit, the control unit allows the first access permission determination unit to permit / deny the access. The medical device security management system according to claim 3, wherein: A medical device connected to a terminal via a network,
A medical device comprising access permission determination means for permitting access from the terminal in accordance with position information of the terminal. Connected to the device via the network,
First access permission determination means for determining permission / non-permission of access from the terminal based on operator identification information for identifying an operator;
Remote access means for enabling access from a terminal whose access is permitted by the first access permission determination means;
A medical device comprising:
Registration means for pre-registering authentication information for determining permission / non-permission of access from the terminal;
A second access permission determination unit that receives an application message including authentication information from the terminal and determines whether or not authentication information included in the application message is registered in the registration unit;
Control means for causing the first access permission determination means to determine permission / non-permission of the access when the second access permission determination means determines that the authentication information is registered in the registration means. When,
A medical device characterized by comprising: A medical device security management method in which a medical device and a terminal are connected via a network,
A location information acquisition step of acquiring location information of the terminal;
An access permission determination step for permitting access from the terminal to the medical device via the network according to the acquired position information;
A security management method for medical equipment, comprising: A medical device security management method in which a medical device and a terminal are connected via a network,
A registration step of pre-registering authentication information for determining permission / non-permission of access from the terminal to the medical device in the medical device;
A first determination step in which the medical device receives an application message including authentication information from the terminal and determines whether the authentication information included in the application message is registered;
When it is determined in the first determination step that the authentication information is registered, access permission / access to the medical device from the terminal is determined based on operator identification information for identifying an operator. A second determination step for determining non-permission;
Starting the connection from the terminal permitted to access to the medical device by the second determination step;
A security management method for medical equipment, comprising:

Images