Below we would like to explain our data protection concept, which is applied in our software (the graphic is a very simplified representation of this process).
As a basic principle, the data-processing and the data-storing systems run at physically separate locations. We distinguish three components: the data sources, i.e. standard PC systems for data entry and data display; the central pseudonymization service (a web server); and the application server on which the medical data is stored (a further independent server).
The pseudonymization server is upstream of the application server so that the browser can only request sensitive data via the pseudonymization server. HTML forms without sensitive data, on the other hand, are requested directly from the application server in order to achieve the highest possible processing speed of the overall system.
Using an example from medicine, the basic process is explained as follows:
The first pseudonymization takes place in the documenting center using a patient list. For each patient to be pseudonymized, this list stores a center-specific patient ID (PID) together with the patient-identifying data (IDAT) that is unique to that patient. This PID, in turn, is documented in the database together with the medical data (MDAT).
Before the data is saved, the browser-based application first generates a random character string, encrypts it using a public key and sends it to the database server, which decrypts it using the private key available there.
This character string is now used on the client side as the key to symmetrically encrypt the medical data record; the result is an encrypted medical data record (MDATcr) for the patient to be saved. This MDATcr, together with the associated PID, is transmitted to a central pseudonymization server, which converts the PID into the pseudonym (PSN), again symmetrically. MDATcr and PSN are then forwarded to the central database server, which decrypts the MDATcr with the help of the previously received, randomly generated character string and stores the decrypted medical data linked to the PSN.
The presentation of the centrally stored medical data takes place by simply “reversing” the encryption path. When a patient is called up by entering the PID in the browser-based application, the PID is first converted into a PSN by the pseudonymization service. Using this PSN, the medical data is then identified in the central database, compiled, encrypted and sent back to the pseudonymization service, which decrypts the PSN to the PID but not the medical data record. The medical data record is then converted into readable form and displayed locally in the center.
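The storage path described above, as an added example in Go that is not part of the original description or of the product's code base: it shows the three roles (browser-side client, pseudonymization service, database server) and the separation of knowledge between them, i.e. the pseudonymization service forwards MDATcr without being able to read it and the database server receives only PSN and MDATcr. The concrete primitives (RSA-OAEP for wrapping the random string, AES-GCM for the record, a single AES block over the zero-padded PID for the reversible PSN) and the PID format (at most 16 bytes) are assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)
// gcm returns AES-GCM for a 32-byte session key (both callers enforce that length).
func gcm(key []byte) cipher.AEAD {
	b, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(b)
	return g
}
// ClientEncrypt (browser side): wrap a fresh random session key with the DB server's
// public key (RSA-OAEP), encrypt MDAT under it (AES-GCM); MDATcr is nonce || ciphertext.
func ClientEncrypt(pub *rsa.PublicKey, mdat []byte) (wrapped, mdatcr []byte, err error) {
	key, nonce := make([]byte, 32), make([]byte, 12)
	rand.Read(key) // crypto/rand fills the buffer completely or fails hard
	rand.Read(nonce)
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	return wrapped, gcm(key).Seal(nonce, nonce, mdat, nil), err
}
// PseudoService maps PID <-> PSN with its own AES key; it never holds the session key, so
// MDATcr passes through unreadable. One AES block over the zero-padded PID (assumed to be
// at most 16 bytes) keeps the mapping deterministic and reversible (example assumption).
type PseudoService struct{ blk cipher.Block }
func (p PseudoService) ToPSN(pid string) (psn [16]byte) {
	in := make([]byte, 16)
	copy(in, pid)
	p.blk.Encrypt(psn[:], in)
	return psn
}
func (p PseudoService) ToPID(psn [16]byte) string {
	out := make([]byte, 16)
	p.blk.Decrypt(out, psn[:])
	return string(bytes.TrimRight(out, "\x00"))
}
// DBDecrypt (database server): unwrap the session key with the private key and decrypt
// MDATcr; the caller files the plaintext under the PSN only, the PID never arrives here.
func DBDecrypt(priv *rsa.PrivateKey, wrapped, mdatcr []byte) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, nil)
	if err != nil || len(key) != 32 || len(mdatcr) < 12 {
		return nil, errors.New("malformed wrapped key or MDATcr")
	}
	return gcm(key).Open(nil, mdatcr[:12], mdatcr[12:], nil)
}
```

GCM authentication also rejects an MDATcr altered in transit, so a record that does not decrypt cleanly is never filed under its PSN.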