Method and system for access control
Abstract
In one aspect of the invention, embodiments of the invention can be superimposed upon the existing framework of a network which includes a number of nodes interconnected by the underlying communications network. In one embodiment, an access control node is interposed between each node and the remainder of the network. The access control node is adapted to transmit information about the node and the user attempting to access the node to a server used for maintaining security and audit information. This information may take the form of node identification data (thus identifying the node) and user identification data (to ensure that the user is associated with an active account and the user has entered the correct password, thus authenticating the user). If the node is not recognised by the server, then no access to protected information (e.g., PHI) is allowed. If, however, the node is recognised, then access to PHI requires that the user also be authenticated. Assuming both conditions exist, aspects of the invention will determine (based on a repository of information about users) the data each user is entitled to access and the functionality of the node that is to be made available to the user. Aspects of the invention may place limitations on the functionality offered by the node to which the user should be granted access. That is, although a user may be attempting to access data from a node which has a set of functions (e.g., printing, storing data to a removable media, displaying video signals, etc.), aspects of the invention enable only a subset of these functions to be made available depending on the rights which have been granted to a user.
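The server-side decision the abstract describes can be sketched as follows. This is an added example, not code from the patent; the node, user and role names, the PBKDF2 password storage and the shape of the returned control signals are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample data; every identifier below is hypothetical.
NODES = {"ws-rad-01": {"view", "print", "export_media", "video"}}  # node -> functions it offers
ROLES = {"radiologist": {"view", "print", "video"}, "clerk": {"view"}}  # role -> granted functions
_SALT = os.urandom(16)
USERS = {
    "alice": {"salt": _SALT, "hash": _hash("correct horse", _SALT),
              "active": True, "roles": ["radiologist"]},
    "bob": {"salt": _SALT, "hash": _hash("hunter2", _SALT),
            "active": False, "roles": ["clerk"]},
}
# Placeholder record so unknown users cost the same hashing work as real ones.
_DUMMY = {"salt": b"\0" * 16, "hash": b"\0" * 32, "active": False, "roles": []}
AUDIT = []  # stand-in for the security and audit repository

def authorize(user_id: str, password: str, node_id: str) -> dict:
    """Return the control signals sent back to the access control node."""
    def decide(allowed: set, reason: str) -> dict:
        AUDIT.append({"user": user_id, "node": node_id, "reason": reason})
        return {"phi_access": bool(allowed), "functions": sorted(allowed),
                "reason": reason}

    node_functions = NODES.get(node_id)
    if node_functions is None:            # unrecognised node: no PHI at all
        return decide(set(), "unknown_node")
    user = USERS.get(user_id, _DUMMY)
    password_ok = hmac.compare_digest(_hash(password, user["salt"]), user["hash"])
    if not (password_ok and user["active"]):
        return decide(set(), "authentication_failed")
    # Enable only what the node offers AND the user's roles grant.
    granted = set().union(*(ROLES.get(r, set()) for r in user["roles"]))
    return decide(node_functions & granted, "ok")
```

Every decision, including each denial, is appended to the audit list, so a failed attempt from an unknown node is as visible as a successful login.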
61 Claims
1. A method for providing access to data stored in a repository forming part of a network, said access being requested from a node also forming part of said network, said method comprising:
receiving at an access control node user identification, user password and node identification data, said access control node interposed between said node and said repository;
said access control node transmitting over said network said user identification, user password and node identification requesting authentication for said access request;
said access control node receiving control signals responsive to said authentication request; and
responsive to said received control signals, selectively providing access to a subset of the functionality provided by said node.
8. A method for providing access to data stored in a repository forming part of a network, said access being requested from a node forming part of said network, said method comprising:
receiving user identification, user password and node identification data from an access control node associated with said node; and
transmitting control signals to said access control node, said control signals indicating limitations on the type of functionality to be provided to the user by said node, said user associated with said user identification and password.
11. The method of 8 further comprising:
intercepting messages transmitted to said node from other parts of said network; and
transmitting to a security repository a log event corresponding to each activity described by said intercepted messages.
14. The method of 13 wherein said intercepted messages conform with at least one of the DICOM and HL7 data formats and wherein said audit log record comprises data in the extensible mark-up language.
15. The method of 8 further comprising:
intercepting messages transmitted from said node to a repository forming part of said network; and
transmitting to a security repository a log event corresponding to each activity described by said intercepted messages.
18. The method of 17 wherein said intercepted messages conform with at least one of the DICOM and HL7 data formats and wherein said audit log record comprises data in the extensible mark-up language.
26. A device for providing control of a node, said node forming part of a network, said device comprising:
an input for receiving user identification, user password and node identification data, said device interposed between said node and the remainder of said network;
an output adapted to transmit over said network said user identification, user password and node identification and data requesting authentication of the user identification, user password and node identification and, responsive thereto, receive control signals responsive to said authentication request; and
a switching device for selectively providing access to a subset of the functionality provided by said node.
33. A computer readable media storing data and instructions, said data and instructions when executed by a general purpose computer adapt said computer to provide access to data stored in a repository forming part of a network, said access being requested from a node forming part of said network, said data and instructions adapting said general purpose computer to:
receive user identification, user password and node identification data from an access control node associated with said node; and
transmit control signals to said access control node, said control signals indicating limitations on the type of functionality to be provided to the user by said node, said user associated with said user identification and password.
42. The computer readable media of 41 wherein said intercepted messages conform with at least one of the DICOM and HL7 data formats and wherein said audit log record comprises data in the extensible mark-up language.
50. A method for generating audit logs for a network, said network comprising a plurality of nodes interconnected by way of a communications network, said method comprising:
upon initial access by any user of a plurality of users, generating a login event record from user identification and password data received from an access control point from a plurality of access control points, each of said plurality of access control points associated with one of said plurality of nodes;
intercepting all messages transmitted to or from each of said plurality of nodes; and
storing an audit log event in a repository for each activity identified in said intercepted messages.
52. The method of claim 51 wherein said analysing comprises:
identifying the format of the intercepted messages;
for each format identified, passing a subset of intercepted messages conforming to the format identified to a decoder for processing that format;
each decoder capturing activity and audit information from said subset of intercepted messages passed.
58. A method for providing access to data for a plurality of users, said data stored on a network, said network comprising a plurality of nodes, each of said plurality of nodes associated with an access control node, each of said access control nodes interposed between its associated node and the network, said method comprising:
defining a plurality of roles to which users will be associated;
for each role defined, identifying the data for which access is to be granted and the type of functionality at each of said plurality of nodes that is to be made available to a user associated with a role; and
associating each of said plurality of users with at least one of said defined roles.
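The format identification and per-format decoding of claim 52, with the DICOM and HL7 formats and XML audit records of claims 14, 18 and 42, can be illustrated as below. This is an added example, not the patent's implementation; it assumes HL7 v2 messages arrive in MLLP framing and that each intercepted DICOM message is one whole upper-layer PDU, and the function names, XML element names and sample traffic are constructed for illustration.

```python
import struct
import xml.etree.ElementTree as ET

PDU_TYPES = {1: "A-ASSOCIATE-RQ", 2: "A-ASSOCIATE-AC", 3: "A-ASSOCIATE-RJ",
             4: "P-DATA-TF", 5: "A-RELEASE-RQ", 6: "A-RELEASE-RP", 7: "A-ABORT"}

def identify(msg: bytes):
    """Name the format of one intercepted message, or None if unrecognised."""
    # Assumption: HL7 v2 arrives in MLLP framing, <VT> MSH|... <FS><CR>.
    if msg[:5] == b"\x0bMSH|" and msg[-2:] == b"\x1c\r":
        return "HL7"
    # Assumption: one whole DICOM upper-layer PDU per message:
    # type (1 byte), reserved zero byte, big-endian 4-byte body length.
    if len(msg) >= 6 and msg[0] in PDU_TYPES and msg[1] == 0 \
            and struct.unpack(">I", msg[2:6])[0] == len(msg) - 6:
        return "DICOM"
    return None

def decode_hl7(msg: bytes) -> dict:
    msh = msg[1:-2].decode("ascii", "replace").split("\r")[0].split("|")
    if len(msh) < 10:
        return {"format": "HL7", "activity": "malformed"}
    # MSH-3 sending application, MSH-9 message type, MSH-10 control id
    return {"format": "HL7", "activity": msh[8], "source": msh[2], "id": msh[9]}

def decode_dicom(msg: bytes) -> dict:
    event = {"format": "DICOM", "activity": PDU_TYPES[msg[0]]}
    if msg[0] == 1 and len(msg) >= 42:   # calling AE title sits at bytes 26..41
        event["source"] = msg[26:42].decode("ascii", "replace").strip()
    return event

DECODERS = {"HL7": decode_hl7, "DICOM": decode_dicom}

def audit_log(messages) -> ET.Element:
    """Dispatch each message to its decoder; keep a record even when none fits."""
    root = ET.Element("AuditLog")
    for msg in messages:
        fmt = identify(msg)
        fields = DECODERS[fmt](msg) if fmt else {"format": "unknown", "activity": "undecoded"}
        ET.SubElement(root, "Event", fields)
    return root

# Constructed sample traffic (not captured from any real system).
_body = struct.pack(">HH", 1, 0) + b"ARCHIVE".ljust(16) + b"WS_RAD_01".ljust(16) + bytes(32)
SAMPLES = [
    b"\x0bMSH|^~\\&|RIS|HOSP|PACS|HOSP|20240101120000||ADT^A01|MSG0001|P|2.3\rPID|1||12345\r\x1c\r",
    struct.pack(">BBI", 1, 0, len(_body)) + _body,   # minimal A-ASSOCIATE-RQ header
    b"GET / HTTP/1.1\r\n\r\n",
]
```

Messages that match no decoder are still written to the log as undecoded events, so traffic in an unexpected format leaves an audit trail instead of passing silently.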
Specification