Systems and methods for preventing an attack on healthcare data processing resources in a hospital information system

US 20050066061A1
Filed: 04/07/2004
Published: 03/24/2005
Est. Priority Date: 09/19/2003
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

healthcare data processing resources;

non-healthcare data processing resources;

a switching entity disposed between the healthcare data processing resources and the non-healthcare data processing resources;

a communication link connected to the switching entity and connectable to an end user device;

the switching entity being operative to alternatively support, over the communication link, either a healthcare session between the end user device and the healthcare data processing resources, or a non-healthcare session between the end user device and the non-healthcare data processing resources;

the switching entity being configured to prevent the healthcare data processing resources and the non-healthcare data processing resources from communicating with each other via the switching entity.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system comprising a switching entity disposed between healthcare data processing resources and non-healthcare data processing resources. The switching entity is capable of operation in a first state in which an end user device is communicatively coupled to the healthcare data processing resources to support a healthcare session and a second state in which the end user device is communicatively coupled to the non-healthcare data processing resources to support a non-healthcare session. If the authentication request message is received while the switching entity is operating in the second state and a particular non-healthcare session is in progress, and the selected authentication entity is the healthcare authentication entity, initiating a memory purge at the end user device. Attacks on the healthcare data processing resources, both from the non-healthcare resources directly and via the end user device, are thus prevented.

75 Citations

View as Search Results

81 Claims

1. A system, comprising:
- healthcare data processing resources;
  
  non-healthcare data processing resources;
  
  a switching entity disposed between the healthcare data processing resources and the non-healthcare data processing resources;
  
  a communication link connected to the switching entity and connectable to an end user device;
  
  the switching entity being operative to alternatively support, over the communication link, either a healthcare session between the end user device and the healthcare data processing resources, or a non-healthcare session between the end user device and the non-healthcare data processing resources;
  
  the switching entity being configured to prevent the healthcare data processing resources and the non-healthcare data processing resources from communicating with each other via the switching entity.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39)
- - 2. The system defined in claim 1, wherein each healthcare session and each non-healthcare session is implemented as a virtual connection.
  - 3. The system defined in claim 1, further comprising a healthcare authentication entity for authenticating users claiming to be healthcare users and a non-healthcare authentication entity for authenticating users claiming to be non-healthcare users.
  - 4. The system defined in claim 3, wherein the switching entity is capable of operation in a first state in which the end user device is communicatively coupled to the healthcare data processing resources to support a healthcare session and a second state in which the end user device is communicatively coupled to the non-healthcare data processing resources to support a non-healthcare session.
  - 5. The system defined in claim 4, further comprising a control entity for controlling the state in which the switching entity operates.
  - 6. The system defined in claim 5, further comprising a session monitoring functional entity operative to:
    - receive an authentication request message from a user along the communication link;
      
      determine, from the authentication request message, whether the user is claiming to be a healthcare user or a non-healthcare user;
      
      send the authentication request message to a selected one of the healthcare authentication entity and the non-healthcare authentication entity in dependence upon whether it has been determined that the user is claiming to be a healthcare user or a non-healthcare user.
  - 7. The system defined in claim 6, the session monitoring functional entity being further operative to send to the control entity an indication of the selected authentication entity.
  - 8. The system defined in claim 7, each of the healthcare authentication entity and the non-healthcare authentication entity being operative to send to the control entity an indication of successful or unsuccessful authentication.
  - 9. The system defined in claim 8, the control entity having an operation defined by:
    - responsive to successful authentication by the healthcare authentication entity, causing the switching entity to operate in the first state.
  - 10. The system defined in claim 9, the control entity having an operation further defined by:
    - responsive to successful authentication by the non-healthcare authentication entity, causing the switching entity to operate in the second state.
  - 11. The system defined in claim 8, the control entity having an operation defined by:
    - if the authentication request message is received while the switching entity is operating in the first state, and the selected authentication entity is the non-healthcare authentication entity, then responsive to successful authentication by the non-healthcare authentication entity, causing the switching entity to operate in the second state.
  - 12. The system defined in claim 11, the control entity having an operation defined by:
    - if the authentication request message is received while the switching entity is operating in the second state, and the selected authentication entity is the healthcare authentication entity, then responsive to successful authentication by the healthcare authentication entity, causing the switching entity to operate in the first state.
  - 13. The system defined in claim 12, wherein the switching entity is implemented in hardware.
  - 14. The system defined in claim 12, wherein the switching entity is implemented in software.
  - 15. The system defined in claim 8, the control entity having an operation defined by:
    - if the authentication request message is received while the switching entity is operating in the second state and a particular non-healthcare session is in progress, and the selected authentication entity is the healthcare authentication entity, initiating a memory purge at the end user device.
  - 16. The system defined in claim 15, the control entity having an operation further defined by:
    - if the authentication request message is received while the switching entity is operating in the second state and a particular non-healthcare session is in progress, and the selected authentication entity is the healthcare authentication entity, initiating a context saving operation by the non-healthcare data processing resources.
  - 17. The system defined in claim 15, the control entity having an operation further defined by:
    - subsequent to initiating a memory purge at the end user device, and responsive to successful authentication by the healthcare authentication entity, causing the switching entity to operate in the first state.
  - 18. The system defined in claim 17, the control entity having an operation further defined by:
    - responsive to successful authentication by the non-healthcare authentication entity, causing the switching entity to operate in the second state.
  - 19. The system defined in claim 15, wherein initiating a memory purge at the end user device comprises:
    - releasing a command towards the end user device to cause the end user device to purge data loaded into the end user device during the particular non-healthcare session.
  - 20. The system defined in claim 15, wherein initiating a memory purge at the end user device comprises:
    - releasing a command towards the end user device to cause the end user device to purge all data loaded into the end user device during the particular non-healthcare session.
  - 21. The system defined in claim 5, further comprising a session monitoring functional entity operative to:
    - receive a message indicative of termination of an ongoing session;
      
      send to the control entity a second message indicative of termination of the session.
  - 22. The system defined in claim 21, the control entity being operative to respond to receipt of the second message to initiate a memory purge at the end user device.
  - 23. The system defined in claim 22, wherein initiating a memory purge at the end user device comprises:
    - releasing a command towards the end user device to cause the end user device to purge data loaded into the end user device during the terminated session.
  - 24. The system defined in claim 6, the session monitoring functional entity being operative to:
    - receive a message indicative of termination of an ongoing session;
      
      send to the control entity a second message indicative of termination of the session.
  - 25. The system defined in claim 24, the control entity being operative to respond to receipt of the second message to initiate a memory purge at the end user device.
  - 26. The system defined in claim 25, wherein initiating a memory purge at the end user device comprises:
    - releasing a command towards the end user device to cause the end user device to purge data loaded into the end user device during the terminated session.
  - 27. The system defined in claim 8, the session monitoring functional entity being operative to:
    - receive a message indicative of termination of an ongoing session;
      
      send to the control entity a second message indicative of termination of the session.
  - 28. The system defined in claim 27, the control entity being operative to respond to receipt of the second message to initiate a memory purge at the end user device.
  - 29. The system defined in claim 28, wherein initiating a memory purge at the end user device comprises:
    - releasing a command towards the end user device to cause the end user device to purge data loaded into the end user device during the terminated session.
  - 30. The system defined in claim 1, wherein the healthcare data processing resources comprise a plurality of healthcare application servers for running clinical software.
  - 31. The system defined in claim 30, wherein the healthcare session allows the delivery of a computerized physician order entry service.
  - 32. The system defined in claim 1, wherein the non-healthcare data processing resources comprise a digital entertainment head end for controlling delivery to the end user device of received digital entertainment services.
  - 33. The system defined in claim 32, wherein the non-healthcare session allows the delivery of patient entertainment services.
  - 34. The system defined in claim 32, wherein the non-healthcare session allows the delivery of personal video recorder services.
  - 35. The system defined in claim 1, wherein the non-healthcare data processing resources comprise an Internet gateway.
  - 36. The system defined in claim 1, wherein the non-healthcare data processing resources comprise a patient information server for allowing access to patient information services.
  - 37. The system defined in claim 1, wherein the communication link is at least partly wireless.
  - 38. The system defined in claim 1, wherein the communication link is at least partly fixed-wire.
  - 39. The system defined in claim 1, wherein the communication link comprises point-to-point telephony wiring.

40. An access controller, disposed between healthcare data processing resources and non-healthcare data processing resources, and connectable to an end user device via a communication link, the access controller comprising:
- a switching entity capable of operation in a first state in which the end user device is communicatively coupled to the healthcare data processing resources to support a healthcare session and a second state in which the end user device is communicatively coupled to the non-healthcare data processing resources to support a non-healthcare session; and
  
  a control entity for controlling the state in which the switching entity operates.
- View Dependent Claims (41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57)
- - 41. The access controller defined in claim 40, further comprising a session monitoring functional entity operative to:
    - receive an authentication request message from a user along the communication link;
      
      determine, from the authentication request message, whether the user is claiming to be a healthcare user or a non-healthcare user;
      
      send the authentication request message to a selected one of the healthcare authentication entity and the non-healthcare authentication entity in dependence upon whether it has determined that the user is claiming to be a healthcare user or a non-healthcare user.
  - 42. The access controller defined in claim 41, the session monitoring functional entity being further operative to send to the control entity an indication of the selected authentication entity.
  - 43. The access controller defined in claim 42, the control entity having an operation defined by:
    - responsive to an indication of successful authentication by a healthcare authentication entity in the healthcare data processing resources, causing the switching entity to operate in the first state.
  - 44. The access controller defined in claim 43, the control entity having an operation further defined by:
    - responsive to successful authentication by a non-healthcare authentication entity in the non-healthcare data processing resources, causing the switching entity to operate in the second state.
  - 45. The system defined in claim 42, the control entity having an operation defined by:
    - if the authentication request message is received while the switching entity is operating in the first state, and the selected authentication entity is the non-healthcare authentication entity, then responsive to successful authentication by the non-healthcare authentication entity, causing the switching entity to operate in the second state.
  - 46. The system defined in claim 45, the control entity having an operation defined by:
    - if the authentication request message is received while the switching entity is operating in the second state, and the selected authentication entity is the healthcare authentication entity, then responsive to successful authentication by the healthcare authentication entity, causing the switching entity to operate in the first state.
  - 47. The system defined in claim 42, the control entity having an operation defined by:
    - if the authentication request message is received while the switching entity is operating in the second state, and the selected authentication entity is the healthcare authentication entity, initiate a memory purge at the end user device.
  - 48. The system defined in claim 47, the control entity having an operation further defined by:
    - responsive to successful authentication by the healthcare authentication entity, causing the switching entity to operate in the first state.
  - 49. The system defined in claim 48, the control entity having an operation further defined by:
    - responsive to successful authentication by the non-healthcare authentication entity, causing the switching entity to operate in the second state.
  - 50. The system defined in claim 47, wherein initiating a memory purge at the end user device comprises:
    - releasing a command towards the end user device to cause the end user device to purge data loaded into the end user device during the non-healthcare session.
  - 51. The system defined in claim 47, wherein initiating a memory purge at the end user device comprises:
    - releasing a command towards the end user device to cause the end user device to purge all data loaded into the end user device during the non-healthcare session.
  - 52. The system defined in claim 40, further comprising a session monitoring functional entity operative to:
    - receive a message indicative of session termination;
      
      send to the control entity a second message indicative of session termination.
  - 53. The system defined in claim 52, the control entity being operative to respond to receipt of the second message to initiate a memory purge at the end user device.
  - 54. The system defined in claim 53, wherein initiating a memory purge at the end user device comprises:
    - releasing a command towards the end user device to cause the end user device to purge data loaded into the end user device during the non-healthcare session.
  - 55. The system defined in claim 40, the session monitoring functional entity being operative to:
    - receive a message indicative of session termination;
      
      send to the control entity a second message indicative of session termination.
  - 56. The system defined in claim 55, the control entity being operative to respond to receipt of the second message to initiate a memory purge at the end user device.
  - 57. The system defined in claim 56, wherein initiating a memory purge at the end user device comprises:
    - releasing a command towards the end user device to cause the end user device to purge data loaded into the end user device during the non-healthcare session.

58. A method, comprising:
- receiving an authentication request message from a user along a communication link;
  
  determining, from the authentication request message, whether the user is claiming to be a healthcare user or a non-healthcare user;
  
  sending the authentication request message to a selected one of a healthcare authentication entity and a non-healthcare authentication entity in dependence upon the determining;
  
  responsive to successful authentication by the selected authentication entity, controlling the state in which a switching entity operates, wherein the switching entity is capable of operation in a first state in which the end user device is communicatively coupled to healthcare data processing resources to support a healthcare session and a second state in which the end user device is communicatively coupled to non-healthcare data processing resources to support a non-healthcare session.
- View Dependent Claims (59)
- - 59. The method defined in claim 58, further comprising:
    - if the authentication request message is received while the switching entity is operating in the second state, and the selected authentication entity is the healthcare authentication entity, initiating a memory purge at the end user device.

60. A computer-readable storage medium containing a program element for execution by a computing device to implement an access controller, said access controller including:
- a switching entity capable of operation in a first state in which an end user device is communicatively coupled to healthcare data processing resources to support a healthcare session and a second state in which the end user device is communicatively coupled to non-healthcare data processing resources to support a non-healthcare session; and
  
  a control entity for controlling the state in which the switching entity operates.
- View Dependent Claims (61)
- - 61. The computer-readable storage medium defined in claim 60, further including a session monitoring functional entity operative to:
    - receive an authentication request message from a user along the communication link;
      
      determine, from the authentication request message, whether the user is claiming to be a healthcare user or a non-healthcare user;
      
      send the authentication request message to a selected one of the healthcare authentication entity and the non-healthcare authentication entity in dependence upon whether it has determined that the user is claiming to be a healthcare user or a non-healthcare user.

62. An end user device, comprising:
- a processing unit operative to support, during non-overlapping time periods, distinct communications sessions with corresponding data processing resources in a network, the communications session supported during each of the time periods being one of a healthcare session and a non-healthcare session;
  
  a memory for storing data exchanged between the processing unit and the network during the communications sessions;
  
  the memory being responsive to termination of communications sessions that are non-healthcare sessions to purge data stored into the memory during said sessions.
- View Dependent Claims (63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80)
- - 63. The end user device defined in claim 62, wherein the memory comprises volatile memory.
  - 64. The end user device defined in claim 63, wherein the volatile memory is capable of being reset and wherein purging data stored into the memory during a particular communications session comprises erasing, deleting, over-writing, scrambling and resetting the volatile memory.
  - 65. The end user device defined in claim 62, wherein the memory comprises non-volatile memory.
  - 66. The end user device defined in claim 65, wherein purging data stored into the memory during a particular communications session comprises at least one of erasing, deleting, over-writing, scrambling and resetting said data in the non-volatile memory.
  - 67. The end user device defined in claim 62, further comprising:
    - a network interface connected to the processing unit and to the memory, and connectable to a communication link with the network.
  - 68. The end user device defined in claim 67, the network interface being operative to implement a first channel for exchanging data between the data processing resources in the network and the processing unit.
  - 69. The end user device defined in claim 68, the network interface further being operative to implement a second channel for delivering messages to the memory indicative of session termination and instrumental in causing the memory to purge said data stored into the memory during said sessions.
  - 70. The end user device defined in claim 69, the network interface further being operative to maintain isolation between the first and second channels.
  - 71. The end user device defined in claim 62, further comprising:
    - an authentication device for receiving authentication primitives from a user;
      
      a message formulator communicatively coupled to the authentication device, the message formulator being operative to generate an authentication message based on the authentication primitives received by the authentication device.
  - 72. The end user device defined in claim 71, wherein the authentication device comprises at least one of a bar code scanner, a biometric reader, a magnetic card reader and a radio frequency badge reader.
  - 73. The end user device defined in claim 71, further the processing unit and the message formulator being configured such that the processing unit is capable of receiving data from the message formulator and is prevented from sending data to the message formulator.
  - 74. The end user device defined in claim 71, the message formulator being further operative to verify compliance of the authentication primitives with a set of user class-agnostic requirements and to generate the authentication message only in response to positive compliance.
  - 75. The end user device defined in claim 71, further comprising a network interface connected to the processing unit, to the memory and to the message formulator, and connectable to a communication link with the network.
  - 76. The end user device defined in claim 75, the network interface being operative to implement a first channel for receiving the authentication request message from the message formulator and releasing it towards the network along the communication link for authentication of the user.
  - 77. The end user device defined in claim 76, the network interface being operative to implement a second channel for exchanging data between the data processing resources in the network and the processing unit.
  - 78. The end user device defined in claim 77, the network interface further being operative to maintain isolation between the first and second channels.
  - 79. The end user device defined in claim 77, the network interface further being operative to implement a third channel for delivering messages to the memory indicative of session termination and instrumental in causing the memory to purge said data stored into the memory during said sessions.
  - 80. The end user device defined in claim 79, the network interface further being operative to maintain isolation between the first, second and third channels.

81. A computer-readable storage medium containing a program element for execution by a computing device to implement an end user device, said end user device including:
- a processing entity operative to support, during non-overlapping time periods, distinct communications sessions with corresponding data processing resources in a network, the communications session supported during each of the time periods being one of a healthcare session and a non-healthcare session;
  
  a memory entity for storing data exchanged between the processing entity and the network during the communications sessions;
  
  the memory entity being responsive to termination of communications sessions that are non-healthcare sessions to purge data stored into the memory entity during said sessions.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
RPX Clearinghouse LLC (RPX Corporation)
Original Assignee
Nortel Networks Limited (Nortel Networks Corporation)
Inventors
Sylvain, Dany, Watkins, John, Graves, Alan Frank, Fitchett, Jeffrey, Elliott, Stephen

Granted Patent

US 7,376,836 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/249
CPC Class Codes

G06Q 90/00   Systems or methods speciall...

G06Q 99/00   Subject matter not provided...

G16H 10/60   for patient-specific data, ...

G16H 40/20   for the management or admin...

G16Z 99/00   Subject matter not provided...

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H04L 63/1441   Countermeasures against mal...

H04L 9/40   Network security protocols

H04M 11/066   Telephone sets adapted for ...

Systems and methods for preventing an attack on healthcare data processing resources in a hospital information system

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

75 Citations

81 Claims

Specification

Use Cases

Quick Links

Others

Systems and methods for preventing an attack on healthcare data processing resources in a hospital information system

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

75 Citations

81 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others