HEALTHCARE PRIVACY BREACH PREVENTION THROUGH INTEGRATED AUDIT AND ACCESS CONTROL

US 20130326579A1
Filed: 03/13/2013
Published: 12/05/2013
Est. Priority Date: 05/30/2012
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for compliance with a privacy requirement, the method comprising:

analyzing, using one or more processors, an access log related to a history of users accessing records;

deriving a plurality of roles assigned to the users and a plurality of accesses reflecting actions taken by the users;

deriving from the access log a mapped log comprising a plurality of mapping records including a plurality of mapped role-access pairs;

generating, using the one or more processors, a reduced log including a plurality of reduced records comprising a mapped role-access pair and statistics that are associated with the mapped role-access pair, the statistics being derived from a subset of the mapping records that include the mapped role-access pair; and

deriving an access policy based on the reduced log, wherein the access policy includes a plurality of proposed role-access pairs.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented method for compliance with a privacy requirement. The method comprises analyzing, using one or more processors, an access log related to a history of users accessing records; deriving a plurality of roles assigned to the users and a plurality of accesses reflecting actions taken by the users; and deriving from the access log a mapped log comprising a plurality of mapping records including a plurality of mapped role-access pairs. The method further comprises generating, using the one or more processors, a reduced log including a plurality of reduced records comprising a mapped role-access pair and statistics that are associated with the mapped role-access pair, the statistics being derived from a subset of the mapping records that include the mapped role-access pair; and deriving an access policy based on the reduced log, wherein the access policy includes a plurality of proposed role-access pairs.

30 Citations

View as Search Results

22 Claims

1. A computer-implemented method for compliance with a privacy requirement, the method comprising:
- analyzing, using one or more processors, an access log related to a history of users accessing records;
  
  deriving a plurality of roles assigned to the users and a plurality of accesses reflecting actions taken by the users;
  
  deriving from the access log a mapped log comprising a plurality of mapping records including a plurality of mapped role-access pairs;
  
  generating, using the one or more processors, a reduced log including a plurality of reduced records comprising a mapped role-access pair and statistics that are associated with the mapped role-access pair, the statistics being derived from a subset of the mapping records that include the mapped role-access pair; and
  
  deriving an access policy based on the reduced log, wherein the access policy includes a plurality of proposed role-access pairs.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The computer-implemented method of claim 1, further comprising:
    - storing, in a storage device, a default access policy related to existing access permissions for the users, the default access policy including a plurality of default role-access pairs including at least one role of the roles and one or more of the accesses permitted to the one role; and
      
      performing a comparison of the default access policy with the mapped log, wherein deriving the access policy includes deriving a new access policy using a result of the comparison.
  - 3. The computer-implemented method of claim 2, further comprising deriving the default access policy from the access log.
  - 4. The computer-implemented method of claim 2, further comprising receiving the default access policy as an explicit default policy.
  - 5. The computer-implemented method of claim 1, wherein the access log includes a plurality of log entries, and wherein at least one of the mapped role-access pairs includes one role of the roles and one access of the accesses that is associated with the one role via one of the log entries.
  - 6. The computer-implemented method of claim 1, further comprising using the reduced log to derive a compliance score indicating a level of compliance with the privacy requirement.
  - 7. The computer-implemented method of claim 2, wherein performing the comparison includes deriving an unutilized role-access pair that is included in the default role-access pairs and is not included the mapped role-access pairs, and wherein deriving the new access policy includes removing from the default access policy the unutilized role-access pair.
  - 8. The computer-implemented method of claim 1, wherein the statistics include an average access per user for the mapped role-access pair derived from the subset of the mapping records.
  - 9. The computer-implemented method of claim 8, wherein deriving the access policy comprises assigning to the mapped role-access pair a flag indicating underutilization if the average access per user for the mapped role-access pair is less than or equal to a threshold.
  - 10. The computer-implemented method of claim 8, wherein the statistics further include an identification of a user associated with the mapped role-access pair and an access count for the identification indicating a number of mapping records including the mapped role-access pair and the identification, and wherein deriving the access policy comprises assigning a flag indicating abnormal frequent utilization to the identification if the access count for the identification exceeds a sum of the average access per user for the mapped role-access pair and an increase tolerance.
  - 11. The computer-implemented method of claim 8, wherein the statistics further include an identification of a user associated with the mapped role-access pair and an access count for the identification indicating a number of mapping records including the mapped role-access pair and the identification, and wherein deriving the access policy comprises assigning a flag indicating abnormal infrequent utilization to the identification if the access count for the identification is less than the average access per user for the mapped role-access pair minus a decrease tolerance.

12. A system for compliance with a privacy requirement, the system comprising:
- a mapper module configured to analyze an access log related to a history of users accessing records, to derive a plurality of roles assigned to the users and a plurality of accesses reflecting actions taken by the users, and to derive a mapped log comprising a plurality of mapping records including a plurality of mapped role-access pairs;
  
  a reducer module configured to generate a reduced log including a plurality of reduced records comprising a mapped role-access pair; and
  
  an analyzer module configured to derive statistics that are associated with the mapped role-access pair, the statistics being derived from a subset of the mapping records that include the mapped role-access pair.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 13. The system of claim 12, wherein the analyzer module is further configured to derive an access policy based on the reduced log, wherein the access policy includes a plurality of proposed role-access pairs.
  - 14. The system of claim 13, further comprising a storage device for storing a default access policy related to existing access permissions for the users, the default access policy including a plurality of default role-access pairs including at least one role of the roles and one or more of the accesses permitted to the one role, wherein the analyzer module is further configured to:
    - perform a comparison of the default access policy with the mapped log; and
      
      derive a new access policy as the access policy using a result of the comparison.
  - 15. The system of claim 14, wherein the analyzer module is further configured to derive the default access policy from the access log.
  - 16. The system of claim 14, wherein performing the comparison includes deriving an unutilized role-access pair that is included in the default role-access pairs and is not included the mapped role-access pairs, and wherein deriving the new access policy includes removing from the default access policy the unutilized role-access pair.
  - 17. The system of claim 12, wherein the analyzer module is further configured to use the reduced log to derive a compliance score indicating a level of compliance with the privacy requirement.
  - 18. The system of claim 12, wherein the statistics include an average access per user for the mapped role-access pair derived from the subset of the mapping records.
  - 19. The system of claim 18, wherein deriving the access policy comprises assigning to the mapped role-access pair a flag indicating underutilization if the average access per user for the mapped role-access pair is less than or equal to a threshold.
  - 20. The system of claim 18, wherein the statistics further include an identification of a user associated with the mapped role-access pair and an access count for the identification indicating a number of mapping records including the mapped role-access pair and the identification, and wherein deriving the access policy comprises assigning a flag indicating abnormal frequent utilization to the identification if the access count for the identification exceeds a sum of the average access per user for the mapped role-access pair and an increase tolerance.
  - 21. The system of claim 18, wherein the statistics further include an identification of a user associated with the mapped role-access pair and an access count for the identification indicating a number of mapping records including the mapped role-access pair and the identification, and wherein deriving the access policy comprises assigning a flag indicating abnormal infrequent utilization to the identification if the access count for the identification is less than the average access per user for the mapped role-access pair minus a decrease tolerance.

22. A non-transitory computer-readable medium storing a computer program, wherein the computer program, when executed by one or more processors, causes the one or more processors to perform a method for compliance with a privacy requirement, the method comprising:
- analyzing, using one or more processors, an access log related to a history of users accessing records;
  
  deriving a plurality of roles assigned to the users and a plurality of accesses reflecting actions taken by the users;
  
  deriving from the access log a mapped log comprising a plurality of mapping records including a plurality of mapped role-access pairs;
  
  generating, using the one or more processors, a reduced log including a plurality of reduced records comprising a mapped role-access pair and statistics that are associated with the mapped role-access pair, the statistics being derived from a subset of the mapping records that include the mapped role-access pair; and
  
  deriving an access policy based on the reduced log, wherein the access policy includes a plurality of proposed role-access pairs.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Accenture Global Services Limited (Accenture PLC)
Original Assignee
Accenture Global Services Limited (Accenture PLC)
Inventors
Bhatti, Rafae, Martin, Paul D.

Granted Patent

US 8,984,583 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 21/45   Structures or tools for the...

G06F 21/62   Protecting access to data v...

G06F 21/6245   Protecting personal data, e...

G06F 2221/2101   Auditing as a secondary aspect

G06Q 10/06   Resources, workflows, human...

G16H 10/60   for patient-specific data, ...

G16H 50/70   for mining of medical data,...

G16Z 99/00   Subject matter not provided...

H04L 63/20   for managing network securi...

HEALTHCARE PRIVACY BREACH PREVENTION THROUGH INTEGRATED AUDIT AND ACCESS CONTROL

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

30 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

HEALTHCARE PRIVACY BREACH PREVENTION THROUGH INTEGRATED AUDIT AND ACCESS CONTROL

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

30 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links