METHOD AND APPARATUS GENERATING AND APPLYING SECURITY LABELS TO SENSITIVE DATA

US 20150020213A1
Filed: 06/02/2014
Published: 01/15/2015
Est. Priority Date: 06/04/2013
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

tagging at runtime, by a computer, an electronic record or an electronic data stream with a security label that enables automated compliance and enforcement with each of a subject of record authorization, an organizational policy, and a government regulation.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The disclosure comprises a method, an apparatus, and instructions for controlling a computer to implement a security labeling service (SLS) to tag an electronic record or data stream with security labels to ensure compliance with access restriction requirements. The SLS tags a record or data stream with security labels according to constraints including jurisdictional (government regulation), organizational policy, and authorization of a subject of record (e.g. patient consent). The SLS consumes a vocabulary dictionary to interpret the record and the constraints to generate rules for tagging the data. The original record or data stream is then tagged according to the rules. The tagged output is used to ensure compliance with the security labels.

Citations

29 Claims

1. A method comprising:
- tagging at runtime, by a computer, an electronic record or an electronic data stream with a security label that enables automated compliance and enforcement with each of a subject of record authorization, an organizational policy, and a government regulation.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 29)
- - 2. The method according to claim 1, wherein the electronic record or the electronic data stream is indexed.
  - 3. The method according to claim 1, further comprising:
    - determining whether a receiving party ensures proper compliance with access restrictions according to the security label and organizational policy;
      
      transmitting the tagged electronic record or the tagged electronic data stream if the receiving party ensures compliance with the access restrictions; and
      
      redacting the tagged electronic record or the tagged electronic data stream according to the security label and organizational policy if the receiving party does not ensure proper compliance with the access restrictions, and transmitting the redacted tagged electronic record or the redacted tagged electronic data stream.
  - 4. The method according to claim 2, further comprising:
    - determining whether a receiving party ensures proper compliance with access restrictions according to the security label and organizational policy;
      
      transmitting the tagged indexed electronic record or the tagged indexed electronic data stream if the receiving party ensures compliance with the access restrictions; and
      
      redacting the tagged indexed electronic record or the tagged indexed electronic data stream according to the security label and organizational policy if the receiving party does not ensure proper compliance with the access restrictions, and transmitting the redacted tagged indexed electronic record or the redacted tagged indexed electronic data stream.
  - 5. A method according to claim 1, wherein the electronic record is a medical record.
  - 6. A method according to claim 1, wherein the electronic record is a record that contains sensitive or classified information.
  - 7. A method according to claim 1, wherein the electronic record is associated with the subject of record;
    - andwherein the tagging comprises;
      
      determining a rule for tagging the electronic record based on each of the subject of record authorization, the organizational policy and the government regulation;
      
      retrieving the electronic record from at least one repository;
      
      decomposing the electronic record into a decomposed data source;
      
      tagging the electronic record with the security label according to the determined rule and the decomposed data source; and
      
      determining an output mode of the tagged electronic record;
      
      wherein the output mode is at least one of storing and transmitting.
  - 8. A method according to claim 7, wherein the subject of record is a medical patient;
    - wherein the electronic record is a medical record; and
      
      wherein the organizational policy is provided by a health service provider, (HIPAA) covered entity or business associate, or record custodian.
  - 9. A method according to claim 8, wherein the determining of a rule for tagging utilizes a vocabulary dictionary and a purpose for requesting the medical record.
  - 10. A method according to claim 9, wherein the vocabulary dictionary comprises at least one of Snomed-CT, RxNorm, ICD, and HL7.
  - 11. A method according to claim 8, wherein at least one of the subject of record authorization, the organizational policy, and the government rule is expressed in a rule language, andwherein the rule language comprises at least one of Drool Rule Language (DRL) and RuIeML.
  - 12. A method according to claim 7, further comprising encrypting the tagged electronic record before transmitting.
  - 29. A non-transitory computer readable medium containing instructions for controlling one or more hardware processors to implement the method according to claim 1.

13. A method comprising:
- receiving a retrieval request to retrieve an electronic record associated with a subject of record;
  
  determining a rule, by a computer, for tagging the electronic record based on a vocabulary dictionary, an authorization constraint, an organizational policy constraint, and a government rule constraint;
  
  retrieving the electronic record from a repository;
  
  decomposing the electronic record into a decomposed data source;
  
  tagging the electronic record at runtime with a security label according to the determined rule and the decomposed data source; and
  
  transmitting the tagged electronic record;
  
  wherein the authorization constraint is provided by the subject of record.

14. A method according to claim 14, wherein the transmitting the tagged electronic record is transmitted within an XML stream.
- View Dependent Claims (15, 16, 18, 19, 20, 21)
- - 15. A method according to claim 14 wherein the subject of record is a medical patient;
    - andwherein the electronic record is a medical record of the medical patient.
  - 16. A method according to claim 14, wherein a user within an organization sends the retrieval request;
    - andwherein the organizational policy constraint is provided by the organization.
  - 18. A method according to claim 16, wherein the vocabulary dictionary comprises at least one of Snomed-CT, RxNorm, ICD, and HL7.
  - 19. A method according to claim 14, wherein at least one of the authorization constraint, the organizational policy constraint, and the government rule constraint is expressed in a rule language, andwherein the rule language comprises at least one of Drool Rule Language (DRL) and RuIeML.
  - 20. A method according to claim 14, further comprising encrypting the tagged electronic record before transmitting.
  - 21. A method according to claim 14, further comprising enforcing data security according to the security label by an entity sending the retrieval request.

17. A method according to claim 17, wherein the organization is a health service provider, andwherein the determining the rule is further based on a purpose for requesting the electronic record.

22. An apparatus comprising:
- a memory storing instruction;
  
  a processor executing the instructions to provide;
  
  a rule generation service configured to generate a rule from a vocabulary dictionary, rule constraints, and decision considerations;
  
  an extraction engine configured to transform a requested electronic record extracted from an original data source into a decomposed data source;
  
  a rules engine configured to generate a directive from a rule language, the rule generated by the rule generation service, and the decomposed data source; and
  
  a transformation engine configured to output an electronic record tagged with a security label using the original data source and the directive.
- View Dependent Claims (23, 24)
- - 23. An apparatus according to claim 22, further comprising an encryption engine configured to encrypt the electronic record tagged with the security label.
  - 24. An apparatus according to claim 23, wherein the rule constraints comprise an authorization of a subject of record, an organizational policy, and a government rule.

25. An apparatus according to claim 25 wherein the subject of record is a medical patient, andwherein the requested electronic record is a medical record associated with the medical patient.
- View Dependent Claims (26, 28)
- - 26. An apparatus according to claim 25, wherein the vocabulary dictionary comprises at least one of Snomed-CT, RxNorm, ICD, and HL7.
  - 28. An apparatus according to claim 26, wherein the rule language comprises at least one of Drool Rule Language (DRL) and RuIeML.

27. An apparatus according to claim 27, wherein the decision considerations comprise a purpose for requesting the medical record and a workflow consideration.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Edmond Scientific Co.
Original Assignee
Edmond Scientific Co.
Inventors
DECOUTEAU, Duane, PITALE, John

Granted Patent

US 9,800,582 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/27
CPC Class Codes

G06F 21/6245   Protecting personal data, e...

G06F 2221/2141   Access rights, e.g. capabil...

G06Q 50/265   Personal security, identity...

G16H 10/60   for patient-specific data, ...

H04L 63/10   for controlling access to d...

H04L 63/105   Multiple levels of security

H04L 63/20   for managing network securi...

H04L 67/12   specially adapted for propr...

METHOD AND APPARATUS GENERATING AND APPLYING SECURITY LABELS TO SENSITIVE DATA

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND APPARATUS GENERATING AND APPLYING SECURITY LABELS TO SENSITIVE DATA

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links