METHOD AND APPARATUS GENERATING AND APPLYING SECURITY LABELS TO SENSITIVE DATA
Abstract
The disclosure comprises a method, an apparatus, and instructions for controlling a computer to implement a security labeling service (SLS) to tag an electronic record or data stream with security labels to ensure compliance with access restriction requirements. The SLS tags a record or data stream with security labels according to constraints including jurisdictional (government regulation), organizational policy, and authorization of a subject of record (e.g. patient consent). The SLS consumes a vocabulary dictionary to interpret the record and the constraints to generate rules for tagging the data. The original record or data stream is then tagged according to the rules. The tagged output is used to ensure compliance with the security labels.
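The flow the abstract describes (vocabulary dictionary plus constraints produce rules, then the decomposed record is tagged) can be sketched as follows; this is an added example, not code from the patent. The codes, label names, constraint tuples, sample record, and the flagging of unmapped codes are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed vocabulary dictionary: record code -> clinical category.
VOCABULARY = {"F10.20": "substance_abuse", "B20": "hiv", "J45.909": "respiratory"}

# Constructed constraints as (source, category, label), one per source
# named in the abstract: regulation, organizational policy, subject consent.
CONSTRAINTS = [
    ("regulation", "substance_abuse", "RESTRICTED"),
    ("organization", "hiv", "RESTRICTED"),
    ("consent", "substance_abuse", "NO_RESEARCH_USE"),
]

@dataclass
class Segment:
    code: str
    text: str
    labels: list = field(default_factory=list)  # (source, label) pairs

def generate_rules(vocabulary, constraints):
    """Interpret constraints through the vocabulary to get per-code rules."""
    rules = {}
    for code, category in vocabulary.items():
        rules[code] = [(src, label) for src, cat, label in constraints if cat == category]
    return rules

def decompose(record):
    """Split a record into individually taggable segments."""
    return [Segment(e["code"], e["text"]) for e in record["entries"]]

def tag_record(record, rules):
    """Tag each segment; a code missing from the vocabulary is flagged
    rather than passed through unlabeled (assumed fail-closed behaviour)."""
    segments = decompose(record)
    for seg in segments:
        seg.labels = list(rules.get(seg.code, [("default", "UNMAPPED_CODE")]))
    return segments

# Constructed sample record.
RECORD = {"subject": "patient-001", "entries": [
    {"code": "F10.20", "text": "alcohol dependence"},
    {"code": "J45.909", "text": "asthma"},
    {"code": "Z99.99X", "text": "free-text note"},
]}

if __name__ == "__main__":
    for seg in tag_record(RECORD, generate_rules(VOCABULARY, CONSTRAINTS)):
        print(seg.code, seg.labels)
```

Each label keeps the source that imposed it, so a downstream enforcement point can tell a regulatory restriction from a consent-based one on the same segment.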
29 Claims
1. A method comprising:
- tagging at runtime, by a computer, an electronic record or an electronic data stream with a security label that enables automated compliance and enforcement with each of a subject of record authorization, an organizational policy, and a government regulation.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 29
13. A method comprising:
- receiving a retrieval request to retrieve an electronic record associated with a subject of record;
- determining a rule, by a computer, for tagging the electronic record based on a vocabulary dictionary, an authorization constraint, an organizational policy constraint, and a government rule constraint;
- retrieving the electronic record from a repository;
- decomposing the electronic record into a decomposed data source;
- tagging the electronic record at runtime with a security label according to the determined rule and the decomposed data source; and
- transmitting the tagged electronic record;
- wherein the authorization constraint is provided by the subject of record.
14. A method according to claim 14, wherein the transmitting the tagged electronic record is transmitted within an XML stream.
17. A method according to claim 17, wherein the organization is a health service provider, and
wherein the determining the rule is further based on a purpose for requesting the electronic record.
22. An apparatus comprising:
- a memory storing instructions;
- a processor executing the instructions to provide:
- a rule generation service configured to generate a rule from a vocabulary dictionary, rule constraints, and decision considerations;
- an extraction engine configured to transform a requested electronic record extracted from an original data source into a decomposed data source;
- a rules engine configured to generate a directive from a rule language, the rule generated by the rule generation service, and the decomposed data source; and
- a transformation engine configured to output an electronic record tagged with a security label using the original data source and the directive.
Dependent claims: 23, 24
25. An apparatus according to claim 25 wherein the subject of record is a medical patient, and
wherein the requested electronic record is a medical record associated with the medical patient.
27. An apparatus according to claim 27, wherein the decision considerations comprise a purpose for requesting the medical record and a workflow consideration.
Specification