Method and apparatus generating and applying security labels to sensitive data
Abstract
The disclosure comprises a method, an apparatus, and instructions for controlling a computer to implement a security labeling service (SLS) to tag an electronic record or data stream with security labels to ensure compliance with access restriction requirements. The SLS tags a record or data stream with security labels according to constraints including jurisdictional (government regulation), organizational policy, and authorization of a subject of record (e.g. patient consent). The SLS consumes a vocabulary dictionary to interpret the record and the constraints to generate rules for tagging the data. The original record or data stream is then tagged according to the rules. The tagged output is used to ensure compliance with the security labels.
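The labeling flow described in the abstract, as an added Python sketch (not code from the patent): a vocabulary dictionary classifies each item, constraints from regulation, organizational policy and subject-of-record consent are filtered by the request into rules, and matching items get a security label inserted. The codes, constraint tuples, label fields, the `purpose` request field and the fail-closed default for unmapped codes are constructed assumptions.

```python
import copy

# Constructed vocabulary dictionary: record code -> sensitivity category.
VOCABULARY = {"F10.20": "substance_abuse", "B20": "hiv", "J45.909": "general"}

# Constructed constraints: (source, category, purposes or None for any, action).
CONSTRAINTS = [
    ("regulation", "substance_abuse", None, "restrict"),
    ("org_policy", "hiv", {"research"}, "redact"),
    ("org_policy", "hiv", {"treatment"}, "encrypt"),
    ("consent", "substance_abuse", {"research"}, "redact"),
]

# Constructed sample record; the last code is deliberately not in the vocabulary.
RECORD = {"subject": "constructed-001", "entries": [
    {"code": "F10.20", "text": "alcohol dependence"},
    {"code": "B20", "text": "HIV disease"},
    {"code": "J45.909", "text": "asthma"},
    {"code": "LOCAL-77", "text": "free-text note"},
]}

def generate_rules(request):
    """Runtime rule generation: keep the constraints that apply to this request."""
    rules = {}
    for source, category, purposes, action in CONSTRAINTS:
        if purposes is None or request["purpose"] in purposes:
            rules.setdefault(category, []).append((source, action))
    return rules

def tag_record(record, request):
    """Return a tagged copy: each matching item carries an inserted security label."""
    rules = generate_rules(request)
    tagged = copy.deepcopy(record)  # the repository copy stays untouched
    for item in tagged["entries"]:
        category = VOCABULARY.get(item["code"])
        if category is None:
            # Assumption of this sketch: unmapped codes fail closed.
            category, hits = "unclassified", [("default", "restrict")]
        else:
            hits = rules.get(category, [])
        if hits:  # a label may combine several handling actions
            item["security_label"] = {
                "category": category,
                "handling": sorted({action for _, action in hits}),
                "basis": sorted({source for source, _ in hits}),
            }
    return tagged

if __name__ == "__main__":
    for entry in tag_record(RECORD, {"purpose": "research"})["entries"]:
        print(entry["code"], entry.get("security_label"))
```

The same record yields different labels for a `treatment` request than for a `research` request, which is the point of generating the label at request time instead of storing it with the record.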
29 Claims
1. A method comprising:
- by at least one hardware computer;
- receiving, at runtime, a request for an electronic record or electronic data stream from a receiving party;
- receiving the electronic record or electronic data stream from at least one repository in response to the received request;
- dynamically generating, at runtime, a security label according to the electronic record or electronic data stream, information included in the received request, a subject of record authorization, an organizational policy, and a government regulation, the security label corresponding to at least one item included in the received electronic record or electronic data stream and indicating one or a combination of redaction, restriction, and encryption of at least one item included in the received electronic record or electronic data stream;
- inserting, at runtime, the dynamically generated security label into the received electronic record or electronic data stream to generate a tagged electronic record or electronic data stream including the security label and the at least one item corresponding to the security label, thereby enabling automated compliance and enforcement of data handling for each of the subject of record authorization, the organizational policy, and the government regulation according to the information included in the received request, and
- outputting the tagged electronic record or electronic data stream with the inserted security label and the at least one item corresponding to the inserted security label.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13

14. A method comprising:
- by at least one computer;
- receiving, at runtime, a retrieval request to retrieve an electronic record associated with a subject of record;
- determining a rule for dynamically tagging, at runtime, the electronic record based on the electronic record, information included in the retrieval request, a vocabulary dictionary, an authorization constraint, an organizational policy constraint, and a government rule constraint, to enable automated compliance and enforcement of data handling;
- retrieving the electronic record from a repository according to the retrieval request;
- decomposing the electronic record into a decomposed data source;
- tagging the electronic record at runtime with a security label corresponding to at least one item in the decomposed data source and according to a correspondence between the determined rule and the at least one item in the decomposed data source by inserting the security label into the electronic record to generate a tagged electronic record including the security label and the at least one item corresponding to the security label, the security label indicating one or a combination of redaction, restriction, and encryption of the at least one item as the compliance and enforcement of the data handling according to the information included in the retrieval request; and
- outputting the tagged electronic record with the inserted security label and the at least one item corresponding to the inserted security label;
- wherein the authorization constraint is provided by the subject of record.

Dependent claims: 15, 16, 17, 18, 19, 20, 21, 22

23. An apparatus comprising:
- a memory storing instructions;
- at least one hardware processor, wherein upon executing the instructions, the at least one hardware processor implements;
- a rule generation service configured to dynamically generate, at runtime, a rule from a vocabulary dictionary, rule constraints, decision considerations included in information included in a runtime request to retrieve an electronic record from an original data source, and the electronic record;
- an extraction engine configured to transform the electronic record into a decomposed data source;
- a rules engine configured to generate, at runtime, a directive from a correspondence between the rule generated by the rule generation service and at least one item in the decomposed data source, the directive indicating how to transform the rule into a security label corresponding to the at least one item in the decomposed data source and indicating where to insert the security label into the electronic record, and the security label indicating at least one of redaction, restriction, and encryption of the at least one item in the decomposed data source according to the rule constraints and the decision considerations included in the information included in the request to retrieve the electronic record from an original data source; and
- a transformation engine configured to output an electronic record tagged with the security label by inserting the security label at runtime into the electronic record according to the directive to enable automated compliance and enforcement of data security according to the rule constraints and the decision considerations included in the information included in the request to retrieve the electronic record from an original data source, the tagged electronic record including the security label and a portion of the electronic record corresponding to the at least one item in the decomposed data source corresponding to the security label.

Dependent claims: 24, 25, 26, 27, 28, 29

Specification