A computer security invention patented* a decade ago at the
National Institute of Standards and Technology (NIST) is now poised to
help safeguard patient privacy in hospitals.
 |
|
Photo courtesy GWImages/Shutterstock |
The invention—an algorithm that can be built into a larger piece of
software—is designed to control access to information systems, and it
has attracted the attention of a company that is putting it to use in
the health care field. John Barkley, the algorithm’s creator, says the
idea could solve one of the pervasive issues in the country’s health
care system.
“We think this software will provide dramatically improved security
and privacy to patients,” says Barkley, now retired from NIST’s Software
and Systems Division and now consulting with Virtual Global, which is
commercializing the product. “It solves the problem of overly broad
access to patient information, which is widespread.”
Barkley’s efforts stretch back to the 1980s, when the computer tools
available for protecting electronic information were poor. Generally,
access to information was available to anyone whose name was on a
specific list of authorized users, but a large organization might have
thousands of restricted files, each with its own access list—making
security management awkward. Help came with the creation of Role-Based
Access Control (RBAC), in which a person’s job function, not name, was
the key to accessing a particular file. However, even RBAC could allow
large numbers of people to have unlimited access to information—a
particular problem in health care, where it is crucial but difficult to
guarantee patient privacy.
“We didn’t invent RBAC, but we wanted to systematize it and
standardize it,” says Richard Kuhn of NIST’s Computer Security Division
and Barkley’s former supervisor. “While we were working on this, John
[Barkley] came up with a way to control access by using RBAC within the
context of a lengthy, multistep task, and I suggested he patent it.”
In essence, the patent covers a method of ensuring that access to
information is available to those who need it, but only when necessary.
For example, at a hospital, the patient admission procedure involves a
number of steps, and in each step someone needs access to the patient’s
medical records for a specific purpose, like registering the patient or
verifying their insurance information.
“Once you’ve been admitted to the hospital, the admissions staff
doesn’t necessarily need access to your records anymore. But in many
hospitals, those staff members nonetheless continue to have access to
every record on file,” Barkley explains. “Using the algorithm we
patented, those staffers would only be able to access your record during
admission processing. After that, they would find your information
unavailable—though the doctor who was treating you would still have
access to it.”
NIST released a Small Business Innovation Research solicitation in an
effort to find a company to develop a product from the patent in 2008,
which happened to be when Virtual Global, Inc., was searching for a way
to protect electronic records for its clients. The company purchased the
rights to it shortly thereafter and integrated the invention into its
“HealthCapsule” cloud platform. Virtual Global is now using
HealthCapsule to create a pilot security system for LIFE Pittsburgh, a
long-term care facility.
* J. Barkley. “Workflow Management Employing Role-Based Access
Control,” U.S. Patent No. 6,088,679. July 11, 2000. Available at http://www.itl.nist.gov/div897/staff/barkley/6088679.pdf
Media Contact: Chad Boutin, boutin@nist.gov, 301-975-4261
