Software Security Patent Helps Improve Health IT Privacy

By HospiMedica International staff writers
Posted on 19 Jul 2010
A computer security invention patented a decade ago by the U.S. National Institute of Standards and Technology (NIST; Gaithersburg, MD, USA) is now poised to help safeguard patient privacy in hospitals.

The security patent involves a sequence managed by a workflow management system, which enacts each segment in the order specified by the process definition. Role-based access control (RBAC) is used to define membership of individuals in groups, and then to activate the roles with respect to the process at appropriate points in the sequence; any individual member belonging to the active role can perform the next step in the process. Changes in the duties and responsibilities of individuals as they change job assignments are greatly simplified, as their role memberships are simply reassigned; the workflow process is unaffected.

For example, at a hospital, the patient admission procedure involves a number of steps, and at each step, someone needs access to the patient's medical records for a specific purpose, such as registering the patient or verifying their insurance information. Once the patient is admitted to the hospital, the admissions staff does not necessarily need further access to health records. However, in many hospitals, those staff members nonetheless continue to have access to every record on file; by using the algorithm, those staff members would only be able to access the patient record during admission processing. After that, patient information would be unavailable to them, although the attending physician would still have access to it.
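The admission scenario above can be sketched as an added example; this is not NIST's patented algorithm or Virtual Global's product. The user names, role names, step names, and the idea of a "standing" role for the attending physician are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample data: who belongs to which role (hypothetical names).
ROLE_MEMBERS = {
    "admissions_clerk": {"alice"},
    "insurance_verifier": {"bob"},
    "attending_physician": {"dr_chen"},
}
# Process definition: ordered steps, each naming the role activated for it.
ADMISSION_PROCESS = [
    ("register_patient", "admissions_clerk"),
    ("verify_insurance", "insurance_verifier"),
]
# Assumption: roles whose record access does not depend on workflow position.
STANDING_ROLES = {"attending_physician"}


@dataclass
class WorkflowInstance:
    """One patient's run through the process; access follows the current step."""
    patient_id: str
    steps: list
    position: int = 0
    audit: list = field(default_factory=list)

    def active_role(self):
        # No role is active once every step has been completed.
        return self.steps[self.position][1] if self.position < len(self.steps) else None

    def can_access(self, user):
        # Membership is looked up at decision time, so reassigning a person's
        # roles takes effect without touching the process definition.
        roles = {r for r, members in ROLE_MEMBERS.items() if user in members}
        allowed = bool(roles & STANDING_ROLES) or self.active_role() in roles
        self.audit.append((user, self.patient_id, self.position, allowed))
        return allowed

    def complete_step(self, user):
        # Only a member of the currently active role may advance the workflow.
        role = self.active_role()
        if role is None or user not in ROLE_MEMBERS[role]:
            raise PermissionError(f"{user} is not in the active role")
        self.position += 1


if __name__ == "__main__":
    wf = WorkflowInstance("patient-001", ADMISSION_PROCESS)
    print(wf.can_access("alice"))   # clerk during registration
    wf.complete_step("alice")
    print(wf.can_access("alice"))   # clerk after registration is done
```

The audit list records every decision with the workflow position at which it was made, which is the data a reviewer would need to confirm that access ended when the step did.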

"We think this software will provide dramatically improved security and privacy to patients," said John Barkley, the algorithm's creator, who has retired from NIST's software and systems division and is now consulting for Virtual Global (Boston, MA, USA), the company that is commercializing the product. "It solves the problem of overly broad access to patient information, which is widespread."

"We didn't invent RBAC, but we wanted to systematize it and standardize it," said Richard Kuhn of NIST's computer security division, and Barkley's former supervisor. "While we were working on this, John [Barkley] came up with a way to control access by using RBAC within the context of a lengthy, multistep task, and I suggested he patent it."
