Security Program Boosts Healthcare Privacy

Wednesday, July 7, 2010 @ 01:07 PM gHale


Sometimes good ideas work in specific areas, get stored away for a while and then come back to help in other areas.
Take computer security for example. A computer security invention patented a decade ago at the National Institute of Standards and Technology (NIST) is now making a comeback to help safeguard patient privacy in hospitals.
The invention, which is an algorithm that can build into a larger piece of software, helps control access to information systems.


John Barkley, the algorithm’s creator, said the idea could solve one of the pervasive issues in the country’s health care system.
“We think this software will provide dramatically improved security and privacy to patients,” said Barkley, now retired from NIST’s Software and Systems Division and now consulting with Virtual Global, which is commercializing the product. “It solves the problem of overly broad access to patient information, which is widespread.”
Barkley’s efforts stretch back to the 1980s, when the computer tools available for protecting electronic information were poor. Generally, access to information was available to anyone whose name was on a specific list of authorized users, but a large organization might have thousands of restricted files, each with its own access list, which made security management awkward. Help came with the creation of Role-Based Access Control (RBAC), in which a person’s job function, not name, was the key to accessing a particular file. However, even RBAC could allow large numbers of people to have unlimited access to healthcare information, where it is crucial but difficult to guarantee patient privacy.
“We didn’t invent RBAC, but we wanted to systematize it and standardize it,” said Richard Kuhn of NIST’s Computer Security Division and Barkley’s former supervisor. “While we were working on this, John [Barkley] came up with a way to control access by using RBAC within the context of a lengthy, multistep task, and I suggested he patent it.”
In essence, the patent covers a method of ensuring that access to information is available to those who need it, but only when necessary. For example, at a hospital, the patient admission procedure involves a number of steps, and in each step someone needs access to the patient’s medical records for a specific purpose, like registering the patient or verifying their insurance information.
“Once you’ve been admitted to the hospital, the admissions staff doesn’t necessarily need access to your records anymore. But in many hospitals, those staff members nonetheless continue to have access to every record on file,” Barkley said. “Using the algorithm we patented, those staffers would only be able to access your record during admission processing. After that, they would find your information unavailable, though the doctor who was treating you would still have access to it.”
Virtual Global purchased the rights to the program and integrated it into its “HealthCapsule” cloud platform. Virtual Global is now using HealthCapsule to create a pilot security system for LIFE Pittsburgh, a long-term care facility.



Leave a Reply

You must be logged in to post a comment.