US20070239998A1 - Dynamic binding of access and usage rights to computer-based resources - Google Patents

Dynamic binding of access and usage rights to computer-based resources Download PDF

Info

Publication number
US20070239998A1
US20070239998A1 US11/786,485 US78648507A US2007239998A1 US 20070239998 A1 US20070239998 A1 US 20070239998A1 US 78648507 A US78648507 A US 78648507A US 2007239998 A1 US2007239998 A1 US 2007239998A1
Authority
US
United States
Prior art keywords
content
user
security
access
secure
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US11/786,485
Inventor
Michael E. Beck
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
MEDOX TECHNOLOGIES Inc
Original Assignee
Medox Exchange Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Medox Exchange Inc filed Critical Medox Exchange Inc
Priority to US11/786,485 priority Critical patent/US20070239998A1/en
Assigned to MEDOX EXCHANGE, INC. reassignment MEDOX EXCHANGE, INC. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: BECK, MICHAEL E.
Publication of US20070239998A1 publication Critical patent/US20070239998A1/en
Assigned to MEDOX TECHNOLOGIES, INC. reassignment MEDOX TECHNOLOGIES, INC. CHANGE OF NAME (SEE DOCUMENT FOR DETAILS). Assignors: MEDOX EXCHANGE, INC.
Priority to US15/586,519 priority patent/US20180019990A1/en
Abandoned legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G16INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
    • G16HHEALTHCARE INFORMATICS, i.e. INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR THE HANDLING OR PROCESSING OF MEDICAL OR HEALTHCARE DATA
    • G16H50/00ICT specially adapted for medical diagnosis, medical simulation or medical data mining; ICT specially adapted for detecting, monitoring or modelling epidemics or pandemics
    • G16H50/20ICT specially adapted for medical diagnosis, medical simulation or medical data mining; ICT specially adapted for detecting, monitoring or modelling epidemics or pandemics for computer-aided diagnosis, e.g. based on medical expert systems
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/33User authentication using certificates
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/604Tools and structures for managing or administering access control systems
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245Protecting personal data, e.g. for financial or medical purposes
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6272Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database by registering files or documents with a third party
    • GPHYSICS
    • G16INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
    • G16HHEALTHCARE INFORMATICS, i.e. INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR THE HANDLING OR PROCESSING OF MEDICAL OR HEALTHCARE DATA
    • G16H10/00ICT specially adapted for the handling or processing of patient-related medical or healthcare data
    • G16H10/60ICT specially adapted for the handling or processing of patient-related medical or healthcare data for patient-specific data, e.g. for electronic patient records
    • GPHYSICS
    • G16INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
    • G16HHEALTHCARE INFORMATICS, i.e. INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR THE HANDLING OR PROCESSING OF MEDICAL OR HEALTHCARE DATA
    • G16H70/00ICT specially adapted for the handling or processing of medical references
    • G16H70/20ICT specially adapted for the handling or processing of medical references relating to practices or guidelines
    • GPHYSICS
    • G16INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
    • G16HHEALTHCARE INFORMATICS, i.e. INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR THE HANDLING OR PROCESSING OF MEDICAL OR HEALTHCARE DATA
    • G16H80/00ICT specially adapted for facilitating communication between medical practitioners or patients, e.g. for collaborative diagnosis, therapy or health monitoring
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/105Multiple levels of security

Definitions

  • the present disclosure relates to data processing by digital computer, and more particularly to dynamic binding of access and usage rights to computer-based resources.
  • content may be secured at a computer system, such as a personal computer or server computer system of a landscape of computers, using different techniques and/or mechanisms.
  • a computer system such as a personal computer or server computer system of a landscape of computers
  • an electronic document may be secured using encryption such that the document might not be viewed unless the document is decrypted.
  • Different types of access and usage rights may be associated with different credentials for access to content and usage of that content.
  • a non-administrative user may have access and usage rights that include viewing a document but not modifying the document; whereas, an administrative user may have access and usage rights to view and modify the document and each of those users may have different credentials.
  • Securing of content generally occurs at a content-level and removing of security generally occurs by a user who desires to access the content.
  • a document may be encrypted and the document may be decrypted by a user desiring to access the document.
  • the subject matter disclosed herein provides methods and apparatus, including computer program products, that implement techniques related to dynamic binding of access and usage rights to a computer-based resource.
  • data characterizing a request for content is received, a determination as to whether first security credentials authenticate a user is made, and, if so and the user is authorized to use the content, first security of the content is replaced with second security where replacing the first security includes removing the first security from the content in accordance with second security credentials.
  • the replacing of security may enable the user to perform actions to the content.
  • data characterizing a request for content is received at a server from a client; a determination is made as to whether first security credentials authenticate a user of the client; and, if the user is authenticated by the first security credentials and authorized to use the content, a first security of the content is replaced with a second security, where the replacing includes removing the first security from the content in accordance with second security credentials and the user is authorized to perform at least one action associated with the user at the server.
  • the subject matter may be implemented as, for example, computer program products (e.g., as source code or compiled code), computer-implemented methods, and systems.
  • Variations may include one or more of the following features.
  • the actions may be performed in accordance with terms and conditions for content use.
  • the user may be a person or a program.
  • Receiving data may be performed by a server application receiving the data from a client application performing the request, and the server application may perform replacing the security to move the content from a first trusted environment to a second trusted environment, where the second trusted environment includes a secure server session between the server and client applications.
  • Actions may include one or more types of actions authorized to be performed at a client of the user.
  • the content may be secured against access in accordance with a decryption scheme.
  • Removing the first security may include decrypting the content with the second security credentials not being available to the user.
  • Transmission of the content to the user may be initiated in accordance with a secure server session.
  • a determination may be made as to whether a user is authorized to perform the actions and the actions may only be performed if the user is authorized.
  • the determination may include determining whether a relationship exists with another user with whom a relationship indicates that authorization is to be provided.
  • the relationship may be explicit or implicit.
  • An existence of a relationship or attributes associated with a relationship may indicate whether authorization is to be provided.
  • a user may be authorized without regard to a relationship. For example, a user may be authorized based on a combination of a role of the user and a data content subject, and associated preferences.
  • authorization may be based on a set of roles and rules. For example, a doctor may be authorized based on the doctor having a doctor role and a rule declaring that authorization be granted in an emergency healthcare setting.
  • Authorization may be granted based on whether a user has access rights, usage rights, usage right conditions, or a combination of those rights. For example, a user may have rights to view and print clinical test results on a hospital computer, but not other computers, associated with a relationship. Usage rights and conditions for usage may be considered a subset of access rights.
  • a determination may be made as to whether the user is associated with rights to perform the access or use the content, and replacing the first security may include replacing the security if the user has the rights to perform the access.
  • the user may have rights to perform the access or use at a first time but not have the rights to perform the access or use at a second time later or earlier than the first time based on a modification of a policy of the user (e.g., preferences of usage rights of a relationship between a data content subject and data content recipient may be changed). For example, content may be issued such that access is granted and a user downloads secure content. And, at a later time, a data content subject may desire to revoke permission and the user is unable to use the content (e.g., denied viewing rights when requesting usage of the content).
  • a modification of a policy of the user e.g., preferences of usage rights of a relationship between a data content subject and data content recipient may be changed.
  • content may be issued such that access is granted and a user downloads secure content.
  • a data content subject may desire to revoke permission and the user is unable to use the content (e.g., denied viewing rights when requesting usage of the content).
  • Access of the content may be limited to a number of accesses or uses (e.g., a limit of printing five times).
  • the content may be medical health information, such as a secure electronic health record.
  • the content may be a component of an electronic medical record including multiple components, where the user is authorized for the content but not authorized for at least one other component.
  • the actions may include one or more of causing the content to be viewed, printed, copied, modified, or exported (e.g., removed from a security container).
  • the user may be authorized for at least one type of action but not other types of actions.
  • the user may be authorized for a set of actions different from actions authorized for another user.
  • Access and usage rights to secure content may be dynamically bound such that access and usage rights may change independent of security of content.
  • Access and usage rights may be considered dynamically bound as, for example, the rights need not be included with secured content and may be bound at a later time.
  • a client may need to request access and use of a secure document from a server, where access and usage rights may be changed from time to time.
  • access to secure content may be disabled even after it has been received by an intended recipient.
  • Documents may be secured such that security may only be removed by a server remote from clients and continuous data protection may be provided to documents.
  • Access logging may be performed at the server that grants access and usage rights, which may take advantage of the server's role in receiving requests for access and usage rights from a variety of sources and a requirement to use a server to request access and usage rights, such that the logging may be accurate.
  • Documents may be transportable and security may be maintained. For example, documents may be stored in a secure structure. By having a distributed architecture of secure content that is transportable, additional costs need not be incurred for storage of data in a centralized repository, for data to be specifically secured for each identified data content recipient, or for specific use of secure content that a data content recipient may require. In addition, in the health care environment such decentralized data ownership may assist in removing potential risk associated with storage of vast amounts of patient information.
  • FIG. 1 is a diagram of a system to provide dynamic binding of access and usage rights to computer-based resources.
  • FIG. 2 is a diagram of a system to provide generation of secure content, and dynamic binding of access and usage rights with a credential server.
  • FIG. 3 is a diagram of a structure for a secure document.
  • FIG. 4 is a flowchart illustrating a process of dynamic binding of access and usage rights.
  • the systems 100 , 200 of FIGS. 1 , 2 may provide a client access and use of secure data with authorization from a server.
  • there may be a number of relevant party roles and a user may have one or more of the roles.
  • the roles may be implicitly or explicitly assigned. For example, a doctor requesting information about a patient may be implicitly assigned a role as a data content recipient.
  • the roles may include: data content subject, a role describing a party about-whom data is being shared (e.g.
  • data content recipient a role describing a party who is seeking access to information regarding one or more data content subjects (the data may be packaged in a ‘secure container’ or ‘secure container holding’ as will be described later); data custodian, a role describing an owner of a source of information regarding a data content subject (e.g., in a health information environment, a doctor's office, hospital, or insurance company may have this role), which may be required by regulation or responsibility to log or control access to that information; data publisher, a role describing an aggregator of information regarding one or more data content subjects, who may additionally be a data publisher; relationship administrator, a role describing someone who represents a governing entity responsible for maintaining, or creating data content subject, data content recipient, and data custodian accounts (e.g., in a health information environment, an employer's group benefit's administrator or an insurance company's product contract group); and, a role describing a system administrator, who at a more supreme
  • party roles may have variances.
  • a data content owner may be a data content owner, and a data content custodian may have care over content or information of the data content owner.
  • an insured party may be a data content subject and data content owner, where an insurance company of the insured party is the data content owner; however, in another system, an insured party may be a data content subject but not a data content owner, and, an insurance party may be the data content owner and data content custodian.
  • FIG. 1 is a diagram of a system 100 to provide dynamic binding of access and usage rights.
  • the system 100 includes a client 110 , a server 120 , and a repository 130 of secure documents.
  • the client 1 10 may request access to components of secure documents in the repository 130 by requesting access from the server 120 .
  • the server 120 may authenticate the user and authorize access, use, or both at the client 110 .
  • Authorizing access or use may include sending to the client 110 a version of a component of a secure document having first type of security removed in lieu of a second type of security that can be removed by the client 110 .
  • a secure document may be a secure container for computer-based resources, or content, such as a secure container structure 300 of FIG. 3 and each of the components of a secure document may be one of secure holdings 310 , which contain computer-based resources.
  • Components of the secure documents at the repository 130 may be electronic documents or references to resources, such as electronic documents.
  • components of secure documents may include such computer-based resources, or content, such as audio, image, binary, and text files; these types of content and other computer-based resources, either singularly or in the aggregate collectively also referred to as computer files or documents.
  • a reference to a computer-based resource such as a uniform resource indicator (URI)
  • URI uniform resource indicator
  • the repository 130 may be shared among a number of potential recipients (e.g., a file server, and the like), shared between a number of potential recipients and data content subjects (e.g., a mobile phone, personal digital assistant, UNIVERSAL SERIAL BUS drive, and the like), or represent the attachment of the secure format to another secure or insecure format (e.g., as an email attachment, a multimedia mobile message service communication, network message, peer-to-peer computing communication, and the like).
  • a number of potential recipients e.g., a file server, and the like
  • data content subjects e.g., a mobile phone, personal digital assistant, UNIVERSAL SERIAL BUS drive, and the like
  • represent the attachment of the secure format to another secure or insecure format e.g., as an email attachment, a multimedia mobile message service communication, network message, peer-to-peer computing communication, and the like.
  • electronic medical records of a data subject may be stored in an encrypted format at the repository 130 of a data recipient.
  • the data recipient may request access from the server 120 to view a medical record through the client 110 by sending credentials, the medical record, and description of the action desired to be performed at the client 110 to the server 120 .
  • the server 120 may decrypt the record and re-encrypt the record in accordance with a session key negotiated with the client 110 .
  • the record, encrypted with the session key may be sent back to the client 110 by the server 120 . Then, the client 110 may allow usage of the record in accordance with the requested action.
  • Access and usage of the record may be in accordance with terms and conditions specified in the secure document, or the component of the secure document.
  • components of a secure document, rather than an entire secure document may be requested for access, sent to the server 120 , and decrypted.
  • the client 110 may allow for access and usage of components of secure documents of the repository 130 .
  • the types of access and usage may include viewing, copying (e.g., copying and pasting of text, screen captures, and the like), modifying, printing, exporting (e.g., exported from a security container or the client 110 ), and the like.
  • the client 110 includes a document viewer 140 .
  • the document viewer 140 may present documents to a user for which the client 110 has access and usage rights and allow for types of access and usage other than viewing to be performed depending on access and usage rights granted to the client 110 .
  • a user of the client 110 may be prevented from any type of access, in which case, a document might not be viewable.
  • a user of the client 110 may be allowed to view and print documents, but, might not be allowed to copy or modify documents.
  • the document viewer 140 may accept plug-ins.
  • a trusted extension may be a plug-in and the trusted extension may allow specific types of components of documents to be viewed.
  • a plug-in may perform optical character recognition of image files in the document viewer 140 .
  • the client 110 may be required to be a trusted client.
  • the client 110 may be authenticated by the server 120 as a client that ensures enforcement.
  • the client 110 may send authentication information to the server 120 to indicate the client 110 is a proper client for authorizing access or use of secure documents.
  • the client 110 may be proprietary to ensure enforcement of security (and, prevention of unauthorized access) or may be certified as following a specification for clients (or, client environments).
  • the client 110 may be a tool in a suite of software tools that make up an application and the tool may be certified as a client complying with a specification for security enforcement.
  • the client 110 may be a suite of software tools or programming interfaces that ensure enforcement of access and usage rights.
  • the client 110 may request access and usage rights from the server 120 by, as examples, establishing a secure server session, sending an application to application message, and the like.
  • the request may include different types of information.
  • a request may include metadata for a document and a secure version of the document.
  • other information may include, as example, a version of a client or the component of the secure document, key specifications (e.g., a reference or description of a key used for the component), or cryptography algorithms enforced or required for document security and access/use.
  • a document as part of a request may allow for distributed storage of documents and may facilitate transport of documents, as the server 120 need not store secure documents and users need not contact the server 120 to receive documents (e.g., secure, encrypted documents may be transferred or accessed via electronic mail, a UNIVERSAL SERIAL BUS-compliant memory key, mobile phone, personal digital assistant, and the like).
  • the document may be signed (e.g., cryptographically signed) such that the client 110 or server 120 may authenticate the document (e.g., to indicate a document has not been altered).
  • secure documents or portions of secure documents may be cached or stored at the server 120 and a request from client 110 may simply identify a secure document or portion of a secure document to be accessed without including that content along with user credentials and proposed action for usage at client 110 , such that the secure document or portion of secure document, which may be accessible only to server 120 , may have first security removed and second security added, and secure document or portion of secure document with second security is sent back to client 110 .
  • the document viewer 140 of the client 110 may allow for exploring of secure documents or components of secure documents of the repository 130 .
  • a user of the client 110 may browse a list of secure documents and may select a secure document to view, which may cause the document viewer 140 to request access for viewing the selected secure document.
  • the repository 130 may be remote (e.g., not proximal) from the client 110 such that secure documents or components of secure document may be accessed by browsing using protocols including FTP (File Transfer Protocol), WebDAV (Web Distributed Authoring And Versioning), HTTP/SHTTP (HyperText Transfer Protocol/Secure HyperText Transfer Protocol), and the like.
  • the client 110 may be embedded in other application or called by another application as a plug-in or helper to assist with the content type associated with the secure document or component of secure document type used for communication between client 110 and server 120 in a specific computing or operating environment. This association may occur by mechanisms including Internet Engineering Taskforce (IETF) specification compliant MIME (Multipurpose Internet Mail Extensions) type or operating system extension.
  • IETF Internet Engineering Taskforce
  • MIME Multipurpose Internet Mail Extensions
  • Some metadata of the secure documents may be viewed. For example, a name of a computer-based resource stored as a component of a secure document or a short description of that component of a secure document might be used and need not be secured from viewing by a user who has not been authenticated.
  • the server 120 may authorize access and use of secure documents of the repository 130 by authenticating a user with an authentication tool 160 and authorizing the user by removing security of a document with a security tool 170 .
  • the security tool 170 may be used to apply security to the document.
  • a user may request access to a document by sending a request from the client 110 to the server 120 and the server 120 may authenticate the user of the client 110 with the authentication tool 160 .
  • the security tool 170 may be used to remove the security from a secure document, and, the document may be sent to the client 110 with a different, second security for the document.
  • This second security may be specific to the client 110 , the user of client 110 , or negotiated as a characteristic of the specific use or request.
  • the server 120 may move a secure document from a first trusted environment to a second trusted environment by removing a first security and adding a second security.
  • the server 120 may also remove first security and add a second security for reasons other than changing trusted environments, including updating security with a type of security considered more secure, updating security with a type of security of varying strength or algorithm characteristic, or updating security with security supported with credentials that are issued to replace credentials that have expired with regard to previous security (e.g., a different set of credentials to be used to decrypt components of secure documents), or changing security as may be necessitated for distribution of content (e.g., for security supported by another platform).
  • the first security and the second security may use same or different techniques, mechanism, or a combination of the two.
  • the first security may use a same encryption technique as the second security but may require different credentials.
  • the secure documents of the repository 130 may be encrypted using a first security technique and the security tool 170 may be used to remove the encryption. Then, the security tool 170 may use a second type of security, such as a secure server session between the client 110 and server 120 to send the secure document or part of the secure document to the client 110 .
  • the first security of secure documents might only be removable at the server 120 to enhance security of the secure documents and the computer-based resources they contain (e.g., to avoid having to send a cryptographic private key to the client 110 to decrypt secure documents, which might jeopardize a trusted use of that private key if the key is intercepted or otherwise obtained by an unauthorized party).
  • secure documents of the repository 130 are secured to prevent access and use of their content.
  • each component of a secure document may be encrypted using an encryption scheme and the client 110 might not have a decryption engine, resources, or necessary credentials to decrypt the documents.
  • the server 120 may replace security of the documents with a security that can be removed by the client 110 (e.g., as a form of granting access).
  • multiple clients may share a same authentication and security tool of the server 120 .
  • multiple clients may request access to a component of a secure document from the server 120 and each client 110 may obtain access to that component using a negotiated second security that is different from the first security, but unique to itself, such that content may be accessed.
  • Separate credentials presented by client 110 to server 120 on behalf of a specific user of client 110 may be used as criteria for which a negotiated second security that allows for access to content of a secure document or component of a secure document to be obtained.
  • Access and usage rights may have a variety of properties, in addition to there being different types of access and usage rights.
  • access and usage rights may have temporal properties.
  • access and usage rights may be granted for a period of time, for as long as a client is in use, or as long as a negotiated, secure session between the client 110 and server 120 exists.
  • the document viewer 140 may present content to an authorized user until a secure session with the server 120 ends.
  • the system 100 of FIG. 1 includes a certain combination of features, additional, different, or fewer features may be included.
  • the authentication tool 160 may be a same tool as the security tool 170 .
  • components of documents, such as secure holdings or components of secure holdings, which are described with reference to FIG. 3 are granted access, access may be granted for entire documents.
  • the client 110 may have credentials in addition to user credentials by which the server may establish trust of the client (e.g., code signing of the client), such that the server 120 is able to verify that the client 110 adheres to established standards for governing user access and usage to data by the articulated authorization policy granted by the server 120 .
  • the server may establish trust of the client (e.g., code signing of the client), such that the server 120 is able to verify that the client 110 adheres to established standards for governing user access and usage to data by the articulated authorization policy granted by the server 120 .
  • FIG. 2 is a block diagram of a system 200 to provide generation of secure content (e.g., documents or components of documents), and dynamic binding of access and usage rights with a credential server 205 .
  • the system 200 includes many features of the system 100 of FIG. 1 and features having a same name may operate the same or similarly.
  • both systems 100 , 200 include a client 110 , 210 and a server 120 , 220 ; where the clients 110 , 210 may contact the servers 120 , 220 to obtain access and usage rights to content for which actions may be performed using the document viewers 140 , 240 .
  • the system 200 includes a credential server 205 , a relationship repository 225 , a secure document generation server 215 , information repository 235 , and log repository 250 .
  • information from the information repository 235 may be secured as a secure document such that the client 210 may only perform actions with the content of the secure document (e.g., a component of a secure document or an entire secure document) after obtaining authorization from the server 220 .
  • the sequence may be as follows.
  • Information from the information repository 235 may be packaged and secured in a document by the secure document generation server 215 in accordance with a specification for organizing the content and a policy of maintaining security (e.g., terms and conditions).
  • a policy or policies for organizing the content and maintaining security may be determined by preferences of a data content owner or data content subject as identified by a query of the credential server 205 (e.g., based on preferences associated with a relationship of a data content subject and data content recipient).
  • the information repository 235 appears paired with the secure document generation server 215 , that need not be the case.
  • the information repository 235 may reside on one or more servers remote from the secure document generation server 215 .
  • the secure document generation server 215 need not contact the information repository 235 directly to receive information.
  • a component may act as a data broker, and the data broker may include a tool that facilitates synchronous or asynchronous ETML (Extraction, Transformation, Move, and Load of data e.g., data need not be available when requested); or data-level, process-level, or service-level integration between the secure document generation server 215 and the information repository 235 where the data broker allows for aggregation and integration of content remote from the secure document generation server 215 .
  • ETML Extension, Transformation, Move, and Load
  • the client 210 may request content from a website 270 , which requests content from the secure document generation server 215 .
  • the client 210 may be authorized for downloading of content by the website 270 , which receives secure documents or components of secure documents from the secure document generation server 215 .
  • the secure document generation server 215 need not publish back to the website 270 .
  • secure documents or components of secure documents may be sent to a user in an electronic mail message, published to the repository 230 of secure documents (which, for example, may be shared by multiple clients), and the like.
  • a user need not use the client 210 to request content from the website 270 (e.g., the requesting of content and its viewing need not be combined features of the client 210 ).
  • the website 270 may receive credentials, such as a user name and password, from the client 210 .
  • credentials such as a user name and password
  • a user may request content directly from the website 270 .
  • the website 270 may contact the secure document generation server 215 for content.
  • the secure document generation server 215 may contact the credential server 205 to determine a policy of usage of the content (e.g., terms and conditions to be packaged with the content) and policy of generating the data (e.g., specification of a format for the data; e.g., a layout or specification of filtering of data).
  • the content that is requested by a potential data content recipient need not have a one to one cardinality between a data content subject and a data content recipient.
  • content may be requested for a number of data content subjects by a data content recipient.
  • content related to multiple data content subjects may be necessarily or, for convenience, packaged in a single secure document.
  • panel data that may be distributed in the interest of public health may be requested and that panel data may be based on multiple data content subjects.
  • the secure document generation server 215 may be able to generate a secure document with components that respect terms and conditions of use associated with each of the multiple data content subjects mentioned therein (e.g., a variety of policies may specify different terms and conditions for different data content subjects, and terms and conditions of those policies may be embedded in a secure document and adhered to by the client 210 ).
  • Policies for generating secure documents may depend on a data content recipient (e.g., for a recipient of a certain insurance company in Massachusetts, insurance companies in Massachusetts may have certain requirements different from other states or that company may have preferences that differ from other companies), relationship of data content subject and data content recipient, and the like.
  • the secure document generation server 215 may package the requested content in accordance with policies provided by the credential server 205 . Then, the user of client 210 may download the content as part of a secure document. In some implementations, access for downloading of content may be restricted and the secure document generation server 215 may contact the credential server 205 to determine whether content may be downloaded by an authenticated user or accessed by the an authenticated user using client 210 .
  • the client 210 may request access from the server 220 by sending the secure content and credentials for the user. Then, the server 220 may determine the user of client 210 is authorized based on the presented credentials, the server 220 may determine whether the client 210 is an authorized mechanism by which the authorized user is able to access the content (e.g., both of which may be occur with assistance of the credential server 205 ), and, the server 220 may decrypt the content and send the content to the client 210 . To send the content to the client 210 , the server 220 may secure the content in accordance with a session key negotiated with the client 210 or using other techniques or mechanisms that enable the client 210 to access the content.
  • a session key negotiated with the client 210 or using other techniques or mechanisms that enable the client 210 to access the content.
  • the server 220 may receive an indication of a type of access or usage requested and the server 220 may approve or deny a specific action.
  • Types of access and usage rights may depend on a user of the client 210 (e.g., different access and usage rights may be associated with different relationships of data content recipients and a data content subject), and the client 210 may enforce those access and usage rights and prevent unauthorized access.
  • access and usage rights may be restricted based on terms and conditions of a secure document or component of secure document that are included in a secure document. Access and usage rights may also be restricted based on capabilities of the client 210 to provide security or reliably restrict access or use by the data content recipient.
  • the terms and conditions may differ depending on a role of a data content recipient.
  • a system that accesses content as the client 210 may have a role as a research institution, and terms and conditions for usage of the content may be enforced based on that role (e.g., terms and conditions may differ across different roles).
  • terms and conditions may differ across different roles.
  • different conflict resolution procedures may be adhered (e.g., a broadest or most restrictive set of terms and conditions may be adhered).
  • the packaging and securing of content by the secure document generation server 215 may occur in response to a request for content from the client 210 or in response to other stimulus. For example, in a medical environment, a doctor may request results of an exam and that information may be packaged in a particular format and secured at the secure document generation server 215 . Documents may be encrypted using a cryptographic public key that corresponds to a cryptographic private key that is necessary for decryption at the server 220 . In some implementations, any number or types of security may be applied at the secure document generation server 215 .
  • the format for generating a secure document may be the format described with reference to FIG. 3 and preferences of the format of content of the holdings may be determined with reference to policies provided by the credential server 205 .
  • a number of formats may be supported (e.g., for different systems that use different formats).
  • Many different types of computer-based resources, or content may be in the information repository 235 .
  • the information may include insurance claims, bills, x-rays, test results, signed waivers, doctor observations, a medical history summary, and the like.
  • secure document generation servers such as the secure document generation server 215 may be deployed for distributed secure data generation.
  • a number of secure document generation servers may be distributed across different insurance companies and hospitals for generating secure versions of their respective information.
  • changes may be required to be performed at a source, such that a secure document generation server, such as the secure document generation server 215 , packages and secures updated content.
  • a secure document generation server such as the secure document generation server 215
  • access to secure documents in circulation may be disabled (e.g., a request of the server 220 to view a secure document or component of the secure document may be denied) and parties seeking access to changed content may be notified that updates may be retrieved.
  • status or awareness of updates may be published.
  • the secure document generation server 215 may publish updates to the client 220 or the website 270 .
  • the credential server 205 manages polices for access and usage of content that may be stored in a secure document such as the structure 300 of FIG. 3 , including specifications or policies of packaging of information in secure documents and usage of secure documents.
  • the credential server 205 may manage authentication and authorization of users (e.g., users of the website 270 or users who make requests for usage through the server 220 may be authenticated by the credential server 205 using combinations of security information managed by the credential server 205 ; e.g., the credential server 205 may issue credentials to the client 220 ).
  • the credential server 205 may provide for specification of preferences (e.g., preferences for terms and conditions of a secure document) and relationships (e.g., relationships among users and users, organizations and users, organizations and users, and organizations and organizations), in addition to generation, distribution, and revocation of policies (e.g., policies for generation of a secure document or terms and conditions of a secure document) and digital credentials.
  • preferences e.g., preferences for terms and conditions of a secure document
  • relationships e.g., relationships among users and users, organizations and users, organizations and users, and organizations and organizations
  • policies e.g., policies for generation of a secure document or terms and conditions of a secure document
  • digital credentials e.g., policies for generation of a secure document or terms and conditions of a secure document
  • the secure document generation server 215 may retrieve necessary key information from the credential server 205 to package a secure document that may take the form of a secure electronic health record, according to a specification that has been predefined with an insurance company for that specific insurance
  • the credential server 205 may use a relationship repository 225 to store relationships of individuals and organizations, and information about those individuals, organizations, and relationships. For example, a relationship between an insured party and an insurance company may be stored with preferences for access and usage of patient information of the insured party by the insurance company. For example, a relationship between a patient and a research institution may indicate that the research institution may view some types of medical information but not others (e.g., some types of secure holdings but not others).
  • the relationship repository 225 may be implemented as a hierarchical or relational directory, identity management repository, or custom repository or product where individual and organization references are associated with credentials for access to resources and other attributes.
  • Attributes may include types of access and usage rights for a relationship (e.g., view, print, copy, modify, and the like), access and usage conditions (e.g., restricting viewing by Internet Protocol address, a geography defined by an Internet Protocol address, a time period (e.g., authorization may be valid for ninety days), and the like), types of authorized information (e.g., in a health care environment claims information may be authorized for view by an insurance company but not a research institution), roles (e.g., in a health care environment, a data content recipient having a doctor role may have different access and usage rights than a data content recipient being a hospital administrator), or some combination of the above or other attributes.
  • types of authorized information e.g., in a health care environment claims information may be authorized for view by an insurance company but not a research institution
  • roles e.g., in a health care environment, a data content recipient having a doctor role may have different access and usage rights than a data content recipient being a hospital administrator
  • information about a component of a secure document may be used to classify the component such that it may be compared against attributes (e.g., metadata of a secure holding may indicate the holding includes claims information and an attribute of a relationship may indicate access and usage of the claims information is allowed).
  • access and usage rights need not be based on relationships between parties.
  • data content recipients may be associated with content that has access and usage rights attributes.
  • preferences for access of information may be based on a component level (e.g., in the structure 300 of FIG. 3 , on the granularity of a secure holding, such as a classification of secure holdings).
  • access and usage rights need not be associated with relationships between parties, but may be implicit or explicit preferences of a party.
  • access and usage rights may be implicit or explicit preferences of a data content subject or data content custodian.
  • a data content subject may have a general preference of sharing health plan membership information with any inquiring doctor, independent of an explicit relationship with that doctor or knowledge or trust (e.g., a direct or indirect relationship) of any of the doctor's know affiliates (e.g., staff, partners, locations of practice, and the like).
  • the credential server 205 may process a request for authorization (e.g., from a data content subject or data content custodian). Such a request may be forwarded to a data content subject or data content custodian, such that authorization may be permitted by user interaction. For example, a text message stating that a doctor is requesting access to a certain type of medical data may request a response for authorization being yes or no. Additional policies may be generated in response to such a request or may be considered a one-time exception to typical authorization processing. For example, a new relationship may be generated at the relationship repository 225 and that relationship may include attributes authorizing the data content recipient.
  • the server 220 may maintain a log of events in the log repository 250 . Different events may be logged. For example, the log may include an entry for each access, or attempted access, to a document by a client. Logged events may include varying granularities of detail. To ensure security of a log, the log may be encrypted, not include information that may easily be used to identify a person or company of which information is logged, or a combination of techniques and mechanisms may be implemented.
  • a log may be used to monitor access to and use of secure documents, parts of secure documents, or components of those parts that may assist ensuring security. For example, a data content subject may review log access to content distributed in secure documents which may provide assurance that unauthorized users have not accessed that content. In a health care environment, some users may be required to monitor medical information and a log may be used as a compliance verification tool to determine if someone is monitoring information. Logging may include both accesses that are approved and denied. In some implementations, logging of approvals may include limited information whereas denials may include detailed information (e.g., to assist in showing a policy prevented access to information).
  • an entry of an approval may include metadata about content approved and a data content recipient
  • a denial may further include a description of a policy of a user (e.g., a policy of a relationship of a data content subject and data content recipient) that led to a denial.
  • the log may be viewed by, as examples, a user of the website 270 (e.g., to data content subjects, data content recipients, data content custodians, and the like) or a system administrator of the server 220 .
  • Authorization to view the log may be provided based on attributes associated relationships in the relationship repository 225 (e.g., and governed by the credential server 205 ).
  • Contents or changes of a log may be distributed, or accessed as part of a secure or otherwise distributed communication to authorized parties that may have interest or requirements to observe the log and its changes.
  • a log may be distributed across different portions of one or more computer systems.
  • updates about access to a patient's medical history may be communicated to the patient in the form of a secure document, an electronic mail notification, a text message, and the like.
  • access to a patient's treatment eligibility or coverage information may be communicated to that patient's insurance company or payer, such that the organization may be notified of potential opportunity for investigating an incident that may be of interest.
  • system 200 of FIG. 2 includes a certain number and type of components, implementations may differ. For example, a number of clients, secure document generation servers, and servers may exist.
  • an interface for providing access or usage of data to a user need not be a website, such as the website 270 and the interface of the client 210 may differ.
  • a suite of web-accessible services such as services that might be accessed via SMS (Short Message Service), MMS (Multimedia Messaging Service), or IVR (Interactive Voice Response) system may be provided.
  • the services may be exposed by an underlying application programming interface that may communicate with the secure document generation server 215 , the credential server 205 , and the server 220 .
  • the client 210 may be a mobile phone that accepts and composes text messages, a telephone, personal data assistant, and the like.
  • the hosting and granularity of features may differ.
  • the server 220 , the website 270 , and the credential server 250 may be hosted at a same site, different sites, or some combination of hosting may be performed.
  • the hosting of repositories need not be paired with servers and intermediate components may exist.
  • the relationship repository 225 need not be paired with the credential server 205 and a server may be used to interface with the relationship repository 225 .
  • FIGS. 1 and 2 include a separation between a client 110 , 210 and a server 120 , 220 , such a division need not exist.
  • client and server may refer to client and server application programs, although, they may refer to client and server computer systems.
  • a client and server are generally remote from each other and typically interact through a communication network; however, a client and server need not have a dedicated connection.
  • the relationship of client and server may arise by virtue of one computer program, referred to as a server, providing a service to another computer program, referred to as a client.
  • the servers 220 , 120 may be referred to as a “clearing server,” and a combination of the credential server 205 and the server 220 may be referred to as a “policy server,” “identity management tool,” or “policy management tool.”
  • FIG. 3 is a diagram of a structure 300 for a secure document.
  • the structure 300 may be referred to as a secure container and includes the secure holdings 310 , metadata 320 , and a rights management specification 330 .
  • the structure 300 may be a structure of the secure documents of the repositories 130 , 230 of systems 100 , 200 of FIGS. 1 , 2 .
  • each of the secure holdings 310 may be one of the secure documents of the repository 130 of FIG. 1 .
  • the structure 300 in a health care environment the structure 300 may be a secure electronic health record of a data subject and each of the secure holdings 310 may be portions of a health record, such as a set of test results, an x-ray image, and the like.
  • the secure holdings 310 are components of the structure 300 and each of them may be secure from access.
  • each of the secure holdings 310 may be encrypted.
  • Each of the secure holdings 310 may have separate types of security or require separate credentials; a uniform type of security may be applied to the secure holdings 310 ; or some commonality of security may exist.
  • claims may be secured using a same protocol for their secure holdings while a different security protocol may be used for secure holdings of medical results, such as x-rays.
  • the secure holdings 310 may include information in addition to content. For example, terms and conditions of use of content of the secure holdings 310 may be encrypted with each of the secure holdings 310 .
  • terms and conditions may include a specification requiring the use of a specific issuing root public key certificate that is trusted to facilitate clearing of the content.
  • Each of the secure holdings 310 may further include a unique identifier that allows the secure holdings 310 to be tracked, along with the structure 300 that was used at the time the structure 300 was constructed.
  • the metadata 320 may include information about the structure 300 and the secure holdings.
  • the metadata 320 may include an index of the secure holdings 310 in the structure 300 and a general description of the structure 300 .
  • the metadata 320 may include non-sensitive biographical information about a patient and short descriptions of secure holdings 310 that may be searched on the basis of non-sensitive diagnosis and procedure codes. For example, information identifying a data content subject in one of the systems 100 , 200 of FIGS.
  • 1 , 2 may be included without identifying an individual outside of the system (e.g., an identifier of a patient used in the systems 100 , 200 but not related to a social security number), and that information may be used to identify the data content subject when determining whether a data content recipient is authorized to view secure holdings.
  • the rights management specification 330 may include a specification of data from a secure document generation server, such as the secure document generation server 215 , that details security for the secure holdings 310 .
  • a secure document generation server such as the secure document generation server 215
  • details security for the secure holdings 310 For example, in the health care environment, information about the building of a secure electronic health record may be included.
  • information for a client to access the secure holdings may be included in the rights management specification 330 .
  • information identifying a location of a server for providing authorization which may be referred to as a clearing server, and a specification of roles and credentials that are eligible for requesting content access.
  • the rights management specification 330 may be articulated in a declarative format (e.g., RFC 822 compliant file, eXtensible Markup Language dialect, runtime compiled scripting language, and the like) or programmatic format (e.g., application programming interface, and the like) used by a programmatic subsystem that encrypts data to generate a secure container.
  • a declarative format e.g., RFC 822 compliant file, eXtensible Markup Language dialect, runtime compiled scripting language, and the like
  • programmatic format e.g., application programming interface, and the like
  • FIG. 3 includes a certain number and type of features, additional, fewer, or different features may be included.
  • the rights management specification 330 may be combined with the metadata 320 .
  • FIG. 3 shows a first level of nesting of secure holdings 310 of the structure 300
  • a secure holding may have multiple secure sub-holdings.
  • the secure sub-holdings themselves may be documents that are separately encrypted or an entire secure holding of a secure document may be encrypted.
  • the security applied to sub-holdings may either be dependent or independent of the security applied to the secure holding of which it is apart.
  • different terms and conditions may be applied to different secure sub-holdings of the secure holding of a secure document.
  • content for multiple data content subjects may be organized into individual sub-holdings of a parent secure holding that represents a specific classification of population information (e.g., diagnosis or disease identification information) while each secure sub-holding is independently governed by access and usage policies appropriate for each respective data content subject.
  • population information e.g., diagnosis or disease identification information
  • FIG. 4 is a flowchart illustrating a process 400 of dynamic binding of access and usage rights.
  • the process 400 may be performed by the systems 100 , 200 of FIGS. 1 , 2 , or another system.
  • the process involves replacing security of secured content based on credentials that are different from credentials that may be used to remove the security.
  • Content may include secure holdings or portions of secure holdings of the structure 300 of FIG. 3 .
  • Data characterizing a request for secure content is received ( 410 ).
  • the request may be received at a server that services requests for authorizing access to content, such as the servers 120 , 200 of FIGS. 1 , 2 .
  • the request may have been generated by a client attempting to access secure content, such as the clients 110 , 210 of FIGS. 1 , 2 .
  • the data characterizing the request may be a message including the secure content and metadata for the secure content. For example, a secure holding of a medical record may be sent with an identifier of a data content subject.
  • the request may be generated by a user of a client or as part of a program. For example, a request may be generated when a program attempts to access secure content as part of performing a task that uses the content.
  • the request may further include one or more actions (e.g., types of actions) requested to be performed or authorized.
  • the first security credentials may be sent as part of a login procedure for authenticating a user (e.g., a person or a program) that attempts to access secure content. For example, as part of starting a secure server session with the server 120 of FIG. 1 , a user of the client 110 may enter a username and password to identify an account of the user.
  • the first security credentials may be used to identify an account associated with the credentials to determine whether the user is authorized to access or use the content.
  • the security of the content is replaced which includes removing the security of the content in accordance with second security credentials to enable actions to the content ( 430 ).
  • Removing the security may involve determining whether a user or account associated with the first security credentials is authorized to access the content.
  • the process may involve determining the types of access and usage rights allowed. For example, access right attributes may be associated with a relationship among any combination of users and organizations.
  • the process may involve determining whether a client is trusted for access or usage of content.
  • the first credentials may be used to identify an account of a data content recipient.
  • Metadata of a secure document that is sent with a request to access the document may be used to determine an account of the data content subject.
  • a logical structure capturing relationships such as a table of a database or configuration file, may be queried to determine if the data content subject and data content recipient have a direct or indirect relationship. If a relationship does not exist, the data content recipient might not be granted access. If a relationship does exist, the relationship may include access right preferences that may be used to determine access and usage rights to grant to a data content recipient (e.g., a user attempting to access content).
  • Default preferences of a data content subject or the preferences of their relationships may also be used to determine outcomes for authorization. For example, a patient might not have an express relationship regarding the ability to provide access to treatment eligibility information, but a relationship between the patient's employer and the patient's current insurance company may have specified this setting for the patient's authorization of this information by default.
  • the server 220 of FIG. 2 may decrypt a component of a document using a private key stored at the clearing center 205 and then encrypt the component of the document using a session key negotiated in a secure server session between the client 210 and the server 220 .
  • the purpose of having such a combination of removing security in lieu of other security may move a secure document from a first trusted environment to a second trusted environment.
  • security may be improved.
  • a client need not receive a key that may be used at any computer to decrypt an easily transportable version of the document, which may prevent exposure of security mechanisms; and, exposure of a session key of a single document that is expected to be in a second trusted environment for the length of a session might be considered a less significant security risk.
  • the content may be transmitted to a data content recipient that requested access.
  • transmission of the data may also include a specification of rights to be adhered to by the requestor. For example, access right preferences, such as authorizing viewing and printing but not copying content may be sent to the client 110 and enforced by the client 110 .
  • FIG. 4 has a certain combination of sub-processes in a certain order, additional, fewer, or different sub-processes may be used and the order may differ.
  • the determination of 420 may be made prior to receiving the request for access to content of 410 .
  • FIGS. 1-4 are discussed with references to examples in a health care environment, similar techniques and mechanisms may be employed in other environments.
  • a user generally refers to a person who manipulates an input device to interact with a computer; however, the term user need not be so limited.
  • a user may be a computer program that acts as a user.
  • the client 110 of FIG. 1 may be used by a program and such a client may include, for example, an application programming interface in lieu of a graphical user interface.
  • the subject matter described herein can be implemented in digital electronic circuitry, or in computer software, firmware, or hardware, including the structural means disclosed in this specification and structural equivalents thereof, or in combinations of them.
  • the subject matter described herein can be implemented as one or more computer program products, i.e., one or more computer programs tangibly embodied in an information carrier, e.g., in a machine-readable storage device or in a propagated signal, for execution by, or to control the operation of, data processing apparatus, e.g., a programmable processor, a computer, or multiple computers.
  • a computer program (also known as a program, software, software application, or code) can be written in any form of programming language, including compiled or interpreted languages, and it can be deployed in any form, including as a stand-alone program or as a module, component, subroutine, or other unit suitable for use in a computing environment.
  • a computer program does not necessarily correspond to a file.
  • a program can be stored in a portion of a file that holds other programs or data, in a single file dedicated to the program in question, or in multiple coordinated files (e.g., files that store one or more modules, sub-programs, or portions of code).
  • a computer program can be deployed to be executed on one computer or on multiple computers at one site or distributed across multiple sites and interconnected by a communication network.
  • processors suitable for the execution of a computer program include, by way of example, both general and special purpose microprocessors, and any one or more processors of any kind of digital computer.
  • a processor will receive instructions and data from a read-only memory or a random access memory or both.
  • the essential elements of a computer are a processor for executing instructions and one or more memory devices for storing instructions and data.
  • a computer will also include, or be operatively coupled to receive data from or transfer data to, or both, one or more mass storage devices for storing data, e.g., magnetic, magneto-optical disks, or optical disks.
  • Information carriers suitable for embodying computer program instructions and data include all forms of non-volatile memory, including by way of example semiconductor memory devices, e.g., EPROM, EEPROM, and flash memory devices; magnetic disks, e.g., internal hard disks or removable disks; magneto-optical disks; and CD-ROM and DVD-ROM disks.
  • semiconductor memory devices e.g., EPROM, EEPROM, and flash memory devices
  • magnetic disks e.g., internal hard disks or removable disks
  • magneto-optical disks e.g., CD-ROM and DVD-ROM disks.
  • the processor and the memory can be supplemented by, or incorporated in, special purpose logic circuitry.
  • the subject matter described herein can be implemented on a computer having a display device, e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor, for displaying information to the user and a keyboard and a pointing device, e.g., a mouse or a trackball, by which the user can provide input to the computer.
  • a display device e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor
  • a keyboard and a pointing device e.g., a mouse or a trackball
  • Other kinds of devices can be used to provide for interaction with a user as well; for example, feedback provided to the user can be any form of sensory feedback, e.g., visual feedback, auditory feedback, or tactile feedback; and input from the user can be received in any form, including acoustic, speech, or tactile input.
  • the subject matter described herein can be implemented in a computing system that includes a back-end component (e.g., a data server), a middleware component (e.g., an application server), or a front-end component (e.g., a client computer having a graphical user interface or a web browser through which a user can interact with an implementation of the subject matter described herein), or any combination of such back-end, middleware, and front-end components.
  • the components of the system can be interconnected by any form or medium of digital data communication, e.g., a communication network. Examples of communication networks include a local area network (“LAN”) and a wide area network (“WAN”), e.g., the Internet.
  • LAN local area network
  • WAN wide area network
  • the computing system can include clients and servers.
  • a client and server are generally remote from each other in a logical sense and typically interact through a communication network.
  • the relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other.

Abstract

Methods and apparatus, including computer program products, related to dynamic binding of access and usage rights to a computer-based resource. In general, data characterizing a request for content is received, a determination as to whether first security credentials authenticate a user is made, and, if so and the user is authorized to access or use the content, security is of the content is replaced. Replacing security may involve removing the security from the content in accordance with second security credentials. The removal of security may enable the user to perform actions to the content. The removal of security may be followed with an addition of security of a second type such that content is moved from a first trusted environment to a second trusted environment.

Description

    CROSS REFERENCE TO RELATED APPLICATIONS
  • This application claims the benefit of U.S. Provisional Patent Application entitled “Trusted Third Party Authorization”, filed Apr. 11, 2006, Application Ser. No. 60/791,289, the contents of which are hereby fully incorporated by reference.
    • BACKGROUND
  • The present disclosure relates to data processing by digital computer, and more particularly to dynamic binding of access and usage rights to computer-based resources.
  • In general, content may be secured at a computer system, such as a personal computer or server computer system of a landscape of computers, using different techniques and/or mechanisms. For example, an electronic document may be secured using encryption such that the document might not be viewed unless the document is decrypted.
  • Different types of access and usage rights may be associated with different credentials for access to content and usage of that content. For example, a non-administrative user may have access and usage rights that include viewing a document but not modifying the document; whereas, an administrative user may have access and usage rights to view and modify the document and each of those users may have different credentials.
  • Securing of content generally occurs at a content-level and removing of security generally occurs by a user who desires to access the content. For example, a document may be encrypted and the document may be decrypted by a user desiring to access the document.
    • SUMMARY
  • The subject matter disclosed herein provides methods and apparatus, including computer program products, that implement techniques related to dynamic binding of access and usage rights to a computer-based resource.
  • In one aspect, data characterizing a request for content is received, a determination as to whether first security credentials authenticate a user is made, and, if so and the user is authorized to use the content, first security of the content is replaced with second security where replacing the first security includes removing the first security from the content in accordance with second security credentials. The replacing of security may enable the user to perform actions to the content.
  • In a related aspect, data characterizing a request for content is received at a server from a client; a determination is made as to whether first security credentials authenticate a user of the client; and, if the user is authenticated by the first security credentials and authorized to use the content, a first security of the content is replaced with a second security, where the replacing includes removing the first security from the content in accordance with second security credentials and the user is authorized to perform at least one action associated with the user at the server.
  • The subject matter may be implemented as, for example, computer program products (e.g., as source code or compiled code), computer-implemented methods, and systems.
  • Variations may include one or more of the following features.
  • The actions may be performed in accordance with terms and conditions for content use. For example, terms and conditions in the content specified by a data content custodian, data content subject, or the like.
  • The user may be a person or a program.
  • Receiving data may be performed by a server application receiving the data from a client application performing the request, and the server application may perform replacing the security to move the content from a first trusted environment to a second trusted environment, where the second trusted environment includes a secure server session between the server and client applications.
  • Actions may include one or more types of actions authorized to be performed at a client of the user.
  • The content may be secured against access in accordance with a decryption scheme. Removing the first security may include decrypting the content with the second security credentials not being available to the user. Transmission of the content to the user may be initiated in accordance with a secure server session.
  • A determination may be made as to whether a user is authorized to perform the actions and the actions may only be performed if the user is authorized. The determination may include determining whether a relationship exists with another user with whom a relationship indicates that authorization is to be provided. The relationship may be explicit or implicit. An existence of a relationship or attributes associated with a relationship may indicate whether authorization is to be provided. A user may be authorized without regard to a relationship. For example, a user may be authorized based on a combination of a role of the user and a data content subject, and associated preferences. As another example, authorization may be based on a set of roles and rules. For example, a doctor may be authorized based on the doctor having a doctor role and a rule declaring that authorization be granted in an emergency healthcare setting. Authorization may be granted based on whether a user has access rights, usage rights, usage right conditions, or a combination of those rights. For example, a user may have rights to view and print clinical test results on a hospital computer, but not other computers, associated with a relationship. Usage rights and conditions for usage may be considered a subset of access rights.
  • A determination may be made as to whether the user is associated with rights to perform the access or use the content, and replacing the first security may include replacing the security if the user has the rights to perform the access.
  • The user may have rights to perform the access or use at a first time but not have the rights to perform the access or use at a second time later or earlier than the first time based on a modification of a policy of the user (e.g., preferences of usage rights of a relationship between a data content subject and data content recipient may be changed). For example, content may be issued such that access is granted and a user downloads secure content. And, at a later time, a data content subject may desire to revoke permission and the user is unable to use the content (e.g., denied viewing rights when requesting usage of the content).
  • Access of the content may be limited to a number of accesses or uses (e.g., a limit of printing five times).
  • The content may be medical health information, such as a secure electronic health record.
  • The content may be a component of an electronic medical record including multiple components, where the user is authorized for the content but not authorized for at least one other component.
  • The actions may include one or more of causing the content to be viewed, printed, copied, modified, or exported (e.g., removed from a security container).
  • The user may be authorized for at least one type of action but not other types of actions.
  • The user may be authorized for a set of actions different from actions authorized for another user.
  • The subject matter described herein can be implemented to realize one or more of the following advantages. Access and usage rights to secure content may be dynamically bound such that access and usage rights may change independent of security of content. Access and usage rights may be considered dynamically bound as, for example, the rights need not be included with secured content and may be bound at a later time. For example, a client may need to request access and use of a secure document from a server, where access and usage rights may be changed from time to time. For example, access to secure content may be disabled even after it has been received by an intended recipient. Documents may be secured such that security may only be removed by a server remote from clients and continuous data protection may be provided to documents. Access logging may be performed at the server that grants access and usage rights, which may take advantage of the server's role in receiving requests for access and usage rights from a variety of sources and a requirement to use a server to request access and usage rights, such that the logging may be accurate. Documents may be transportable and security may be maintained. For example, documents may be stored in a secure structure. By having a distributed architecture of secure content that is transportable, additional costs need not be incurred for storage of data in a centralized repository, for data to be specifically secured for each identified data content recipient, or for specific use of secure content that a data content recipient may require. In addition, in the health care environment such decentralized data ownership may assist in removing potential risk associated with storage of vast amounts of patient information.
  • Details of one or more implementations are set forth in the accompanying drawings and in the description below. Further features, aspects, and advantages will become apparent from the description, the drawings, and the claims.
    • BRIEF DESCRIPTION OF THE DRAWINGS
  • FIG. 1 is a diagram of a system to provide dynamic binding of access and usage rights to computer-based resources.
  • FIG. 2 is a diagram of a system to provide generation of secure content, and dynamic binding of access and usage rights with a credential server.
  • FIG. 3 is a diagram of a structure for a secure document.
  • FIG. 4 is a flowchart illustrating a process of dynamic binding of access and usage rights.
    •
  • Like reference numbers and designations in the various drawings indicate like elements.
    • DETAILED DESCRIPTION
  • In general, the systems 100, 200 of FIGS. 1, 2 may provide a client access and use of secure data with authorization from a server. In the systems 100, 200, there may be a number of relevant party roles, and a user may have one or more of the roles. The roles may be implicitly or explicitly assigned. For example, a doctor requesting information about a patient may be implicitly assigned a role as a data content recipient. The roles may include: data content subject, a role describing a party about-whom data is being shared (e.g. in a health information environment, it may be a patient); data content recipient, a role describing a party who is seeking access to information regarding one or more data content subjects (the data may be packaged in a ‘secure container’ or ‘secure container holding’ as will be described later); data custodian, a role describing an owner of a source of information regarding a data content subject (e.g., in a health information environment, a doctor's office, hospital, or insurance company may have this role), which may be required by regulation or responsibility to log or control access to that information; data publisher, a role describing an aggregator of information regarding one or more data content subjects, who may additionally be a data publisher; relationship administrator, a role describing someone who represents a governing entity responsible for maintaining, or creating data content subject, data content recipient, and data custodian accounts (e.g., in a health information environment, an employer's group benefit's administrator or an insurance company's product contract group); and, a role describing a system administrator, who at a more supreme level may manage relationships (e.g., relationships between data subjects and data content recipients) and accounts (e.g., information about a data content subject or data custodian) in the systems 100, 200. In some implementations a program may be a user that has one or more roles. For example, a program may be a data content recipient and may request data in either of the systems 100, 200 of FIGS. 1 and 2.
  • In some implementations party roles may have variances. For example, there may be a distinction between a data content owner and data content custodian. For example, a data content subject may be a data content owner, and a data content custodian may have care over content or information of the data content owner. For example, in one system an insured party may be a data content subject and data content owner, where an insurance company of the insured party is the data content owner; however, in another system, an insured party may be a data content subject but not a data content owner, and, an insurance party may be the data content owner and data content custodian.
  • FIG. 1 is a diagram of a system 100 to provide dynamic binding of access and usage rights. The system 100 includes a client 110, a server 120, and a repository 130 of secure documents. In general, the client 1 10 may request access to components of secure documents in the repository 130 by requesting access from the server 120. Then, the server 120 may authenticate the user and authorize access, use, or both at the client 110. Authorizing access or use may include sending to the client 110 a version of a component of a secure document having first type of security removed in lieu of a second type of security that can be removed by the client 110.
  • In general, a secure document may be a secure container for computer-based resources, or content, such as a secure container structure 300 of FIG. 3 and each of the components of a secure document may be one of secure holdings 310, which contain computer-based resources. Components of the secure documents at the repository 130 may be electronic documents or references to resources, such as electronic documents. For example, components of secure documents may include such computer-based resources, or content, such as audio, image, binary, and text files; these types of content and other computer-based resources, either singularly or in the aggregate collectively also referred to as computer files or documents. As another example, a reference to a computer-based resource, such as a uniform resource indicator (URI), may be encrypted in a component of the secure document, the component may be decrypted, and the uniform resource indicator may be used to download and access the computer-based resource referred to by the uniform resource indicator.
  • The repository 130 may be shared among a number of potential recipients (e.g., a file server, and the like), shared between a number of potential recipients and data content subjects (e.g., a mobile phone, personal digital assistant, UNIVERSAL SERIAL BUS drive, and the like), or represent the attachment of the secure format to another secure or insecure format (e.g., as an email attachment, a multimedia mobile message service communication, network message, peer-to-peer computing communication, and the like).
  • As an example of operation of the system 100, electronic medical records of a data subject may be stored in an encrypted format at the repository 130 of a data recipient. The data recipient may request access from the server 120 to view a medical record through the client 110 by sending credentials, the medical record, and description of the action desired to be performed at the client 110 to the server 120. Based on the credentials authenticating the client 110 and authorization of usage of the record, the server 120 may decrypt the record and re-encrypt the record in accordance with a session key negotiated with the client 110. The record, encrypted with the session key, may be sent back to the client 110 by the server 120. Then, the client 110 may allow usage of the record in accordance with the requested action. Access and usage of the record may be in accordance with terms and conditions specified in the secure document, or the component of the secure document. In some implementations, components of a secure document, rather than an entire secure document, may be requested for access, sent to the server 120, and decrypted.
  • The client 110 may allow for access and usage of components of secure documents of the repository 130. The types of access and usage may include viewing, copying (e.g., copying and pasting of text, screen captures, and the like), modifying, printing, exporting (e.g., exported from a security container or the client 110), and the like.
  • The client 110 includes a document viewer 140. The document viewer 140 may present documents to a user for which the client 110 has access and usage rights and allow for types of access and usage other than viewing to be performed depending on access and usage rights granted to the client 110. For example, a user of the client 110 may be prevented from any type of access, in which case, a document might not be viewable. As another example, a user of the client 110 may be allowed to view and print documents, but, might not be allowed to copy or modify documents.
  • The document viewer 140 may accept plug-ins. For example, a trusted extension may be a plug-in and the trusted extension may allow specific types of components of documents to be viewed. As another example, a plug-in may perform optical character recognition of image files in the document viewer 140.
  • To ensure enforcement of access and usage rights, the client 110 may be required to be a trusted client. For example, the client 110 may be authenticated by the server 120 as a client that ensures enforcement. For example, the client 110 may send authentication information to the server 120 to indicate the client 110 is a proper client for authorizing access or use of secure documents. For example, the client 110 may be proprietary to ensure enforcement of security (and, prevention of unauthorized access) or may be certified as following a specification for clients (or, client environments). For example, the client 110 may be a tool in a suite of software tools that make up an application and the tool may be certified as a client complying with a specification for security enforcement. As another example, the client 110 may be a suite of software tools or programming interfaces that ensure enforcement of access and usage rights.
  • The client 110 may request access and usage rights from the server 120 by, as examples, establishing a secure server session, sending an application to application message, and the like. The request may include different types of information. For example, a request may include metadata for a document and a secure version of the document. In addition to metadata, other information may include, as example, a version of a client or the component of the secure document, key specifications (e.g., a reference or description of a key used for the component), or cryptography algorithms enforced or required for document security and access/use.
  • Advantageously, including a document as part of a request may allow for distributed storage of documents and may facilitate transport of documents, as the server 120 need not store secure documents and users need not contact the server 120 to receive documents (e.g., secure, encrypted documents may be transferred or accessed via electronic mail, a UNIVERSAL SERIAL BUS-compliant memory key, mobile phone, personal digital assistant, and the like). In addition, the document may be signed (e.g., cryptographically signed) such that the client 110 or server 120 may authenticate the document (e.g., to indicate a document has not been altered). In some implementations, to reduce network bandwidth consumption or unnecessary storage by data content recipients, secure documents or portions of secure documents may be cached or stored at the server 120 and a request from client 110 may simply identify a secure document or portion of a secure document to be accessed without including that content along with user credentials and proposed action for usage at client 110, such that the secure document or portion of secure document, which may be accessible only to server 120, may have first security removed and second security added, and secure document or portion of secure document with second security is sent back to client 110.
  • The document viewer 140 of the client 110 may allow for exploring of secure documents or components of secure documents of the repository 130. For example, a user of the client 110 may browse a list of secure documents and may select a secure document to view, which may cause the document viewer 140 to request access for viewing the selected secure document. The repository 130 may be remote (e.g., not proximal) from the client 110 such that secure documents or components of secure document may be accessed by browsing using protocols including FTP (File Transfer Protocol), WebDAV (Web Distributed Authoring And Versioning), HTTP/SHTTP (HyperText Transfer Protocol/Secure HyperText Transfer Protocol), and the like. The client 110 may be embedded in other application or called by another application as a plug-in or helper to assist with the content type associated with the secure document or component of secure document type used for communication between client 110 and server 120 in a specific computing or operating environment. This association may occur by mechanisms including Internet Engineering Taskforce (IETF) specification compliant MIME (Multipurpose Internet Mail Extensions) type or operating system extension. To allow for management of secure documents before access and usage rights have been granted, some metadata of the secure documents may be viewed. For example, a name of a computer-based resource stored as a component of a secure document or a short description of that component of a secure document might be used and need not be secured from viewing by a user who has not been authenticated.
  • The server 120 may authorize access and use of secure documents of the repository 130 by authenticating a user with an authentication tool 160 and authorizing the user by removing security of a document with a security tool 170. In addition to removing security, the security tool 170 may be used to apply security to the document. For example, a user may request access to a document by sending a request from the client 110 to the server 120 and the server 120 may authenticate the user of the client 110 with the authentication tool 160. Then, if authenticated and authorized, the security tool 170 may be used to remove the security from a secure document, and, the document may be sent to the client 110 with a different, second security for the document. This second security may be specific to the client 110, the user of client 110, or negotiated as a characteristic of the specific use or request.
  • In some implementations, the server 120 may move a secure document from a first trusted environment to a second trusted environment by removing a first security and adding a second security. The server 120 may also remove first security and add a second security for reasons other than changing trusted environments, including updating security with a type of security considered more secure, updating security with a type of security of varying strength or algorithm characteristic, or updating security with security supported with credentials that are issued to replace credentials that have expired with regard to previous security (e.g., a different set of credentials to be used to decrypt components of secure documents), or changing security as may be necessitated for distribution of content (e.g., for security supported by another platform).
  • The first security and the second security may use same or different techniques, mechanism, or a combination of the two. For example, the first security may use a same encryption technique as the second security but may require different credentials. As another example, the secure documents of the repository 130 may be encrypted using a first security technique and the security tool 170 may be used to remove the encryption. Then, the security tool 170 may use a second type of security, such as a secure server session between the client 110 and server 120 to send the secure document or part of the secure document to the client 110. Advantageously, the first security of secure documents might only be removable at the server 120 to enhance security of the secure documents and the computer-based resources they contain (e.g., to avoid having to send a cryptographic private key to the client 110 to decrypt secure documents, which might jeopardize a trusted use of that private key if the key is intercepted or otherwise obtained by an unauthorized party).
  • In general, secure documents of the repository 130 are secured to prevent access and use of their content. For example, each component of a secure document may be encrypted using an encryption scheme and the client 110 might not have a decryption engine, resources, or necessary credentials to decrypt the documents. To access the content of the documents, as described above, the server 120 may replace security of the documents with a security that can be removed by the client 110 (e.g., as a form of granting access). In some implementations, multiple clients may share a same authentication and security tool of the server 120. For example, multiple clients may request access to a component of a secure document from the server 120 and each client 110 may obtain access to that component using a negotiated second security that is different from the first security, but unique to itself, such that content may be accessed. Separate credentials presented by client 110 to server 120 on behalf of a specific user of client 110 may be used as criteria for which a negotiated second security that allows for access to content of a secure document or component of a secure document to be obtained.
  • Access and usage rights may have a variety of properties, in addition to there being different types of access and usage rights. For example, access and usage rights may have temporal properties. For example, access and usage rights may be granted for a period of time, for as long as a client is in use, or as long as a negotiated, secure session between the client 110 and server 120 exists. For example, in response to receiving access and usage rights, the document viewer 140 may present content to an authorized user until a secure session with the server 120 ends.
  • Although the system 100 of FIG. 1 includes a certain combination of features, additional, different, or fewer features may be included. For example, the authentication tool 160 may be a same tool as the security tool 170. As another example, although components of documents, such as secure holdings or components of secure holdings, which are described with reference to FIG. 3, are granted access, access may be granted for entire documents.
  • The client 110 may have credentials in addition to user credentials by which the server may establish trust of the client (e.g., code signing of the client), such that the server 120 is able to verify that the client 110 adheres to established standards for governing user access and usage to data by the articulated authorization policy granted by the server 120.
  • FIG. 2 is a block diagram of a system 200 to provide generation of secure content (e.g., documents or components of documents), and dynamic binding of access and usage rights with a credential server 205. The system 200 includes many features of the system 100 of FIG. 1 and features having a same name may operate the same or similarly. For example, both systems 100, 200 include a client 110, 210 and a server 120, 220; where the clients 110, 210 may contact the servers 120, 220 to obtain access and usage rights to content for which actions may be performed using the document viewers 140, 240. In addition to the features of the system 100 of FIG. 1, the system 200 includes a credential server 205, a relationship repository 225, a secure document generation server 215, information repository 235, and log repository 250.
  • In general, in the system 200, information from the information repository 235 may be secured as a secure document such that the client 210 may only perform actions with the content of the secure document (e.g., a component of a secure document or an entire secure document) after obtaining authorization from the server 220. From the generation of a secure content to its viewing, the sequence may be as follows. Information from the information repository 235 may be packaged and secured in a document by the secure document generation server 215 in accordance with a specification for organizing the content and a policy of maintaining security (e.g., terms and conditions). A policy or policies for organizing the content and maintaining security may be determined by preferences of a data content owner or data content subject as identified by a query of the credential server 205 (e.g., based on preferences associated with a relationship of a data content subject and data content recipient).
  • Although the information repository 235 appears paired with the secure document generation server 215, that need not be the case. For example, the information repository 235 may reside on one or more servers remote from the secure document generation server 215. Also, the secure document generation server 215 need not contact the information repository 235 directly to receive information. For example, a component may act as a data broker, and the data broker may include a tool that facilitates synchronous or asynchronous ETML (Extraction, Transformation, Move, and Load of data e.g., data need not be available when requested); or data-level, process-level, or service-level integration between the secure document generation server 215 and the information repository 235 where the data broker allows for aggregation and integration of content remote from the secure document generation server 215.
  • The client 210 may request content from a website 270, which requests content from the secure document generation server 215. The client 210 may be authorized for downloading of content by the website 270, which receives secure documents or components of secure documents from the secure document generation server 215. In some implementations, the secure document generation server 215 need not publish back to the website 270. For example, secure documents or components of secure documents may be sent to a user in an electronic mail message, published to the repository 230 of secure documents (which, for example, may be shared by multiple clients), and the like. In some implementations, a user need not use the client 210 to request content from the website 270 (e.g., the requesting of content and its viewing need not be combined features of the client 210).
  • As an example of the client 210 requesting content, the website 270 may receive credentials, such as a user name and password, from the client 210. As another example, a user may request content directly from the website 270. In either case, if the user is authenticated and authorized, the content may be downloaded. Following the examples, the website 270 may contact the secure document generation server 215 for content. Then, the secure document generation server 215 may contact the credential server 205 to determine a policy of usage of the content (e.g., terms and conditions to be packaged with the content) and policy of generating the data (e.g., specification of a format for the data; e.g., a layout or specification of filtering of data).
  • The content that is requested by a potential data content recipient need not have a one to one cardinality between a data content subject and a data content recipient. For example, content may be requested for a number of data content subjects by a data content recipient. In some cases, content related to multiple data content subjects may be necessarily or, for convenience, packaged in a single secure document. For example, panel data that may be distributed in the interest of public health may be requested and that panel data may be based on multiple data content subjects. To accommodate for multiple secure content subjects, the secure document generation server 215 may be able to generate a secure document with components that respect terms and conditions of use associated with each of the multiple data content subjects mentioned therein (e.g., a variety of policies may specify different terms and conditions for different data content subjects, and terms and conditions of those policies may be embedded in a secure document and adhered to by the client 210).
  • Policies for generating secure documents may depend on a data content recipient (e.g., for a recipient of a certain insurance company in Massachusetts, insurance companies in Massachusetts may have certain requirements different from other states or that company may have preferences that differ from other companies), relationship of data content subject and data content recipient, and the like. The secure document generation server 215 may package the requested content in accordance with policies provided by the credential server 205. Then, the user of client 210 may download the content as part of a secure document. In some implementations, access for downloading of content may be restricted and the secure document generation server 215 may contact the credential server 205 to determine whether content may be downloaded by an authenticated user or accessed by the an authenticated user using client 210.
  • To view or otherwise access the content, the client 210 may request access from the server 220 by sending the secure content and credentials for the user. Then, the server 220 may determine the user of client 210 is authorized based on the presented credentials, the server 220 may determine whether the client 210 is an authorized mechanism by which the authorized user is able to access the content (e.g., both of which may be occur with assistance of the credential server 205), and, the server 220 may decrypt the content and send the content to the client 210. To send the content to the client 210, the server 220 may secure the content in accordance with a session key negotiated with the client 210 or using other techniques or mechanisms that enable the client 210 to access the content. In implementations involving different types of access and usage rights, the server 220 may receive an indication of a type of access or usage requested and the server 220 may approve or deny a specific action. Types of access and usage rights may depend on a user of the client 210 (e.g., different access and usage rights may be associated with different relationships of data content recipients and a data content subject), and the client 210 may enforce those access and usage rights and prevent unauthorized access. In some implementations, access and usage rights may be restricted based on terms and conditions of a secure document or component of secure document that are included in a secure document. Access and usage rights may also be restricted based on capabilities of the client 210 to provide security or reliably restrict access or use by the data content recipient. In addition, the terms and conditions may differ depending on a role of a data content recipient. For example, a system that accesses content as the client 210 may have a role as a research institution, and terms and conditions for usage of the content may be enforced based on that role (e.g., terms and conditions may differ across different roles). For users having multiple roles, different conflict resolution procedures may be adhered (e.g., a broadest or most restrictive set of terms and conditions may be adhered).
  • The packaging and securing of content by the secure document generation server 215 may occur in response to a request for content from the client 210 or in response to other stimulus. For example, in a medical environment, a doctor may request results of an exam and that information may be packaged in a particular format and secured at the secure document generation server 215. Documents may be encrypted using a cryptographic public key that corresponds to a cryptographic private key that is necessary for decryption at the server 220. In some implementations, any number or types of security may be applied at the secure document generation server 215. Different types of security may have different strengths (e.g., one cryptographic algorithm strength may be inherently stronger than another, or alternatively the same cryptographic algorithm may be made stronger by altering the keys or other inputs to the algorithm used). The format for generating a secure document may be the format described with reference to FIG. 3 and preferences of the format of content of the holdings may be determined with reference to policies provided by the credential server 205. In some implementations, a number of formats may be supported (e.g., for different systems that use different formats). Many different types of computer-based resources, or content, may be in the information repository 235. For example, in a health care environment, the information may include insurance claims, bills, x-rays, test results, signed waivers, doctor observations, a medical history summary, and the like.
  • Any number of secure document generation servers, such as the secure document generation server 215 may be deployed for distributed secure data generation. For example, in a health care environment, a number of secure document generation servers may be distributed across different insurance companies and hospitals for generating secure versions of their respective information.
  • To deal with updates to data, changes may be required to be performed at a source, such that a secure document generation server, such as the secure document generation server 215, packages and secures updated content. Once changes have been made, access to secure documents in circulation may be disabled (e.g., a request of the server 220 to view a secure document or component of the secure document may be denied) and parties seeking access to changed content may be notified that updates may be retrieved. In some implementations, status or awareness of updates may be published. For example, the secure document generation server 215 may publish updates to the client 220 or the website 270.
  • In general, the credential server 205 manages polices for access and usage of content that may be stored in a secure document such as the structure 300 of FIG. 3, including specifications or policies of packaging of information in secure documents and usage of secure documents. In addition, the credential server 205 may manage authentication and authorization of users (e.g., users of the website 270 or users who make requests for usage through the server 220 may be authenticated by the credential server 205 using combinations of security information managed by the credential server 205; e.g., the credential server 205 may issue credentials to the client 220). For example, the credential server 205 may provide for specification of preferences (e.g., preferences for terms and conditions of a secure document) and relationships (e.g., relationships among users and users, organizations and users, organizations and users, and organizations and organizations), in addition to generation, distribution, and revocation of policies (e.g., policies for generation of a secure document or terms and conditions of a secure document) and digital credentials. For example, the secure document generation server 215 may retrieve necessary key information from the credential server 205 to package a secure document that may take the form of a secure electronic health record, according to a specification that has been predefined with an insurance company for that specific insurance group. For example, different states or different companies may have different requirements for providing access or use of content to data content recipients, necessitating that generation of secure documents to be used as secure electronic health records may need to differ depending on a location of a data content subject's primary residence or the place where a data content recipient (e.g., a physician) is providing care such that content of a secure electronic health record is required. For example, policy preferences, such as a duration or location of access, may be part of terms and conditions of usage of content that are provided by the credential server 205.
  • The credential server 205 may use a relationship repository 225 to store relationships of individuals and organizations, and information about those individuals, organizations, and relationships. For example, a relationship between an insured party and an insurance company may be stored with preferences for access and usage of patient information of the insured party by the insurance company. For example, a relationship between a patient and a research institution may indicate that the research institution may view some types of medical information but not others (e.g., some types of secure holdings but not others). The relationship repository 225 may be implemented as a hierarchical or relational directory, identity management repository, or custom repository or product where individual and organization references are associated with credentials for access to resources and other attributes.
  • Attributes may include types of access and usage rights for a relationship (e.g., view, print, copy, modify, and the like), access and usage conditions (e.g., restricting viewing by Internet Protocol address, a geography defined by an Internet Protocol address, a time period (e.g., authorization may be valid for ninety days), and the like), types of authorized information (e.g., in a health care environment claims information may be authorized for view by an insurance company but not a research institution), roles (e.g., in a health care environment, a data content recipient having a doctor role may have different access and usage rights than a data content recipient being a hospital administrator), or some combination of the above or other attributes.
  • To determine whether access and usage rights are allowed for a relationship, information about a component of a secure document (e.g.; information about a secure holding) may be used to classify the component such that it may be compared against attributes (e.g., metadata of a secure holding may indicate the holding includes claims information and an attribute of a relationship may indicate access and usage of the claims information is allowed).
  • In alternative implementations, access and usage rights need not be based on relationships between parties. For example, data content recipients may be associated with content that has access and usage rights attributes. In general, preferences for access of information may be based on a component level (e.g., in the structure 300 of FIG. 3, on the granularity of a secure holding, such as a classification of secure holdings).
  • In alternative implementations, access and usage rights need not be associated with relationships between parties, but may be implicit or explicit preferences of a party. For example, access and usage rights may be implicit or explicit preferences of a data content subject or data content custodian. For example, a data content subject may have a general preference of sharing health plan membership information with any inquiring doctor, independent of an explicit relationship with that doctor or knowledge or trust (e.g., a direct or indirect relationship) of any of the doctor's know affiliates (e.g., staff, partners, locations of practice, and the like).
  • In scenarios involving a denial of access by the credential server 205, the credential server 205 may process a request for authorization (e.g., from a data content subject or data content custodian). Such a request may be forwarded to a data content subject or data content custodian, such that authorization may be permitted by user interaction. For example, a text message stating that a doctor is requesting access to a certain type of medical data may request a response for authorization being yes or no. Additional policies may be generated in response to such a request or may be considered a one-time exception to typical authorization processing. For example, a new relationship may be generated at the relationship repository 225 and that relationship may include attributes authorizing the data content recipient.
  • The server 220 may maintain a log of events in the log repository 250. Different events may be logged. For example, the log may include an entry for each access, or attempted access, to a document by a client. Logged events may include varying granularities of detail. To ensure security of a log, the log may be encrypted, not include information that may easily be used to identify a person or company of which information is logged, or a combination of techniques and mechanisms may be implemented.
  • A log may be used to monitor access to and use of secure documents, parts of secure documents, or components of those parts that may assist ensuring security. For example, a data content subject may review log access to content distributed in secure documents which may provide assurance that unauthorized users have not accessed that content. In a health care environment, some users may be required to monitor medical information and a log may be used as a compliance verification tool to determine if someone is monitoring information. Logging may include both accesses that are approved and denied. In some implementations, logging of approvals may include limited information whereas denials may include detailed information (e.g., to assist in showing a policy prevented access to information). For example, an entry of an approval may include metadata about content approved and a data content recipient, whereas a denial may further include a description of a policy of a user (e.g., a policy of a relationship of a data content subject and data content recipient) that led to a denial. The log may be viewed by, as examples, a user of the website 270 (e.g., to data content subjects, data content recipients, data content custodians, and the like) or a system administrator of the server 220. Authorization to view the log may be provided based on attributes associated relationships in the relationship repository 225 (e.g., and governed by the credential server 205).
  • Contents or changes of a log may be distributed, or accessed as part of a secure or otherwise distributed communication to authorized parties that may have interest or requirements to observe the log and its changes. For example, a log may be distributed across different portions of one or more computer systems. As another example, updates about access to a patient's medical history may be communicated to the patient in the form of a secure document, an electronic mail notification, a text message, and the like. Similarly, for example, access to a patient's treatment eligibility or coverage information may be communicated to that patient's insurance company or payer, such that the organization may be notified of potential opportunity for investigating an incident that may be of interest.
  • Although the system 200 of FIG. 2 includes a certain number and type of components, implementations may differ. For example, a number of clients, secure document generation servers, and servers may exist.
  • As another example, an interface for providing access or usage of data to a user need not be a website, such as the website 270 and the interface of the client 210 may differ. For example, a suite of web-accessible services, such as services that might be accessed via SMS (Short Message Service), MMS (Multimedia Messaging Service), or IVR (Interactive Voice Response) system may be provided. The services may be exposed by an underlying application programming interface that may communicate with the secure document generation server 215, the credential server 205, and the server 220. The client 210, as examples, may be a mobile phone that accepts and composes text messages, a telephone, personal data assistant, and the like.
  • As another example, the hosting and granularity of features may differ. For example, the server 220, the website 270, and the credential server 250 may be hosted at a same site, different sites, or some combination of hosting may be performed. Similarly, the hosting of repositories need not be paired with servers and intermediate components may exist. For example, the relationship repository 225 need not be paired with the credential server 205 and a server may be used to interface with the relationship repository 225.
  • Although FIGS. 1 and 2 include a separation between a client 110, 210 and a server 120, 220, such a division need not exist. In general, the terms client and server may refer to client and server application programs, although, they may refer to client and server computer systems. A client and server are generally remote from each other and typically interact through a communication network; however, a client and server need not have a dedicated connection. The relationship of client and server may arise by virtue of one computer program, referred to as a server, providing a service to another computer program, referred to as a client. The servers 220, 120 may be referred to as a “clearing server,” and a combination of the credential server 205 and the server 220 may be referred to as a “policy server,” “identity management tool,” or “policy management tool.”
  • FIG. 3 is a diagram of a structure 300 for a secure document. The structure 300 may be referred to as a secure container and includes the secure holdings 310, metadata 320, and a rights management specification 330. The structure 300 may be a structure of the secure documents of the repositories 130, 230 of systems 100, 200 of FIGS. 1, 2. For example, each of the secure holdings 310 may be one of the secure documents of the repository 130 of FIG. 1. For example, in a health care environment the structure 300 may be a secure electronic health record of a data subject and each of the secure holdings 310 may be portions of a health record, such as a set of test results, an x-ray image, and the like.
  • The secure holdings 310 are components of the structure 300 and each of them may be secure from access. For example, each of the secure holdings 310 may be encrypted. Each of the secure holdings 310 may have separate types of security or require separate credentials; a uniform type of security may be applied to the secure holdings 310; or some commonality of security may exist. For example, in health care environment, claims may be secured using a same protocol for their secure holdings while a different security protocol may be used for secure holdings of medical results, such as x-rays. In some implementations, the secure holdings 310 may include information in addition to content. For example, terms and conditions of use of content of the secure holdings 310 may be encrypted with each of the secure holdings 310. For example, terms and conditions may include a specification requiring the use of a specific issuing root public key certificate that is trusted to facilitate clearing of the content. Each of the secure holdings 310 may further include a unique identifier that allows the secure holdings 310 to be tracked, along with the structure 300 that was used at the time the structure 300 was constructed.
  • The metadata 320 may include information about the structure 300 and the secure holdings. In particular, the metadata 320 may include an index of the secure holdings 310 in the structure 300 and a general description of the structure 300. For example, in a health care environment, the metadata 320 may include non-sensitive biographical information about a patient and short descriptions of secure holdings 310 that may be searched on the basis of non-sensitive diagnosis and procedure codes. For example, information identifying a data content subject in one of the systems 100, 200 of FIGS. 1, 2 may be included without identifying an individual outside of the system (e.g., an identifier of a patient used in the systems 100, 200 but not related to a social security number), and that information may be used to identify the data content subject when determining whether a data content recipient is authorized to view secure holdings.
  • The rights management specification 330 may include a specification of data from a secure document generation server, such as the secure document generation server 215, that details security for the secure holdings 310. For example, in the health care environment, information about the building of a secure electronic health record may be included. In addition, information for a client to access the secure holdings may be included in the rights management specification 330. For example, information identifying a location of a server for providing authorization, which may be referred to as a clearing server, and a specification of roles and credentials that are eligible for requesting content access. The rights management specification 330 may be articulated in a declarative format (e.g., RFC 822 compliant file, eXtensible Markup Language dialect, runtime compiled scripting language, and the like) or programmatic format (e.g., application programming interface, and the like) used by a programmatic subsystem that encrypts data to generate a secure container.
  • Although the structure of FIG. 3 includes a certain number and type of features, additional, fewer, or different features may be included. For example, the rights management specification 330 may be combined with the metadata 320.
  • As another example, although FIG. 3 shows a first level of nesting of secure holdings 310 of the structure 300, there may be any number of levels of nesting of sub-components or sub-holdings. For example, a secure holding may have multiple secure sub-holdings. The secure sub-holdings themselves may be documents that are separately encrypted or an entire secure holding of a secure document may be encrypted. The security applied to sub-holdings may either be dependent or independent of the security applied to the secure holding of which it is apart. Similarly, different terms and conditions may be applied to different secure sub-holdings of the secure holding of a secure document. For example, in the generation of a secure document to reflect population-specific information, content for multiple data content subjects may be organized into individual sub-holdings of a parent secure holding that represents a specific classification of population information (e.g., diagnosis or disease identification information) while each secure sub-holding is independently governed by access and usage policies appropriate for each respective data content subject.
  • FIG. 4 is a flowchart illustrating a process 400 of dynamic binding of access and usage rights. The process 400 may be performed by the systems 100, 200 of FIGS. 1, 2, or another system. In general, the process involves replacing security of secured content based on credentials that are different from credentials that may be used to remove the security. Content may include secure holdings or portions of secure holdings of the structure 300 of FIG. 3.
  • Data characterizing a request for secure content is received (410). The request may be received at a server that services requests for authorizing access to content, such as the servers 120, 200 of FIGS. 1, 2. The request may have been generated by a client attempting to access secure content, such as the clients 110, 210 of FIGS. 1, 2. The data characterizing the request may be a message including the secure content and metadata for the secure content. For example, a secure holding of a medical record may be sent with an identifier of a data content subject. The request may be generated by a user of a client or as part of a program. For example, a request may be generated when a program attempts to access secure content as part of performing a task that uses the content. The request may further include one or more actions (e.g., types of actions) requested to be performed or authorized.
  • A determination is made as to whether first security credentials authenticate a user and the user is authorized (420). The determination may be made by the same component that receives the request for access to content (410; e.g., the server 120 of FIG. 1). The first security credentials may be sent as part of a login procedure for authenticating a user (e.g., a person or a program) that attempts to access secure content. For example, as part of starting a secure server session with the server 120 of FIG. 1, a user of the client 110 may enter a username and password to identify an account of the user. The first security credentials may be used to identify an account associated with the credentials to determine whether the user is authorized to access or use the content.
  • If the first security credentials authenticate a user and the user is authorized to use the content, the security of the content is replaced which includes removing the security of the content in accordance with second security credentials to enable actions to the content (430). Removing the security may involve determining whether a user or account associated with the first security credentials is authorized to access the content. In addition, the process may involve determining the types of access and usage rights allowed. For example, access right attributes may be associated with a relationship among any combination of users and organizations. In addition, the process may involve determining whether a client is trusted for access or usage of content.
  • For example, the first credentials may be used to identify an account of a data content recipient. Metadata of a secure document that is sent with a request to access the document may be used to determine an account of the data content subject. Then, a logical structure capturing relationships, such as a table of a database or configuration file, may be queried to determine if the data content subject and data content recipient have a direct or indirect relationship. If a relationship does not exist, the data content recipient might not be granted access. If a relationship does exist, the relationship may include access right preferences that may be used to determine access and usage rights to grant to a data content recipient (e.g., a user attempting to access content). Default preferences of a data content subject or the preferences of their relationships may also be used to determine outcomes for authorization. For example, a patient might not have an express relationship regarding the ability to provide access to treatment eligibility information, but a relationship between the patient's employer and the patient's current insurance company may have specified this setting for the patient's authorization of this information by default.
  • As part of replacing security, other types of security may be added. For example, the server 220 of FIG. 2 may decrypt a component of a document using a private key stored at the clearing center 205 and then encrypt the component of the document using a session key negotiated in a secure server session between the client 210 and the server 220. The purpose of having such a combination of removing security in lieu of other security may move a secure document from a first trusted environment to a second trusted environment. In addition, by preventing security of a transportable container from being removable at a client, security may be improved. For example, a client need not receive a key that may be used at any computer to decrypt an easily transportable version of the document, which may prevent exposure of security mechanisms; and, exposure of a session key of a single document that is expected to be in a second trusted environment for the length of a session might be considered a less significant security risk.
  • In addition to the process 400, the content may be transmitted to a data content recipient that requested access. In some implementations, rather than approving or denying a type of access, transmission of the data may also include a specification of rights to be adhered to by the requestor. For example, access right preferences, such as authorizing viewing and printing but not copying content may be sent to the client 110 and enforced by the client 110.
  • Although FIG. 4 has a certain combination of sub-processes in a certain order, additional, fewer, or different sub-processes may be used and the order may differ. For example, the determination of 420 may be made prior to receiving the request for access to content of 410.
  • Although FIGS. 1-4 are discussed with references to examples in a health care environment, similar techniques and mechanisms may be employed in other environments.
  • A user, as discussed with reference to FIGS. 1-4 generally refers to a person who manipulates an input device to interact with a computer; however, the term user need not be so limited. For example, a user may be a computer program that acts as a user. For example, the client 110 of FIG. 1 may be used by a program and such a client may include, for example, an application programming interface in lieu of a graphical user interface.
  • The subject matter described herein can be implemented in digital electronic circuitry, or in computer software, firmware, or hardware, including the structural means disclosed in this specification and structural equivalents thereof, or in combinations of them. The subject matter described herein can be implemented as one or more computer program products, i.e., one or more computer programs tangibly embodied in an information carrier, e.g., in a machine-readable storage device or in a propagated signal, for execution by, or to control the operation of, data processing apparatus, e.g., a programmable processor, a computer, or multiple computers. A computer program (also known as a program, software, software application, or code) can be written in any form of programming language, including compiled or interpreted languages, and it can be deployed in any form, including as a stand-alone program or as a module, component, subroutine, or other unit suitable for use in a computing environment. A computer program does not necessarily correspond to a file. A program can be stored in a portion of a file that holds other programs or data, in a single file dedicated to the program in question, or in multiple coordinated files (e.g., files that store one or more modules, sub-programs, or portions of code). A computer program can be deployed to be executed on one computer or on multiple computers at one site or distributed across multiple sites and interconnected by a communication network.
  • The processes and logic flows described in this specification, including the method steps of the subject matter described herein, can be performed by one or more programmable processors executing one or more computer programs to perform functions of the subject matter described herein by operating on input data and generating output. The processes and logic flows can also be performed by, and apparatus of the subject matter described herein can be implemented as, special purpose logic circuitry, e.g., an FPGA (field programmable gate array) or an ASIC (application-specific integrated circuit).
  • Processors suitable for the execution of a computer program include, by way of example, both general and special purpose microprocessors, and any one or more processors of any kind of digital computer. Generally, a processor will receive instructions and data from a read-only memory or a random access memory or both. The essential elements of a computer are a processor for executing instructions and one or more memory devices for storing instructions and data. Generally, a computer will also include, or be operatively coupled to receive data from or transfer data to, or both, one or more mass storage devices for storing data, e.g., magnetic, magneto-optical disks, or optical disks. Information carriers suitable for embodying computer program instructions and data include all forms of non-volatile memory, including by way of example semiconductor memory devices, e.g., EPROM, EEPROM, and flash memory devices; magnetic disks, e.g., internal hard disks or removable disks; magneto-optical disks; and CD-ROM and DVD-ROM disks. The processor and the memory can be supplemented by, or incorporated in, special purpose logic circuitry.
  • To provide for interaction with a user, the subject matter described herein can be implemented on a computer having a display device, e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor, for displaying information to the user and a keyboard and a pointing device, e.g., a mouse or a trackball, by which the user can provide input to the computer. Other kinds of devices can be used to provide for interaction with a user as well; for example, feedback provided to the user can be any form of sensory feedback, e.g., visual feedback, auditory feedback, or tactile feedback; and input from the user can be received in any form, including acoustic, speech, or tactile input.
  • The subject matter described herein can be implemented in a computing system that includes a back-end component (e.g., a data server), a middleware component (e.g., an application server), or a front-end component (e.g., a client computer having a graphical user interface or a web browser through which a user can interact with an implementation of the subject matter described herein), or any combination of such back-end, middleware, and front-end components. The components of the system can be interconnected by any form or medium of digital data communication, e.g., a communication network. Examples of communication networks include a local area network (“LAN”) and a wide area network (“WAN”), e.g., the Internet.
  • The computing system can include clients and servers. A client and server are generally remote from each other in a logical sense and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other.
  • The subject matter described herein has been described in terms of particular embodiments, but other embodiments can be implemented and are within the scope of the following claims. For example, operations can differ and still achieve desirable results. In certain implementations, multitasking and parallel processing may be preferable. Other embodiments are within the scope of the following claims.

Claims (20)

1. A computer program product, tangibly embodied in a computer-readable media, the computer program product comprising instructions to cause data processing apparatus to perform operations comprising:
receiving data characterizing a request for content, the content being secured with a first security against access by a user;
determining whether first security credentials authenticate the user; and
replacing the first security of the content with a second security if the user is authenticated by the first security credentials and authorized to use the content, the replacing comprising removing the first security in accordance with second security credentials and the replacing to enable the user to perform actions to the content.
2. The computer program product of claim 1, wherein the receiving data is performed by a server application receiving the data from a client application performing the request, and the server application performs the replacing the first security to move the content from a first trusted environment to a second trusted environment, the second trusted environment comprising a secure session between the server and client applications.
3. The computer program product of claim 1, wherein the actions comprise one or more types of actions authorized to be performed at a client of the user.
4. The computer program product of claim 1, wherein the content is secured against access in accordance with a decryption scheme, the removing security comprises decrypting the content with the second security credentials not being available to the user, and the operations further comprise initiating transmission of the content to the user in accordance with a secure server session.
5. The computer program product of claim 1, further comprising determining whether the user is associated with rights to perform the access, and wherein the replacing the first security comprises replacing the first security if the user has the rights to perform the access.
6. The computer program product of claim 5, wherein the user is authorized to access or use the content at a first time but is not authorized to access or use the content at a second time later than the first time or earlier than the first time based on a modification of a policy of the user.
7. The computer program product of claim 1, wherein the content is medical health information.
8. The computer program product of claim 7, wherein the content is a component of an electronic medical record comprising a plurality of components, the user being authorized for the content but not being authorized for at least one other of the components.
9. The computer program product of claim 1, wherein the actions comprise at least one or more of causing the content to be viewed, printed, copied, modified, or exported.
10. The computer program product of claim 1, wherein the user is authorized for at least one type of action but not other types of actions.
11. The computer program product of claim 1, wherein the user is authorized for a set of actions different from actions authorized for another user.
12. A computer-implemented method comprising:
receiving data characterizing a request for content, the content being secured with a first security against access by a user;
determining whether first security credentials authenticate the user; and
replacing the first security of the content with a second security if the user is authenticated by the first security credentials and authorized to use the content, the replacing comprising removing security from the content in accordance with second security credentials and the replacing to enable the user to perform actions to the content.
13. The method of claim 12, wherein the receiving data is performed by a server application receiving the data from a client application performing the request, and the server application performs the replacing the first security to move the content from a first trusted environment to a second trusted environment, the second trusted environment comprising a secure session between the server and client applications.
14. The method of claim 12, wherein the content is secured against access in accordance with a decryption scheme, the removing security comprises decrypting the content with the second security credentials not being available to the user, and the method further comprises initiating transmission of the content to the user in accordance with a secure server session.
15. The method of claim 12, wherein the user is authorized to access or use the content at a first time but is not authorized to access or use the content at a second time later than or earlier than the first time based on a modification of a policy of the user.
16. The method of claim 12, wherein the content is medical health information.
17. The method of claim 16, wherein the content is a component of an electronic medical record comprising a plurality of components, the user being authorized for the content but not being authorized for at least one other of the components.
18. A computer program product, tangibly embodied in a computer-readable media, the computer program product comprising instructions to cause data processing apparatus to perform operations comprising:
receiving at a server data characterizing a request for content, the content being secured with a first security against access by a client of a user;
determining whether first security credentials authenticate the user; and
if the user is authenticated by the first security credentials and authorized to use the content,
replacing the first security of the content with a second security, the replacing comprising removing security from the content in accordance with second security credentials; and
authorizing the user to perform at least one action of a plurality of types of actions, the at least one action being associated with the user at the server.
19. The computer program product of claim 18, wherein the content is medical health information.
20. The computer program product of claim 18, wherein the user is authorized to access or use the content at a first time but is not authorized to access or use the content at a second time later than the first time or earlier than the first time.
US11/786,485 2006-04-11 2007-04-11 Dynamic binding of access and usage rights to computer-based resources Abandoned US20070239998A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
US11/786,485 US20070239998A1 (en) 2006-04-11 2007-04-11 Dynamic binding of access and usage rights to computer-based resources
US15/586,519 US20180019990A1 (en) 2006-04-11 2017-05-04 Dynamic Binding Of Access And Usage Rights To Computer-Based Resources

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US79128906P 2006-04-11 2006-04-11
US11/786,485 US20070239998A1 (en) 2006-04-11 2007-04-11 Dynamic binding of access and usage rights to computer-based resources

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US15/586,519 Continuation US20180019990A1 (en) 2006-04-11 2017-05-04 Dynamic Binding Of Access And Usage Rights To Computer-Based Resources

Publications (1)

Publication Number Publication Date
US20070239998A1 true US20070239998A1 (en) 2007-10-11

Family

ID=38610164

Family Applications (8)

Application Number Title Priority Date Filing Date
US11/786,486 Expired - Fee Related US8793768B2 (en) 2006-04-11 2007-04-11 Relationship-based authorization
US11/786,482 Expired - Fee Related US8041749B2 (en) 2006-04-11 2007-04-11 Systems and methods of managing specification, enforcement, or auditing of electronic health information access or use
US11/786,485 Abandoned US20070239998A1 (en) 2006-04-11 2007-04-11 Dynamic binding of access and usage rights to computer-based resources
US14/444,142 Active US9325692B2 (en) 2006-04-11 2014-07-28 Relationship-based authorization
US15/072,797 Active US9608978B2 (en) 2006-04-11 2016-03-17 Relationship-based authorization
US15/467,767 Expired - Fee Related US10038684B2 (en) 2006-04-11 2017-03-23 Relationship-based authorization
US15/586,519 Abandoned US20180019990A1 (en) 2006-04-11 2017-05-04 Dynamic Binding Of Access And Usage Rights To Computer-Based Resources
US16/023,087 Expired - Fee Related US10530760B2 (en) 2006-04-11 2018-06-29 Relationship-based authorization

Family Applications Before (2)

Application Number Title Priority Date Filing Date
US11/786,486 Expired - Fee Related US8793768B2 (en) 2006-04-11 2007-04-11 Relationship-based authorization
US11/786,482 Expired - Fee Related US8041749B2 (en) 2006-04-11 2007-04-11 Systems and methods of managing specification, enforcement, or auditing of electronic health information access or use

Family Applications After (5)

Application Number Title Priority Date Filing Date
US14/444,142 Active US9325692B2 (en) 2006-04-11 2014-07-28 Relationship-based authorization
US15/072,797 Active US9608978B2 (en) 2006-04-11 2016-03-17 Relationship-based authorization
US15/467,767 Expired - Fee Related US10038684B2 (en) 2006-04-11 2017-03-23 Relationship-based authorization
US15/586,519 Abandoned US20180019990A1 (en) 2006-04-11 2017-05-04 Dynamic Binding Of Access And Usage Rights To Computer-Based Resources
US16/023,087 Expired - Fee Related US10530760B2 (en) 2006-04-11 2018-06-29 Relationship-based authorization

Country Status (2)

Country Link
US (8) US8793768B2 (en)
WO (3) WO2007120738A2 (en)

Cited By (21)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080058105A1 (en) * 2006-08-31 2008-03-06 Combs Fredrick C Casino Management
US20080263060A1 (en) * 2007-04-23 2008-10-23 Benantar Messaoud B Policy-Based Access Control Approach to Staff Activities of a Business Process
US20090327739A1 (en) * 2008-06-30 2009-12-31 Verizon Data Services, Llc Key-based content management and access systems and methods
US20100088232A1 (en) * 2008-03-21 2010-04-08 Brian Gale Verification monitor for critical test result delivery systems
US20110061101A1 (en) * 2009-09-09 2011-03-10 Samsung Electronics Co., Ltd. Computer system and method of controlling the same
US20120155381A1 (en) * 2010-12-17 2012-06-21 Motorola-Mobility, Inc. Method and apparatus for using a wireless device with multiple radios
US20120163598A1 (en) * 2010-12-22 2012-06-28 Sap Ag Session secure web content delivery
US20130111606A1 (en) * 2011-11-02 2013-05-02 Microsoft Corporation Mapping identities to documents to enable multiple user logins
US8627403B1 (en) * 2007-07-31 2014-01-07 Hewlett-Packard Development Company, L.P. Policy applicability determination
US20140075551A1 (en) * 2012-09-07 2014-03-13 Samsung Electronics Co., Ltd. Method and apparatus to manage user account of device
KR20140050995A (en) * 2012-10-22 2014-04-30 삼성전자주식회사 Method and appartus for managing a user account of a device
US20150149209A1 (en) * 2013-11-27 2015-05-28 General Electric Company Remote/local reference sharing and resolution
US20150178502A1 (en) * 2013-12-24 2015-06-25 Samsung Electronics Co., Ltd. Method of controlling message of electronic device and electronic device thereof
US9292661B2 (en) * 2007-12-20 2016-03-22 Adobe Systems Incorporated System and method for distributing rights-protected content
US20170083560A1 (en) * 2015-09-18 2017-03-23 Fuji Xerox Co., Ltd. Information supply apparatus, operation terminal, information processing system, and non-transitory computer readable media
US20170099297A1 (en) * 2015-10-01 2017-04-06 Lam Research Corporation Virtual collaboration systems and methods
US9722974B1 (en) * 2014-12-18 2017-08-01 AbeBooks Inc. Automated data re-encryption process in multi-tiered encryption system
US20190281035A1 (en) * 2012-04-11 2019-09-12 Comcast Cable Communications, Llc System and Method for Processing User Rights
US10452855B2 (en) 2014-08-12 2019-10-22 Hewlett Packard Development Company, L.P. Composite document access
US10614914B2 (en) * 2017-10-27 2020-04-07 Welch Allyn, Inc. Secure patient data in medical environments
US20210250362A1 (en) * 2018-08-28 2021-08-12 Cobalt Iron, Inc. Dynamic authorization control system and method

Families Citing this family (168)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8725537B2 (en) * 2005-09-12 2014-05-13 Mymedicalrecords, Inc. Method and system for providing online records
US8117045B2 (en) 2005-09-12 2012-02-14 Mymedicalrecords.Com, Inc. Method and system for providing online medical records
US8121855B2 (en) 2005-09-12 2012-02-21 Mymedicalrecords.Com, Inc. Method and system for providing online medical records
US20090055222A1 (en) * 2006-03-29 2009-02-26 Mymedicalrecords.Com, Inc. Method and system for providing online medical records with emergency password feature
WO2007120738A2 (en) 2006-04-11 2007-10-25 Medox Exchange, Inc. Systems and methods of managing specification, enforcement, or auditing of electronic health information access or use
US20070294302A1 (en) * 2006-06-19 2007-12-20 Cerner Innovation, Inc. Defining privileges in association with the automated configuration, implementation and/or maintenance of a healthcare information system
US7664022B2 (en) 2006-08-29 2010-02-16 Cingular Wireless Ii, Llc Policy-based service management system
US11170879B1 (en) 2006-09-26 2021-11-09 Centrifyhealth, Llc Individual health record system and apparatus
HU0700409D0 (en) * 2007-06-11 2007-08-28 3D Histech Kft Method and system for accessing a slide from a remote workstation
US7979711B2 (en) * 2007-08-08 2011-07-12 International Business Machines Corporation System and method for privacy preserving query verification
JP4989431B2 (en) * 2007-11-30 2012-08-01 株式会社富士通ビー・エス・シー Security management program, security management method, and portable terminal device
US9430660B2 (en) * 2008-01-31 2016-08-30 International Business Machines Corporation Managing access in one or more computing systems
FR2930390B1 (en) * 2008-04-21 2010-04-16 Etsem Ltd METHOD FOR SECURE DIFFUSION OF DIGITAL DATA TO AN AUTHORIZED THIRD PARTY
US20090320092A1 (en) * 2008-06-24 2009-12-24 Microsoft Corporation User interface for managing access to a health-record
US20090326980A1 (en) * 2008-06-27 2009-12-31 Microsoft Corporation Flagging to control access to health information
JP2010026766A (en) * 2008-07-18 2010-02-04 Canon Inc Information processing apparatus, information processing method and program
WO2010015063A1 (en) * 2008-08-08 2010-02-11 International Business Machines Corporation System and method for privacy preserving query verification
US20100269157A1 (en) * 2009-04-20 2010-10-21 Bettina Experton System and Method for User Control of Authorizing and Tracking Access to Electronic Records
US20110046981A1 (en) * 2009-07-06 2011-02-24 Onerecovery, Inc. Goals and progress tracking for recovery based social networking
US20110224933A1 (en) * 2010-02-03 2011-09-15 Infinite Enzymes, Llc Method and system for data collection and analysis to assist in facilitating regulatory approval of a product
WO2011149453A1 (en) * 2010-05-26 2011-12-01 Hewlett-Packard Development Company, L.P. Graph authorization
EP2577446A4 (en) * 2010-05-27 2014-04-02 Varonis Systems Inc Automation framework
US9467448B2 (en) * 2010-06-28 2016-10-11 Fujitsu Limited Consigning authentication method
US20120030122A1 (en) * 2010-07-27 2012-02-02 Sap Ag Agile workflow modeling and execution based on document
US20130204398A1 (en) * 2010-10-04 2013-08-08 Nec Corporation Access control device, access control system, access control method, and computer readable medium
US9626725B2 (en) 2010-12-23 2017-04-18 Facebook, Inc. Using social graph for account recovery
US9727886B2 (en) 2010-12-23 2017-08-08 Facebook, Inc. Predicting real-world connections based on interactions in social networking system
WO2012094330A1 (en) * 2011-01-03 2012-07-12 Planetary Data LLC Community internet drive
US8949427B2 (en) 2011-02-25 2015-02-03 International Business Machines Corporation Administering medical digital images with intelligent analytic execution of workflows
US9704207B2 (en) 2011-02-25 2017-07-11 International Business Machines Corporation Administering medical digital images in a distributed medical digital image computing environment with medical image caching
US9836485B2 (en) * 2011-02-25 2017-12-05 International Business Machines Corporation Auditing database access in a distributed medical computing environment
US10095848B2 (en) 2011-06-16 2018-10-09 Pasafeshare Llc System, method and apparatus for securely distributing content
US9455961B2 (en) * 2011-06-16 2016-09-27 Pasafeshare Lcc System, method and apparatus for securely distributing content
US9615116B2 (en) * 2011-06-16 2017-04-04 Pasafeshare Llc System, method and apparatus for securely distributing content
US8818944B2 (en) 2011-06-30 2014-08-26 Microsoft Corporation Data change tracking and event notification
US9779376B2 (en) 2011-07-13 2017-10-03 International Business Machines Corporation Dynamically allocating business workflows
US9104985B2 (en) 2011-08-17 2015-08-11 International Business Machines Corporation Processing system using metadata for administering a business transaction
US9053338B2 (en) * 2011-09-20 2015-06-09 Mckesson Financial Holdings Methods, apparatuses, and computer program products for exception handling
US20130133054A1 (en) * 2011-09-24 2013-05-23 Marc E. Davis Relationship Based Trust Verification Schema
US9348985B2 (en) 2011-11-23 2016-05-24 Elwha Llc Behavioral fingerprint controlled automatic task determination
US9825967B2 (en) 2011-09-24 2017-11-21 Elwha Llc Behavioral fingerprinting via social networking interaction
US9621404B2 (en) 2011-09-24 2017-04-11 Elwha Llc Behavioral fingerprinting with social networking
US9729549B2 (en) 2011-09-24 2017-08-08 Elwha Llc Behavioral fingerprinting with adaptive development
US9767254B2 (en) 2012-01-09 2017-09-19 Mymedicalrecords, Inc. Prepaid card for services related to personal health records
JP5825118B2 (en) * 2012-01-25 2015-12-02 富士通株式会社 Release range determination method, release range determination apparatus and program
US9251313B2 (en) * 2012-04-11 2016-02-02 Intouch Technologies, Inc. Systems and methods for visualizing and managing telepresence devices in healthcare networks
US8902278B2 (en) 2012-04-11 2014-12-02 Intouch Technologies, Inc. Systems and methods for visualizing and managing telepresence devices in healthcare networks
US8984583B2 (en) 2012-05-30 2015-03-17 Accenture Global Services Limited Healthcare privacy breach prevention through integrated audit and access control
CN104737195A (en) 2012-08-15 2015-06-24 惠普发展公司,有限责任合伙企业 Metadata tree with key rotation information
US20140122875A1 (en) * 2012-10-31 2014-05-01 Ubs Ag Container-based management at a user device
US9213833B2 (en) 2012-11-07 2015-12-15 Ebay Inc. Methods and systems for detecting an electronic intrusion
US20140164022A1 (en) * 2012-12-10 2014-06-12 Atlantic Health System, Inc., a NJ non-profit corporation Patient Directed Healthcare System
US9836551B2 (en) * 2013-01-08 2017-12-05 International Business Machines Corporation GUI for viewing and manipulating connected tag clouds
US10055418B2 (en) * 2014-03-14 2018-08-21 Highspot, Inc. Narrowing information search results for presentation to a user
US9406236B1 (en) * 2013-06-06 2016-08-02 The Boeing Company Multi-user disparate system communications manager
US20150012568A1 (en) * 2013-07-05 2015-01-08 Scott Rens Hierarchical content management and presentation application
US9298933B2 (en) * 2013-07-18 2016-03-29 Sybase, Inc. Autonomous role-based security for database management systems
US9467450B2 (en) * 2013-08-21 2016-10-11 Medtronic, Inc. Data driven schema for patient data exchange system
US9021024B1 (en) * 2013-10-14 2015-04-28 Xueming Tang Method and apparatus for controlling access to information and applications between clients in a telecommunications network
US9438597B1 (en) * 2013-10-22 2016-09-06 Microstrategy Incorporated Regulating credential information dissemination
JP6193491B2 (en) * 2014-06-18 2017-09-06 株式会社日立製作所 Computer system
US10454970B2 (en) * 2014-06-30 2019-10-22 Vescel, Llc Authorization of access to a data resource in addition to specific actions to be performed on the data resource based on an authorized context enforced by a use policy
US10740447B2 (en) 2014-09-08 2020-08-11 Tessera Advanced Technologies, Inc. Using biometric user-specific attributes
US9740841B2 (en) * 2014-09-08 2017-08-22 Tessera Advanced Technologies, Inc. Using biometric user-specific attributes
CN105404828A (en) * 2014-09-12 2016-03-16 国际商业机器公司 Method and system for data security
JP5768922B1 (en) * 2014-09-24 2015-08-26 富士ゼロックス株式会社 Document processing system, program, and document processing apparatus
US9313193B1 (en) 2014-09-29 2016-04-12 Amazon Technologies, Inc. Management and authentication in hosted directory service
US9984310B2 (en) * 2015-01-23 2018-05-29 Highspot, Inc. Systems and methods for identifying semantically and visually related content
US10547599B1 (en) * 2015-02-19 2020-01-28 Amazon Technologies, Inc. Multi-factor authentication for managed directories
JP6551510B2 (en) * 2015-03-09 2019-07-31 富士通クライアントコンピューティング株式会社 Information processing apparatus, device cooperation authentication program, and device cooperation authentication method
US20160292453A1 (en) * 2015-03-31 2016-10-06 Mckesson Corporation Health care information system and method for securely storing and controlling access to health care data
US20180075219A1 (en) * 2015-04-02 2018-03-15 Click Therapeutics, Inc. Therapeutic system and remote patient monitoring device
US11503035B2 (en) * 2017-04-10 2022-11-15 The University Of Memphis Research Foundation Multi-user permission strategy to access sensitive information
JP2017058928A (en) 2015-09-16 2017-03-23 富士ゼロックス株式会社 Apparatus and program for information processing
US10389846B2 (en) 2015-11-10 2019-08-20 Click Therapeutics, Inc. System and methods for improving efficiency of a remote computing device
US10810644B2 (en) 2015-11-18 2020-10-20 At&T Intellectual Property I, L.P. Mitigation method, system and non-transitory computer-readable device
US10178058B2 (en) * 2016-01-28 2019-01-08 International Business Machines Corporation Expanding captured portions of references in instant messaging systems
US20220164840A1 (en) 2016-04-01 2022-05-26 OneTrust, LLC Data processing systems and methods for integrating privacy information management systems with data loss prevention tools or other tools for privacy design
US10200372B2 (en) * 2016-06-02 2019-02-05 Microsoft Technology Licensing, Llc Principal access determination in an enviroment
US11410106B2 (en) 2016-06-10 2022-08-09 OneTrust, LLC Privacy management systems and methods
US11336697B2 (en) 2016-06-10 2022-05-17 OneTrust, LLC Data processing systems for data-transfer risk identification, cross-border visualization generation, and related methods
US11301796B2 (en) 2016-06-10 2022-04-12 OneTrust, LLC Data processing systems and methods for customizing privacy training
US11727141B2 (en) 2016-06-10 2023-08-15 OneTrust, LLC Data processing systems and methods for synching privacy-related user consent across multiple computing devices
US11295316B2 (en) 2016-06-10 2022-04-05 OneTrust, LLC Data processing systems for identity validation for consumer rights requests and related methods
US11416590B2 (en) 2016-06-10 2022-08-16 OneTrust, LLC Data processing and scanning systems for assessing vendor risk
US11586700B2 (en) 2016-06-10 2023-02-21 OneTrust, LLC Data processing systems and methods for automatically blocking the use of tracking tools
US10592648B2 (en) 2016-06-10 2020-03-17 OneTrust, LLC Consent receipt management systems and related methods
US11227247B2 (en) 2016-06-10 2022-01-18 OneTrust, LLC Data processing systems and methods for bundled privacy policies
US10909488B2 (en) 2016-06-10 2021-02-02 OneTrust, LLC Data processing systems for assessing readiness for responding to privacy-related incidents
US10510031B2 (en) 2016-06-10 2019-12-17 OneTrust, LLC Data processing systems for identifying, assessing, and remediating data processing risks using data modeling techniques
US11562097B2 (en) 2016-06-10 2023-01-24 OneTrust, LLC Data processing systems for central consent repository and related methods
US11544667B2 (en) 2016-06-10 2023-01-03 OneTrust, LLC Data processing systems for generating and populating a data inventory
US11343284B2 (en) 2016-06-10 2022-05-24 OneTrust, LLC Data processing systems and methods for performing privacy assessments and monitoring of new versions of computer code for privacy compliance
US11188862B2 (en) 2016-06-10 2021-11-30 OneTrust, LLC Privacy management systems and methods
US10909265B2 (en) 2016-06-10 2021-02-02 OneTrust, LLC Application privacy scanning systems and related methods
US10878127B2 (en) 2016-06-10 2020-12-29 OneTrust, LLC Data subject access request processing systems and related methods
US11520928B2 (en) 2016-06-10 2022-12-06 OneTrust, LLC Data processing systems for generating personal data receipts and related methods
US11636171B2 (en) 2016-06-10 2023-04-25 OneTrust, LLC Data processing user interface monitoring systems and related methods
US11438386B2 (en) 2016-06-10 2022-09-06 OneTrust, LLC Data processing systems for data-transfer risk identification, cross-border visualization generation, and related methods
US10678945B2 (en) 2016-06-10 2020-06-09 OneTrust, LLC Consent receipt management systems and related methods
US10318761B2 (en) 2016-06-10 2019-06-11 OneTrust, LLC Data processing systems and methods for auditing data request compliance
US10949565B2 (en) 2016-06-10 2021-03-16 OneTrust, LLC Data processing systems for generating and populating a data inventory
US11222142B2 (en) 2016-06-10 2022-01-11 OneTrust, LLC Data processing systems for validating authorization for personal data collection, storage, and processing
US11392720B2 (en) 2016-06-10 2022-07-19 OneTrust, LLC Data processing systems for verification of consent and notice processing and related methods
US11651104B2 (en) 2016-06-10 2023-05-16 OneTrust, LLC Consent receipt management systems and related methods
US11651106B2 (en) 2016-06-10 2023-05-16 OneTrust, LLC Data processing systems for fulfilling data subject access requests and related methods
US11418492B2 (en) 2016-06-10 2022-08-16 OneTrust, LLC Data processing systems and methods for using a data model to select a target data asset in a data migration
US11294939B2 (en) 2016-06-10 2022-04-05 OneTrust, LLC Data processing systems and methods for automatically detecting and documenting privacy-related aspects of computer software
US11461500B2 (en) 2016-06-10 2022-10-04 OneTrust, LLC Data processing systems for cookie compliance testing with website scanning and related methods
US11403377B2 (en) 2016-06-10 2022-08-02 OneTrust, LLC Privacy management systems and methods
US11481710B2 (en) 2016-06-10 2022-10-25 OneTrust, LLC Privacy management systems and methods
US10685140B2 (en) 2016-06-10 2020-06-16 OneTrust, LLC Consent receipt management systems and related methods
US11328092B2 (en) 2016-06-10 2022-05-10 OneTrust, LLC Data processing systems for processing and managing data subject access in a distributed environment
US11222139B2 (en) 2016-06-10 2022-01-11 OneTrust, LLC Data processing systems and methods for automatic discovery and assessment of mobile software development kits
US10997318B2 (en) 2016-06-10 2021-05-04 OneTrust, LLC Data processing systems for generating and populating a data inventory for processing data access requests
US11416589B2 (en) 2016-06-10 2022-08-16 OneTrust, LLC Data processing and scanning systems for assessing vendor risk
US11416109B2 (en) 2016-06-10 2022-08-16 OneTrust, LLC Automated data processing systems and methods for automatically processing data subject access requests using a chatbot
US11341447B2 (en) 2016-06-10 2022-05-24 OneTrust, LLC Privacy management systems and methods
US11188615B2 (en) 2016-06-10 2021-11-30 OneTrust, LLC Data processing consent capture systems and related methods
US11277448B2 (en) 2016-06-10 2022-03-15 OneTrust, LLC Data processing systems for data-transfer risk identification, cross-border visualization generation, and related methods
US10846433B2 (en) 2016-06-10 2020-11-24 OneTrust, LLC Data processing consent management systems and related methods
US10740487B2 (en) 2016-06-10 2020-08-11 OneTrust, LLC Data processing systems and methods for populating and maintaining a centralized database of personal data
US11354435B2 (en) 2016-06-10 2022-06-07 OneTrust, LLC Data processing systems for data testing to confirm data deletion and related methods
US11675929B2 (en) 2016-06-10 2023-06-13 OneTrust, LLC Data processing consent sharing systems and related methods
US11366909B2 (en) 2016-06-10 2022-06-21 OneTrust, LLC Data processing and scanning systems for assessing vendor risk
US11134086B2 (en) 2016-06-10 2021-09-28 OneTrust, LLC Consent conversion optimization systems and related methods
US11366786B2 (en) 2016-06-10 2022-06-21 OneTrust, LLC Data processing systems for processing data subject access requests
US11475136B2 (en) 2016-06-10 2022-10-18 OneTrust, LLC Data processing systems for data transfer risk identification and related methods
US11625502B2 (en) * 2016-06-10 2023-04-11 OneTrust, LLC Data processing systems for identifying and modifying processes that are subject to data subject access requests
US11354434B2 (en) 2016-06-10 2022-06-07 OneTrust, LLC Data processing systems for verification of consent and notice processing and related methods
US10514854B2 (en) 2016-11-04 2019-12-24 Microsoft Technology Licensing, Llc Conditional authorization for isolated collections
US10924467B2 (en) * 2016-11-04 2021-02-16 Microsoft Technology Licensing, Llc Delegated authorization for isolated collections
US10412095B2 (en) * 2016-12-22 2019-09-10 Atlassian Pty Ltd Method, apparatus, and computer program product for managing access permissions for a searchable enterprise platform
US20180204215A1 (en) * 2017-01-17 2018-07-19 Hung-Tzaw Hu Detecting electronic intruders via updatable data structures
US20180278552A1 (en) * 2017-03-21 2018-09-27 Paypal, Inc. Accessing chat sessions via chat bots for multi-user authorization of transactions
US10915376B2 (en) * 2017-04-06 2021-02-09 Smartsheet Inc. Systems and methods for increasing efficiency of application programming interface calls
US10454941B2 (en) * 2017-05-05 2019-10-22 Bank Of America Corporation Person-to-person network architecture for secure authorization and approval
US10491584B2 (en) * 2017-05-22 2019-11-26 General Electric Company Role-based resource access control
US10013577B1 (en) 2017-06-16 2018-07-03 OneTrust, LLC Data processing systems for identifying whether cookies contain personally identifying information
MX2020002594A (en) * 2017-09-14 2020-07-13 Sony Corp Information processing device, information processing method, and program.
US20190228179A1 (en) * 2018-01-24 2019-07-25 International Business Machines Corporation Context-based access to health information
US11226996B2 (en) * 2018-08-03 2022-01-18 Kilpatrick Townsend & Stockton Llp Identifying and graphically representing multiple parent nodes of a child node
US11392627B2 (en) 2018-08-03 2022-07-19 Kilpatrick Townsend & Stockton Llp Identifying missing nodes within a graphically represented family
US11222050B2 (en) 2018-08-03 2022-01-11 Kilpatrick Townsend & Stockton Llp Graphically representing related patent families using a phantom parent node
US10803202B2 (en) 2018-09-07 2020-10-13 OneTrust, LLC Data processing systems for orphaned data identification and deletion and related methods
US11544409B2 (en) 2018-09-07 2023-01-03 OneTrust, LLC Data processing systems and methods for automatically protecting sensitive data within privacy management systems
CN109583159B (en) * 2018-11-30 2021-05-18 北京车和家信息技术有限公司 Vehicle authority management method, system and computer readable storage medium
US20200218817A1 (en) * 2019-01-07 2020-07-09 Shenzhen Mindray Bio-Medical Electronics Co., Ltd. Systems and methods for medical device authorization
US11714961B2 (en) 2019-02-24 2023-08-01 Wrethink, Inc. Methods and apparatus for suggesting and/or associating tags corresponding to identified image content and/or storing said image content in association with tags to facilitate retrieval and use
US11748509B2 (en) * 2019-02-24 2023-09-05 Wrethink, Inc. Methods and apparatus for automatically controlling access to stored data, a storage location of stored data, and/or ownership of stored data based on life event information
US11741699B2 (en) 2019-02-24 2023-08-29 Wrethink, Inc. Methods and apparatus for detecting features of scanned images, associating tags with images and/or using tagged images
US11281662B2 (en) * 2019-04-03 2022-03-22 Unitedhealth Group Incorporated Managing data objects for graph-based data structures
US10757574B1 (en) * 2019-12-26 2020-08-25 Capital One Services, Llc Multi-factor authentication providing a credential via a contactless card for secure messaging
US11531724B2 (en) 2020-03-28 2022-12-20 Dataparency, LLC Entity centric database
US11797528B2 (en) 2020-07-08 2023-10-24 OneTrust, LLC Systems and methods for targeted data discovery
US11444976B2 (en) 2020-07-28 2022-09-13 OneTrust, LLC Systems and methods for automatically blocking the use of tracking tools
WO2022032072A1 (en) 2020-08-06 2022-02-10 OneTrust, LLC Data processing systems and methods for automatically redacting unstructured data from a data subject access request
US11436373B2 (en) 2020-09-15 2022-09-06 OneTrust, LLC Data processing systems and methods for detecting tools for the automatic blocking of consent requests
US20230334158A1 (en) 2020-09-21 2023-10-19 OneTrust, LLC Data processing systems and methods for automatically detecting target data transfers and target data processing
EP4241173A1 (en) 2020-11-06 2023-09-13 OneTrust LLC Systems and methods for identifying data processing activities based on data discovery results
WO2022170047A1 (en) 2021-02-04 2022-08-11 OneTrust, LLC Managing custom attributes for domain objects defined within microservices
US20240111899A1 (en) 2021-02-08 2024-04-04 OneTrust, LLC Data processing systems and methods for anonymizing data samples in classification analysis
WO2022173912A1 (en) 2021-02-10 2022-08-18 OneTrust, LLC Systems and methods for mitigating risks of third-party computing system functionality integration into a first-party computing system
WO2022178089A1 (en) 2021-02-17 2022-08-25 OneTrust, LLC Managing custom workflows for domain objects defined within microservices
WO2022178219A1 (en) 2021-02-18 2022-08-25 OneTrust, LLC Selective redaction of media content
US11533315B2 (en) 2021-03-08 2022-12-20 OneTrust, LLC Data transfer discovery and analysis systems and related methods
US11562078B2 (en) 2021-04-16 2023-01-24 OneTrust, LLC Assessing and managing computational risk involved with integrating third party computing functionality within a computing system
US11620142B1 (en) 2022-06-03 2023-04-04 OneTrust, LLC Generating and customizing user interfaces for demonstrating functions of interactive user environments

Citations (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5495533A (en) * 1994-04-29 1996-02-27 International Business Machines Corporation Personal key archive
US20020010679A1 (en) * 2000-07-06 2002-01-24 Felsher David Paul Information record infrastructure, system and method
US6449721B1 (en) * 1999-05-28 2002-09-10 Authentica Security Technologies, Inc. Method of encrypting information for remote access while maintaining access control
US20030046564A1 (en) * 1995-11-07 2003-03-06 Tatsuro Masuda Storage medium and method for storing data decrypting algorithm
US20030167392A1 (en) * 2000-06-16 2003-09-04 Fransdonk Robert W. Method and system to secure content for distribution via a network
US20030216943A1 (en) * 2002-05-15 2003-11-20 Mcphee Ron Interactive system and method for collecting and reporting health and fitness data
US20040122790A1 (en) * 2002-12-18 2004-06-24 Walker Matthew J. Computer-assisted data processing system and method incorporating automated learning
US6775382B1 (en) * 1997-06-30 2004-08-10 Sun Microsystems, Inc. Method and apparatus for recovering encryption session keys
US20050165627A1 (en) * 2003-03-10 2005-07-28 Medem, Inc. Electronic personal health record system
US20050197860A1 (en) * 2004-02-23 2005-09-08 Rademr, Inc. Data management system
US20060004588A1 (en) * 2004-06-30 2006-01-05 Mohan Ananda Method and system for obtaining, maintaining and distributing data
US20060010324A1 (en) * 2004-07-09 2006-01-12 Guido Appenzeller Secure messaging system with derived keys
US7100206B1 (en) * 1998-06-03 2006-08-29 Paul Pere Method for secured access to data in a network
US20060229911A1 (en) * 2005-02-11 2006-10-12 Medcommons, Inc. Personal control of healthcare information and related systems, methods, and devices
US20070005396A1 (en) * 2005-06-29 2007-01-04 Lee Keat J Method and device for maintaining and providing access to electronic clinical records
US20070006322A1 (en) * 2005-07-01 2007-01-04 Privamed, Inc. Method and system for providing a secure multi-user portable database
US7181017B1 (en) * 2001-03-23 2007-02-20 David Felsher System and method for secure three-party communications
US20070143215A1 (en) * 2004-02-06 2007-06-21 Willems Serge Clement D Device, system and method for storing and exchanging medical data
US7921292B1 (en) * 2003-04-04 2011-04-05 Voltage Security, Inc. Secure messaging systems

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5926624A (en) * 1996-09-12 1999-07-20 Audible, Inc. Digital information library and delivery system with logic for generating files targeted to the playback device
WO2000026750A1 (en) 1998-11-05 2000-05-11 NEUVIS, Inc Method for controlling access to information
US7504213B2 (en) * 1999-07-09 2009-03-17 Agilent Technologies, Inc. Methods and apparatus for preparing arrays comprising features having degenerate biopolymers
TWI230473B (en) * 2003-03-10 2005-04-01 Sanken Electric Co Ltd Semiconductor light emitting device and manufacturing method thereof
WO2007120738A2 (en) 2006-04-11 2007-10-25 Medox Exchange, Inc. Systems and methods of managing specification, enforcement, or auditing of electronic health information access or use

Patent Citations (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5495533A (en) * 1994-04-29 1996-02-27 International Business Machines Corporation Personal key archive
US20030046564A1 (en) * 1995-11-07 2003-03-06 Tatsuro Masuda Storage medium and method for storing data decrypting algorithm
US6775382B1 (en) * 1997-06-30 2004-08-10 Sun Microsystems, Inc. Method and apparatus for recovering encryption session keys
US7100206B1 (en) * 1998-06-03 2006-08-29 Paul Pere Method for secured access to data in a network
US6449721B1 (en) * 1999-05-28 2002-09-10 Authentica Security Technologies, Inc. Method of encrypting information for remote access while maintaining access control
US20030167392A1 (en) * 2000-06-16 2003-09-04 Fransdonk Robert W. Method and system to secure content for distribution via a network
US20020010679A1 (en) * 2000-07-06 2002-01-24 Felsher David Paul Information record infrastructure, system and method
US7181017B1 (en) * 2001-03-23 2007-02-20 David Felsher System and method for secure three-party communications
US20030216943A1 (en) * 2002-05-15 2003-11-20 Mcphee Ron Interactive system and method for collecting and reporting health and fitness data
US20040122790A1 (en) * 2002-12-18 2004-06-24 Walker Matthew J. Computer-assisted data processing system and method incorporating automated learning
US20050165627A1 (en) * 2003-03-10 2005-07-28 Medem, Inc. Electronic personal health record system
US7921292B1 (en) * 2003-04-04 2011-04-05 Voltage Security, Inc. Secure messaging systems
US20070143215A1 (en) * 2004-02-06 2007-06-21 Willems Serge Clement D Device, system and method for storing and exchanging medical data
US20050197860A1 (en) * 2004-02-23 2005-09-08 Rademr, Inc. Data management system
US20060004588A1 (en) * 2004-06-30 2006-01-05 Mohan Ananda Method and system for obtaining, maintaining and distributing data
US20060010324A1 (en) * 2004-07-09 2006-01-12 Guido Appenzeller Secure messaging system with derived keys
US20060229911A1 (en) * 2005-02-11 2006-10-12 Medcommons, Inc. Personal control of healthcare information and related systems, methods, and devices
US20070005396A1 (en) * 2005-06-29 2007-01-04 Lee Keat J Method and device for maintaining and providing access to electronic clinical records
US20070006322A1 (en) * 2005-07-01 2007-01-04 Privamed, Inc. Method and system for providing a secure multi-user portable database

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
SANS Institute, InfoSec Reading Room, "Encrypted E-mail: Close One Door, Open Another”, 2001, 11 pages, obtained from https://www.sans.org/reading-room/whitepapers/malicious/encrypted-e-mail-close-door-open-105 *

Cited By (32)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080058105A1 (en) * 2006-08-31 2008-03-06 Combs Fredrick C Casino Management
US20080263060A1 (en) * 2007-04-23 2008-10-23 Benantar Messaoud B Policy-Based Access Control Approach to Staff Activities of a Business Process
US8904391B2 (en) * 2007-04-23 2014-12-02 International Business Machines Corporation Policy-based access control approach to staff activities of a business process
US8627403B1 (en) * 2007-07-31 2014-01-07 Hewlett-Packard Development Company, L.P. Policy applicability determination
US9292661B2 (en) * 2007-12-20 2016-03-22 Adobe Systems Incorporated System and method for distributing rights-protected content
US20100088232A1 (en) * 2008-03-21 2010-04-08 Brian Gale Verification monitor for critical test result delivery systems
US8787579B2 (en) * 2008-06-30 2014-07-22 Verizon Patent And Licensing Inc. Key-based content management and access systems and methods
US20090327739A1 (en) * 2008-06-30 2009-12-31 Verizon Data Services, Llc Key-based content management and access systems and methods
US9231952B2 (en) * 2008-06-30 2016-01-05 Verizon Patent And Licensing Inc. Key-based content management and access systems and methods
US20140321650A1 (en) * 2008-06-30 2014-10-30 Verizon Patent And Licensing Inc. Key-based content management and access systems and methods
US8701203B2 (en) * 2009-09-09 2014-04-15 Samsung Electronics Co., Ltd. Computer system and method of controlling the same
US20110061101A1 (en) * 2009-09-09 2011-03-10 Samsung Electronics Co., Ltd. Computer system and method of controlling the same
US20120155381A1 (en) * 2010-12-17 2012-06-21 Motorola-Mobility, Inc. Method and apparatus for using a wireless device with multiple radios
US20120163598A1 (en) * 2010-12-22 2012-06-28 Sap Ag Session secure web content delivery
US8813249B2 (en) * 2011-11-02 2014-08-19 Microsoft Corporation Mapping identities to documents to enable multiple user logins
US20130111606A1 (en) * 2011-11-02 2013-05-02 Microsoft Corporation Mapping identities to documents to enable multiple user logins
US10785202B2 (en) * 2012-04-11 2020-09-22 Comcast Cable Communications, Llc System and method for processing user rights
US20190281035A1 (en) * 2012-04-11 2019-09-12 Comcast Cable Communications, Llc System and Method for Processing User Rights
US20140075551A1 (en) * 2012-09-07 2014-03-13 Samsung Electronics Co., Ltd. Method and apparatus to manage user account of device
US9529982B2 (en) * 2012-09-07 2016-12-27 Samsung Electronics Co., Ltd. Method and apparatus to manage user account of device
KR20140050995A (en) * 2012-10-22 2014-04-30 삼성전자주식회사 Method and appartus for managing a user account of a device
KR101961348B1 (en) * 2012-10-22 2019-07-17 휴렛-팩커드 디벨롭먼트 컴퍼니, 엘.피. Method and Appartus for managing a user account of a device
US20150149209A1 (en) * 2013-11-27 2015-05-28 General Electric Company Remote/local reference sharing and resolution
US20150178502A1 (en) * 2013-12-24 2015-06-25 Samsung Electronics Co., Ltd. Method of controlling message of electronic device and electronic device thereof
US10452855B2 (en) 2014-08-12 2019-10-22 Hewlett Packard Development Company, L.P. Composite document access
US9722974B1 (en) * 2014-12-18 2017-08-01 AbeBooks Inc. Automated data re-encryption process in multi-tiered encryption system
US20170083560A1 (en) * 2015-09-18 2017-03-23 Fuji Xerox Co., Ltd. Information supply apparatus, operation terminal, information processing system, and non-transitory computer readable media
US10097557B2 (en) * 2015-10-01 2018-10-09 Lam Research Corporation Virtual collaboration systems and methods
US20170099297A1 (en) * 2015-10-01 2017-04-06 Lam Research Corporation Virtual collaboration systems and methods
US10614914B2 (en) * 2017-10-27 2020-04-07 Welch Allyn, Inc. Secure patient data in medical environments
US20210250362A1 (en) * 2018-08-28 2021-08-12 Cobalt Iron, Inc. Dynamic authorization control system and method
US11902285B2 (en) * 2018-08-28 2024-02-13 Cobalt Iron, Inc. Dynamic authorization control system and method

Also Published As

Publication number Publication date
US10530760B2 (en) 2020-01-07
US9325692B2 (en) 2016-04-26
WO2007120799A2 (en) 2007-10-25
WO2007120738A2 (en) 2007-10-25
US10038684B2 (en) 2018-07-31
US9608978B2 (en) 2017-03-28
US8041749B2 (en) 2011-10-18
US20170201508A1 (en) 2017-07-13
WO2007120738A3 (en) 2008-10-16
WO2007120799A3 (en) 2008-10-16
US8793768B2 (en) 2014-07-29
US20160205104A1 (en) 2016-07-14
US20140337936A1 (en) 2014-11-13
US20180324164A1 (en) 2018-11-08
WO2007120754A2 (en) 2007-10-25
US20070240203A1 (en) 2007-10-11
US20180019990A1 (en) 2018-01-18
US20070282843A1 (en) 2007-12-06
WO2007120754A3 (en) 2008-08-28

Similar Documents

Publication Publication Date Title
US20180019990A1 (en) Dynamic Binding Of Access And Usage Rights To Computer-Based Resources
Seol et al. Privacy-preserving attribute-based access control model for XML-based electronic health record system
Zhang et al. Security models and requirements for healthcare application clouds
US9621357B2 (en) System and method for providing consent management
US20070192140A1 (en) Systems and methods for extending an information standard through compatible online access
US20130006865A1 (en) Systems, methods, apparatuses, and computer program products for providing network-accessible patient health records
KR101925322B1 (en) Method for providing medical counseling service including digital certification, digital signature, and forgery prevention
JP2013537669A (en) Anonymous healthcare and record system
Jafari et al. A rights management approach to protection of privacy in a cloud of electronic health records
Al-Hamdani Cryptography based access control in healthcare web systems
Ghayvat et al. Sharif: Solid pod-based secured healthcare information storage and exchange solution in internet of things
Weaver et al. Federated, secure trust networks for distributed healthcare it services
Ma et al. OpenID Connect as a security service in cloud-based medical imaging systems
US20210019436A1 (en) Communicating content over a communications network
Pohlmann et al. Rights management technologies: A good choice for securing electronic health records?
Samet et al. Privacy-preserving personal health record (p3hr) a secure android application
Khan et al. Security in healthcare informatics: design and implementation of a robust authentication and a hybrid access control mechanism
Pujari et al. Identity resilience in the digital health ecosystem: A key recovery-enabled framework
Sharma SHARIF: Solid Pod based Secured Healthcare Information Storage and Exchange Solution
Chandramoorthy BeACon: Blockchain-enabled consent management for healthcare applications
Ajayi Dynamic trust negotiation for decentralised e-health collaborations
Hussain et al. Maintaining the integrity of XML signatures by using the manifest element
Künzi et al. Data-centric protection in DICOM
YANJIANG Ensuring Data Security and Individual Privacy in Health Care Systems
Sucurovic MEDIS–A WEB BASED HEALTH INFORMATION SYSTEM-Implementing Integrated Secure Electronic Health Record

Legal Events

Date Code Title Description
AS Assignment

Owner name: MEDOX EXCHANGE, INC., NEW YORK

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:BECK, MICHAEL E.;REEL/FRAME:019243/0493

Effective date: 20070411

AS Assignment

Owner name: MEDOX TECHNOLOGIES, INC., NEW YORK

Free format text: CHANGE OF NAME;ASSIGNOR:MEDOX EXCHANGE, INC.;REEL/FRAME:034638/0763

Effective date: 20141125

STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION