Patent Issued for Secure compartmented access infrastructure for sensitive databases (USPTO 11977652): Evernorth Strategic Development Inc.
2024 MAY 23 (NewsRx) -- By a
The patent’s assignee for patent number 11977652 is
News editors obtained the following quote from the background information supplied by the inventors: “Modern information privacy laws -- such as the Health Insurance Portability and Accountability Act (HIPAA) -- provide consumers with wide ranging protections for their health data. In order to better protect consumers, HIPAA imposes a series of specific and stringent requirements for “covered entities,” such as health plans, health care clearinghouses, and health care providers for securely storing and transmitting electronic protected health information (EPHI). Generally, HIPAA requires covered entities to ensure the confidentiality, integrity, and availability of EPHI, protect against reasonably anticipated threats and hazards to the EPHI, protect against reasonably anticipated unnecessary disclosures of EPHI, and ensure compliance among their workforces.
“In the years following HIPAA’s enactment, the high-tech sector saw rapid advances in consumer electronics such as smart phones, tablets, and personal computers, as well as the network hardware and infrastructure supporting these new consumer electronic devices. As consumer electronics grew in their adoption and variety, so too did the service and content providers serving these new consumer devices. Initially, service and content providers were required to manage and configure their own physical servers (the “bare metal”). This model proved expensive in both time and treasure. Not only were service and content providers required to manage and configure the physical server hardware, but they were also required to maintain the software environment (e.g., the operating system) that the consumer-serving software applications would be deployed to.
“As more and more service and content providers entered the consumer market, innovative technological solutions were required to reduce the cost of entry for smaller entities. Initially, some service and content providers outsourced the “bare metal,” deploying their consumer-serving software applications to “virtual machines” hosted on another entity’s “bare metal.” Still, under this model, the service and content providers were required to maintain the software environment that the consumer-serving software applications were deployed on. Eventually, service and content providers shifted to the “containers” model. Under this model, the work of maintaining the software environment could also be outsourced to third party providers. However, given the variety and inconsistency of the software environments used by various third party providers (e.g., different versions of different operating systems), it became ever more challenging for service and content providers to maintain versions of their software that would be compatible across the wide range of operating systems. The development of “containers” -- which are standard units of software packing the software code and all of its dependencies into a single “container” -- ensured that software applications could be deployed quickly and reliably across a wide range of software environments.
“However, in order to provide persistent and reliable service to consumers under the “container” model, at least one instance of any given consumer-serving software application would need to be running at all times to provide the consumer electronic device constant, uninterrupted access to the consumer-serving software application. The advent of the “serverless” or function-as-a-service (FaaS) model of cloud computing addressed these inefficiencies. Under the FaaS model, single units of deployment of the consumer-serving software application code (referred to as the “function”) are run by “events” as needed. When the consumer electronic device needs access to the consumer-serving software application, the consumer electronic device can create an “event,” which calls on the cloud-hosted “function” and runs the consumer-serving software application code in real-time only when it is needed.
“While the FaaS model of cloud computing realizes significant cost-saving benefits for service and content providers as well as server resource optimization benefits for cloud service providers, the model nevertheless presents challenges to HIPAA “covered entities.” For example, any EPHI passing through the servers hosting the consumer-serving software application must be protected against reasonably anticipated threats and hazards, such as unnecessary and unauthorized disclosures. Thus, improved systems and methods allowing consumers to realize the cost-saving benefits of accessing their EPHI through FaaS cloud deployments while simultaneously protecting the EPHI against unnecessary and unauthorized disclosure are beneficial and desirable.
“The background description provided here is for the purpose of generally presenting the context of the disclosure. Work of the presently named inventors, to the extent it is described in this background section, as well as aspects of the description that may not otherwise qualify as prior art at the time of filing, are neither expressly nor impliedly admitted as prior art against the present disclosure.”
As a supplement to the background information on this patent, NewsRx correspondents also obtained the inventors’ summary information for this patent: “A system for providing compartmented access to secure data assets is presented. The system may include a mobile device, a secure access platform, and a secure data storage platform. The mobile device may include a first processor, an input device, a data analysis application, and a first transceiver. The secure access platform may include an authentication module, a sandbox orchestrator, a second processor, and a second transceiver. The secure data storage platform may include a third processor, a secure data access module, a secure database including a secure data asset, and a third transceiver. The first processor, the input device, and the data analysis application may be configured to generate a user interface configured to allow a user to input credentials and a request for the secure data asset. The first processor, the data analysis application, and the first transceiver may be configured to transmit the credentials to the authentication module and the request for access to the sandbox orchestrator via the second transceiver.
“The second processor, the authentication module, and the second transceiver may be configured to transmit the credentials to the secure data access module via the third transceiver. The third processor and the secure data access module may be configured to transfer a copy of the secure data asset to the secure data access module. The second processor, the sandbox orchestrator, and the second transceiver may be configured to generate a virtualization instance, select an appling from the appling model catalog, and create an appling instance of the selected appling in the virtualization instance. The second processor, the sandbox orchestrator, the appling instance, and the second transceiver may be configured to receive the copy of the secure data asset from the secure data access module, format a response package based on the copy of the secure data asset, and transmit the response package to the data analysis application via the first transceiver.
“In other features, the secure database may include a plurality of unauthorized data assets. The secure data module may be configured to determine that the credentials do not provide access to each of the plurality of unauthorized data assets, and determine that the credentials provide access to the secure data asset. In other features, the third processor and the secure data access module may be configured to transfer a copy of the secure data asset to a secure storage partition.
“In other features, the second processor, the sandbox orchestrator, the appling instance, and the second transceiver may be configured to determine that the copy of the secure data asset contains a correct data type, and, in response to determining that the copy of the secure data asset contains the correct data type, format the response package to contain data extracted from the secure data asset. In other features, the response package may be formatted in a Fast Healthcare Interoperability Resource (FHIR) format.
“In other features, the second processor, the sandbox orchestrator, the appling instance, and the second transceiver may be configured to determine that the copy of the secure data asset does not contain a correct data type, and, in response to determining that the copy of the secure data asset does not contain the correct data type, format the response package to contain an error code. In other features, the second processor, the authentication module, and the sandbox orchestrator may be configured to close the appling instance in response to a condition. In other features, the second processor, the authentication module, and the sandbox orchestrator may be configured to close the virtualization instance in response to the condition.”
The claims supplied by the inventors are:
“1. A system for providing compartmented access to secure data assets, comprising: a mobile device, comprising: a first processor, an input device, a data analysis application, and a first transceiver; a secure access platform, comprising: an authentication module, a sandbox orchestrator, a second processor, an appling model catalog, and a second transceiver; and a secure data storage platform, comprising: a third processor, a secure data access module, a secure database comprising a secure data asset, and a third transceiver, wherein the first processor, the input device, and the data analysis application are configured to generate a user interface configured to allow a user to input credentials and a request for the secure data asset, wherein the first processor, the data analysis application, and the first transceiver are configured to: transmit the credentials to the authentication module via the second transceiver, and transmit the request for access to the sandbox orchestrator via the second transceiver, wherein the second processor, the authentication module, and the second transceiver are configured to transmit the credentials to the secure data access module via the third transceiver, wherein the third processor and the secure data access module are configured to transfer a copy of the secure data asset to the secure data access module, wherein the second processor, the sandbox orchestrator, and the second transceiver are configured to: generate a virtualization instance, select an appling from the appling model catalog, and create an appling instance of the selected appling in the virtualization instance, and wherein the second processor, the sandbox orchestrator, the appling instance, and the second transceiver are configured to: receive the copy of the secure data asset from the secure data access module, format a response package based on the copy of the secure data asset, and transmit the response package to the data analysis application via the first transceiver.
“2. The system of claim 1, wherein: the secure database comprises a plurality of unauthorized data assets; and the secure data access module is configured to: determine that the credentials do not provide access to each of the plurality of unauthorized data asset, and determine that the credentials provide access to the secure data asset.
“3. The system of claim 2, wherein the third processor and the secure data access module are configured to transfer a copy of the secure data asset to a secure storage partition.
“4. The system of claim 1, wherein the second processor, the sandbox orchestrator, the appling instance, and the second transceiver are configured to: determine that the copy of the secure data asset contains a correct data type; and in response to determining that the copy of the secure data asset contains the correct data type, format the response package to contain data extracted from the secure data asset.
“5. The system of claim 4, wherein the response package is formatted in a Fast Healthcare Interoperability Resources (FHIR) format.
“6. The system of claim 1, wherein the second processor, the sandbox orchestrator, the appling instance, and the second transceiver are configured to: determine that the copy of the secure data asset does not contain a correct data type; and in response to determining that the copy of the secure data asset does not contain the correct data type, format the response package to contain an error code.
“7. The system of claim 1, wherein the second processor, the authentication module, and the sandbox orchestrator are configured to close the appling instance in response to a condition.
“8. The system of claim 7, wherein the second processor, the authentication module, and the sandbox orchestrator are configured to close the virtualization instance in response to the condition.
“9. The system of claim 8, wherein the second processor, the authentication module, and the sandbox orchestrator are configured to send an erase signal to the secure data access module.
“10. The system of claim 9, wherein the third processor and the secure data access module are configured to purge the copy of the secure data asset from the secure data access module in response to the erase signal.
“11. The system of claim 7, wherein the condition comprises transmission, by the second processor, the sandbox orchestrator, the appling instance, and the second transceiver, of the response package.
“12. The system of claim 7, wherein the condition comprises a determination by the authentication module that a session of the data analysis application timed out.
“13. The system of claim 7, wherein the condition comprises a determination by the authentication module that a session of the data analysis application ended.
“14. The system of claim 1, wherein the second processor and the sandbox orchestrator are configured to: generate a second virtualization instance; select a second appling from the appling model catalog; and create a second appling instance of the selected second appling in the second virtualization instance.
“15. The system of claim 14, wherein: the virtualization instance is isolated from the second virtualization instance; and the appling instance is isolated from the second appling instance.
“16. The system of claim 15, wherein the mobile device is isolated from the second virtualization instance and the second appling instance.
“17. A method for providing compartmenting access to secure data assets, the method comprising: transmitting credentials from a mobile device to an authentication module on a secure access platform; transmitting a request for access from the mobile device to a sandbox orchestrator on the secure access platform; transmitting the credentials from the authentication module to a secure data access module on a secure data storage platform; determining, at the secure data access module, which of a plurality of secure data assets stored on a secure database the credentials provide access to; transferring, to the secure data access module, selected data assets, wherein the selected data assets are the secure data assets that the credentials provide access to; generating, at the secure access platform, a virtualization instance; running, at the secure access platform, an appling instance in the virtualization instance; receiving the selected data assets transmitted from the secure data access module using the appling instance; formatting the selected data assets using the appling instance; and transmitting the formatted selected data assets from the appling instance to the mobile device.
“18. The method of claim 17, wherein the formatted selected data assets are in a Fast Healthcare Interoperability Resources (FHIR) format.
“19. The method of claim 17, further comprising: closing the appling instance in response to transmitting the formatted selected data assets from the appling instance to the mobile device; and closing the virtualization instance in response to transmitting the formatted selected data assets from the appling instance to the mobile device.
“20. The method of claim 17, further comprising: generating, at the secure access platform, a second virtualization instance; and running, at the secure access platform, a second appling instance in the second virtualization instance, wherein: the virtualization instance is isolated from the second virtualization instance, and the appling instance is isolated from the second appling instance.”
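The flow in claims 1, 4, 6 and 7 to 10 (credential check, a per-request appling instance, a data-type check, then close and erase), modeled as an added example that is not code from the patent or from the assignee. Class and function names, tokens, error codes and sample records are hypothetical, and the denied-access response is an assumption the claims do not specify.

```python
import uuid
from contextlib import contextmanager

# Constructed sample data: asset id -> (owner, record). Not from the patent.
SECURE_DB = {
    "obs-1": ("alice", {"type": "Observation", "code": "heart-rate", "value": 72}),
    "obs-2": ("bob", {"type": "Observation", "code": "heart-rate", "value": 64}),
    "img-9": ("alice", {"type": "Binary", "blob": "..."}),
}
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}  # hypothetical credentials


class SecureDataAccessModule:
    """Stands in for the secure data access module of the storage platform."""

    def __init__(self):
        self.staging = {}  # copies handed to applings, keyed by instance id

    def stage_copy(self, token, asset_id, instance_id):
        user = TOKENS.get(token)
        owner, record = SECURE_DB.get(asset_id, (None, None))
        if user is None or owner != user:
            raise PermissionError("credentials do not grant access")
        self.staging[instance_id] = dict(record)  # a copy, never the original
        return self.staging[instance_id]

    def erase(self, instance_id):
        # Erase signal (claims 9-10): purge the staged copy if one exists.
        self.staging.pop(instance_id, None)


@contextmanager
def appling_instance(sdam):
    """One short-lived instance per request; closing it always sends erase."""
    instance_id = uuid.uuid4().hex
    try:
        yield instance_id
    finally:
        sdam.erase(instance_id)  # runs on success, error code, or exception


def handle_request(sdam, token, asset_id):
    with appling_instance(sdam) as iid:
        try:
            copy = sdam.stage_copy(token, asset_id, iid)
        except PermissionError:
            return {"error": "ACCESS_DENIED"}  # assumed behaviour
        if copy.get("type") != "Observation":  # data-type check (claims 4, 6)
            return {"error": "WRONG_DATA_TYPE"}
        # FHIR-style Observation resource as the response package (claim 5).
        return {"resourceType": "Observation", "status": "final",
                "code": {"text": copy["code"]},
                "valueQuantity": {"value": copy["value"]}}
```

Tying the purge to instance teardown rather than to the success path is what keeps a staged copy from outliving a failed or rejected request.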
For additional information on this patent, see: Magen, Jonathan E. Secure compartmented access infrastructure for sensitive databases.
(Our reports deliver fact-based news of research and discoveries from around the world.)


