Patent Issued for Secure content sharing (USPTO 11520911): Imprivata Inc.
2022 DEC 27 (NewsRx) -- By a
The patent’s assignee for patent number 11520911 is
News editors obtained the following quote from the background information supplied by the inventors: “As computer systems become ubiquitous in both the home and industry, the ability for any one individual to access applications and data has increased dramatically. While such ease of access has streamlined many tasks such as paying bills, ordering supplies, and searching for information, it entails the risk of providing the wrong data or functionality to the wrong person, which can be fatal to an organization. Instances of data breaches at many consumer-product companies and the need to comply with certain statutory measures (e.g., Health Insurance Portability and Accountability Act (HIPAA), Child Online Protection Act (COPA), Sarbanes-Oxley (SOX), etc.) have forced many companies and institutions to implement much stricter system access policies. Healthcare regulations, for example, mandate that “protected health information” (PHI) be accessible only by an authorized caregiver. Proper user authentication is required to access and alter PHI; this not only ensures patient privacy and safety, but also permits changes made to patient records to be audited later. Access restrictions are generally implemented, following user log-in to the system, by controlling access to applications with access to PHI.
“A persistent problem with data management in a healthcare environment is the disparate nature of patient information, which can originate with any of various applications. Clinical decision making may require access to patient data from different sources -- patient records from the hospital’s main server, radiological information or lab results from other servers or outside providers, prescription information from a pharmacopoeia, drug interactions from a specialized external resource -- each of which may require a separate log-in. This inconvenience can be managed in the first instance using a “single sign-on” system, but sharing diversely sourced information remains cumbersome. A clinician who has retrieved various types of clinical data and wishes to consult remotely with a colleague or specialist has no easy way to provide this information directly. Even if the other clinician has already authenticated herself to the same applications as the referring clinician, she must typically retrieve each type of information separately. There is, at present, no easy way for an authorized user to efficiently generate and send disparately sourced information to another authorized user.”
As a supplement to the background information on this patent, NewsRx correspondents also obtained the inventors’ summary information for this patent: “Embodiments of the present invention facilitate convenient and secure sharing of information among authorized network users in scenarios where data access is restricted. In some embodiments, an authorized user accessing multiple software applications at one workstation may send that information, or a user-selected portion thereof, in aggregate form to another authorized user at another workstation or mobile phone, using, e.g., a secure messaging service (e.g., a texting service enhanced with image, audio, and video support). For example, at the sender’s workstation, a screen-sharing service may generate a replica of the display contents, optionally including the sender’s annotations, which may then be transmitted to the selected recipient’s device in the form of an image file or video stream (e.g., as an attachment to a text message) and/or blended into the aggregate form as an editable overlay. Similarly, a virtual-printing service may transmit a replica of documents opened in applications on the sender’s workstation to the recipient, either separately for each application or, preferably, within a single message. Data from one or more applications may, alternatively, be exported using an application programming interface (API) or an open network protocol, facilitating a broader range of content formats for the data to be shared. In some embodiments, e.g., in a healthcare context, a “case builder” application allows the workstation user to integrate, organize, and annotate content from disparate sources into one multi-media file.
“To implement any applicable data-access restrictions, the contents transmitted between users may include metadata (e.g., in the form of headers within image files, or as separate files) that identify the sending user, the application from which the information originates, and/or other relevant information (e.g., in a medical context, the patient to which the information pertains). The message containing the screen/document replica or exported-data file may be transmitted via a secure messaging server that, prior to forwarding the message, checks the recipient’s authorization to access all of its contents; the messaging server may, for instance, consult a database storing, for each authorized system user, the applications and type of information (e.g., organized by patients) which that user is permitted to access. The messaging server may also excise any portions that the recipient is not permitted to see. In some embodiments, the replica or exported file is stored in a central repository, and the recipient of the information is provided with a link thereto; again, the recipient’s authorization may be checked prior to facilitating access to the stored data. The metadata associated with the transmitted contents may also be used by the recipient to verify the authenticity and integrity of the received information as well as the audit history of modifications or annotations made to the content. As used herein, the term “metadata” broadly connotes any identifying information associated with the image, text, audio, or other content files shared, regardless of the manner in which this identifying information is formatted, stored, and linked to the content files.
“In various embodiments, the functionality described above is implemented in a server-centric network architecture that includes authentication, desktop/application-hosting, and secure messaging servers in communication with workstations, mobile devices, or other client devices. Via terminal-emulation services executing on the client devices, users may access and interact with applications remotely running on the hosting server. Communications between users may be facilitated by the messaging server. Authentication prior to allowing access to the hosted applications and/or sharing of accessed content with other network users may be handled by the authentication server. As used herein, the term “server” generally refers to hardware and/or software providing a particular server functionality, irrespective of how this functionality is distributed. Thus, a “server” for a particular functionality may, in fact, include multiple intercommunicating computers and, conversely, a single computer may provide different server functionalities. For example, different applications may be provided on different hosting servers, or the applications running on the hosting server may pull in data from a separate central data repository. Application data may also be pulled from cloud-based content servers and mobile devices directly into a client device. Further, authentication and message-management functionality may be integrated on one server, or distributed between two or more servers in various ways.
“In one aspect, embodiments of the invention provide a method for sharing accessed content between authorized users within a network-managed user group. The method involves, at a first user device, authenticating a first user via communication with an authentication server and providing access to multiple software applications. The first user, using the first user device, then selects a second user within the user group as well as contents from the multiple accessed software applications for transmission to the second user. The selected contents are exported (e.g., by converting at least a portion of the screen display into an image file, virtually printing the contents of selected ones of the applications, or using an application programming interface associated with one of the software applications) and transmitted to a server. The exported contents may be displayable or, in some embodiments, at least a part thereof may be in a format unsuitable for display. They may be static or dynamic, and may, in various embodiments, include a selectable web link, an image sequence displayable as video, and/or audio content. In some embodiments, the exported contents are integrated into a multi-media case file and/or annotated prior to transmission to the server.
“At the server, it is determined whether the second user (i) has access privileges permitting access to at least a portion of the selected contents and (ii) has been authenticated by the authentication server via a second user device, and if so, transmission of only the portion to which the second user has access privileges to the second user device occurs. If the second user has not been authenticated by the authentication server via the second user device, the method may include facilitating authentication of the second user to the authentication server, and upon successful authentication, causing transmission to the second user device of the portion to which the second user has access privileges. In some embodiments, the method further involves redacting the exported contents by excising therefrom, by the server, portions to which the second user does not have access privileges, and thereafter causing transmission of the redacted exported contents.”
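The server-side check described in the summary above (recipient must be authenticated, and only the portions the recipient is privileged to see are forwarded) can be sketched as follows. This is an added example, not code from the patent or from Imprivata; the user names, patient identifiers, application names and the privilege table are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Item:
    """One exported portion of a case file, with the metadata the summary lists."""
    sender: str
    application: str
    patient: str
    content: str

# Constructed privilege database: per user, permitted applications and patients.
PRIVILEGES = {
    "dr_lee":  {"apps": {"ehr", "radiology", "lab"}, "patients": {"P-1001"}},
    "dr_khan": {"apps": {"radiology"}, "patients": {"P-1001", "P-2002"}},
}
# Constructed stand-in for "has been authenticated by the authentication server".
AUTHENTICATED = {"dr_lee"}

def permitted(user, item):
    """Default deny: unknown users and unlisted apps/patients get nothing."""
    p = PRIVILEGES.get(user)
    return (p is not None
            and item.application in p["apps"]
            and item.patient in p["patients"])

def compile_for(recipient, case_file, authenticated=AUTHENTICATED):
    """Decide what the messaging server forwards to one recipient."""
    if recipient not in authenticated:
        # Nothing leaves the server until the recipient authenticates.
        return {"status": "auth_required", "items": [], "excised": 0}
    allowed = [i for i in case_file if permitted(recipient, i)]
    return {
        "status": "sent" if allowed else "denied",
        "items": allowed,                          # redacted compilation
        "excised": len(case_file) - len(allowed),  # count kept for the audit trail
    }

# Constructed case file assembled by a hypothetical sender "dr_adams".
CASE_FILE = [
    Item("dr_adams", "ehr", "P-1001", "progress note"),
    Item("dr_adams", "radiology", "P-1001", "chest CT"),
    Item("dr_adams", "radiology", "P-2002", "knee MRI"),
    Item("dr_adams", "pharmacy", "P-1001", "medication list"),
]

if __name__ == "__main__":
    for user in ("dr_lee", "dr_khan"):
        r = compile_for(user, CASE_FILE)
        print(user, r["status"], [i.content for i in r["items"]], r["excised"])
```

The decision is made per item from its metadata, so the same case file yields a different compilation for each recipient, and a recipient with no matching privileges receives nothing rather than the full file.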
The claims supplied by the inventors are:
“1. A method for integrating data from a mobile device connected to a workstation with data from at least one application accessed at the workstation, the method comprising the steps of: a. logging a user onto the workstation; b. in response to logon of the user, obtaining, by an auto-connection service executed on the workstation, an identity of a mobile device belonging to the user and automatically connecting, by the auto-connection service, the workstation to the identified mobile device; c. accessing at least one application at the workstation and exporting contents from the at least one application to a case file maintained on the workstation; d. transmitting, by an auto-binding service executed on the workstation, an identifier associated with the case file to the mobile device; e. transmitting data from the mobile device to the workstation, the data being tagged with the identifier; and f. integrating the data transmitted from the mobile device into the case file.
“2. The method of claim 1, further comprising automatically deleting the data from the mobile device after the data is transmitted to the workstation.
“3. The method of claim 1, wherein, when the at least one application is accessed at the workstation, the at least one application automatically accesses specific contents based on a location of the workstation.
“4. The method of claim 3, wherein the specific contents relate to a patient located proximate the workstation.
“5. The method of claim 4, further comprising automatically communicating an identity of the patient to the mobile device.
“6. The method of claim 3, further comprising automatically communicating to the mobile device a second identifier associated with the specific contents.
“7. The method of claim 1, further comprising: receiving, from the user, identities of second and third recipient users, wherein the second and third recipient users have different access privileges permitting access to contents from the case file; combining only portions of the case file to which the access privileges of the second recipient user permit access into a first compilation; combining only portions of the case file to which the access privileges of the third recipient user permit access into a second compilation, wherein the first and second compilations include different portions of the case file; causing transmission of only the first compilation to the second user; and causing transmission of only the second compilation to the third user.
“8. The method of claim 1, wherein the data transmitted from the mobile device is integrated into the case file by a case builder application locally hosted on the workstation.
“9. The method of claim 1, wherein the data transmitted from the mobile device is integrated into the case file by a case builder application remotely hosted on a server communicating with the workstation.
“10. The method of claim 1, wherein the transmitted data is automatically tagged with the identifier and transmitted automatically from the mobile device to the workstation, without additional action from the user.
“11. The method of claim 1, wherein all data transmitted from the mobile device to the workstation is automatically tagged with the identifier.
“12. A workstation facilitating integration of data received from a mobile device connected thereto with data from at least one application accessed at the workstation, the workstation comprising: a network interface; a processor; and memory storing (i) a case file, and (ii) processor-executable instructions comprising: a. a user-authentication service which, when executed by the processor, manages user authentication and logon to the workstation; b. an auto-connection service which, when executed by the processor and in response to logon of the user, obtains an identity of a mobile device belonging to the user and automatically connects the workstation to the identified mobile device; c. means for accessing at least one application at the workstation; d. an auto-binding service which, when executed by the processor and following connection of the workstation to the mobile device, sends an identifier associated with the case file to the mobile device and causes the mobile device to tag data transmitted therefrom to the workstation with the identifier; and e. a case builder which, when executed by the processor, integrates content exported from the at least one application and tagged data received from the mobile device into the case file.
“13. The workstation of claim 12, wherein the means for accessing at least one application at the workstation comprises a terminal emulation service.
“14. The workstation of claim 12, wherein the at least one application is hosted locally on the workstation.
“15. The workstation of claim 12, further comprising one or more authentication devices connected to the workstation and responsive to the user-authentication service.
“16. The workstation of claim 15, wherein the one or more authentication devices comprise at least one of a proximity card reader, fingerprint reader, or radio-frequency identification reader.
“17. The workstation of claim 12, further comprising, coupled to the workstation, one or more medical devices configured to acquire patient data.
“18. The workstation of claim 15, wherein the memory stores processor-executable instructions comprising a walk-away service configured to (i) monitor the workstation for the presence or absence of the logged-in user and (ii) enforce a security policy to secure the workstation when the user is absent.”
For additional information on this patent, see: Gage, John. Secure content sharing.