“Systems And Methods For Managing Workflow Transactions Including Protected Personal Data In Regulated Computing Environments” in Patent Application Approval Process (USPTO 20200267134)
2020 SEP 03 (NewsRx) -- By a
This patent application is assigned to
The following quote was obtained by the news editors from the background information supplied by the inventors: “Privacy laws and regulations in
“One particular area where legal requirements such as these create challenges is with the logging of machine data (data that is created by the activity of computers). Machine data from servers and applications are logged to allow for analysis and support operations. In many instances, this data is needed by support personnel to resolve system issues as well as issues with individual transactions. Having access to the data that was flowing through a system at the time of an error or failure is critical to the support process.
“Protected personal data (PPD) includes personally identifying information (PII) and protected health information (PHI), among other types of information. When an application is processing PPD, that personal data may be included in published logs, which could be a violation of personal data protection laws and/or regulations. Alternatively, the personal data may be redacted in the published logs, which would impede support activities.”
In addition to the background information obtained for this patent application, NewsRx journalists also obtained the inventors’ summary information for this patent application: “In an exemplary embodiment, the invention provides a method for managing workflow transactions including protected personal data (PPD) in a regulated computing environment. The method includes determining, by a first application, that a workflow transaction record of a first network group includes PPD. The first network group includes users authorized to view PPD. The method includes transmitting, by the first application, a packet to an encryption logging service application in response to determining that the workflow transaction record includes PPD. The packet includes: a data identification record, a header, and a PPD payload including PPD associated with the workflow transaction record. The encryption logging service application is uniquely subscribed to by the first application. The method includes encrypting, by the encryption logging service application, the PPD payload and the data identification record. The method includes transmitting, by the encryption logging service application and to a system log database: an encrypted PPD payload, an encrypted data identification record, and the unencrypted header. The method includes decrypting, by the encryption logging service application, the encrypted PPD payload in response to a query of the system log database by a second network group for data contained in the unencrypted header. The second network group includes users not authorized to view PPD. The encryption logging service application is uniquely subscribed to by the second network group. The method includes transmitting, by the encryption logging service application, a decrypted PPD payload to the second network group.
“In another exemplary embodiment, the invention provides a method for managing workflow transactions including PPD in a regulated computing environment. The method includes registering a first network group for a first application. The first network group includes users authorized to view PPD. The method includes determining, by the first application, that a workflow transaction record of the first network group includes PPD. The method includes transmitting, by the first application, a packet to a second application. The packet includes: a data identification record, a header, and a PPD payload including PPD associated with the workflow transaction record. The second application is uniquely subscribed to by the first application. The method includes encrypting, by the second application, the PPD payload and the data identification record. The encrypting step includes stateless key management. The method includes transmitting, by the second application and to a system log database: an encrypted PPD payload, an encrypted data identification record, and the unencrypted header. The method includes querying, by a second network group including users not authorized to view the PPD, the system log database for data contained in the unencrypted header. The method includes decrypting, by a third application, the encrypted PPD payload in response to the query by the second network group. The third application is uniquely subscribed to by the second network group. The decrypting step includes assigning a security definition to a decrypted PPD payload for subsequent viewing thereof by the second network group. The method includes transmitting, by the third application, the decrypted PPD payload to the second network group.
“In yet another exemplary embodiment, the invention provides a non-transitory computer-readable medium including processor-executable instructions stored as software therein to manage workflow transactions including PPD in a regulated computing environment. When executed by one or more processors, the processor-executable instructions cause the processor(s) to determine, by a first application of the processor-executable instructions, that a workflow transaction record of a first network group includes PPD. The first network group includes users authorized to view PPD. When executed by the processor(s), the processor-executable instructions cause the processor(s) to transmit, by the first application and in response to determining that the workflow transaction record includes PPD, a packet to a second application of the processor-executable instructions. The packet includes: a data identification record, a header, and a PPD payload including PPD associated with the workflow transaction record. When executed by the processor(s), the processor-executable instructions cause the processor(s) to encrypt, by the second application, the PPD payload and the data identification record. When executed by the processor(s), the processor-executable instructions cause the processor(s) to transmit, by the second application and to a system log database: an encrypted PPD payload, an encrypted data identification record, and the unencrypted header. When executed by the processor(s), the processor-executable instructions cause the processor(s) to decrypt, by a third application of the processor-executable instructions and in response to a query of the system log database by a second network group for data contained in the unencrypted header, the encrypted PPD payload. The second network group includes users not authorized to view PPD. 
When executed by the processor(s), the processor-executable instructions cause the processor(s) to transmit, by the third application, a decrypted PPD payload to the second network group.”
The claims supplied by the inventors are:
“1. A method for managing workflow transactions including protected personal data (PPD) in a regulated computing environment, the method comprising: determining, by a first application, that a workflow transaction record of a first network group includes the PPD, wherein the first network group includes users authorized to view the PPD; in response to determining that the workflow transaction record includes the PPD, transmitting, by the first application, a packet to an encryption logging service application, wherein: the packet includes: a data identification record, a header, and a PPD payload including the PPD associated with the workflow transaction record; and the encryption logging service application is uniquely subscribed to by the first application; encrypting, by the encryption logging service application, the PPD payload and the data identification record; transmitting, by the encryption logging service application: an encrypted PPD payload, an encrypted data identification record, and the unencrypted header, to a system log database; in response to a query of the system log database by a second network group for data contained in the unencrypted header, decrypting, by the encryption logging service application, the encrypted PPD payload, wherein: the second network group includes users not authorized to view the PPD; and the encryption logging service application is uniquely subscribed to by the second network group; and transmitting, by the encryption logging service application, the decrypted PPD payload to the second network group.
“2. The method of claim 1, further comprising ascertaining, by the first application, an occurrence of a workflow transaction error, wherein determining that the workflow transaction record includes the PPD includes determining that the workflow transaction record is associated with the workflow transaction error.
“3. The method of claim 1, further comprising, in response to the query of the system log database, verifying, by the encryption logging service application and prior to decrypting the encrypted PPD payload, that a user making the query is authorized to view the PPD.
“4. The method of claim 1, further comprising securing, by the encryption logging service application, the decrypted PPD payload using token-based authentication technology.
“5. The method of claim 1, wherein decrypting the encrypted PPD payload includes assigning a security definition to the decrypted PPD payload for subsequent viewing thereof by the second network group.
“6. The method of claim 1, further comprising transmitting, by the encryption logging service application and in response to the query, a query data record to an audit application, wherein the query data record includes: a time/date stamp of the query, a user identifier for the querying user, and the data identification record.
“7. The method of claim 1, wherein determining that the workflow transaction record includes the PPD includes determining, by the first application, that the workflow transaction record includes at least one of: personally identifying information, and protected health information.
“8. A method for managing workflow transactions including protected personal data (PPD) in a regulated computing environment, the method comprising: registering a first network group for a first application, wherein the first network group includes users authorized to view the PPD; determining, by the first application, that a workflow transaction record of the first network group includes the PPD; transmitting, by the first application, a packet to a second application, wherein: the packet includes: a data identification record, a header, and a PPD payload including the PPD associated with the workflow transaction record; and the second application is uniquely subscribed to by the first application; encrypting, by the second application, the PPD payload and the data identification record, wherein the encrypting includes stateless key management; transmitting, by the second application: an encrypted PPD payload, an encrypted data identification record, and the unencrypted header, to a system log database; querying, by a second network group including users not authorized to view the PPD, the system log database for data contained in the unencrypted header; decrypting, by a third application and in response to the query by the second network group, the encrypted PPD payload, wherein: the third application is uniquely subscribed to by the second network group; and the decrypting includes assigning a security definition to a decrypted PPD payload for subsequent viewing thereof by the second network group; and transmitting, by the third application: the decrypted PPD payload to the second network group.
“9. The method of claim 8, further comprising ascertaining, by the first application, an occurrence of a workflow transaction error, wherein determining that the workflow transaction record includes the PPD includes determining that the workflow transaction record is associated with the workflow transaction error.
“10. The method of claim 8, further comprising, in response to the query of the system log database, verifying, by the third application and prior to the decrypting, that a user making the query is authorized to view the PPD.
“11. The method of claim 8, further comprising securing, by the third application, the decrypted PPD payload using token-based authentication technology.
“12. The method of claim 8, wherein assigning the security definition to the decrypted PPD payload includes assigning at least one of: a predetermined authorization, and a predetermined token end point scope, to the decrypted PPD payload.
“13. The method of claim 8, further comprising transmitting, by the third application and in response to the query, a query data record to a fourth application, wherein the query data record includes at least one of: a time/date stamp of the query, a user identifier for the querying user, and the data identification record.
“14. The method of claim 8, wherein determining that the workflow transaction record includes the PPD includes determining, by the first application, that the workflow transaction record includes at least one of: personally identifying information, and protected health information.
“15. The method of claim 8, wherein the second and third applications together compose an encryption logging service application.
“16. A non-transitory computer-readable storage medium including processor-executable instructions stored as software therein to manage workflow transactions including protected personal data (PPD) in a regulated computing environment, which, when executed by one or more processors, cause the one or more processors to: determine, by a first application of the processor-executable instructions, that a workflow transaction record of a first network group includes the PPD, wherein the first network group includes users authorized to view the PPD; in response to determining that the workflow transaction record includes the PPD, transmit, by the first application, a packet to a second application of the processor-executable instructions, wherein the packet includes: a data identification record, a header, and a PPD payload including the PPD associated with the workflow transaction record; encrypt, by the second application, the PPD payload and the data identification record; transmit, by the second application: an encrypted PPD payload, an encrypted data identification record, and the unencrypted header, to a system log database; decrypt, by a third application of the processor-executable instructions and in response to a query of the system log database by a second network group for data contained in the unencrypted header, the encrypted PPD payload, wherein the second network group includes users not authorized to view the PPD; and transmit, by the third application, a decrypted PPD payload to the second network group.
“17. The non-transitory computer-readable storage medium of claim 16, wherein, when executed by the one or more processors, the processor-executable instructions cause the one or more processors to encrypt the PPD payload and the data identification record using stateless key management.
“18. The non-transitory computer-readable storage medium of claim 16, wherein, when executed by the one or more processors, the processor-executable instructions further cause the one or more processors to: subscribe, by the first application, the second application uniquely to the first application; and subscribe, by the second application, the third application uniquely to the second network group.
“19. The non-transitory computer-readable storage medium of claim 16, wherein, when executed by the one or more processors, the processor-executable instructions further cause the one or more processors to assign, by the third application, a security definition to the decrypted PPD payload for subsequent viewing thereof by the second network group.
“20. The non-transitory computer-readable storage medium of claim 19, wherein, when executed by the one or more processors to assign the security definition to the decrypted PPD payload, the processor-executable instructions further cause the one or more processors to assign at least one of: a predetermined authorization, and a predetermined token end point scope, to the decrypted PPD payload.”
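The write and read paths described in claims 1, 3 and 6, as an added example that is not code from the patent application or its inventors. The class, method and field names, the choice of AES-256-GCM, and the reading of "stateless key management" as HMAC-based key derivation from the clear header are all assumptions; the sample record is constructed.

```javascript
const crypto = require('crypto');

// Assumption: "stateless key management" is modelled as re-deriving each record key
// from one master secret plus the clear header, so no per-record key is stored.
const recordKey = (master, header) =>
  crypto.createHmac('sha256', master).update(header).digest(); // 32 bytes -> AES-256

function seal(key, aad, plaintext) {
  const nonce = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, nonce).setAAD(Buffer.from(aad));
  const ct = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), ct]).toString('base64');
}

function open(key, aad, sealed) {
  const buf = Buffer.from(sealed, 'base64');
  const d = crypto.createDecipheriv('aes-256-gcm', key, buf.subarray(0, 12));
  d.setAAD(Buffer.from(aad)).setAuthTag(buf.subarray(12, 28));
  return Buffer.concat([d.update(buf.subarray(28)), d.final()]).toString('utf8'); // throws on tamper
}

class EncryptionLoggingService {
  constructor(master, authorizedUsers) {
    this.master = master;
    this.authorized = new Set(authorizedUsers);
    this.audit = []; // stands in for the audit application
  }
  // Write path: the header stays clear and searchable; ID and PPD are sealed,
  // each bound to the header and its own field name as associated data.
  log({ header, dataId, ppd }) {
    const key = recordKey(this.master, header);
    return { header, dataId: seal(key, header + '|id', dataId), ppd: seal(key, header + '|ppd', ppd) };
  }
  // Read path: the user is verified before any decryption and every query is audited.
  read(user, row) {
    const rec = { at: new Date().toISOString(), user, dataId: null, granted: false };
    this.audit.push(rec);
    if (!this.authorized.has(user)) throw new Error('user not authorized to view PPD');
    const key = recordKey(this.master, row.header);
    rec.dataId = open(key, row.header + '|id', row.dataId);
    const ppd = open(key, row.header + '|ppd', row.ppd);
    rec.granted = true;
    return ppd;
  }
}

// Constructed sample data, not taken from the patent application.
const svc = new EncryptionLoggingService(crypto.randomBytes(32), ['support-alice']);
const row = svc.log({ header: 'txn=8841 svc=claims status=ERROR',
                      dataId: 'rec-0017', ppd: 'name=Jane Doe; dob=1980-01-01' });
console.log(row); // what the system log database stores
```

Because the header is bound as associated data, a row whose header has been edited, or whose sealed fields have been swapped, fails authentication instead of decrypting.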
URL and more information on this patent application, see: Bartucca, James; Leach,