Algorithm could improve hospital records security

Published 9 July 2010

An algorithm secures patients’ records by ensuring that access to information is available to those who need it, but only when necessary; for example, once a patient has been admitted to hospital, the admissions staff do not necessarily need access to the patient’s records anymore; in many hospitals, those staff members nonetheless continue to have access to every record on file; using the algorithm, those staffers would only be able to access the patient’s record during admission processing; after that, they would find your information unavailable

A computer security invention patented a decade ago at the U.S. National Institute of Standards and Technology (NIST) is now poised to help safeguard patient privacy in hospitals.

The invention — an algorithm that can be built into a larger piece of software — is designed to control access to information systems and has attracted the attention of a company that is putting it to use in the healthcare field.

John Barkley, the algorithm’s creator, said the idea could solve one of the pervasive issues in the healthcare system. “We think this software will provide dramatically improved security and privacy to patients,” added Barkley, now retired from NIST’s Software and Systems Division and consulting with Boston, Massachusetts-based Virtual Global, which is commercializing the product. “It solves the problem of overly broad access to patient information, which is widespread.”

The Engineer reports that, in essence, the patent covers a method of ensuring that access to information is available to those who need it, but only when necessary. For example, at a hospital, the patient admission procedure involves a number of steps, and in each step someone needs access to the patient’s medical records for a specific purpose, such as registering the patient or verifying their insurance information.

Once you’ve been admitted to hospital, the admissions staff don’t necessarily need access to your records anymore. But in many hospitals, those staff members nonetheless continue to have access to every record on file,” Barkley said.

Using the algorithm we patented, those staffers would only be able to access your record during admission processing. After that, they would find your information unavailable — though the doctor who was treating you would still have access to it.”

NIST released a Small Business Innovation Research (SBIR) solicitation in an effort to find a company to develop a product from the patent in 2008, which happened to be when Virtual Global was searching for a way to protect electronic records for its clients.

The company purchased the rights to it shortly thereafter and integrated the invention into its HealthCapsule cloud platform. Virtual Global is now using HealthCapsule to create a pilot security system for LIFE Pittsburgh, a long-term care facility.