AU2011100244A4 - Rotating Time-Based Authentication For Medical Data Card Security - Google Patents

Rotating Time-Based Authentication For Medical Data Card Security

Publication number
AU2011100244A4
Authority
AU
Australia
Prior art keywords
password
user
time
access
algorithm
Legal status
Ceased
Application number
AU2011100244A
Inventor
Peter Foster
Michael Sandow
Current Assignee
Idatamap Corp Pty Ltd
Original Assignee
Idatamap Corp Pty Ltd
Priority claimed from AU2010900908A
Application filed by Idatamap Corp Pty Ltd
Application granted
Publication of AU2011100244A4
Assigned to iDataMap Corporation Pty Ltd (Request to Amend Deed and Register; assignor: IDATAMAP PTY LTD)
Legal status: Ceased

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • G PHYSICS
    • G16 INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
    • G16H HEALTHCARE INFORMATICS, i.e. INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR THE HANDLING OR PROCESSING OF MEDICAL OR HEALTHCARE DATA
    • G16H10/00 ICT specially adapted for the handling or processing of patient-related medical or healthcare data
    • G16H10/60 ICT specially adapted for the handling or processing of patient-related medical or healthcare data for patient-specific data, e.g. for electronic patient records
    • G16H10/65 ICT specially adapted for the handling or processing of patient-related medical or healthcare data for patient-specific data, e.g. for electronic patient records stored on portable record carriers, e.g. on smartcards, RFID tags or CD
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2117 User registration
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2137 Time limited access, e.g. to a computer or data
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/88 Medical equipments

Description

ROTATING TIME-BASED AUTHENTICATION FOR MEDICAL DATA CARD SECURITY

FIELD OF THE INVENTION

The present invention relates to a method for providing secure data access in data storage, access, processing and communication systems, in general. The invention addresses issues of allowing secure access to a plurality of general data repositories by a trusted group of individuals. This invention is of particular but by no means exclusive application in the provision of widespread, secure access of medical data records by members of a registered medical body.

BACKGROUND OF THE INVENTION

In many fields, such as the medical industry, defence industries and financial services industries to name but a few, data security is of prime importance. In the case of the medical industry, the patient record is one of the primary tools for diagnosis. The patient record is of the utmost privacy to the individual; however, it does not have the same security requirements as, for example, defence or financial services.

Over a lifetime, an individual's medical records are often distributed over a range of locations, often separated by large distances. Even though this medical information is regularly needed, its wide distribution over multiple locations does not lend itself to efficient communication. Each time you change location or require medical attention away from your local health care provider, you are required to complete an information sheet providing such information as contact details and a medical history summary.

This replication of information, stored by each health care provider each time you change location, change name should you get married, or each time you require medical attention, poses a huge burden on the healthcare system. This also leads to the problem of not having up to date medical information on file at each of the above multitude of locations and different health providers.
For example, if you were to attend a different medical health provider, your primary healthcare provider (or general practitioner) would not receive any details of the treatment which was carried out by the alternate healthcare provider. The primary patient medical record would therefore be incomplete.

Even when records are available between practitioners, they are primarily in the form of paper-based charts or local computer databases which are structured and maintained by each health care provider. The combination of paper-based charts and incompatible computer database records contains voluminous handwritten encounter notes, test results, files, hospital discharge summaries, diagnostic evaluations, laboratory results, images, etc. The difficulty of reviewing, extracting and communicating vital information quickly from this disjoint patient record is daunting.

Various industry bodies and medical associations around the world are attempting to move medical records into an electronic format. Electronic records offer the patient a more portable and potentially complete health care record with associated benefits in patient care. There are enormous benefits to combining a patient's entire medical record from disparate providers across many disciplines into one central repository. Expedient access to a patient's entire healthcare record can often be life saving, not to mention the vast cost saving this method of data record offers the industry in day-to-day operational expenses.

In the case of medical imaging alone, the cost savings of electronic records can be huge. Consider one Magnetic Resonance Imaging (MRI) patient study. MRI studies offer a three dimensional view of the body. Such a study typically results in dozens or hundreds of images of individual 'slices' through the body. Traditionally, this would have resulted in dozens of acetate film images at a substantial cost.
An electronic method of record delivery would also allow sophisticated three dimensional rendering of the body, which would allow a medical practitioner to view the internal structures of interest from multiple angles and rotate the image in space to get a better view of the particular condition, be it a bone fracture, an internal organ or indeed a tumour. Furthermore, provision of the original copies on acetate film risks loss or accidental damage to the only medical record.

On a broader scale, management of the entire patient record could be handled electronically. This would include, among other things, basic medical histories, results of tests, treatment histories and medical imaging studies. If the entire patient healthcare record could be managed electronically in a standard format it would save money and allow efficient interchange of data between multiple healthcare providers.

Health Level 7 (HL7) is an international community of healthcare subject matter experts and information scientists collaborating to create standards for the exchange, management and integration of electronic healthcare information. HL7 promotes the use of such standards within and among healthcare organizations to increase the effectiveness and efficiency of healthcare delivery for the benefit of all.

Efforts such as the Health Level 7 initiative offer a positive step forward for records management at the highest level. Standardisation of patient information will allow disparate records of a patient to be stored in a central repository. Such standards also increase the portability of health care records. Portability of a medical record raises the additional serious issue of privacy and security. In addition to the security concerns, the centralised approach relies heavily on high speed Internet access.

For some medical records, the current speed of internet connections makes centralised record management possible, while for other records, such as medical imaging studies, internet bandwidth remains a severe limitation to broad adoption. This is particularly the case where a clinician wishes to view electronically stored medical images in a timely manner or during surgery.

In response to the lack of sufficient internet bandwidth, portable electronic storage devices have been proposed for healthcare records (Journal of the National Cancer Institute, Volume 99, Number 4, pp. 268-269) and (http://en.wikipedia.org/wiki/Personalhealthrecord). There are many competing technologies, including medical cards with barcodes, magnetic stripes, optical and microprocessor chip technology. These card technologies are competing for industry-wide acceptance. Some of these devices require special electronic equipment to be installed in all locations for reading and writing to the various media, making them unattractive propositions both economically and logistically.

One technology for portable medical record management is particularly attractive: the Universal Serial Bus (USB) flash drive. USB is the ubiquitous peripheral connection standard for personal computers. Their compact size, plug-n-play operation, ease of use, ubiquity and ruggedness make them the stand out choice. The USB flash drive consists of a USB interface circuit and large scale flash memory. Such a device is automatically recognized by a computer's operating system once inserted in the front panel connector, and the records can be made available immediately. USB flash drives are now a commodity item, commonly available for just a few dollars including over a gigabyte of memory. They are available in a wide variety of shapes and sizes, including credit-card sized devices that can easily be carried in the patient's wallet.
USB 2.0 devices operate at 480 Mb/s, which provides adequate bandwidth for most applications. The new USB 3.0 specification increases the bus speed to 5 Gb/s, providing all the bandwidth needed for medical records management for the foreseeable future. USB is a platform that has broad acceptance and strong industry support. New generations of the technology will be released as bandwidth requirements increase, offering a consistent upgrade path for the platform. This is the obvious platform of choice for a portable medical records device.

The question of data security still remains. USB flash drives offer excellent performance, cost and ease of use, but that same ease of use typically means data is accessible by anyone within seconds of the device being attached to the PC.
The USB protocol is a standard in the computer industry, and modifying the USB protocol or architecture to provide security would remove the advantages of using a widely available and widely implemented architecture. The data on the USB bus is passed through an insecure USB software layer, and this data is also available to any device on the bus. Thus, there has been a need for a way to provide the benefits of USB connectivity and compatibility with existing USB devices and systems, while allowing for increased security.

There are numerous inventions that disclose methods of securely accessing data stored on a variety of physical storage media. For example, Yen (US Patent 7,467,407) discloses a USB memory card with encryption to enhance data security. The USB memory card of Yen's disclosure employs a random number generator and multiple layers of encryption using a symmetric algorithm. This disclosure aims to provide secure access to a given card by an individual who has access to a specific encryption key or password.

The invention of Ray et al. (US Patent 7,469,343) provides for encryption/decryption facilities in a security module to be provided for a USB device. Specifically, Ray's invention provides for communications between a device and a secure component, such as commands requesting data from the device, the data returned by that device back to the system and setup commands for configuring the device, to be securely handled, even where those commands and data are passing over insecure hardware and/or software to get to the secure component. The encryption/decryption of Ray's disclosure may be provided in a physically separate apparatus, for example a piece of hardware (a "dongle") that is placed in the connecting wire between the USB device and the host, or hardware that a USB device plugs into, or as a separate device into which an unmodified USB device plugs. Alternately, the encryption/decryption facilities may be built in to the device, for example a keyboard with hardware encryption/decryption built in, or integrated into the functionality of the upstream hub. This approach depends on a hardware "dongle" approach to security wherein a plurality of physical devices and secure software layer(s) act to provide on-the-fly encryption and decryption of packets, thereby providing a secure link over the insecure USB medium.

England et al. take security yet a step further with their invention (US Patent 7,478,235). Typically, secure data is under threat of unauthorised access and manipulation when it is transferred or moved about the computer. This is particularly the case when moving data across physical buses such as USB, in which the data propagates through a plurality of third party devices (such as hubs) before ending up on the destination device. England et al. describe a method of providing authenticated and confidential messaging between software executing on a host (e.g. a secure software application or security kernel) and devices operating on a USB. This invention teaches secure encryption techniques to provide protection against observation and manipulation of data on the bus and through the driver stack. England et al. provide a secure data tunnel between the USB device and the secure application/kernel operating on the host computer. In this scenario USB devices can be designated as "secure" and hence data sent over the USB to and from such designated devices can be provided into protected memory. While this form of encryption is very secure, it does not address the common requirement of a plurality of trusted users accessing a common plurality of data sets.

Wilson (US Patent Application 20070016452) discloses a method for managing patient medical records in a universal format, presumably according to some defined standard such as Health Level 7, using a USB Flash Drive.
The invention of this disclosure teaches a method for providing a portable electronic medical record to the patient on said USB Flash Drive. This invention includes the steps of installing software on a primary care physician's computer system, wherein said software maps the primary care physician's electronic database records for the patient to said USB Flash Drive. The USB Flash Drive is also loaded with an HTML index page by said software for public (insecure) viewing of the patient's general health information, being a subset of the entire medical record.

Wilson teaches that in the case of a medical emergency, an emergency room staff member can display the patient's general health information but will not be allowed to view the complete patient history without the patient's consent. If the patient is aware of the need for additional information, then he or she can grant access to information located on the USB Flash Drive. However, if the patient is unable to authorise access to the additional information that may be required for proper treatment, the emergency room staff must contact the patient's primary care physician, via the primary physician's contact information located in said HTML index page. When the health care service provider (emergency room) contacts the patient's primary care physician and appropriate security protocols have been adhered to, the primary care physician can provide an entire record (or relevant subset thereof) of the patient's medical history to said emergency room healthcare provider.

The process of patient approval for a new healthcare provider to access the medical record stored on the USB flash drive requires that the patient is conscious, cognisant of the request for access to the card and able to remember the access password. Each of these requirements places a severe limit on the usefulness of the portable electronic medical record in times of critical need for information. Furthermore, if the primary healthcare provider is unable to be contacted in a timely fashion, potentially life saving healthcare information may be locked away from emergency healthcare providers, even though they physically have access to said USB flash drive storage media.

SUMMARY OF THE INVENTION

In all of the prior art, methods, systems and apparatus are disclosed that allow a data repository to be secured with access only provided to authorised parties. Access to a particular party is only granted upon that party being provided a specific pass key, be that a password, encryption key or otherwise. These disclosures usually also teach of applications that require ultra-secure data.
Thus, it is an object of the present invention to provide a method and system of providing secure access to a plurality of data repositories by a trusted group of individuals. Furthermore, said data repositories do not generally require the highest levels of security due to the nature of the data.

In a first broad aspect the present invention provides a method and system of authenticating an individual, said individual being a member of a trusted group of users, and providing said individual with a password for access to a plurality of data repositories, the method comprising:

said individual registering a plurality of pieces of information with an authentication node;
said authentication node creating a unique password from said information; and
said authentication node transmitting said unique password to said individual.

Said plurality of pieces of information may contain both publicly available pieces of information, such as a unique medical provider number, and private information such as a date of birth, driver's licence number, clinician's college of surgeons membership number, etc.

In a preferred embodiment, a medical clinician accesses an authentication node, which may be provided by a country's medical registration board. Said clinician authenticates themselves with said authentication node by providing their health system registration number (which is a unique but publicly available identifier) plus several pieces of private information, such as a date of birth, address and college of surgeons membership number. Upon successful authentication of the clinician's identity, said authentication node generates a unique password based purely on said unique identifier (or a combination of a plurality of identifiers) using a hash generator (or code generation algorithm) for said clinician and transmits said unique password to said clinician via a predetermined secure pathway, such as e-mail or Short Message Service (SMS) on mobile phone.

A hash generator is routinely used to obscure information. Common forms of hash generators are the 'md' series of generators, such as 'md5'; 'sha' generators such as 'sha256' and 'sha512'; and 'crc' generators such as 'crc32'. Custom hash generators or code generation algorithms are also intended for use with the present invention.

Furthermore, said unique password may be encrypted before transmission. The key for decoding said encrypted password may be one of said pieces of information provided to said authentication node.

Said clinician accesses any given repository by entering their said unique identifier and password. Said plurality of data repositories contain the same said hash generator and can compare said unique identifier with said password for authentication. In this way a plurality of data repositories, namely portable patient file systems (for example, but not limited to, USB memory cards), may be accessed by any authenticated clinician by simply using said unique health system registration number and said unique password. Said portable patient file systems may contain the patient's entire health record, a subset of their health record, digital imaging studies, etc.

It is a further object of this invention that said plurality of portable patient file systems record access of their contents in a log file. In this way, a permanent and traceable record of clinician access to a given repository is maintained for patient privacy reasons.

It is furthermore envisaged that said patient data repository may be a device with connectivity provided by, for example, USB, Bluetooth, Firewire, Ethernet, Light Peak or Thunderbolt, among other connectivity standards. It is also envisaged that said data repository may be contained in a mobile telephone. In this way, any authenticated clinician would be able to securely view patient records stored on said mobile telephone, possibly via a Bluetooth connection, with a log file recording said clinician's access.
This has significant advantages for emergency medicine and trauma patient care.

It is a further object of the present invention to augment the security features of a secure data repository by utilising a rotational time code access algorithm. According to this broad aspect, said unique password is only valid for a limited period of time, preferably a date-defined time window. By way of example, a different hash generator may be used in each defined time window as a way of providing secure access. In this case, said unique password is then generated using said unique identifier and said date window.

Said plurality of repositories may determine the date by accessing the date functions of the computer system to which they are attached and storing a 'last accessed time' record of said time within their structures, or may preferably contain a real time clock. Furthermore, in the case of determining a current date using the system time of an attached computer system, a record may be kept in said repository of the most recent chronologically valid time code retrieved. That is, the repository's record of 'last accessed time' is only updated if the current time derived from the computer system is later than the recorded 'last accessed time'. This would prevent someone from fooling the system by setting their local computer system to a past date to gain access using an old pass code.

The clinician must renew their password periodically by connecting to said authentication node and retrieving said new password. In other words, this is equivalent to retrieving the new hash of their previous password (which may in fact be their medical services provider number). This provides an additional layer of security as passwords are generated periodically and are only valid for a limited period of time. Furthermore, the authentication node may advise said clinician of an impending date for the end of the current password's window of acceptance. Advice may be by SMS or preferably e-mail, wherein said e-mail would preferably contain a link to an online authentication node for regeneration of a password for the forthcoming period of time.

Therefore in a second broad aspect the present invention provides a method and system of granting secure access to a data repository via a rotational time code authentication, the method comprising:

a user connecting to an authentication and password generation node;
said user providing said authentication node with uniquely identifying information;
said password generation node transforming said uniquely identifying information according to a transformation algorithm based on a current date and time to provide a unique password; and
delivering said unique password to said user, wherein said unique password provides access to said data repository for said user and is valid for a predetermined period of time.

In a preferred embodiment, said data repository also maintains a copy of said plurality of transformation algorithms. In this way, said data repository is able to calculate and authenticate the unique password for a given user at the particular date and time that said user is attempting to access said repository.

In a particularly preferable embodiment, said transformation algorithm changes its cipher code periodically. For example, said cipher code changes every six months so that a valid code today would not be valid six months from now. This is an additional safety feature ensuring that old passwords expire after a certain period of time: the cipher code that the password relates to is replaced periodically.

Preferably said data repository maintains a notion of the current date and time. Furthermore, it is preferable for said repository to maintain said notion of time in a format that is unalterable.
That is, it maintains a real-time register or counter that is independent of external influences and always maintains an accurate notion of time to an arbitrary degree, preferably with a battery backup of said real time.

The current embodiment of the present invention can apply equally to a plurality of repositories, whereby each of said repositories contains a copy of said transformation algorithm and a notion of real time. In this way a plurality of patient health records can be accessed by a trusted group of clinicians using a generic password authorisation process, with additional security provided by the password's limited access window of time. When said window of time has expired, said password generation node is able to provide a new password for the forthcoming period of time. It is also obvious that said new password may be generated before expiration of the previous time window.

It should be noted that said clinician access of said plurality of repositories is in addition to the patient's own password access of their own medical history repository.

It is envisaged that said password generation node is accessible via the internet, and preferably via a secure shell layer. Said uniquely identifying information is preferably a plurality of GUIDs relating to the specific hardware configuration of said remote system.

Personal computer component manufacturers provide a Globally Unique Identifier (GUID) for each major component, such as hard drive, motherboard, graphics card, etc. This is equivalent to a serial number but generally takes the form of a unique string of characters, typically a 128-bit integer. The combination of several such GUIDs provides a very secure and robust way of identifying a particular personal computer. A plurality of such GUIDs therefore provides a further level of security, guaranteeing that even if password security is breached, access to the repository can only be provided from a particular personal computer, which itself has both physical security of location and typically an additional layer of password protection.
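The rotating time-window scheme of the first and second broad aspects above (password derived from the public provider number and the date window through a generator shared by node and repositories, the repository's forward-only 'last accessed time', and the access log), as an added worked example in Python; this is not the patent's or iDataMap's code. It assumes six-month windows, HMAC-SHA256 with a constructed shared key standing in for the shared hash generator, and constructed provider numbers.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import date

# Constructed demo key. In the patent the secret shared by the authentication
# node and every repository is the hash generator itself; here that role is
# played by the key of an HMAC-SHA256 (an assumption made for illustration).
GENERATOR_KEY = b"constructed-demo-key-not-for-production"


def date_window(day: str) -> str:
    """Label the six-month window an ISO date falls in, e.g. '2011-H1' for Jan-Jun."""
    d = date.fromisoformat(day)
    return f"{d.year}-H{1 if d.month <= 6 else 2}"


def window_end(day: str) -> str:
    """Last day of the window; the node uses this to warn of an impending expiry."""
    d = date.fromisoformat(day)
    end = date(d.year, 6, 30) if d.month <= 6 else date(d.year, 12, 31)
    return end.isoformat()


def window_password(provider_number: str, day: str) -> str:
    """Node side: derive the period password from the public provider number and
    the date window. Truncated to 10 hex characters so it can be typed; the
    length is illustrative only."""
    msg = f"{provider_number}|{date_window(day)}".encode()
    return hmac.new(GENERATOR_KEY, msg, hashlib.sha256).hexdigest()[:10]


@dataclass
class Repository:
    """A portable patient file system (e.g. a USB card) that carries the same
    generator, a forward-only 'last accessed time' record and an access log."""
    patient: str
    last_accessed: str = "0001-01-01"
    log: list = field(default_factory=list)

    def trusted_date(self, host_clock: str) -> str:
        # The stored time only moves forward: a host clock earlier than the last
        # recorded access is ignored, so rolling the PC clock back cannot revive
        # a password from an expired window.
        if date.fromisoformat(host_clock) > date.fromisoformat(self.last_accessed):
            self.last_accessed = host_clock
        return self.last_accessed

    def authenticate(self, provider_number: str, password: str, host_clock: str) -> bool:
        """Recompute the password for the trusted date and compare in constant
        time. Every attempt, granted or denied, is written to the log."""
        now = self.trusted_date(host_clock)
        expected = window_password(provider_number, now)
        granted = hmac.compare_digest(expected.encode(), password.encode())
        self.log.append((now, provider_number, "granted" if granted else "denied"))
        return granted


if __name__ == "__main__":
    # Constructed walk-through: password issued in H1, used in H1, then in H2.
    card = Repository("patient-card-01")
    pw = window_password("MED123456", "2011-03-01")
    card.authenticate("MED123456", pw, "2011-05-15")   # same window: granted
    card.authenticate("MED123456", pw, "2011-08-01")   # next window: denied
    card.authenticate("MED123456", pw, "2011-05-15")   # clock rolled back: denied
    for entry in card.log:
        print(entry)
```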
Therefore in another embodiment of the second broad aspect the present invention provides a method and system of enabling a secure means of transmitting passwords from a host system to a remote system, comprising:

a user connecting their local personal computer (PC) to a password generation node;
said user providing said authentication node with uniquely identifying user information;
said password generation node sending a query request to said local PC requesting unique identifying information;
said local PC reporting said uniquely identifying PC information to said password generation node;
said password generation node creating a record of said uniquely identifying information of said user's PC;
said password generation node creating a password for said user which relates only to said user's local PC; and
said password generation node transmitting said password to said user.

According to this embodiment, access to said repository is only provided to said user by delivering said user's said password from said user's local PC. Said repository also queries the PC from which access is sought for its uniquely identifying information. Said uniquely identifying PC information is combined with said password and said user's unique identifier by said repository, and access is only granted when all information is correct (i.e. the cipher is correct). In this way, said password is much more secure because it will only grant access to said repositories using said user's specifically authenticated local PC. Therefore the cipher is unique to the PC. This provides an additional layer of security for the repositories: passwords, which are occasionally transmitted across potentially insecure means, are only applicable to repository access from the specifically authenticated PC.
Furthermore this multi-layer password/access mechanism may also be applied on top of a hardware-based security means (such as a silicon-based cipher chip) for increased security. Said uniquely identifying information is preferably a plurality of GUIDs relating to the specific hardware configuration of said remote system. In a preferred embodiment said password generation node is accessible via the internet, and preferably via a secure shell or https layer.

A further embodiment of this broad aspect of the invention is envisaged by the password generation node placing a cookie on said local PC which must be used in combination with the cipher in order to successfully decrypt user ID and password to access the repository.

In a third broad aspect the present invention provides a method and system of enabling a secure means of transmitting passwords from a host system to a remote system, comprising:

a user connecting said remote system to said host system;
said user providing said host system with uniquely identifying user information;
said host system sending a query request to said remote system requesting uniquely identifying information;
said remote system reporting said uniquely identifying information to said host system;
said host system creating a record of said uniquely identifying information provided by said remote system, wherein said host system uses said uniquely identifying information to encode or encrypt said password prior to transmission to said remote system;
said host system creating and encoding a password for said user using said record of uniquely identifying information; and
said host system transmitting said encoded password to said remote system.

Said uniquely identifying information is preferably a plurality of GUIDs relating to the specific hardware configuration of said remote system.
Said method of enabling a secure means of transmitting passwords from a host system to a remote system further comprises:

said host system creating a generic password decoder algorithm; and
said host system transmitting said generic password decoder algorithm to a plurality of similar remote systems for decoding passwords.

In a preferred embodiment, decoding said password by said generic password decoder algorithm on said remote system comprises:

receiving an encoded password from said host system;
querying said remote system for said uniquely identifying information; and
running said generic password decoder algorithm, wherein said uniquely identifying information and said encoded password are used as input data to generate said password.

In this way, only the specific hardware of the remote system can decode said encoded password, providing extra security in password transmission across potentially insecure media.

Patient medical information is not as critical as other forms of information such as financial information and there are varying degrees of sensitivity. It is imperative that a patient's medical history, records or files be provided in a format that cannot be altered by a third party. General health information such as blood group or allergies is generally regarded to be of greatest benefit to the patient if it is freely available. Patient test results and imaging studies are considered private and should only be accessed by consent of the patient. However there are circumstances, such as medical emergencies, where the provision of this private information to the attending medical practitioner is very beneficial.

Different types of files should only be able to be added to the patient record by different medical disciplines. For example, only medical imaging providers such as radiologists should be able to add medical imaging files to a patient record.
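The third broad aspect above (host encodes the password against the remote PC's reported GUIDs, and a generic decoder on the remote recovers it only from its own GUIDs) worked through as an added Python example; this is not code from the patent or its assignee, the GUID strings and password are constructed, and the fingerprint/keystream/tag construction is one assumed way of realising the "generic password decoder algorithm".

```python
import hashlib
import hmac

TAG_LEN = 16  # bytes of integrity tag appended to the encoded password


def fingerprint(guids):
    """Canonical digest of the PC's hardware GUIDs; order-independent so the
    remote may enumerate its hardware in a different order than it reported."""
    h = hashlib.sha256()
    for g in sorted(guids):
        h.update(g.encode("utf-8") + b"\x00")
    return h.digest()


def keystream(fp, length):
    """Deterministic keystream derived only from the GUID fingerprint. The
    fingerprint is the sole key material, so the scheme is as strong as the
    secrecy of the GUIDs; that is exactly the trade-off the patent describes."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(fp, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def host_encode(password, reported_guids):
    """Host system: encode the password against the GUIDs the remote reported,
    and append a tag so a wrong PC gets a clean failure rather than garbage."""
    fp = fingerprint(reported_guids)
    pw = password.encode("utf-8")
    body = bytes(p ^ k for p, k in zip(pw, keystream(fp, len(pw))))
    tag = hmac.new(fp, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


def generic_decoder(encoded, local_guids):
    """Generic decoder shipped to every remote system: returns the password
    only if the local hardware GUIDs match the host's record, else None."""
    if len(encoded) < TAG_LEN:
        return None
    body, tag = encoded[:-TAG_LEN], encoded[-TAG_LEN:]
    fp = fingerprint(local_guids)
    expected = hmac.new(fp, body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None  # different hardware or tampered message: fail closed
    return bytes(c ^ k for c, k in zip(body, keystream(fp, len(body)))).decode("utf-8")
```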
Furthermore if basic medical information is to be accessible by anyone then the patient must authorise its addition to this part of the medical record. It is prudent however for a medical practitioner to be jointly adding this information. For example, if a patient wants to add their blood group to this part of the record it is important that a medical practitioner co-signs this data as accurate. It could be disastrous if a patient was given the wrong blood type based on said patient incorrectly adding their blood type record.

In a fourth broad aspect the present invention provides a multi-layer secure access for medical health information with various layers of access including:

viewing basic health information only;
adding basic health information;
viewing medical imaging files;
adding medical imaging files;
viewing video files;
adding video files;
viewing notes and test results;
adding notes and test results;

wherein the various levels of authorisation are not mutually exclusive.

It should be noted that the various features of each of the above aspects of the invention can be combined as desired and are specifically intended to be combined. In addition, apparatuses according to the invention can be embodied in various ways.

BRIEF DESCRIPTION OF THE DRAWINGS

In order that the present invention may be more clearly ascertained, an embodiment will now be described, by way of example, with reference to the accompanying drawing, in which:

Figure 1 is a schematic representation of an ideal workflow. A medical image (for example, x-ray or MRI) is transferred to a USB memory device, carried with the patient to their referring doctor or clinician, who views the images on a local personal computer;
Figure 2 is a schematic representation or flowchart of a clinician password generation process according to a first broad aspect of the present invention;
Figure 3 is a schematic representation or flowchart of the process of a clinician accessing a patient's medical health record, wherein said clinician can access any such medical health repository by virtue of being a trusted clinician;
Figure 4 is a schematic representation or flowchart of a further security measure wherein passwords are protected by a hash generator, said passwords and/or hash generator being modified periodically to increase security further;
Figure 5 is a schematic representation or flowchart of the process whereby a clinician member of said trusted group retrieves a password from a central authorisation node.
Modifications within the scope of the invention may be readily effected by those skilled in the art. It is to be understood, therefore, that this invention is not limited to the particular embodiments described by way of example hereinabove and that combinations of the various embodiments described herein are readily apparent to those skilled in the art.

In the preceding description of the invention, except where the context requires otherwise owing to express language or necessary implication, the word "comprise" or variations such as "comprises" or "comprising" is used in an inclusive sense, that is, to specify the presence of the stated features but not to preclude the presence or addition of further features in various embodiments of the invention. Further, any reference herein to prior art is not intended to imply that such prior art forms or formed a part of the common general knowledge.

Claims (5)

1. A method of granting secure access to a plurality of portable data repositories each having a notion of time via a rotating time-based authentication, comprising:
a user accessing a password generation node;
said user providing said password generation node with uniquely identifying information;
said password generation node validating the identity of said user;
said password generation node using an algorithm to generate a unique password for said user, said algorithm using at least a current date parameter to generate said unique password; and
delivering said unique password to said user;
wherein said unique password provides said user access to any of said plurality of portable data repositories for a predetermined period of time.
2. A system for providing secure access to a plurality of portable, secure, encrypted data cards containing private patient medical information with a periodically changing authentication algorithm, comprising:
a user accessing a password generation node;
said user providing said password generation node with uniquely identifying information;
said password generation node validating the identity of said user;
said password generation node using an algorithm to generate a unique password for said user, said algorithm using at least a current date parameter to generate said unique password;
delivering said unique password to said user;
said user accessing any of said plurality of portable data repositories using at least said unique password;
wherein said unique password provides said user access to any of said plurality of portable data repositories within a window of time allowed by said algorithm.
3. A method or system as claimed in claim 1 or claim 2 respectively wherein said password remains valid for a defined period of time and each of said portable data repositories maintains a notion of the current time.
4. A portable, secure, encrypted data card containing private patient medical information to which access is granted for a trusted group of individuals such as qualified medical practitioners using a password generation and authentication system, wherein the algorithm for generation of said password uses at least a date-based parameter.
5. A portable, secure, encrypted data card as claimed in claim 4 wherein said data card maintains a notion of time, said notion of time being maintained by either an on-board real-time clock or an on-board record of the most recent chronologically valid time derived from the computer system to which said data card was attached.
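Claims 1, 3 and 5 worked through as an added Python example (not code from the patent or its assignee): the generation node derives a password from the validated user identity and the current date, and a card without a real-time clock keeps the most recent chronologically valid host time and checks the password against its own notion of time within a validity window. The HMAC construction, the shared node secret on the card, the three-day window and the dates are all assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
from datetime import date

WINDOW_DAYS = 3  # constructed: valid on the issue date plus the two following days


def derive_password(node_secret, user_id, day):
    """Password generation node: HMAC over the validated user identity and the
    current date, so the password rotates automatically with the calendar."""
    msg = f"{user_id}|{day.toordinal()}".encode("utf-8")
    digest = hmac.new(node_secret, msg, hashlib.sha256).digest()
    return base64.b32encode(digest[:5]).decode("ascii")  # 8 typeable characters


class DataCard:
    """Portable data repository with its own notion of time. This embodiment
    has no real-time clock: it records the most recent chronologically valid
    time reported by a computer it was attached to (claim 5)."""

    def __init__(self, node_secret, issued_on):
        self.node_secret = node_secret  # assumption: shared with the generation node
        self.last_valid = issued_on     # date the card was personalised

    def observe_host_time(self, host_day):
        """Adopt the host's clock only if it does not move backwards, so a
        rolled-back PC clock cannot revive an expired password."""
        if host_day < self.last_valid:
            return False
        self.last_valid = host_day
        return True

    def grant_access(self, user_id, password):
        """Accept the password for any issue date inside the window, judged
        against the card's own notion of time rather than the host's clock."""
        for days_back in range(WINDOW_DAYS):
            issue_day = date.fromordinal(self.last_valid.toordinal() - days_back)
            candidate = derive_password(self.node_secret, user_id, issue_day)
            if hmac.compare_digest(candidate.encode("ascii"), password.encode("utf-8")):
                return True
        return False
```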
AU2011100244A 2010-03-04 2011-03-04 Rotating Time-Based Authentication For Medical Data Card Security Ceased AU2011100244A4 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU2011100244A AU2011100244A4 (en) 2010-03-04 2011-03-04 Rotating Time-Based Authentication For Medical Data Card Security

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
AU2010900908A AU2010900908A0 (en) 2010-03-04 Method of Secure Data Access for A Trusted Group of Individuals
AU2010900908 2010-03-04
AU2011100244A AU2011100244A4 (en) 2010-03-04 2011-03-04 Rotating Time-Based Authentication For Medical Data Card Security

Publications (1)

Publication Number Publication Date
AU2011100244A4 true AU2011100244A4 (en) 2011-04-07

Family

ID=43806628

Family Applications (3)

Application Number Title Priority Date Filing Date
AU2011100243A Ceased AU2011100243A4 (en) 2010-03-04 2011-03-04 Multi-Layer Security Access For Medical Data Cards
AU2011100242A Ceased AU2011100242A4 (en) 2010-03-04 2011-03-04 Method Of Secure Data Access For A Trusted Group Of Individuals
AU2011100244A Ceased AU2011100244A4 (en) 2010-03-04 2011-03-04 Rotating Time-Based Authentication For Medical Data Card Security

Family Applications Before (2)

Application Number Title Priority Date Filing Date
AU2011100243A Ceased AU2011100243A4 (en) 2010-03-04 2011-03-04 Multi-Layer Security Access For Medical Data Cards
AU2011100242A Ceased AU2011100242A4 (en) 2010-03-04 2011-03-04 Method Of Secure Data Access For A Trusted Group Of Individuals

Country Status (1)

Country Link
AU (3) AU2011100243A4 (en)

Also Published As

Publication number Publication date
AU2011100242A4 (en) 2011-03-31
AU2011100243A4 (en) 2011-04-07


Legal Events

Date Code Title Description
FGI Letters patent sealed or granted (innovation patent)
MK22 Patent ceased section 143a(d), or expired - non payment of renewal fee or expiry
NA Applications received for extensions of time, section 223

Free format text: AN APPLICATION TO EXTEND THE TIME FROM 04 MAR 2012 TO 04 OCT 2012 IN WHICH TO PAY THE RENEWAL FEE HAS BEEN FILED .

NB Applications allowed - extensions of time section 223(2)

Free format text: THE TIME IN WHICH TO PAY THE RENEWAL FEE HAS BEEN EXTENDED TO 04 OCT 2012 .

MK22 Patent ceased section 143a(d), or expired - non payment of renewal fee or expiry