Patent number 8627103 is assigned to
The following quote was obtained by the news editors from the background information supplied by the inventors: "Advances in information and communication technologies bring with all their benefits also concerns with respect to security issues. Data no longer reside on mainframes physically isolated and located within an organization, where physical security measures can be taken to defend the data and the system. Modern solutions are heading towards open, interconnected environment where storage outsourcing and operations on untrusted servers happen frequently. The old server-centric protection model locks the data in a database server and uses a traditional access control model to permit access to data. To resolve this security problem, which is emphasized in the field of enterprise data management systems, grid computing, or other distributed/peer-to-peer data management systems, a data-centric protection (DRM-like) model is proposed where data is cryptographically protected and allowed to be outsourced or even freely float on the network. Rather than relying on different networks to provide the confidentiality, integrity and authenticity of data, insecure networks are assumed and data is protected at the end points of communication channel. Data will be encrypted and only authorized users which need to access the data will receive the decryption keys which in turn will allow them to decrypt the data. The DRM system ensures end-to-end confidentiality which from security point of view is a great improvement regarding control over data distribution and privacy of the different users, in particular in the medical healthcare world.
"In healthcare, however, access to data is very often given on an ad-hoc basis, e.g. in emergency situations. For the above described solution to be accepted by the medical world, it is imperative to include an emergency access possibility: the life of patients sometimes depends on the ability of care providers to access data. Even if security is an important feature, it is still less important than patient's safety. Any healthcare provider that is treating a patient must get access to the relevant data. In the data-centric protection models, this means he needs the keys that are used for encrypting the data. A previously suggested solution is based on the use of a trusted agent which releases data keys for medical data in the emergency cases.
"Normally, published DRM-protected data is encrypted and a License Server only issues licenses, i.e. decryption keys, to requesting users if they have enough rights for accessing the data. An emergency access is therefore difficult to handle in the sense that it represents an exception in the normal behavior of the system: the emergency care provider should be granted a license for decoding the data he wants to access even if he has no normal legitimate right on it. Legitimateness of access must consequently be proved later such that data privacy is eventually still ensured. Logging of emergency accesses is then required.
"In a previously suggested solution the emergency access control problem is how to issue emergency licenses and log such events. An infrastructure of trusted agents is deployed to issue an emergency license upon a request for emergency access. A new trusted and available component responsible for handling emergency situations, still enforcing data secrecy, is therefore needed. It will in fact consist of a parallel infrastructure that can be deployed at the same time as an existing DRM system.
"The emergency authority generates new emergency key pairs which are transmitted to all its emergency agents. In addition to that, only the public keys are sent to license servers, such that they can create emergency licenses for newly protected data. In addition to encrypting the content key with the intended user's public key, the license server will encrypt the content key also with the emergency key. All the private emergency keys must be known by every emergency agent such that data availability is ensured.
"However, the solution described above has several problems. First of all, if one of the emergency keys is compromised, a number of data items are affected, i.e. they are compromised too. In order to reduce the consequences the number of emergency keys could be increased (till using one emergency key per data item), which will consequently increase the number of keys the trusted agents have to manage and store (up to a key per data item). Obviously, this approach does not scale.
"Another problem is that at the time of establishing data protection and creation of emergency license the (supposedly secret) emergency key has to be known.
"Hence, an improved and simplified method for managing encrypted data items would be advantageous, and in particular a more simplified and/or reliable method of issuing decryption keys to healthcare providers in emergency situations would be advantageous."
In addition to the background information obtained for this patent, VerticalNews journalists also obtained the inventors' summary information for this patent: "Accordingly, the invention preferably seeks to mitigate, alleviate or eliminate one or more of the above mentioned disadvantages singly or in any combination. In particular, it may be seen as an object of the present invention to provide a method for encrypting and/or decrypting data items such as healthcare documents that solves the above mentioned problems of the prior art.
"This object and several other objects are obtained in a first aspect of the invention by providing a method of encrypting a data item having an identifier identifying the data item, the method comprising encrypting, using a symmetric encryption key, the data item to obtain an encrypted data item, and encrypting, using the identifier of the data item as an encryption key, the symmetric encryption key to obtain an encrypted encryption key.
"In an aspect of the invention there is provided a method of decrypting an encrypted data item, the encrypted data item being encrypted using an encryption key, the encryption key being encrypted, the method comprising providing a decryption key for decrypting the encrypted encryption key, using the provided decryption key for decrypting the encrypted encryption key to obtain the encryption key, and using the obtained encryption key for decrypting the encrypted data item to obtain the data item.
"The invention is particularly, but not exclusively, advantageous for use in healthcare for protecting patient related healthcare data items such as records, images etc.
"In an aspect, the invention relates to a computer program product being adapted to enable a computer system comprising at least one computer having data storage means associated therewith to control the encryption and decryption of data items and the management of the associated keys and licenses. Such a computer program product may be provided on any kind of computer readable medium, e.g. magnetically or optically based medium, or through a computer based network, e.g. the Internet.
"The aspects of the present invention may each be combined with any of the other aspects. These and other aspects of the invention will be apparent from and elucidated with reference to the embodiments described hereinafter."
URL and more information on this patent, see: Katzenbeisser, Stefan; Petkovic,
Keywords for this news article include: Information Technology,
Our reports deliver fact-based news of research and discoveries from around the world. Copyright 2014, NewsRx LLC