SECURE METHOD TO IDENTIFY AND RETRIEVE PATIENT INFORMATION
BACKGROUND OF THE INVENTION
The present invention relates in general to wireless access by medical providers to computerized data for medical patients, and, more specifically, to security methods for authenticating a person accessing a medical database and identification methods for choosing the records of a particular patient from the medical database.
Medical care of a patient depends greatly upon the generation, maintenance, and accessibility of medical records containing various patient information such as medical history, medical diagnostic data, treatments, dosages, allergic reactions, and many other types of patient data. Needed data must be readily retrievable at a moment's notice and should be easily transportable to where the medical provider needs it (e.g., in various rooms of a doctor's office or a hospital). Records have traditionally been kept in paper files that are normally stored in a central repository and are physically pulled from the repository when needed for use. Carrying large amounts of paper files around to different treatment areas would be inconvenient, so a subset of all the records of a particular patient may sometimes be extracted for immediate use. If not all the needed portions of the records are extracted then additional effort to return to the file repository and retrieve other records is required, thereby resulting in inefficient use of the time of the medical provider and their support staff.
Patient identification (e.g., patient's name) on paper records is typically entered manually. File sorting and filing of individual pages or documents in file folders is also done by hand. Both actions are subject to human errors so that information may be lost and/or associated with the wrong patient. Misidentifications may lead to errors in treatment, while missing records may lead to wasteful duplication of effort.
Due in part to the foregoing disadvantages, medical records are increasingly being kept in electronic format (e.g., computer files stored on various kinds of disks). Electronic storage reduces human errors, decreases office space requirements, and speeds up retrieval and updating of patient information. Such record systems are, however, not free from human errors. A patient could still be misidentified so that records of another patient would be retrieved. Furthermore, since records are often printed out for use, the paper copies can get mixed up with other printed records and the wrong ones inadvertently consulted when treating a patient.
The increased accessibility of electronic records leads to various data security concerns. In the United States, the Health Insurance Portability and Accountability Act (HIPAA) of 1996 is introducing security requirements related to the creation, use, storage, and transmission of patient information. Various safeguards are to be put in place to ensure privacy and to protect against unauthorized interception, dissemination, and alteration of patient records. Security standards include encryption standards, access and audit controls, and other requirements. As a result of such security considerations, however, electronic access to computerized records has yet to be realized in a convenient and freely-mobile solution.
SUMMARY OF THE INVENTION
The present invention has the advantages of making electronic records easily and securely accessible using a small handheld unit while eliminating patient misidentification errors and ensuring that only authorized personnel can access the records. In one aspect of the invention, a communication system for patient medical information comprises a wireless information appliance programmed to provide network encryption and browsing functions and including an information display and a wireless network transceiver. A biometric sensor is coupled to the wireless information appliance for collecting biometric data samples and transferring them to the wireless information appliance. A network server communicates with the wireless information appliance and is programmed to provide network encryption, access security, and record retrieval functions. A caregiver database stores caregiver biometric templates. A patient database stores patient biometric templates. A patient medical information database stores patient data for a plurality of patients. The access security function includes performing a first biometric comparison of a first biometric data sample with at least one of the caregiver biometric templates for controlling access to the patient medical information database via the wireless information appliance. The record retrieval function includes performing a second biometric comparison of a second biometric data sample with at least one of the patient biometric templates for selecting corresponding patient data.
BRIEF DESCRIPTION OF THE DRAWINGS
Figure 1 is a block diagram showing a wireless patient record retrieval system according to one preferred embodiment of the present invention.
Figure 2 is a front, plan view of a portable unit of the invention.
Figure 3 is a block diagram showing a portable unit in greater detail.
Figure 4 is a block diagram showing programming elements of a portable unit.
Figure 5 is a flowchart showing a preferred method of the present invention.
DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS
Referring to Figure 1, a conventional database of patient records 10 resides within a computing device interconnected in a computer data network, such as a local area network (LAN) or a wide area network (WAN). A server 11 is coupled to database 10 for providing network access to the data for clients within the data network by means of a server and security application 12. Server 11 may reside on the same computing device as patient records database 10 or may be on a separate device within the LAN or WAN, for example.
A wireless hub 13 is connected to server 11 for providing a network communication path to a wireless information appliance 14 such as a webpad, a mini-notebook, or other wireless PC in order to allow mobile access to patient records in database 10 via server and security application 12. A wireless network can be employed according to the IEEE 802.11b networking standard, for example, so that webpad 14 maintains a network connection to one or more wireless hubs throughout a doctors' office or hospital building. Server 11 and application 12 perform firewall and other security functions as known in the computer security art. In addition, a virtual private network (VPN) over a public data network such as the Internet can be used (such as a VPN based on health care VPN products from V-One Corporation).
Wireless information appliance 14 may be comprised of a WebPad available from Honeywell, Inc., a PenCentra or Stylistic pen tablet from Fujitsu PC Corporation, or an Airpanel wireless monitor from ViewSonic Corporation, among others. Client software, such as a database browser, executes on wireless appliance 14 allowing a user to remotely access patient records - provided the user can successfully authenticate within security application 12.
The present invention employs biometric identification for the dual purposes of authenticating the user that is accessing the patient records and determining the identity of the patient whose records are to be retrieved. This dual use of biometrics achieves a high level of security while eliminating potential errors of accessing records of the wrong patient.
A biometric sensor 15 is coupled to wireless appliance 14 and collects biometric samples for the biometric identifications. Biometric authentication involves the use of physical and/or behavioral characteristics of individuals to identify them and to control access to places or things. Biometric identification is highly reliable and accurate. Biometrics is also more convenient than other conventional authentication techniques (e.g., user IDs and passwords, PIN codes, and encoded identification cards) since there is nothing to remember or to carry which might be discovered or stolen. Based on an original measurement of a biometric characteristic (i.e., an enrollment), a person's identity can thereafter be verified automatically during authentication by resampling the characteristic and comparing the biometric data with the enrollment data. If a sufficiently close match is found, then the identity is verified. In addition to verification of an identity, biometric systems can also be employed to compare biometric data from an unidentified person with a database of biometric samples of a group of individuals in order to identify that person from the group.
After a biometric sensor acquires raw data of a desired characteristic, the data is typically processed mathematically in order to extract and format the meaningful features and to compress the data. Comparison of the processed verification or identification data with previously processed and stored enrollment data typically involves a mathematical analysis to quantify the "closeness" of the two data samples. A sensitivity threshold is chosen to delineate how close the samples must be in order to call them a match.
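The enrollment, verification and identification comparisons just described, written out as an added Python example (illustrative code, not software of the invention): short feature vectors stand in for the processed enrollment data, `distance` is the "closeness" measure, and one sensitivity threshold drives both a 1-to-1 verification and a 1-to-many identification. The templates, the probe samples and the thresholds 0.08 and 0.25 are constructed for illustration; `error_counts` shows how moving the threshold trades false rejects for false accepts.

```python
import math
from typing import Dict, List, Optional, Tuple

# Constructed enrollment templates: compact feature vectors standing in for the
# processed, compressed enrollment data the text describes. Values are
# illustrative only and are not derived from any real biometric.
ENROLLED_TEMPLATES: Dict[str, List[float]] = {
    "caregiver-0001": [0.10, 0.80, 0.30, 0.55, 0.20],
    "caregiver-0002": [0.70, 0.15, 0.60, 0.25, 0.90],
    "caregiver-0003": [0.40, 0.40, 0.85, 0.10, 0.50],
}


def normalize(features: List[float]) -> List[float]:
    """Scale a feature vector to unit length so overall sensor gain (lighting,
    pressure) does not dominate the comparison."""
    norm = math.sqrt(sum(f * f for f in features)) or 1.0
    return [f / norm for f in features]


def distance(a: List[float], b: List[float]) -> float:
    """Euclidean distance between two normalized vectors: the 'closeness'
    measure. Smaller means a closer match."""
    if len(a) != len(b):
        raise ValueError("feature vectors must have the same dimension")
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(normalize(a), normalize(b))))


def verify(sample: List[float], asserted_id: str,
           templates: Dict[str, List[float]], threshold: float) -> bool:
    """1-to-1 comparison: an identity is asserted and the sample is compared
    only against that identity's template."""
    template = templates.get(asserted_id)
    if template is None:
        return False  # an unknown identity is simply a non-match
    return distance(sample, template) <= threshold


def identify(sample: List[float], templates: Dict[str, List[float]],
             threshold: float) -> Optional[str]:
    """1-to-many comparison: the closest enrolled identity, or None if even
    the closest one lies outside the threshold."""
    best_id, best_distance = None, math.inf
    for identity, template in templates.items():
        d = distance(sample, template)
        if d < best_distance:
            best_id, best_distance = identity, d
    return best_id if best_distance <= threshold else None


def error_counts(trials: List[Tuple[List[float], str, bool]],
                 templates: Dict[str, List[float]], threshold: float) -> Tuple[int, int]:
    """Count (false rejects, false accepts) for a threshold over labelled
    trials of (sample, asserted_id, is_genuine). Tightening the threshold
    trades false accepts for false rejects, and vice versa."""
    false_rejects = false_accepts = 0
    for sample, asserted_id, is_genuine in trials:
        accepted = verify(sample, asserted_id, templates, threshold)
        if is_genuine and not accepted:
            false_rejects += 1
        elif accepted and not is_genuine:
            false_accepts += 1
    return false_rejects, false_accepts


# Constructed probe samples: a clean and a noisy resample of caregiver-0001's
# characteristic, and a different person whose features happen to be nearby.
GENUINE_SAMPLE = [0.12, 0.78, 0.32, 0.53, 0.22]
NOISY_GENUINE_SAMPLE = [0.15, 0.75, 0.36, 0.50, 0.26]
IMPOSTOR_SAMPLE = [0.20, 0.70, 0.40, 0.50, 0.30]
TRIALS = [
    (GENUINE_SAMPLE, "caregiver-0001", True),
    (NOISY_GENUINE_SAMPLE, "caregiver-0001", True),
    (IMPOSTOR_SAMPLE, "caregiver-0001", False),
]

if __name__ == "__main__":
    for threshold in (0.08, 0.25):
        print(threshold, identify(GENUINE_SAMPLE, ENROLLED_TEMPLATES, threshold),
              error_counts(TRIALS, ENROLLED_TEMPLATES, threshold))
```

Running it shows the trade-off the text leaves implicit: at 0.08 the noisy genuine resample is refused (one false reject, no false accept), while at 0.25 the nearby impostor is admitted (no false reject, one false accept). In this system the two comparisons carry different costs for the same error: a false accept on the caregiver comparison admits an unauthorized person to the records, whereas a false accept on the patient comparison attaches another patient's records to the person being treated, so the two thresholds need not be the same.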
Among the many biometric technologies that have become available are fingerprint analysis, hand geometry analysis, retina scanning, iris scanning, signature analysis, facial recognition, and voice analysis. Biometric sensor 15 may be comprised of a camera or other image sensor, for example, for performing facial recognition to identify or verify a medical caregiver or other user requesting access to patient records and then for performing a second facial recognition to identify or verify the target patient. It is possible that different types of biometrics could be used for the separate identifications. One sensor capable of multiple types of biometrics could be used (e.g., an image sensor for facial analysis, fingerprint analysis, or iris scanning), or multiple sensors could be deployed.
A caregiver biometric template database 16 may preferably be contained within server 11 for use by security application 12 when performing a biometric identification. Templates in database 16 are collected in advance in connection with the enrollment of each authorized caregiver to use the medical records system. Each caregiver may be further associated with predetermined access levels for having various read and/or write access to portions of the patient records in database 10. A database 17 stores patient biometric templates and patient IDs. The patient IDs are the ones used in patient records database 10 to differentiate between individual patients. Each patient biometric template can be enrolled at the beginning of the provision of medical care to the patient (e.g., when registering at the beginning of a hospital stay). Database 17 preferably resides on the same device as patient records database 10, but may be on a different device within the data network.
Figure 2 shows an example of a mobile device of the present invention. Wireless information appliance 14 includes a touch-sensitive display screen 20, which may display patient information via a text window 21 and a graphics window 22, for example. Data input and program selections may be made by tapping screen 20 using a stylus (not shown) or by using push buttons 23, for example.
Sensor 15 is mounted to wireless appliance 14 for easy collection of biometric samples. For instance, a camera may be mounted for swiveling to allow a caregiver to first authenticate themselves using facial recognition and then point the camera toward a patient to quickly and accurately determine the correct patient ID for the patient's records. Once a biometric sample is collected, it is wirelessly transmitted to the system server for performing the biometric comparisons.
Figure 3 shows functional elements of wireless appliance 14 including a microcontroller 25 coupled to a memory 26. An input/output (I/O) interface 27 couples microcontroller 25 to sensor 15, touch-sensitive display 20, and push buttons 23. Microcontroller 25 is further connected to a network interface/wireless transceiver 28 having an antenna 29. In connection with the biometric identifications, microcontroller 25 executes programming pre-stored in memory 26 (or dynamically loaded during interaction with the system server via Java byte code, for example) to operate sensor 15 to collect biometric samples that are sent to transceiver 28 for forwarding to the system server.
As shown in Figure 4, programming of wireless appliance 14 preferably includes a browser application 30 which receives user requests such as record access requests (which initiate biometric identifications of the caregiver and the patient) and read or write requests within specific patient records, for example. A camera driver 31 (or other corresponding driver when using a different type of biometric sensor) interfaces with application 30 to collect a desired biometric sample for transmitting through application 30 to the system server for processing. Certain of the wireless communications (e.g., transmission of the patient records themselves) must be protected by encrypting at least the transmitted data portion of network packets. An encryption/decryption block 32 decrypts received data and encrypts sent data as necessary.
A preferred method of the present invention shown in Figure 5 begins with the collection of caregiver biometric templates and storage of the templates within the data network in step 40. The authentication database of the database security application is preferably set up with access permission levels associated with the caregiver enrolled with each biometric template. A patient biometric template is collected and stored in step 41. Each patient template is associated with a unique patient ID, preferably comprised of the same patient ID employed by the patient records database for the individual being biometrically enrolled.
When a caregiver desires to access a patient record using the mobile wireless information appliance, the database browser application is launched on the appliance. In step 44, a biometric scan of the caregiver is performed in order to collect a biometric sample. The caregiver may be prompted to enter or select an asserted identity (e.g., by inputting a caregiver ID name or number or selecting from a list) so that a biometric verification is performed. Alternatively, a biometric identification by comparing the biometric sample to all caregiver templates can be performed so that no asserted identity is needed. The biometric sample is transmitted to the system server and a check is made in step 45 to determine whether a matching caregiver template is found (i.e., either a 1-to-1 comparison for a verification or a 1-to-many comparison for an identification). If no match is found then a return is made to step 44 to reacquire a biometric sample to try again.
Once a caregiver is authenticated, a biometric scan for a biometric sample of the patient is performed in step 46. Once again, the caregiver may be prompted to enter or select an asserted identity, but this time of the patient. Use of an asserted identity may increase confidence in the system identification. Furthermore, a verification can typically be performed in less time than a 1-to-many identification. Alternatively, a biometric identification by comparing the biometric sample to all patient templates can be performed so that no asserted identity is needed. The biometric sample is transmitted to the system server and a check is made in step 47 to determine whether a matching patient template is found. If no match is found then a return is made to step 46 to reacquire a biometric sample to try again.
After a caregiver is authenticated and a patient ID has been determined as a result of the biometric comparisons, then in one preferred embodiment, a patient summary or other starting screen may be automatically transmitted to the wireless information appliance. In step 48, a check is made to determine whether the caregiver indicates a read request for specific information (e.g., a database field or group of fields or a stored report). Such an indication may be made by tapping an item label on a summary screen, for example. A check is made in step 50 to determine whether the authenticated caregiver has the appropriate permission level to access the patient information identified by the read request. If not, then an error message may be displayed and a return is made to step 48 to await further requests. If the caregiver has sufficient permission, then the requested data is encrypted and sent to the wireless appliance over the wireless link in step 51. 3DES encryption may preferably be used. At the receiving end, the transmitted data is decrypted by the wireless information appliance and then displayed to the caregiver in step 52. If there is no read request in step 48, then a check is made in step 53 to determine whether a write request has been made. If not, then a return is made to step 48 to continue to wait for requests. If a write request is detected, then a check is made in step 54 to determine whether the authenticated caregiver has sufficient authorization to perform the requested writing operation. If sufficient authority is lacking, then an error message may be displayed and a return is made to step 48, otherwise the caregiver may be prompted for entering the new data in step 55. The new updated data is encrypted and sent over the wireless link in step 56. In step 57, the system server decrypts the wirelessly received data and then updates the corresponding patient record. Then a return is made to step 48.
Preferably, the access method of the present invention may be transaction-based. In other words, the caregiver may continue to access patient information of the identified patient during one visitation (e.g., for a predetermined amount of time). To access patient records of another patient, both biometric comparisons (i.e., to reauthenticate the caregiver and to identify the new patient ID) would preferably be performed.
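The server side of steps 44 through 57, together with the transaction rule just stated, as an added Python model (example code, not the invention's software): a session is opened only after the caregiver comparison (1-to-1 when an identity is asserted, otherwise 1-to-many) and the patient comparison both succeed; every read or write is then checked against the session's expiry, its bound patient and the caregiver's permission level, and each decision is written to an audit trail. The matcher is a plain Euclidean nearest-template check, the 15-minute visit window, the 0.1 threshold, the read/write-set form of the access levels and all enrollment vectors and records are assumptions of this example, and encryption of the wireless link is not modelled.

```python
import math
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

Vector = Tuple[float, ...]

@dataclass(frozen=True)
class Caregiver:
    # Enrolled template plus the record fields this caregiver may read or write
    # (the page's "predetermined access levels"; the read/write-set form is assumed).
    template: Vector
    readable: FrozenSet[str]
    writable: FrozenSet[str]

@dataclass
class Session:
    # One "visitation": bound to one caregiver and one patient, and time-limited.
    caregiver_id: str
    patient_id: str
    expires_at: float

class RecordServer:
    SESSION_SECONDS = 15 * 60  # assumed visit window (the page's "predetermined amount of time")
    THRESHOLD = 0.1            # assumed sensitivity threshold for a biometric match

    def __init__(self, caregivers: Dict[str, Caregiver], patient_templates: Dict[str, Vector],
                 records: Dict[str, Dict[str, str]]) -> None:
        self.caregivers, self.patient_templates, self.records = caregivers, patient_templates, records
        self.audit: List[Tuple[float, str]] = []  # (time, event): the audit control the text calls for

    def _closest(self, sample: Vector, templates: Dict[str, Vector]) -> Optional[str]:
        # Simplified matcher: nearest template by Euclidean distance, if within the threshold.
        best = min(((math.dist(sample, t), tid) for tid, t in templates.items()), default=None)
        return best[1] if best is not None and best[0] <= self.THRESHOLD else None

    def start_session(self, caregiver_sample: Vector, patient_sample: Vector, now: float,
                      asserted_caregiver: Optional[str] = None) -> Optional[Session]:
        # Steps 44-47: caregiver check (1-to-1 if an identity is asserted, else 1-to-many),
        # then patient identification. Nothing is reachable until both succeed.
        if asserted_caregiver is None:
            candidates = {cid: c.template for cid, c in self.caregivers.items()}
        else:
            known = self.caregivers.get(asserted_caregiver)
            candidates = {asserted_caregiver: known.template} if known else {}
        caregiver_id = self._closest(caregiver_sample, candidates)
        if caregiver_id is None:
            self.audit.append((now, "caregiver authentication failed"))
            return None
        patient_id = self._closest(patient_sample, self.patient_templates)
        if patient_id is None:
            self.audit.append((now, f"{caregiver_id}: patient identification failed"))
            return None
        self.audit.append((now, f"{caregiver_id}: session opened for {patient_id}"))
        return Session(caregiver_id, patient_id, now + self.SESSION_SECONDS)

    def _deny_reason(self, session: Session, patient_id: str, field: str,
                     write: bool, now: float) -> Optional[str]:
        # Steps 50 and 54: every request is re-checked against the session it arrives in.
        if now > session.expires_at:
            return "session expired"
        if patient_id != session.patient_id:
            return "session bound to a different patient"  # both biometric checks must be redone
        caregiver = self.caregivers[session.caregiver_id]
        if field not in (caregiver.writable if write else caregiver.readable):
            return ("write" if write else "read") + " permission denied"
        return None

    def read(self, session: Session, patient_id: str, field: str, now: float) -> Tuple[bool, str]:
        # Steps 48-52 on the server side; link encryption of the reply is not modelled here.
        reason = self._deny_reason(session, patient_id, field, False, now)
        if reason:
            self.audit.append((now, f"{session.caregiver_id}: read {field} denied: {reason}"))
            return False, reason
        return True, self.records[patient_id].get(field, "")

    def write(self, session: Session, patient_id: str, field: str, value: str,
              now: float) -> Tuple[bool, str]:
        # Steps 53-57 on the server side.
        reason = self._deny_reason(session, patient_id, field, True, now)
        if reason:
            self.audit.append((now, f"{session.caregiver_id}: write {field} denied: {reason}"))
            return False, reason
        self.records[patient_id][field] = value
        self.audit.append((now, f"{session.caregiver_id}: wrote {field} for {patient_id}"))
        return True, "updated"

# Constructed enrollment data and probe samples (illustrative vectors, not real biometrics).
CAREGIVERS = {
    "dr-adams": Caregiver((1.0, 0.0, 0.0), frozenset({"summary", "allergies", "medications"}),
                          frozenset({"medications"})),
    "nurse-baker": Caregiver((0.0, 1.0, 0.0), frozenset({"summary", "allergies"}), frozenset()),
}
PATIENT_TEMPLATES = {"P-1001": (0.0, 1.0, 0.0), "P-1002": (0.0, 0.0, 1.0)}
RECORDS = {"P-1001": {"summary": "under observation", "allergies": "penicillin", "medications": "none"},
           "P-1002": {"summary": "day surgery", "allergies": "none", "medications": "none"}}
DR_SAMPLE, NURSE_SAMPLE = (0.95, 0.05, 0.0), (0.03, 0.97, 0.02)
PATIENT_SAMPLE, STRANGER_SAMPLE = (0.02, 0.98, 0.03), (0.5, 0.5, 0.5)

def build_server() -> RecordServer:
    # Fresh copy of the records per server so one run's writes do not leak into another.
    return RecordServer(CAREGIVERS, PATIENT_TEMPLATES, {p: dict(r) for p, r in RECORDS.items()})
```

Two design points worth noting. The session carries the patient ID that the biometric comparison produced, so a request naming any other patient is refused rather than served; that is what makes the transaction rule enforceable on the server instead of depending on the appliance to ask for a fresh scan. And the permission check runs on every request against the caregiver's enrolled access level, so a caregiver who can read a field but not write it (nurse-baker above can read nothing in the medications field at all) gets a denial and an audit entry rather than a silent success.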