The increasing specialization and complexity of medical care has vastly increased the paperwork and record keeping that must be maintained by doctors, nurses, and other hospital staff persons. This has created an interest in performing routine record keeping, such as that of statistics generated by patient monitoring instruments or of medication dispensed for a patient's care that is typically performed by staff persons, in a more efficient, automatic, and reliable way. The rapid growth of network technologies has also created an interest in using the tools of the Internet to create a hospital Intranet, to link discrete hospital databases and make their data, images, and video records commonly accessible through a remote Internet/Intranet browser. The ease, however, with which electronically stored information may be intercepted and reproduced for illicit purposes has prompted increasing concerns regarding the privacy and authenticity of electronic information. Privacy and authenticity of patient information are particularly important concerns in a hospital.
Gombrich, U.S. Pat. No. 4,916,441 discloses an electronic health care management system using a portable handheld pocket terminal for use by medical staff personnel to upload data from medical instruments and monitoring devices, document and track observations and treatment, display scheduling information, and transmit stored information to the hospital's patient care database. Gombrich et al., U.S. Pat. No. 4,857,716 further discloses the use of barcodes on patient bracelets and patient-specific medical items such as drugs, blood samples, and IVs to be read by a portable handheld pocket terminal with a barcode reader used to provide an audit trail and automatic billing when drugs, therapy, or procedures are administered to patients. However, the pocket terminal of Gombrich is a general-purpose, not user-specific, device and does not automatically enable information exchange. In order to gain access, a caregiver is required to slide a separate card into a separate base unit connected to a base station in order to access the device. Therefore, the pocket terminal is not well-suited as a personal security and identification badge for a particular caregiver. The information gathering capabilities of the Gombrich device are also limited. The Gombrich system contemplates the use of a barcode reading wand to provide access, upload information, and authorize the administration of treatments and use of medical devices. Further, the Gombrich system lacks secure decryption and digital signature means. Even if it were adapted so that the public and private keys of a cryptographic system were encoded upon a user's access card, the user would have to slide the card through the base unit every time a message was to be decoded, encrypted, or digitally signed, or in the alternative, compromise the security of the cryptographic system by uploading the user's public and private key rings onto the pocket terminal.
What is needed is a comprehensive data collection, management, and security system where information that is stored by a variety of hospital devices, such as patient monitors and bedside patient charting systems, would transmit information to an electronic "security badge" worn by a doctor or nurse authorized to care for the patient with whom the hospital device is related. The information exchange would take place automatically when the doctor or nurse came into proximity with the patient and pressed an activation button, and would be downloaded, automatically, to the hospital computer network when the doctor or nurse logged on to a computer terminal.
A data collection and management system further needs means for limiting and monitoring access by a multitude of users to a hospital computer network including a multitude of computer workstations and personal computers. Virtually all data regarding a patient's treatment in a hospital, clinic, or doctor's office is thought to be private. The problem of access control and data security is particularly acute in hospitals. Because hospitals operate around the clock, with multiple shifts and staff persons moving from one floor or one wing of the hospital to another, hospitals are unlikely to assign a computer terminal to a particular user. Further, a hospital presents an almost unique problem of having computer terminals or workstations with sensitive personal data in an unsecured environment. Computer terminals or workstations may be placed in unsupervised patient rooms, conference rooms, or nurse stations. Each such device may be able to retrieve all the records for any patient who has been in the hospital. Standard password protection presents only a small amount of security, as many password choices are easily guessed. If the password is complex, users often write it down and leave it near a computer terminal or workstation where others may easily discover the password.
Restricted access systems today range from the simple to the sophisticated. It is typical for multiuser network systems to require a user to log on by entering a name and password to gain access to system information. The user is typically admonished to log out when leaving the workstation environment to prevent unauthorized access. The system may automatically log a user off after a predetermined period of inactivity. For users who must access the system frequently but intermittently, short inactivity periods for automatic logout will be a source of constant inconvenience. Alternatively, if long inactivity periods are used, another user may inadvertently use the terminal under the previous person's security authorization. Moreover, some users may frequently choose obvious or easily ascertainable passwords that can easily be broken. Others may write them down and store them where they may be easily intercepted. While this may not be a significant problem with personal computers in one's home or locked office, stronger and more reliable security is appropriate for sensitive information where computer terminals are shared by many or are located in open locations where others could eavesdrop.
Another restricted access system involves the use of user-specific password-generating devices. Typically, a user seeking access to a secure system is presented a code or instruction on a system terminal screen. The user enters the code or the information demanded by the instruction, via manual entry or optical coupling, into his own password generating device. The password generating device then calculates a second code based upon the user's input and an encryption algorithm stored by the device, and displays this second code to the user for entry into the computer terminal or workstation. After the user enters the second code, the computer terminal or workstation then performs a verification check on it to confirm its creation by the password calculator of an authorized user of the computer terminal or workstation. If confirmed, the user is granted access in accordance with the user's system access privileges.
Yet another restricted access system requires a user to insert an authorization card, e.g. a PCMCIA card, into a computer card reader to authorize access and to authenticate information entered at the computer terminal with the user's digital signature. One potential weakness of such a system is that a hidden program could present documents for signature without the proper control of the user. Another weakness with these implementations is the relatively high risk that an authorized user will forget to or fail to remove his card from the card reader before he leaves the terminal, a risk that is particularly acute for a nurse or doctor who may have to leave a terminal in emergency situations to attend to a patient's care. Also, the loss of the card will result in a significant inconvenience to the owner and the system administrator.
Lemelson, in U.S. Pat. No. 5,202,929 and U.S. Pat. No. 5,548,660, discloses an access control system utilizing detection devices such as speech recognition equipment and fingerprint scanners to analyze one or more physical characteristics of a person attempting access to a computer. The system also incorporates physical presence sensors such as motion detectors and limit switches embedded in seat cushions to track the presence of an authorized user so as to prevent continued access to the system when the authorized user leaves or is absent. This system, however, is primarily directed to accessing desktop computer terminals on a sensitive computer network and is not easily adaptable to restricting access to laptops, portable instruments, medical equipment such as respirators, or electronically-controlled medication dispensers. Moreover, the implementation of the Lemelson invention requires a significant amount of detection equipment and analysis software, which may not be adaptable to the cost, space, and portability requirements of many devices for which restricted access and auditing control is desired.
There is also a need, for purposes of patient protection, quality control, record keeping, billing, and forensics, to monitor, control, and record access to the dispensation and administration of medicine, IVs, blood transfusions, and other treatments as well as the collection, administration, and testing of blood and tissue samples.
Gorman, U.S. Pat. No. 5,272,318 discloses a locked container bearing a barcode which can only be opened by means of a combination that is stored in the memory of a portable barcode scanning device. In order to ascertain this combination, the medical administrator must scan his own administrator code, the barcode on a patient's bracelet, and the barcode on the locked container within a preset time period. If the patient and treatment codes match, the combination is displayed so the administrator may unlock the container and apply the medication stored in the container. However, the access control of the Gorman invention could easily be subverted by writing down the combination that is displayed and opening the container at a later time. As soon as the combination was provided, the inventory sought to be controlled could be tampered with or misappropriated for illegitimate purposes without detection. Also, the container itself is not equipped with both read and write capabilities. Consequently, it does not perform any record keeping of its own, because the invention as disclosed does not record access, attempted or otherwise, to the container. Better inventory control would be provided if auditing could be performed on the containers themselves as they are returned for recycling. Moreover, an improvement could be made through the use of internal codes such as public and private keys rather than visible barcodes to inhibit attempts to overcome the limited access safeguards of the system.
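The following is an added illustration, not code from the patent or from any of the cited systems, of the challenge-response login performed by the user-specific password-generating device described above; the same mechanism also shows why a fixed displayed combination, as in the Gorman container, can be written down and replayed while a fresh challenge-bound response cannot. It assumes an HMAC shared secret per user in place of the unspecified "encryption algorithm" of the text, an 8-digit response code, and a 60-second validity window; the class and user names are constructed.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 8      # assumed: short enough for a user to type from the device display
CHALLENGE_TTL = 60   # assumed policy: seconds a displayed challenge remains valid


def derive_response(secret: bytes, challenge: str) -> str:
    """Both sides compute the same numeric code from the displayed challenge.
    HMAC-SHA256 is truncated to CODE_DIGITS decimal digits."""
    mac = hmac.new(secret, challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"


class PasswordGenerator:
    """The user's own device: it holds the secret and only ever emits responses."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def respond(self, challenge: str) -> str:
        return derive_response(self._secret, challenge)


class Workstation:
    """The verifier: issues a fresh, single-use, time-limited challenge per login
    attempt, so a response copied from one login is useless for the next."""

    def __init__(self, user_secrets: dict):
        self._user_secrets = user_secrets   # user -> enrolled device secret
        self._pending = {}                  # user -> (challenge, issue time)

    def issue_challenge(self, user: str, now=None) -> str:
        challenge = secrets.token_hex(8)    # random, never reused
        self._pending[user] = (challenge, time.time() if now is None else now)
        return challenge

    def verify(self, user: str, response: str, now=None) -> bool:
        pending = self._pending.pop(user, None)   # consumed on first use (no replay)
        if pending is None or user not in self._user_secrets:
            return False
        challenge, issued = pending
        if (time.time() if now is None else now) - issued > CHALLENGE_TTL:
            return False                          # stale challenge
        expected = derive_response(self._user_secrets[user], challenge)
        return hmac.compare_digest(expected, response)   # constant-time compare
```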