Text data and image data, particularly data of medical relevance such as findings, diagnostic images or patient data, are increasingly stored and handled electronically. Electronic handling requires particular measures that make data access operations and data alterations reconstructable. In the health sector especially, a large proportion of electronic data must be classified as confidential, which calls for data protection provisions to the effect that every user of the data is unambiguously identified and authenticated, that every access to or use of the data is documented together with the identity of the user (“auditing”), and that access to patient-related data is granted only to authenticated users (“access control”).
In this context, identification is the explicit, individual naming of the user, i.e. the claim of a particular identity; authentication is the verification of that claim, for example by a password or a token; and authorization is the granting of particular data access rights to the user so authenticated. The three build on one another: authorization presupposes authentication, and authentication presupposes identification.
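As an added example (not part of the original text), the following Python sketch keeps the three steps named above apart: identification (does the claimed user exist?), authentication (does the supplied secret verify against the stored salted hash?) and authorization (does the verified user hold the right for this action?), and it writes an audit record naming the identified user for every outcome. The user names, passwords and roles are constructed sample data; the `Directory` class stands in for whatever the operating system or a directory service would provide.

```python
import hashlib
import hmac
import os


def hash_password(password, salt, iterations=100_000):
    # Salted, iterated hash so stored verifiers are not reversible offline.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


class Directory:
    """Stand-in for the OS user database or a directory service (hypothetical)."""

    def __init__(self):
        self._verifiers = {}   # user_id -> (salt, pbkdf2 hash)
        self._rights = {}      # user_id -> set of permitted actions
        self._dummy_salt = os.urandom(16)

    def add_user(self, user_id, password, rights):
        salt = os.urandom(16)
        self._verifiers[user_id] = (salt, hash_password(password, salt))
        self._rights[user_id] = set(rights)

    def identify(self, claimed_id):
        # Identification: is the claimed identity known at all?
        return claimed_id if claimed_id in self._verifiers else None

    def authenticate(self, user_id, password):
        # Authentication: verify the claim. Constant-time comparison avoids
        # leaking how many bytes of the hash matched.
        salt, stored = self._verifiers[user_id]
        return hmac.compare_digest(hash_password(password, salt), stored)

    def burn_time_like_authenticate(self, password):
        # Called for unknown users so that a failed login takes the same time
        # whether or not the user exists (no username enumeration via timing).
        hash_password(password, self._dummy_salt)

    def authorize(self, user_id, action):
        # Authorization: rights are looked up only for an authenticated user.
        return action in self._rights.get(user_id, set())


class Session:
    def __init__(self, user_id, audit):
        self.user_id = user_id
        self.audit = audit


def login(directory, claimed_id, password, audit):
    """Identification and authentication; returns a Session or None."""
    user = directory.identify(claimed_id)
    if user is None:
        directory.burn_time_like_authenticate(password)
        audit.append("LOGIN_FAIL user=%r reason=unknown_user" % claimed_id)
        return None
    if not directory.authenticate(user, password):
        audit.append("LOGIN_FAIL user=%s reason=bad_credential" % user)
        return None
    audit.append("LOGIN_OK user=%s" % user)
    return Session(user, audit)


def access(directory, session, record_id, action):
    """Authorization plus audit record; every attempt is logged with its user."""
    if session is None:
        raise PermissionError("no authenticated session")
    allowed = directory.authorize(session.user_id, action)
    session.audit.append("ACCESS %s user=%s record=%s action=%s" % (
        "OK" if allowed else "DENIED", session.user_id, record_id, action))
    return allowed


def build_sample_directory():
    # Constructed sample users; a physician may read and write findings,
    # a technician may only read them.
    d = Directory()
    d.add_user("dr_mueller", "Befund-2024!", {"read", "write"})
    d.add_user("mta_schulz", "Modalitaet#7", {"read"})
    return d


if __name__ == "__main__":
    d = build_sample_directory()
    audit = []
    s = login(d, "dr_mueller", "Befund-2024!", audit)
    access(d, s, "patient-42", "read")
    access(d, s, "patient-42", "delete")
    login(d, "nobody", "x", audit)
    print("\n".join(audit))
```

Each audit line carries the identified user, which is exactly what a shared logon destroys: if several people authenticate as one account, the log still names only that one account.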
This gives rise to the following demands. For clear documentation, every user must be individually identifiable. To protect the data against unauthorized access, mechanisms at different software levels are conceivable, and how easily a mechanism can be bypassed depends on the level at which it is enforced. A mechanism enforced at a lower level, in the extreme case by the operating system itself, applies to every program that touches the data rather than to a single application, and therefore offers fewer opportunities for bypass and more robust access protection.
Access rights for security-critical or medically relevant data, particularly personal data and patient data, are therefore implemented at operating system level as far as possible. A user who is to have comprehensive access rights must then be logged on, as an operating system user, to a system that can grant access to the data; a user who is to have less comprehensive access rights need only be logged on as an application user within the application software.
One possible system for handling such electronic data is a medical workstation, for example a “modality” that records and edits findings data and image data. Such a workstation is typically used by a number of people at short intervals, each of whom alternates quickly between caring for the patient and operating the appliance; one and the same workstation is thus used by many users in quick succession, who in turn attend to many patients. From the point of view of rationalization and economy of work, changing between users and between patients should therefore take place as quickly as possible.
Other systems for handling confidential electronic data are used, by way of example, in research, in the financial sector, in law or in demographic matters. In principle, personal data and data requiring secrecy need to be regarded as confidential to the same degree.
Since the data in question are generally regarded as in need of protection to a particular degree, the users must be authenticated as securely as possible. On the basis of what has been said above, authentication should thus be implemented at operating system level. The consequence is that a change between different users is possible only by logging on to the operating system afresh.
In the systems used today, however, logging on to the operating system afresh is very time-consuming: the current operating system session has to be ended, in many systems by restarting the operating system, and in addition the application program used to edit the data has to be terminated and started again. This time-consuming restart makes the greatest possible access security unworkable on workstations that are used by frequently and rapidly changing users, and therefore unacceptable in practical applications that are regularly under time pressure.
Conventional medical workstations, and other workstations operating with confidential data, therefore have data protection systems that usually either prevent multiple use of the workstation from the outset or, in daily use under time pressure, provoke deliberate bypassing of the security system: the various users dispense with logging on to the system individually and instead share one and the same common system logon. A common system logon also makes it far harder to document which user performed a given access to the security-critical data, since the system cannot distinguish between different people using the same logon, and any audit record then names only the shared account.