Providing Fine-Grained Access at the Data Element Level
Edmond Scientific’s Security Labeling Service, or SLS (patent pending), is a standards-based, cloud-based service that helps you control the access and distribution of sensitive information based upon content. The SLS understands and interprets the security implications of data elements at runtime by examining the contents of the data stream and classifying elements according to various security classification systems, ontologies, or instructions before labeling the information for proper enforcement of RBAC or ABAC fine-grained access controls.
Data or documents enter the SLS workflow from different interfaces including manual processing, automatic processing invoked by external requests, or batch processing. The data is then parsed and interpreted by the SLS. There are two main SLS submodules for processing: the submodule that processes structured data elements of a document or data stream, and the submodule that processes unstructured, narrative or freeform data through a Natural Language Processing (NLP) engine. The parsers and the processing submodules record sufficient metadata for each sensitivity so that once detected, it can be traced back to the specific location in the document or data element for validation or reconstruction.
The parser output is an abstract data structure independent of the input formats, which decouples the rest of the labeling workflow from any specific document format and makes the core labeling service agnostic to the document format. This abstract data structure is then fed to the labeling service, where three important modules are invoked:
- Adding security classification, sensitivity and confidentiality labels based on the effective labeling rules,
- Optionally, invoking protective services to transform the document based on the access control rules and redact, mask, or annotate the document (or parts thereof) with handling instructions, and
- Computing the high-water mark labels based on the fine-grained labels assigned to underlying data elements or document sections. The high-water mark labels can be assigned to higher-level sections, an entire document, or the event/relationship (for RelBAC).
The labeling rules, including both security labeling rules and privacy protective rules, can be modified and maintained by administrators of the system via a user interface.
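The labeling, high-water mark and protective steps above, sketched in Python as an added example (not Edmond Scientific's code). The level names and their ordering, the rule table, the codes and the sample record are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Assumed ordering of confidentiality levels, lowest to highest (not from the page).
LEVELS = ["normal", "restricted", "very-restricted"]

# Constructed labeling rules: structured code -> (level, rationale).
RULES = {
    "DX-100": ("restricted", "substance-use diagnosis"),
    "DX-200": ("very-restricted", "psychotherapy note"),
}

@dataclass
class Node:
    """Format-independent element: a leaf has a code and value, a section has children."""
    name: str
    code: str = ""
    value: str = ""
    children: list = field(default_factory=list)
    label: str = "normal"  # assumption: codes with no matching rule stay at the lowest level

def label_tree(node, path="", report=None):
    """Label leaves from RULES, then raise each section to the highest label beneath it."""
    report = [] if report is None else report
    here = f"{path}/{node.name}"
    if node.code in RULES:
        node.label, why = RULES[node.code]
        # Record location and rationale so a reviewer can trace the label back.
        report.append({"location": here, "code": node.code,
                       "label": node.label, "rationale": why})
    for child in node.children:
        label_tree(child, here, report)
        # High-water mark: a parent is never labeled lower than any descendant.
        node.label = max(node.label, child.label, key=LEVELS.index)
    return report

def redact(node, clearance):
    """Return a copy in which leaf values above the requester's clearance are masked."""
    hidden = LEVELS.index(node.label) > LEVELS.index(clearance)
    value = "[REDACTED]" if hidden and not node.children else node.value
    return Node(node.name, node.code, value,
                [redact(c, clearance) for c in node.children], node.label)

def sample_document():
    """Constructed sample record, not real data."""
    return Node("record", children=[
        Node("demographics", children=[Node("name", "DM-001", "Jane Roe")]),
        Node("problems", children=[
            Node("problem1", "DX-100", "constructed diagnosis A"),
            Node("problem2", "DX-900", "constructed diagnosis B")])])
```
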
The outcome of the workflow is a labeled and transformed document together with a labeling report. The report provides the quality assurance information needed to reconstruct and validate correct processing. It includes the processing steps; metadata such as the labeling rationale and the location within the document, so that results can be traced back during manual review and quality assurance; any sensitive context and mapped codes that the NLP detected in unstructured text; and the rules that were applied in the labeling process. This lets a manual reviewer verify the labeling outcome for quality control, or for auditing in case of complaints, and it cues manual reviewers when the SLS has detected questionable or uncertain results during automated processing.
Core Features of the SLS include:
- Assigns security labels based on the structured codes that appear in the record by matching them against a set of rules, ontologies, or classification guides.
- Unlimited number of rules supported
- Integrated NLP for determining sensitivity in unstructured, narrative portions of a document or resource.
- Integrated Protective Service able to redact, mask, or encrypt portions of a document or record.
- Implemented either as a cloud-based or network-based service
- Localized UMLS concept data source
- API supporting multiple data streams.
Core Features of the NLP Engine include:
- Built on top of an open source, mature, robust search engine
- Flexibility for additional tuning
- Annotates unstructured text with explicit and implied clinical codes
- Model (rules) for understanding clinical narrative texts
- Sentence boundary detection
- Supports acronyms and abbreviations
- Supports special medical dictionaries
- Contextual analysis to distinguish between common acronyms
- Negation and Conditional Detection
- Reference and Currency Detection
For more information about industry-specific applications, see:
SLS use in Finance and Administration