DETAILED ACTION
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
This Office Action is in response to the amendment filed on 7/6/2022.
Claims 1-18 are pending for consideration.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments
Applicant's arguments filed on 7/6/22 have been fully considered but they are not persuasive. 
Applicant argues on pages 8-9 of the Remarks that the Sipola reference fails to disclose “authorizing, by the server, the client device to access the plurality of data streams including specific patient biometric data of each of a specific set of patients using at least one Access Control List (ACL) Group, wherein the ACL group comprises a member list with a client ID of the client device, a permission description, and a resource name associated with the permission description” as recited by the amended claim 1, and that the other cited references fail to provide for the deficiency of Sipola.
In response to the above argument, Examiner respectfully disagrees.  Powell reference discloses authorizing, by the server, the client device to access the plurality of data streams including specific patient biometric data of each of a specific set of patients using at least one Access Control List (ACL) Group (Powell: paragraphs 0052, 0054, 0058-0059, 0063 and 0067, “By using custom business rule logic to intelligently determine which patient data and/or information should be synchronized, and which patient data and/or information should be synchronized, the DMS 60, 60' functions more efficiently and can service an increased number of clients and configurations. By way of non-limiting example, prior to a user logging on to the DMS 60, 60' via the mobile device 12, no specific patient data and/or information is synchronized. Instead, only a patient census list and specific data elements corresponding to particular patients 50 are synchronized between the DMS 60, 60' and the information system(s) 42. Once the user logs on, and selects a particular patient 50 to review, the synchronization services begin synching all of the available patient data and/or information for that particular patient 50. Consequently, subsequent reviews of the particular patient 50 are much faster, because the patient data and/or information has been synchronized”).  As can be seen in the above cited paragraphs and texts, in order for a user to access the DMS server, a secure connection between a mobile device associated with the user and  DMS server must be established and authorized.  
Once the mobile device is authorized, it can access a particular patient’s data from a patient list which captures a variety of information and/or data that is associated with each of one or more monitored patients; this is mapped to authorizing, by the server, the client device to access the plurality of data streams including specific patient biometric data of each of a specific set of patients using at least one Access Control List (ACL) Group.  Furthermore, the patient data is further defined as physiological data which is mapped to patient biometric data recited in the claims (Powell: paragraphs 0041 and 0057, “the term patient data refers to physiological data that can be obtained from the patient monitoring device(s), and/or physiological patient data that is input into the information system 42 by a local healthcare provider (e.g., a nurse, or physician). The term patient information refers to information corresponding to a particular patient that is input into the information system 42 by the local healthcare provider.”).  Therefore, Powell does disclose the disputed limitation.
Sipola reference discloses wherein the ACL group comprises (Sipola: see figure 1; and paragraphs 0034-0035 and 0040, see web service 106 with user accounts, ID lists, authorization data and exercise data associated with a specific user) a member list with a client ID of the client device, a permission description, and a resource name associated with the permission description (Sipola: figure 1, and paragraphs 0034-0035, 0038, 0040 and 0051, “the web service 106 may require that the user of the user terminal 140 provides user credentials, such as the user name and the password, before allowing the exercise application 150 to access the specific user account of the web service 106. Let us assume that the user terminal 140 belongs to user #1 and the exercise application 150 tries to access the user account (UA #1) of the user #1. In case correct user credentials are provided, the web service 106 may allow the access and assume that the user of the user terminal 140 is the user #1”).  In conclusion, Sipola does disclose the disputed limitation.  The 103 rejection is maintained based on at least the reasons above.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 5-12 and 15-18 are rejected under 35 U.S.C. 103 as being unpatentable over Powell et al. (US 20110246235) (hereinafter Powell) in view of TRAN (US 20130231574) (hereinafter Tran), and further in view of Sipola et al. (US 20150081763) (hereinafter Sipola).
Regarding claim 1, Powell teaches a method for securely transmitting a plurality of data streams between a client device and a server that are in communication via standard Internet protocols (Powell: see abstract, “authenticating a mobile device and a user of the mobile device to receive patient data from a clinical information system of a medical facility”), the method comprising: detecting the plurality of data streams using a (Powell: paragraphs 0039 and 0057, “Each patient monitoring device 46 monitors physiological characteristics of a particular patient 50, and generates data signals based thereon. Exemplar patient monitoring devices include, but are not limited to, maternal/fetal heart rate monitors, blood pressure monitors, respiratory monitors, vital signs monitors, electrocardiogram monitors, oximetry and/or anesthesia monitors. Exemplar patient monitoring devices can include, but are not limited to the Corometric Series Monitors, DINAMAP Series Monitors, DASH Series Monitors, and/or Solar Series monitors provided by GE Healthcare, IntelliVue and/or SureSigns Series patient monitors, and/or Avalon Series Fetal Monitors provided by Royal Philips Electronics, and/or Infinity Series patient monitors provided by Draeger Medical. The data signals are communicated to the information system 42, which collects patient data based thereon, and stores the data to a patient profile that is associated with the particular patient”); transmitting, by the  (Powell: see figure 1; and paragraphs 0039, 0041-0042 and 0057, “The data signals are communicated to the information system 42, which collects patient data based thereon, and stores the data to a patient profile that is associated with the particular patient”… “each information system 42 stores patient data that can be collected from the patient monitoring devices 46, as well as additional patient information, that can include information that is input by a healthcare provider. 
The information system 46 communicates the patient data and/or the additional patient data to a data management system (DMS) 60. The DMS 60 can be provided as a server, or a virtual server”); 

authenticating, by the server, the client device to create a session (Powell: paragraphs 0052, 0054 and 0058, “prior to a user logging on to the DMS 60, 60' via the mobile device 12, no specific patient data and/or information is synchronized. …. Once the user logs on, and selects a particular patient 50 to review, the synchronization services begin synching all of the available patient data and/or information for that particular patient”); authorizing, by the server, the client device to access the plurality of data streams including specific patient biometric data of each of a specific set of patients using at least one Access Control List (ACL) Group (Powell: paragraphs 0052, 0054, 0058-0059, 0063 and 0067, “By using custom business rule logic to intelligently determine which patient data and/or information should be synchronized, and which patient data and/or information should be synchronized, the DMS 60, 60' functions more efficiently and can service an increased number of clients and configurations. By way of non-limiting example, prior to a user logging on to the DMS 60, 60' via the mobile device 12, no specific patient data and/or information is synchronized. Instead, only a patient census list and specific data elements corresponding to particular patients 50 are synchronized between the DMS 60, 60' and the information system(s) 42. Once the user logs on, and selects a particular patient 50 to review, the synchronization services begin synching all of the available patient data and/or information for that particular patient 50. 
Consequently, subsequent reviews of the particular patient 50 are much faster, because the patient data and/or information has been synchronized”), wherein a WebSocket connection is created by the server once the client device is both authenticated and authorized (Powell: paragraphs 0057-0058, 0063-0064 and 0067-0069, “A census, or patient list is provided to the mobile device 12, which captures a variety of the information and/or data described herein that is associated with each of one or more monitored patients 50”… “an authentication process for authenticating, or validating, the user of a mobile device and the mobile device itself. Specifically, the authentication process authenticates the user and the mobile device before establishing a session between the mobile device and a CIS and enabling user access to information and data provided”… “The logon request is transmitted to the DMS 60, 60' from the mobile device 12 over the network 16. For example, the logon request can be transmitted using hypertext transfer protocol secure (HTTPS), which includes the hypertext transfer protocol (HTTP) with the secure sockets layer (SSL) or the transport layer security (TLS) protocol to provide encryption and secure identification of the server 506. The server 506 checks the technical factor of the device against data provided in the validation server 504. Specifically, the validation database 504 stores technical factor information corresponding to mobile devices that have been registered using the registration server 504. 
For example, the device ID and/or telephone number are checked against device IDs and telephone numbers of registered mobile devices stored in the validation database”); and transmitting, by the server the plurality of data streams to the client device via the WebSocket connection (Powell: paragraphs 0063, 0069 and 0073, “If the credentials are deemed valid, a session is established to provide patient information and data from the information system to the mobile device in step 614, and the steps end”).
Powell teaches a monitoring device that generates physiological data of a particular patient, but Powell does not explicitly teach that the monitoring device is a wearable device as recited in the claim.  However, Tran from the analogous technical field teaches a wearable device that comprises sensors for monitoring vital signs that are enclosed in a wrist-watch sized case supported on a wrist band (Tran: paragraphs 0056 and 0061, “The server 20 also executes one or more software modules to analyze data from the patient or wearer. A module 50 monitors the patient or wearer's vital signs such as ECG/EKG and generates warnings should problems occur. In this module, vital signs can be collected and communicated to the server 20 using wired or wireless transmitters”).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art, having the teachings of Powell and Tran before him or her, to modify the system of Powell to incorporate Tran’s teaching, which discloses the wearable device that collects vital signs, into the teaching of Powell which discloses multi-factor authentication for accessing medical patient data and/or information from a device, to result in the aforementioned limitations of the claimed invention.  The suggestion/motivation for doing so would be to provide significant benefits in helping to capture adverse events sooner, reduce hospital admissions, and improve the effectiveness of medications, hence, lowering patient or wearer care costs and improving the overall quality of care (Tran: paragraph 0027).  In addition, Powell and Tran teach features that are directed to analogous art and they are directed to the same field of endeavor, such as, monitoring of physiological data or vital signs of an individual in a secure manner.
Powell in view of Tran does not explicitly disclose the following limitation which is disclosed by Sipola, wherein the ACL group (Sipola: see figure 1; and paragraphs 0034-0035 and 0040, see web service 106 with user accounts, ID lists, authorization data and exercise data associated with a specific user) comprises a member list with a client ID of the client device, a permission description, and a resource name associated with the permission description (Sipola: figure 1, and paragraphs 0034-0035, 0038, 0040 and 0051, “the web service 106 may require that the user of the user terminal 140 provides user credentials, such as the user name and the password, before allowing the exercise application 150 to access the specific user account of the web service 106. Let us assume that the user terminal 140 belongs to user #1 and the exercise application 150 tries to access the user account (UA #1) of the user #1. In case correct user credentials are provided, the web service 106 may allow the access and assume that the user of the user terminal 140 is the user #1”).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art, having the teachings of Powell in view of Tran and Sipola before him or her, to modify the system of Powell in view of Tran to incorporate Sipola’s teaching, which discloses the whitelist that verifies a request from a particular device, into the teaching of Powell in view of Tran which discloses access protection for accessing medical patient data and/or information from a device, to result in the aforementioned limitations of the claimed invention.  The suggestion/motivation for doing so would be to ensure secure connection (Sipola: paragraph 0051).  In addition, Powell in view of Tran and Sipola teach features that are directed to analogous art and they are directed to the same field of endeavor, such as, data protection using an access control list or a whitelist to make sure data is accessed by an authorized device.
Regarding claim 12, claim 12 discloses a system claim that is substantially equivalent to the method of claim 1. Therefore, the arguments set forth above with respect to claim 1 are equally applicable to claim 12 and rejected for the same reasons.
Regarding claim 5, Powell as modified further teaches wherein the client device is any of a web services client server and a web services client browser (Powell: paragraphs 0065 and 0066-0067, “The server 506 handles communication between external networks and the DMS 60, 60'. For example, the server 506 can execute the client services 80 discussed above with reference to FIGS. 3 and 4. The server 508 handles communication between the DMS 60, 60' and one or more information systems 42 associated with one or more facilities 40. For example, the application server 508 can execute the integration services 82, the adapter services 84, and/or the connectivity mechanism 76 discussed above with respect to FIGS. 3 and 4”).
Regarding claims 6 and 15, Powell as modified further teaches wherein the plurality of data streams comprises a group stream that includes a plurality of individual vital sign data streams (Powell: paragraph 0039, “Each patient monitoring device 46 monitors physiological characteristics of a particular patient 50, and generates data signals based thereon.  Each patient monitoring device 46 monitors physiological characteristics of a particular patient 50, and generates data signals based thereon. Exemplar patient monitoring devices include, but are not limited to, maternal/fetal heart rate monitors, blood pressure monitors, respiratory monitors, vital signs monitors, electrocardiogram monitors, oximetry and/or anesthesia monitors”).
Regarding claims 7 and 16, Powell as modified further teaches wherein the session includes a Session ID and identity information that is used on subsequent authentication requests by the client device (Powell: paragraphs 0052, 0058, 0063 and 0073, “The secure sign-on authenticates the identity of the user of the mobile device 12 based on a unique user ID and password combination. Both the user ID and the password must be correct in order to establish the secure communication between the mobile device 12 and the DMS 60, 60'. Implementations of sign-on and authentication processes are described in further detail below”… “Once the user logs on, and selects a particular patient 50 to review, the synchronization services begin synching all of the available patient data and/or information for that particular patient 50. Consequently, subsequent reviews of the particular patient 50 are much faster, because the patient data and/or information has been synchronized”).
Regarding claim 8, Powell as modified further teaches wherein the authenticating utilizes any of HTTP basic authentication, HTTP digest authentication, OpenID authentication, and OAuth authentication (Powell: paragraph 0066, “the logon request can be transmitted using hypertext transfer protocol secure (HTTPS), which includes the hypertext transfer protocol (HTTP) with the secure sockets layer (SSL) or the transport layer security (TLS) protocol to provide encryption and secure identification of the server 506. The server 506 checks the technical factor of the device against data provided in the validation server 504. Specifically, the validation database 504 stores technical factor information corresponding to mobile devices that have been registered using the registration server”).
Regarding claim 9, Powell as modified further teaches wherein the authenticating further comprises: receiving, by the server, an authentication request from the client device, wherein the authentication request includes a username and password (Powell: paragraph 0058, “The secure sign-on authenticates the identity of the user of the mobile device 12 based on a unique user ID and password combination. Both the user ID and the password must be correct in order to establish the secure communication between the mobile device 12 and the DMS 60, 60'. Implementations of sign-on and authentication processes are described in further detail below”); authenticating, by the server, the username and password (Powell: paragraphs 0064 and 0073, “it is determined whether the credentials are valid. The credentials include the username and password provided in the logon request. In some implementations, the DMS (e.g., the application server of the DMS) can retrieve authentication information from the information system, and can determine whether the credentials are valid.”); creating and storing, by the server, a Session ID associated with the session (Powell: paragraph 0073, “If the credentials are deemed valid, a session is established to provide patient information and data from the information system to the mobile device in step 614, and the steps end.”); and transmitting, by the server, the Session ID to the client device (Powell: paragraph 0073, “a session is established to provide patient information and data from the information system to the mobile device in step 614, and the steps end.”).
Regarding claims 10 and 17, Powell as modified further teaches further comprising: creating, by the client device, the at least one ACL Group, wherein the at least one ACL Group (Powell: paragraphs 0057-0058, 0063-0064 and 0067, “A census, or patient list is provided to the mobile device 12, which captures a variety of the information and/or data described herein that is associated with each of one or more monitored patients 50”… “an authentication process for authenticating, or validating, the user of a mobile device and the mobile device itself. Specifically, the authentication process authenticates the user and the mobile device before establishing a session between the mobile device and a CIS and enabling user access to information and data provided”). 
Regarding claims 11 and 18, Powell as modified further teaches wherein the authorizing further comprises: receiving, by the server, a WebSocket request from the client device (Powell: paragraphs 0057-0058, 0063-0064 and 0067-0069, “A census, or patient list is provided to the mobile device 12, which captures a variety of the information and/or data described herein that is associated with each of one or more monitored patients 50”… “an authentication process for authenticating, or validating, the user of a mobile device and the mobile device itself. Specifically, the authentication process authenticates the user and the mobile device before establishing a session between the mobile device and a CIS and enabling user access to information and data provided”… “The logon request is transmitted to the DMS 60, 60' from the mobile device 12 over the network 16. For example, the logon request can be transmitted using hypertext transfer protocol secure (HTTPS), which includes the hypertext transfer protocol (HTTP) with the secure sockets layer (SSL) or the transport layer security (TLS) protocol to provide encryption and secure identification of the server 506. The server 506 checks the technical factor of the device against data provided in the validation server 504. Specifically, the validation database 504 stores technical factor information corresponding to mobile devices that have been registered using the registration server 504. 
For example, the device ID and/or telephone number are checked against device IDs and telephone numbers of registered mobile devices stored in the validation database”); and checking, by the server, whether each of the plurality of data streams associated with the WebSocket request is authorized by the at least one ACL Group (Powell: paragraphs 0057-0058, 0063-0064 and 0067-0069, “A census, or patient list is provided to the mobile device 12, which captures a variety of the information and/or data described herein that is associated with each of one or more monitored patients 50”… “an authentication process for authenticating, or validating, the user of a mobile device and the mobile device itself. Specifically, the authentication process authenticates the user and the mobile device before establishing a session between the mobile device and a CIS and enabling user access to information and data provided”… “The logon request is transmitted to the DMS 60, 60' from the mobile device 12 over the network 16. For example, the logon request can be transmitted using hypertext transfer protocol secure (HTTPS), which includes the hypertext transfer protocol (HTTP) with the secure sockets layer (SSL) or the transport layer security (TLS) protocol to provide encryption and secure identification of the server 506. The server 506 checks the technical factor of the device against data provided in the validation server 504. Specifically, the validation database 504 stores technical factor information corresponding to mobile devices that have been registered using the registration server 504. For example, the device ID and/or telephone number are checked against device IDs and telephone numbers of registered mobile devices stored in the validation database”).

Claims 2-4 and 13-14 are rejected under 35 U.S.C. 103 as being unpatentable over Powell in view of Tran and Sipola, and further in view of Hensley et al. (US 9473506) (hereinafter Hensley).
Regarding claim 2, Powell in view of Tran and Sipola does not explicitly teach the following limitation which is disclosed by Hensley, wherein the WebSocket connection includes a unique URL that is based on the plurality of data streams (Hensley: column 10 lines 57-67, “a message that requests that each group member receive a notification to establish a secure connection with the server 122 to receive a packet created by the packet creation module 332 discussed below. In one embodiment, the notification request identifies the group members. For example, in one embodiment, the group management module 328 sends a notification request including the GUIDs associated with the members to be notified”).  Powell in view of Tran and Sipola and Hensley are analogous art because they are from the same field of endeavor, access protection.  Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art, having the teachings of Powell in view of Tran and Sipola and Hensley before him or her, to modify the system of Powell in view of Tran and Sipola to include the request including the GUIDS associated with the members of Hensley.  The suggestion/motivation for doing so would have been to use a secure connection for the transfer of files (Hensley: column 1 lines 36-37).
Regarding claim 3, Powell as modified teaches wherein a path component of the unique URL comprises a Type4 Globally Unique Identifier (GUID) (Hensley: column 10 lines 57-67; and column 11 lines 45-61, “a message that requests that each group member receive a notification to establish a secure connection with the server 122 to receive a packet created by the packet creation module 332 discussed below. In one embodiment, the notification request identifies the group members. For example, in one embodiment, the group management module 328 sends a notification request including the GUIDs associated with the members to be notified”).  The same motivation to modify Powell in view of Tran and Sipola and Hensley, as applied in claim 2 above, applies here.
Regarding claims 4 and 14, Powell as modified teaches maintaining, by the server, a look-up table of a plurality of GUIDs that are each associated with a specific data stream request by each client device (Hensley: column 11 lines 45-61, “the notification module 330 receives GUIDs of group members and sends a notification to the client device 106 associated with that GUID. In one embodiment, the notification module 330 sends the same notification regardless of what group a member belongs to. Such an embodiment may be advantageous in the context of a notification server 142 discussed below with reference to FIGS. 5-7, because the notification module 330 need not use resources tracking what GUIDs belong to what group and receive what message”).  The same motivation to modify Powell in view of Tran and Sipola and Hensley, as applied in claim 2 above, applies here.
Regarding claim 13, this claim recites the steps as recited by the method of claims 2 and 3, and has limitations that are similar to those of claims 2 and 3, and thus is rejected with the same rationale applied against claims 2 and 3.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.	
Poltorak (US 9215075): provides systems and methods for supporting encrypted communications with a medical device, such as an implantable device, through a relay device to a remote server, and may employ cloud computing technologies.
Fallows et al. (US 9154485): A WebSocket connection is established. The WebSocket connection was established with a requester of the connection. The authentication of the requester is configured to expire. A request to revalidate the authentication is provided. An update of the authentication is received. The update of the authentication is received without disconnecting the WebSocket connection.
Muhsin et al. (US 20130162433): A method of storing streaming physiological information obtained from a medical patient in a multi-patient monitoring environment includes receiving identification information, retrieving parameter descriptors, creating a round-robin database file, receiving a data stream, and using a predetermined data rate to map the data stream to locations in the round-robin database file.
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TRANG T DOAN whose telephone number is (571)272-0740.  The examiner can normally be reached on Monday-Friday 7-4 ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn D Feild can be reached on (571)272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/TRANG T DOAN/Primary Examiner, Art Unit 2431