Update - PowerPoint PPT Presentation

Provided by: edco2
1
Role-Based Access Control for Healthcare Applications
  • Update
  • January 2005

2
Role-Based Access Control
  • Role-Based Access Control (RBAC) is a type of
    policy-based access control where entity access
    is granted based upon membership in a group
    (role) and where rights and privileges are
    bestowed upon the role rather than the entity
    directly.

3
Background
  • Useful in healthcare environments with user roles
    and access requirements, including separation of
    duties.
  • Must define roles and permissions before RBAC can
    be used within an enterprise.
  • Must define standard permission sets before
    inter-organization interchange can be supported.

4
Goals
  • Mechanism for scalable management of user
    permissions in the form of operations and
    objects.
  • Support interoperability among healthcare and
    non-healthcare partners.
  • Provide information accessibility on a
    need-to-know basis.

5
RBAC Benefits
  • Assignment of users to roles can be done by
    administrative/clerical personnel vice security.
  • Reduces excessive assignment of permissions.
  • Fine-grained access control from improved
    management of permission assignment.
  • Annual administrative cost savings can be
    692,471 per 100,000 employees.
  • Average savings related to improved employee
    productivity with RBAC are estimated at 7.4
    million per 100,000 employees.

Source: Research Triangle Institute
6
Healthcare RBAC Task Force
  • Collaboration of Department of Defense (DoD),
    Department of Veterans Affairs (VA), and Indian
    Health Service (IHS).
  • Purpose:
  • Define a harmonized set of standard healthcare
    permissions (access control tasks and
    operations).
  • Lay groundwork for work within HL7 to define
    standard healthcare permissions.

7
Healthcare RBAC Task Force Activities
  • Peer review Healthcare RBAC Role Engineering
    Process - completed
  • Use of Healthcare RBAC Role Engineering Process -
    underway
  • Review and approve set of basic roles to support
    interoperability - completed
  • Transfer standardization efforts to HL7 -
    underway

8
VHA/IHS RBAC TF Objectives
  • Define a healthcare industry-wide standard
    permission catalog
  • Define the healthcare permission content for the
    VA OCIS Authentication and Authorization
    Infrastructure Project (AAIP)
  • Integrate RBAC model into HealtheVet-VistA
  • Teach the RBAC Role Engineering Process to new
    VHA software projects and identify permissions
    during development
  • Collaborate with IHS and Standards Development
    Organizations (SDOs) such as HL7 and ASTM to
    support interoperability
  • Collaborate with other interested enterprises,
    including DoD, Kaiser Permanente, and
    international organizations

9
VHA/IHS RBAC TF Activities
  • Developed Healthcare Scenario Roadmap, a
    spreadsheet depicting role-to-scenario mapping -
    uses an enhanced ASTM E-1986 list of licensed
    provider and non-licensed personnel roles.
  • Developing role permission definitions with VHA
    and other RBAC TF enterprises to support
    interoperability.
  • Associating permissions and clinical activities
    to VHA VistA system menus and options.
  • Including role engineering process in new
    projects to identify roles and permissions during
    the development process.
  • Incorporating RBAC into pilot projects.

10
RBAC Accomplishments
  • May 2004 HL7 WGM - Approval of the RBAC
    permission catalog standardization activities by
    HL7 Board of Directors as part of the HL7 family
    of standards.
  • May 2004 - ASTM E31 Committee acceptance of ASTM
    E-1986 recommended modifications to list of
    licensed health care providers. Changes will be
    balloted.
  • Applied ASTM E-1986 set of basic roles as
    prerequisite to a user's connection to a
    protected resource.
  • Modeling of clinical scenarios.
  • Building a draft catalog of healthcare
    permissions.

11
RBAC Role Engineering Process
  • The VHA RBAC TF first developed a scenario-driven
    RBAC Role Engineering Process, which is actively
    used by the VHA/IHS RBAC TF. The process has
    also been applied, proven and approved by the
    Healthcare RBAC TF.
  • Currently being revised to work within the HL7
    HDF.
  • Adapted from "A Scenario-driven Role Engineering
    Process for Functional RBAC Roles," G. Neumann and
    M. Strembeck, June 2002.

12
Interpretation of Roadmap
13
Healthcare Scenario Roadmap Update
  • RBAC TF currently finalizing Roadmap V1.0
    (licensed healthcare personnel)
  • Roadmap being vetted through VHA departments
    throughout the U.S.
  • Issues database created to track issues and
    changes to the Roadmap
  • Roadmap V2.0 will include non-licensed healthcare
    personnel

14
Scenario Development
  • 4 draft scenarios available (1 for each task
    area)
  • Each task area will have enough scenarios written
    to cover permissions within that task area
  • Task areas for licensed healthcare personnel in
    a clinical setting include Order Entry, Perform
    Documentation, Review Documentation, and
    Scheduling

15
How They All Fit Together
Dr. Joe Smith is an Oncologist
  • ROLE: Physician
  • PERMISSION: Write Medication Order
  • BUSINESS RULE: Oncologists may Write
    Chemotherapy Medication Orders
  • CONSTRAINT: 1st year Oncology Residents need
    Chemotherapy Medication Orders co-signed by an
    Attending Physician
16
Roles are Built from Permissions
Enterprises create roles from HL7 standard
permissions.
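
The layering on the two slides above (catalog permission, role, business rule, constraint) can be written as an authorization check. This is an added example, not code from the presentation; the catalog entries, the users other than SmithJ, the attending flag and the restrictive reading of the business rule are assumptions.

```python
from dataclasses import dataclass

# Constructed stand-in for a standard permission catalog (not the HL7 catalog).
CATALOG = frozenset({"write_medication_order", "review_documentation"})
ROLES = {}

def define_role(name, permissions):
    """Enterprises build roles only from catalog permissions."""
    unknown = set(permissions) - CATALOG
    if unknown:
        raise ValueError(f"not in catalog: {sorted(unknown)}")
    ROLES[name] = frozenset(permissions)

define_role("Physician", {"write_medication_order", "review_documentation"})

@dataclass(frozen=True)
class User:
    userid: str
    roles: tuple = ()
    specialty: str = ""
    resident_year: int = 0   # 0 means not a resident
    attending: bool = False

def has_permission(user, permission):
    """Core RBAC check: rights come from role membership, not from the user."""
    return any(permission in ROLES.get(r, ()) for r in user.roles)

def authorize_order(user, order_type, cosigner=None):
    """Return (allowed, reason) for a request to write a medication order."""
    if not has_permission(user, "write_medication_order"):
        return False, "no role grants the permission"
    if order_type != "chemotherapy":
        return True, "ok"
    # Business rule (read here as restrictive, an assumption): oncologists only.
    if user.specialty != "oncology":
        return False, "business rule: not an oncologist"
    # Constraint: a first-year oncology resident needs an attending's co-signature.
    if user.resident_year == 1:
        if cosigner is None or cosigner.userid == user.userid:
            return False, "constraint: co-signature required"
        if not (cosigner.attending and has_permission(cosigner, "write_medication_order")):
            return False, "constraint: co-signer must be an attending physician"
    return True, "ok"

# Constructed users; SmithJ follows the slide (attending status assumed).
smith = User("SmithJ", ("Physician",), "oncology", attending=True)
resident = User("ResidentA", ("Physician",), "oncology", resident_year=1)
clerk = User("ClerkB")
```

The role check runs first, so a business rule or constraint can only narrow what a role already grants; it never grants access on its own.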
17
Permissions
[Diagram labels: userid SmithJ, Physician, Permissions]
Adapted from ANSI INCITS 359-2004
18
Role of HL7 for RBAC
  • Review and adopt standard role engineering
    process.
  • Standardize healthcare permission set.
  • Identify permission constraints.
  • Derive preliminary role hierarchy.
  • Define guidelines for developing RBAC models,
    e.g., for assigning role names and for
    engineering role-role constraints.
  • Coordinate with other SDOs, e.g., W3C, OASIS, to
    provide an implementation path.

19
Summary of Proposed HL7 Activities
  • Review, comment and approve healthcare role
    engineering process, then integrate it into the
    HDF.
  • Validate previously developed (within HL7 and in
    RBAC Task Forces) healthcare scenarios.
  • Develop and model additional healthcare
    scenarios.
  • Define role permissions and objects.
  • Integrate RBAC permission catalog with the HL7
    RIM, RMIMs and DMIMs.
  • Define guidelines for developing RBAC models.

20
Current HL7 TC SIG Involvement
  • Security Accountability SIG: Tracks
    security-related RBAC work item to be the
    collector and maintainer of the permission
    catalog and roles.
  • Personnel Management TC: Currently the owner of
    the RBAC work item; historically, the PM TC has
    owned the definitions for the security-related
    domain in HL7.
  • Modeling and Methodology TC: Owner of the HDF,
    which is affected by the RBAC work item; the
    scope of the HDF will be expanded to support
    permission definitions through role engineering.
  • Control Query TC: Owner of the messaging control
    structure, which could be affected by the RBAC
    work item.
  • Government SIG: Receives RBAC updates at each WG
    meeting, as DoD, VA and IHS federal enterprises
    support RBAC.

21
Contact Information
  • Website: http://www.va.gov/RBAC/
  • Points-of-Contact:

Robert OHara, MD, VHA/IHS RBAC TF Chair, Robert.OHara_at_med.va.gov, (708) 202-8387 x22759
Mike Davis, CISSP, VHA Security Architect, Mike.Davis_at_med.va.gov, (760) 632-0294
Dawn Bollmann, RN, VHA/IHS RBAC TF Functional Analyst Lead, Dawn.Rota_at_med.va.gov, (858) 826-7496
Amy Page, VHA/IHS RBAC TF Project Lead, Amy.Page_at_med.va.gov, (619) 741-7587