Role Based Access Control Update

HL7 Working Group Meeting San Diego, CA - January 2007

Presented by: Suzanne Gonzales-Webb, CPhT

VHA Office of Information Standards


Agenda

Constraints

Emergency Access

RBAC Quarterly Newsletter

HL7 RBAC Documentation

RBAC Website

Q&A


Constraint Catalog

Constraints are restrictions that are enforced upon access permissions.

Supporting the central ideas of constraints on an RBAC model will allow for higher flexibility. -Neumann Strembeck


Constraint Types

Cardinality -

Occurs when there is a limit of a certain number of users (persons, roles) who may be holding the permission at any one time.


Constraint Types cont’d.

Separation of duties -

Occurs when the same user cannot hold two related permissions at the same time:

A user may be in one role, but not in another, mutually exclusive role.

Prevents a person from submitting and approving his or her own request.


Constraint Catalog

Separation of duties - (continued)

Sensitive combinations of duties are partitioned between different individuals in order to prevent the violation of business rules.

Constraint Types cont’d.

Time-dependency -

Creates a time of day/time dependence on the person/role holding the permission.


Constraint Types cont’d.

Location -

Creates a location requirement for the person holding the permission.


Constraint Catalog - Process

STEP 1 Review each permission and identify applicable obstacle or constraint(s). Note that not all permissions will have an applicable constraint.

STEP 2 For each permission, record the associated constraint(s) if applicable (verify ‘constraint’ vs ‘business rule’, constraint conditions and brief description), including the factors which make it differ from a business rule.

STEP 3 Identify Constraint Type (cardinality, separation of duty, time, location).

STEP 4 Assign a Constraint ID.


Constraint Table

ID (xy-nnn) Legend:

x = P (permission)

y = C (constraint identifier)

nnn = Sequential number starting at 001

Unique Permission ID - refers to the identifier assigned to the abstract permission name

Unique Permission-Constraint ID – refers to the identifier assigned to the permission constraint

Constraint Type – refers to the constraint definition as described in Table 1


Constraint Table - Example

Columns: Unique Permission Constraint ID; Permission Constraint Description; Constraint Type; Permission ID and Permission Name

PC-002 (incomplete Permission_ID, Names)

Permission Constraint Description: A Resident may operate in ER as an Attending

Constraint Type: Location

Permission ID and Permission Name:

POE-005 New/Renew Outpatient Prescription Order

POE-006 Change/Discontinue/Refill Outpatient Prescription Order

POE-017 New Verbal and Telephone Order

PC-006

Permission Constraint Description: Only one (1) physician may be acting as Chief of Medical Records at any given time

Constraint Type: Cardinality

Permission ID and Permission Name:

POE-028 Release Orders

PC-007

Permission Constraint Description: In the event that a Hospital or Clinic Pharmacy does not have 24 hour service, a Charge Nurse may have access to some of the pharmacy override privileges (i.e. verify orders). During regular pharmacy hours, the Charge Nurse would normally not have these permission(s).

Constraint Type: Time-Dependency

Permission ID and Permission Name:

POE-005 New/Renew Outpatient Prescription Order

POE-006 Change/Discontinue/Refill Outpatient Prescription Order

POE-007 New Inpatient Medication Order

POE-008 Change/Discontinue Inpatient Medication Order

POE-028 Release Orders
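As an added illustration (not part of the original presentation), the constraint types and the table's PC-002, PC-006 and PC-007 rows can be written as checks that run before a permission is exercised. The pharmacy hours, role strings, `Request` fields, the `acting_chief` state key and the unnumbered `SoD` rule tied to POE-028 are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import time

# Constructed assumptions: the slides give no pharmacy hours or role names.
PHARMACY_OPEN, PHARMACY_CLOSE = time(8, 0), time(18, 0)
PC002_PERMS = {"POE-005", "POE-006", "POE-017"}
PC007_PERMS = {"POE-005", "POE-006", "POE-007", "POE-008", "POE-028"}

@dataclass(frozen=True)
class Request:
    user: str
    role: str
    permission: str            # Permission ID from the constraint table
    location: str = "Ward"
    at: time = time(12, 0)
    submitted_by: str = ""     # author of the order being acted on

def pc002(req, state):
    # Location: a Resident uses these permissions only while in the ER.
    if req.role == "Resident" and req.permission in PC002_PERMS:
        return req.location == "ER"
    return True

def pc006(req, state):
    # Cardinality: one acting Chief of Medical Records at any given time.
    if req.role == "Chief of Medical Records" and req.permission == "POE-028":
        return state.get("acting_chief") in (None, req.user)
    return True

def pc007(req, state):
    # Time-dependency: Charge Nurse override only outside pharmacy hours.
    if req.role == "Charge Nurse" and req.permission in PC007_PERMS:
        return not (PHARMACY_OPEN <= req.at < PHARMACY_CLOSE)
    return True

def sod(req, state):
    # Separation of duties: nobody releases an order they submitted.
    # Tying this rule to POE-028 is an assumption; the slides give it no ID.
    return not (req.permission == "POE-028" and req.user == req.submitted_by)

CONSTRAINTS = [("PC-002", pc002), ("PC-006", pc006),
               ("PC-007", pc007), ("SoD", sod)]

def evaluate(req, state):
    """Return IDs of violated constraints; an empty list means permit."""
    return [cid for cid, check in CONSTRAINTS if not check(req, state)]
```

Returning the violated constraint IDs rather than a bare allow/deny gives the audit trail a reason code for each refusal.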


Emergency Access

Granting of user rights and authorizations to permit access to Protected Health Information (PHI) and application in emergency conditions.


Emergency Access*

Security Environment

Primary need is to address a lack of sufficient authorization for legitimate care providers where the situation requires immediate delegation.

*There are no established standards for emergency access.


Emergency Access

Enforce security constraints which:

Audit (at each step, indicate use of Emergency Access)

Notification of local and work security officers

User review

Be cautious of (tight) security constraints which lead to:

Ineffective use of the Healthcare Information system

Risk to patient health, treatment, safety


RBAC Newsletter

Abstract reviews of Role Based Access Control documentation from around the world. Released Quarterly. Includes Security/RBAC related meeting updates and RBAC Task Force meeting briefs.

http://www.va.gov/RBAC/newsletters.asp


HL7 RBAC Documentation

Latest Versions of:

HL7 RBAC Healthcare Permission Catalog

HL7 RBAC Role Engineering Process

HL7 RBAC Role Engineering Process – Applied Example

HL7 RBAC Healthcare Scenarios

HL7 Healthcare Scenario Roadmap


RBAC Website

The RBAC Website provides authoritative documentation on:

RBAC Engineering Processes

RBAC Task Force Artifacts

RBAC Newsletters

HL7 RBAC Collaborative and Balloted Documentation

Archived RBAC Presentations

Other SDO, VHA RBAC Collaborative Papers and Links

http://www.va.gov/RBAC/index.asp

Role Based Access Control (RBAC)

Q & A


Constraint

Other constraints Neumann-Strembeck:

X1 X2 X3

Ahn-Shin

Crampton…?