Dean Wiech, Managing Director at Tools4ever describes how role-based access control ensures extra security in healthcare, but the process doesn’t have to be daunting.
Traditionally, implementing RBAC for the care setting can be daunting, but there are efficient ways to bring a system on board that allow health system leaders to track, audit and allow who has access to what information and when.
While Role-based Access Control (RBAC) has uses in every industry, the healthcare provider can benefit enormously from a proper implementation. The potential to save exists not only by reducing potential fines in HIPAA and/or Sar-Box audits, but also from conceivable lawsuits if sensitive patient data is exposed to the wrong personnel.
RBAC Overview
RBAC is a technique for implementing authorization account management across organizations. This technique involves assigning access privileges to certain files and sets of data on the basis of an employee’s role rather than assigning access privileges to individual users. These roles in turn comprise the department, function, location and cost center associated with an employee, also allowing all of an employee’s interactions with the system to be captured, in essence creating an audit trail for the organization in case one is ever needed.
Implementation Difficulties
Typically, one of the difficulties in implementing RBAC is the enormous investment of time that can be required to populate the matrix. This task can be a daunting one as the combination of locations, departments, employee types and roles – and the access rights they should be entitled to — can require a tremendous initial effort to accurately define. However, there is an easier way to get started.
The human resources (HR) system is an excellent source for determining these combinations. This will pave the way for a role model on the organizational level. As an example, a hospital in Location “A” has a surgery department that includes the functional role of “nurse.” The organizational role can be created on the basis of the function, department and location found in the HR system. These are “nurse,” “nurse in Location A” and “surgery nurse,” respectively. After “nurse” and “surgery” have been defined, a nurse in the surgery department will automatically be identified as “nurse + surgery” and assigned the appropriate access privileges and applications.
Using this method, it becomes very easy to populate more than 80 percent of the RBAC table. A major benefit of this approach is that new employees can start being productive on their first day while time is freed up for the assignment of specific privileges on an application and system level.
A subsequent step is to translate these organizational roles into application or system roles, which will comprise the remaining 20 percent of the RBAC table. The basis for this is already present and now further stacking will take place. The assignment of the system roles can easily be handled by the relevant manager. After all, managers rather than HR personnel are responsible for the access privileges of their employees. On the basis of a workflow, the relevant manager will be prompted by an e-mail notification and/or web form to specify the access privileges and applications for the employee concerned.
The RBAC software can subsequently record the manager’s choices to further populate the empty sections of the RBAC table and eventually achieve a fully populated table. This means it is possible to have a manager handle all the translations of roles within her department, with an option to delegate tasks to a colleague. An action triggered by the manager may also result in a workflow notification to a license manager. This allows managers to exactly determine and manage what happens within their department or cost center.
Inevitably, an employee’s location, position or role will change over time. A properly implemented RBAC system allows for a transition of the access and application rights, as well. When the employee changes jobs within the organization, the RBAC matrix ensures he has the proper rights for his new role. The workflow component can notify the previous manager about the transition to insure access to systems and data no longer required are revoked in a timely manner, and also the new manager will be notified in case any special privileges are required for the new role.
By using the method described above, implementing RBAC does not have to be a long, painful and drawn out process. Implementation can be handled in weeks rather than years and the healthcare facility can start reaping the benefits of proper data access control quickly.
About the Author:
Dean Wiech is managing director at Tools4ever. Tools4ever supplies a variety of software products and integrated consultancy services involving identity management, such as user provisioning, role-based access control, password management, single sign on and access management, serving more than five million user accounts worldwide.
