Role-Based Access Control Project Healthcare Partners Association Role-Based Access Control Project GBA 573 – IT Project Management Amy Page 12 July 2004

Overview Role-Based Access Control (RBAC) is a method to control access to resources on an information system. The Health Insurance Portability and Accountability Act (HIPAA) is requiring that organizations secure patient data and limit access to patient data. Healthcare organizations need to ensure patient privacy by limiting the access to healthcare applications and patient records to qualified personnel on a “need-to-know” basis. RBAC is critically important to the security aspects of healthcare organizations. “Should this person (or a person who performs this job function) typically be allowed to access this type of data?” 12 July 2004 GBA 573 Final Project

Problem Statement Healthcare Partners Association, with $20 billion a year in revenues and 100,000 employees, must comply with the HIPAA regulations by June 2006 by implementing an access control technology such as role-based access control. As such, Healthcare Partners Association has formed the Authorization Infrastructure Program to implement an RBAC mechanism within its current health information systems. 12 July 2004 GBA 573 Final Project

Project Overview Supports the definition of healthcare functional roles and permissions within the Authorization Infrastructure Program Analysis-based Composed of individuals knowledgeable in healthcare workflows Creation of a harmonized list of healthcare permissions along with associated work profiles Derivation of healthcare roles for authorization use within the Healthcare Partners Association health information systems Gotcha - Implementation within healthcare is very challenging with a vast array of healthcare personnel roles and tasks Never been accomplished before 12 July 2004 GBA 573 Final Project

Project Analysis: Project Objectives The targeted objectives are: Adopt a role engineering process to accomplish defining roles and permissions Identify and model healthcare workflows of licensed, non-licensed and non-caregiver healthcare personnel Define healthcare functional roles and permissions for use in the access control portions of Healthcare Partners Association health information systems 12 July 2004 GBA 573 Final Project

ROI Analysis: Cost/Benefit Analysis Costs Definition of the healthcare functional roles and permissions Implementation of the Authorization Infrastructure Program will cost $30 million, $1.2 million allocated to this project Tangible Benefits Measured against the overarching Authorization Infrastructure Program Annual administrative cost savings ranges can be $6.92 per employee Average annual savings related to improved employee productivity are estimated at $74 per employee Intangible Benefits More fine-grained access control due to improved management of assignment of permissions using roles Reduces excessive assignment of permissions Assignment of users to roles can be done by administrative/clerical personnel vice security 12 July 2004 GBA 573 Final Project

ROI Analysis: Cost/Benefit Analysis   Setup $18,600 Licensed HC Personnel $516,300 NonLicensed HC Personnel $106,500 NonCaregiver HC Personnel $502,560 Delivery to Authorization Infra Program $2,400 Authorization Infrastructure Program $28,853,640 Total Cost $30,000,000 Benefits Administration savings ($6.92/employee per year) $692,000 Increase in employee productivity ($74/employee per year) $74,000,000 Total Benefits $74,692,000 ROI  4.8 months! 12 July 2004 GBA 573 Final Project

Project Design: Requirements Analysis The Healthcare RBAC Project has the following requirements: Perform analysis of the workflows of licensed healthcare personnel (e.g. physician, registered nurse) Perform analysis of the workflows of non‑licensed healthcare personnel (e.g. nurse’s aide, phlebotomist) Perform analysis of the workflows of non‑caregiver healthcare personnel (e.g. clergy, admission clerk) Create a healthcare scenario roadmap detailing the functional roles and permissions associated with healthcare personnel Use a database for all data collection 12 July 2004 GBA 573 Final Project

Project Design: Risk Management Plan A comprehensive analysis of all risks with an assessment of their likelihood of occurrence and expected consequences A mitigation plan is established for each item identified as a risk. Developed and implemented under the leadership of the RBAC Project Manager Risks continuously tracked and reported on at each monthly Progress Review 12 July 2004 GBA 573 Final Project

Project Design: Risk Assessment Risk Description/Text Description Risk Exposure Risk Evaluation Trigger Mitigation R1 Licensed subteam will not meet schedule due to regular job duties. 108 5 Some project team members are not dedicated personnel. Line up alternates. R2 Non-licensed subteam will not meet schedule due to regular job duties. 12 1 R3 Non-caregiver subteam will not meet schedule due to regular job duties. 41 Total 161 12 July 2004 GBA 573 Final Project

Project Design: Communications Plan E-Mail Used as needed Weekly Conference Calls Used for management updates and technical interchange Monthly Progress Reviews Used for top-level management review and update Groove Collaboration Tool Used for collaborative work and development of artifacts RBAC Website The RBAC website is located on the Internet at http://www.va.gov/RBAC/. Issues Database GUI-based tool created in Groove for issues tracking 12 July 2004 GBA 573 Final Project

Project Development: WBS 12 July 2004 GBA 573 Final Project

Project Development: WBS (cont.) 12 July 2004 GBA 573 Final Project

Project Development: Staffing Project is unique in that – Primarily an analysis of healthcare workflows Domain experts from various healthcare disciplines are required Healthcare personnel greatly vary in cost 12 July 2004 GBA 573 Final Project

Project Development: Implementation Method The Healthcare RBAC Project will use a role engineering process based upon the scenario-driven process as defined by Neumann and Strembeck. The role engineering process is defined as: Identify and Model Usage Scenarios Derive Permissions from Scenarios Refine the Scenario Model (Iterative), as necessary Define Tasks and Work Profiles Derivation of a Preliminary Role-hierarchy Define the RBAC Model G. Neumann and M. Strembeck. A Scenario-driven Role Engineering Process for Functional RBAC Roles, June 2002. 12 July 2004 GBA 573 Final Project

Project Development: Implementation Method 12 July 2004 GBA 573 Final Project

Testing/Documentation No testing is required since this is an analysis project Peer reviews and approval of all deliverables is required Mandatory that the licensed, non-licensed and non-caregiver domain experts review all other deliverables, such as the Healthcare Scenario Roadmap Deliverable peer reviews will be accomplished using the Peer Review Process as defined by the organization 12 July 2004 GBA 573 Final Project

Final Analysis The Healthcare RBAC Project… Is critical to the success of the Authorization Infrastructure Program Will enable the Authorization Infrastructure Program to complete its integration with the health info systems Return on investment within 4.8 months and will continue to have cost savings associated with the implementation of RBAC for years to come But… High-risk item  completing the analysis of the licensed healthcare personnel Imperative that the RBAC Project Manager continuously monitor the progress of the project and proactively recruit alternates for the licensed healthcare subteam 12 July 2004 GBA 573 Final Project

Questions? 12 July 2004 GBA 573 Final Project