
Role Based Access Control Update
HL7 Working Group Meeting, San Diego, CA - January 2007
Presented by: Suzanne Gonzales-Webb, CPhT, VHA Office of Information Standards





Agenda
- Constraints
- Emergency Access
- RBAC Quarterly Newsletter
- HL7 RBAC Documentation
- RBAC Website
- Q&A

Constraint Catalog
Constraints are restrictions that are enforced upon access permissions. Supporting the central ideas of constraints on an RBAC model will allow for higher flexibility. - Neumann and Strembeck

Constraint Types
Cardinality: applies when there is a limit on the number of users (persons, roles) who may hold the permission at any one time.

Constraint Types (cont'd)
Separation of duties: applies when the same user cannot hold two related permissions at the same time:
- A user may be in one role, but not in another, mutually exclusive role.
- Prevents a person from submitting and approving his or her own request.

Constraint Catalog
Separation of duties (continued): sensitive combinations of duties are partitioned between different individuals in order to prevent the violation of business rules.

Constraint Types (cont'd)
Time-dependency: creates a time-of-day or time dependence on the person/role holding the permission.

Constraint Types (cont'd)
Location: creates a location requirement for the person holding the permission.

9 9. ..

Constraint Catalog - Process
Step 1: Review each permission and identify the applicable obstacle or constraint(s). Note that not all permissions will have an applicable constraint.
Step 2: For each permission, record the associated constraint(s) if applicable (verify 'constraint' vs 'business rule', constraint conditions and a brief description); include the factors which make it differ from a business rule.
Step 3: Identify the constraint type (cardinality, separation of duty, time, location).
Step 4: Assign a Constraint ID.

Constraint Table
- ID (xy-nnn) legend: x = P (permission), y = C (constraint identifier), nnn = sequential number starting at 001
- Unique Permission ID: refers to the identifier assigned to the abstract permission name
- Unique Permission-Constraint ID: refers to the identifier assigned to the permission constraint
- Constraint Type: refers to the constraint definition as described in Table 1

Constraint Table - Example
Columns: Unique Permission-Constraint ID | Permission Constraint Description | Constraint Type | Permission ID / Permission Name

PC-002 (incomplete Permission_ID, Names)
  Description: A Resident may operate in ER as an Attending
  Constraint Type: Location
  Permissions: POE-005 New/Renew Outpatient Prescription Order; POE-006 Change/Discontinue/Refill Outpatient Prescription Order; POE-017 New Verbal and Telephone Order

PC-006
  Description: Only one (1) physician may be acting as Chief of Medical Records at any given time
  Constraint Type: Cardinality
  Permissions: POE-028 Release Orders

PC-007
  Description: In the event that a Hospital or Clinic Pharmacy does not have 24 hour service, a Charge Nurse may have access to some of the pharmacy override privileges (i.e. verify orders). During regular pharmacy hours, the Charge Nurse would normally not have these permission(s).
  Constraint Type: Time-Dependency
  Permissions: POE-005 New/Renew Outpatient Prescription Order; POE-006 Change/Discontinue/Refill Outpatient Prescription Order; POE-007 New Inpatient Medication Order; POE-008 Change/Discontinue Inpatient Medication Order; POE-028 Release Orders
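The following is an added example, not HL7 or VHA tooling, showing how the constraint types from the catalog (location, cardinality, time-dependency) can be evaluated against an access request. The three entries are a constructed encoding of the table rows PC-002, PC-006 and PC-007; regular pharmacy hours of 08:00 to 20:00 are an assumed value, as is the rule that the requester's own role membership is not counted against the cardinality limit.

```python
from dataclasses import dataclass, field

# Added example (not HL7 or VHA code). Constraints are a constructed encoding of
# the slide's table rows PC-002, PC-006 and PC-007; pharmacy hours 08:00-20:00 are
# assumed. Times are zero-padded "HH:MM" strings so they compare lexicographically.

@dataclass
class Request:
    user: str
    role: str
    permission: str   # Permission ID, e.g. POE-005
    location: str
    at: str           # "HH:MM"

@dataclass
class Constraint:
    cid: str          # Unique Permission-Constraint ID, PC-nnn
    ctype: str        # "location" | "cardinality" | "time"
    role: str         # role the constraint is written against
    permissions: frozenset
    params: dict = field(default_factory=dict)

CONSTRAINTS = [
    Constraint("PC-002", "location", "Resident",
               frozenset({"POE-005", "POE-006", "POE-017"}), {"allowed": {"ER"}}),
    Constraint("PC-006", "cardinality", "Chief of Medical Records",
               frozenset({"POE-028"}), {"max_holders": 1}),
    Constraint("PC-007", "time", "Charge Nurse",
               frozenset({"POE-005", "POE-006", "POE-007", "POE-008", "POE-028"}),
               {"pharmacy_open": "08:00", "pharmacy_close": "20:00"}),
]

def _violates(c, req, holders):
    if c.ctype == "location":      # PC-002: Resident acts as Attending only in ER
        return req.location not in c.params["allowed"]
    if c.ctype == "cardinality":   # PC-006: at most one Chief at any given time
        others = holders.get(c.role, set()) - {req.user}
        return len(others) >= c.params["max_holders"]
    if c.ctype == "time":          # PC-007: override rights only outside pharmacy hours
        return c.params["pharmacy_open"] <= req.at < c.params["pharmacy_close"]
    raise ValueError(f"unknown constraint type: {c.ctype}")

def check(req, holders, constraints=CONSTRAINTS):
    """Return IDs of constraints that deny the request (empty means allowed)."""
    # holders maps a role name to the set of users currently acting in that role.
    return [c.cid for c in constraints
            if c.role == req.role and req.permission in c.permissions
            and _violates(c, req, holders)]
```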

Emergency Access
Granting of user rights and authorizations to permit access to Protected Health Information (PHI) and applications in emergency conditions.

Emergency Access* - Security Environment
The primary need is to address a lack of sufficient authorization for legitimate care providers where the situation requires immediate delegation.
* There are no established standards for emergency access.

Emergency Access
Enforce security constraints which:
- Audit (at each step, indicate use of Emergency Access)
- Notify local and work security officers
- User review
Be cautious of (tight) security constraints which lead to:
- Ineffective use of the Healthcare Information System
- Risk to patient health, treatment, safety
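An added example, not VHA or HL7 code, of the three controls the slide asks for around emergency access: every step is written to the audit log with an emergency-access marker, local and work security officers are notified when access is invoked, and each grant stays pending until a user review closes it. The officer names, grant ID format and the scoping of a grant to one user and one patient are assumptions.

```python
from dataclasses import dataclass, field
# Added example (not VHA or HL7 code): break-glass grants that audit each step,
# notify security officers on invocation and stay pending until user review.
# Grant IDs, officer names and the one-user/one-patient scope are constructed.

@dataclass
class EmergencyGrant:
    grant_id: str
    user: str
    patient: str
    reason: str
    reviewed: bool = False

@dataclass
class BreakGlass:
    security_officers: list
    audit_log: list = field(default_factory=list)
    notifications: list = field(default_factory=list)
    grants: dict = field(default_factory=dict)

    def _audit(self, grant_id, event, **details):
        # The marker lets reviewers filter every emergency-access step out of the log.
        self.audit_log.append({"emergency_access": True, "grant": grant_id,
                               "event": event, **details})

    def invoke(self, user, patient, reason):
        """Open an emergency grant for one user on one patient; returns its ID."""
        if not reason.strip():
            raise ValueError("emergency access requires a stated reason")
        grant_id = f"EA-{len(self.grants) + 1:04d}"
        self.grants[grant_id] = EmergencyGrant(grant_id, user, patient, reason)
        self._audit(grant_id, "invoked", user=user, patient=patient, reason=reason)
        for officer in self.security_officers:   # local and work security officers
            self.notifications.append((officer, f"{user} invoked {grant_id} for {patient}"))
        return grant_id

    def access(self, grant_id, user, patient, record):
        """Allow a read only under an open grant, by its user, on its patient."""
        g = self.grants.get(grant_id)
        ok = g is not None and g.user == user and g.patient == patient and not g.reviewed
        self._audit(grant_id, "read" if ok else "denied", user=user,
                    patient=patient, record=record)
        return ok

    def review(self, grant_id, reviewer, justified):
        # User review closes the grant and records the outcome alongside the steps.
        self.grants[grant_id].reviewed = True
        self._audit(grant_id, "reviewed", reviewer=reviewer, justified=justified)
        return justified

    def pending_review(self):
        return [g.grant_id for g in self.grants.values() if not g.reviewed]
```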

RBAC Newsletter
Abstract reviews of Role Based Access Control documentation from around the world. Released quarterly. Includes Security/RBAC-related meeting updates and RBAC Task Force meeting briefs.
http://www.va.gov/RBAC/newsletters.asp

HL7 RBAC Documentation
Latest versions of:
- HL7 RBAC Healthcare Permission Catalog
- HL7 RBAC Role Engineering Process
- HL7 RBAC Role Engineering Process - Applied Example
- HL7 RBAC Healthcare Scenarios
- HL7 Healthcare Scenario Roadmap

RBAC Website
The RBAC Website provides authoritative documentation on:
- RBAC Engineering Processes
- RBAC Task Force Artifacts
- RBAC Newsletters
- HL7 RBAC Collaborative and Balloted Documentation
- Archived RBAC Presentations
- Other SDO, VHA RBAC Collaborative Papers and Links
http://www.va.gov/RBAC/index.asp

Role Based Access Control (RBAC) Q & A

Constraint
- Other constraints
- Neumann-Strembeck: X1, X2, X3
- Ahn-Shin
- Crampton…?

