Role-Based Access Control Project
GBA 573 – IT Project Management
Amy Page
12 July 2004
GBA 573 Final Project
Overview
• Role-Based Access Control (RBAC) is a method to control access to resources on an information system.
• The Health Insurance Portability and Accountability Act (HIPAA) requires that organizations secure patient data and limit access to it.
  – Healthcare organizations need to ensure patient privacy by limiting access to healthcare applications and patient records to qualified personnel on a “need-to-know” basis.
• RBAC is critically important to the security aspects of healthcare organizations.
“Should this person (or a person who performs this job function) typically be allowed to access this type of data?”
Problem Statement
Healthcare Partners Association, with $20 billion a year in revenues and 100,000 employees, must comply with the HIPAA regulations by June 2006 by implementing an access control technology such as role-based access control. As such, Healthcare Partners Association has formed the Authorization Infrastructure Program to implement an RBAC mechanism within its current health information systems.
Project Overview
• Supports the definition of healthcare functional roles and permissions within the Authorization Infrastructure Program
• Analysis-based
• Composed of individuals knowledgeable in healthcare workflows
• Creation of a harmonized list of healthcare permissions along with associated work profiles
• Derivation of healthcare roles for authorization use within the Healthcare Partners Association health information systems
Gotcha:
• Implementation within healthcare is very challenging with a vast array of healthcare personnel roles and tasks
• Never been accomplished before
Project Analysis: Project Objectives
The targeted objectives are:
• Adopt a role engineering process to accomplish defining roles and permissions
• Identify and model healthcare workflows of licensed, non-licensed and non-caregiver healthcare personnel
• Define healthcare functional roles and permissions for use in the access control portions of Healthcare Partners Association health information systems
ROI Analysis: Cost/Benefit Analysis
• Costs
  – Definition of the healthcare functional roles and permissions
  – Implementation of the Authorization Infrastructure Program will cost $30 million, with $1.2 million allocated to this project
• Tangible Benefits
  – Measured against the overarching Authorization Infrastructure Program
  – Annual administrative cost savings can be $6.92 per employee
  – Average annual savings related to improved employee productivity are estimated at $74 per employee
• Intangible Benefits
  – More fine-grained access control due to improved management of the assignment of permissions using roles
  – Reduces excessive assignment of permissions
  – Assignment of users to roles can be done by administrative/clerical personnel rather than security personnel
ROI Analysis: Cost/Benefit Analysis
Cost
  Setup                                                   $18,600
  Licensed HC Personnel                                  $516,300
  NonLicensed HC Personnel                               $106,500
  NonCaregiver HC Personnel                              $502,560
  Delivery to Authorization Infra Program                  $2,400
  Authorization Infrastructure Program                $28,853,640
  Total Cost                                          $30,000,000
Benefits
  Administration savings ($6.92/employee per year)       $692,000
  Increase in employee productivity ($74/employee per year)  $74,000,000
  Total Benefits                                      $74,692,000
ROI: 4.8 months!
Project Design: Requirements Analysis
The Healthcare RBAC Project has the following requirements:
• Perform analysis of the workflows of licensed healthcare personnel (e.g. physician, registered nurse)
• Perform analysis of the workflows of non-licensed healthcare personnel (e.g. nurse’s aide, phlebotomist)
• Perform analysis of the workflows of non-caregiver healthcare personnel (e.g. clergy, admission clerk)
• Create a healthcare scenario roadmap detailing the functional roles and permissions associated with healthcare personnel
• Use a database for all data collection
Project Design: Risk Management Plan
• A comprehensive analysis of all risks with an assessment of their likelihood of occurrence and expected consequences
• A mitigation plan is established for each item identified as a risk.
• Developed and implemented under the leadership of the RBAC Project Manager
• Risks continuously tracked and reported on at each monthly Progress Review
Project Design: Risk Assessment
(Columns: Risk #, Risk Description, Risk Exposure, Risk Evaluation, Trigger, Mitigation)

R1 – Licensed subteam will not meet schedule due to regular job duties.
  Risk Exposure: 108 / Risk Evaluation: 5
  Trigger: Some project team members are not dedicated personnel.
  Mitigation: Line up alternates.

R2 – Non-licensed subteam will not meet schedule due to regular job duties.
  Risk Exposure: 12 / Risk Evaluation: 1
  Trigger: Some project team members are not dedicated personnel.
  Mitigation: Line up alternates.

R3 – Non-caregiver subteam will not meet schedule due to regular job duties.
  Risk Exposure: 41 / Risk Evaluation: 1
  Trigger: Some project team members are not dedicated personnel.
  Mitigation: Line up alternates.

Total Risk Exposure: 161
Project Design: Communications Plan
• E-Mail – Used as needed
• Weekly Conference Calls – Used for management updates and technical interchange
• Monthly Progress Reviews – Used for top-level management review and update
• Groove Collaboration Tool – Used for collaborative work and development of artifacts
• RBAC Website – The RBAC website is located on the Internet at http://www.va.gov/RBAC/
• Issues Database – GUI-based tool created in Groove for issues tracking
Project Development: WBS
ID WBS Task Name Duration Start Finish
1 1 Setup 60 days 8/2/04 10/22/04
2 1.1 Create database 10 days 8/2/04 8/13/04
3 1.2 Create website 60 days 8/2/04 10/22/04
4 1.3 Create issues database 5 days 8/2/04 8/6/04
5 2 Licensed HC Personnel 239 days 10/25/04 9/22/05
6 2.1 HC Scenario Roadmap - Licensed 144 days 10/25/04 5/12/05
7 2.2 Scenario Development - Licensed 45 days 5/13/05 7/14/05
8 2.3 Model Unnormalized Permissions - Licensed 45 days 5/13/05 7/14/05
9 2.4 Role & Permission Identification - Licensed 10 days 7/15/05 7/28/05
10 2.5 Review Licensed Roles and Permissions 40 days 7/29/05 9/22/05
11 2.6 Approve Licensed Roles and Permissions 0 days 9/22/05 9/22/05
12 3 NonLicensed HC Personnel 125 days 10/25/04 4/15/05
13 3.1 HC Scenario Roadmap - NonLicensed 60 days 10/25/04 1/14/05
14 3.2 Scenario Development - NonLicensed 30 days 1/17/05 2/25/05
15 3.3 Model Unnormalized Permissions - NonLicensed 30 days 1/17/05 2/25/05
16 3.4 Role & Permission Identification - NonLicensed 10 days 2/28/05 3/11/05
17 3.5 Review Non-Licensed Roles and Permissions 25 days 3/14/05 4/15/05
18 3.6 Approve Non-Licensed Roles and Permissions 0 days 4/15/05 4/15/05
19 4 NonCaregiver HC Personnel 248 days 10/25/04 10/5/05
20 4.1 HC Scenario Roadmap - NonCaregiver 138 days 10/25/04 5/4/05
21 4.2 Scenario Development - NonCaregiver 60 days 5/5/05 7/27/05
22 4.3 Model Unnormalized Permissions - NonCaregiver 60 days 5/5/05 7/27/05
23 4.4 Role & Permission Identification - NonCaregiver 10 days 7/28/05 8/10/05
24 4.5 Review Non-Caregiver Roles and Permissions 40 days 8/11/05 10/5/05
25 4.6 Approve Non-Caregiver Roles and Permissions 0 days 10/5/05 10/5/05
[Gantt chart of the tasks above, Qtr 1 2004 through Qtr 2 2006]
Project Development: WBS (cont.)
ID WBS Task Name Duration Start Finish
26 5 Delivery to Authorization Infra Program 4 days 10/6/05 10/11/05
27 5.1 Database Extraction 3 days 10/6/05 10/10/05
28 5.2 Role & Permission Delivery 1 day 10/11/05 10/11/05
29 6 Project Completion 0 days 10/11/05 10/11/05
[Gantt chart of the tasks above, Qtr 1 2004 through Qtr 2 2006]
Project Development: Staffing
[Organization chart: Role-Based Access Control Project]
RBAC Project Manager
  – Licensed Healthcare Personnel Lead: 5 Domain Experts
  – Non-Licensed Healthcare Personnel Lead: 3 Domain Experts
  – Non-Caregiver Healthcare Personnel Lead: 7 Domain Experts
  – Support
• Project is unique in that
  – It is primarily an analysis of healthcare workflows
  – Domain experts from various healthcare disciplines are required
  – Healthcare personnel greatly vary in cost
Project Development: Implementation Method
The Healthcare RBAC Project will use a role engineering process based upon the scenario-driven process as defined by Neumann and Strembeck.
The role engineering process is defined as:
– Identify and Model Usage Scenarios
– Derive Permissions from Scenarios
– Refine the Scenario Model (Iterative), as necessary
– Define Tasks and Work Profiles
– Derive a Preliminary Role Hierarchy
– Define the RBAC Model
G. Neumann and M. Strembeck. A Scenario-driven Role Engineering Process for Functional RBAC Roles, June 2002.
Project Development: Implementation Method (cont.)
[Diagram of the RBAC model: Users -> (UA) User Assignment -> Functional Roles -> (PA) Permission Assignment -> PERM, where PERM combines OPS and OBJ]
OPS = Operations, OBJ = Objects, PERM = Permissions
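The model in the diagram above, as an added Python example that is not part of the original deck: users are assigned to functional roles (UA), roles are assigned permissions (PA) drawn from OPS x OBJ, and a preliminary role hierarchy lets a senior role inherit a junior role's permissions, so `role_can` answers the Overview slide's question for a job function rather than an individual. The role, operation and object names are constructed samples, not the project's harmonized permission list.

```python
# Added example, not the project's own code: a minimal RBAC model in the shape of
# the diagram above, USERS -(UA)-> FUNCTIONAL ROLES -(PA)-> PERM with PERM = OPS x OBJ,
# plus a role hierarchy so a senior role inherits its junior roles' permissions.
from typing import Dict, Set, Tuple

Perm = Tuple[str, str]  # (operation, object): one element of OPS x OBJ


class Rbac:
    def __init__(self) -> None:
        self.ua: Dict[str, Set[str]] = {}        # UA: user -> assigned roles
        self.pa: Dict[str, Set[Perm]] = {}       # PA: role -> directly assigned permissions
        self.juniors: Dict[str, Set[str]] = {}   # role hierarchy: role -> roles it inherits

    def add_role(self, role: str, perms: Set[Perm], inherits: Set[str] = frozenset()) -> None:
        unknown = set(inherits) - set(self.pa)
        if unknown:  # refuse dangling inheritance edges
            raise ValueError(f"unknown junior role(s): {sorted(unknown)}")
        self.pa[role] = set(perms)
        self.juniors[role] = set(inherits)

    def assign_user(self, user: str, role: str) -> None:
        if role not in self.pa:  # users may only be assigned to defined roles
            raise ValueError(f"unknown role: {role}")
        self.ua.setdefault(user, set()).add(role)

    def role_perms(self, role: str) -> Set[Perm]:
        """Effective permissions: the role's own plus everything inherited."""
        seen, todo, perms = set(), [role], set()
        while todo:
            r = todo.pop()
            if r not in seen:
                seen.add(r)
                perms |= self.pa[r]
                todo.extend(self.juniors[r])
        return perms

    def role_can(self, role: str, op: str, obj: str) -> bool:
        # "Should a person who performs this job function access this data?"
        return (op, obj) in self.role_perms(role)

    def user_can(self, user: str, op: str, obj: str) -> bool:
        return any(self.role_can(r, op, obj) for r in self.ua.get(user, ()))


def build_sample() -> Rbac:
    m = Rbac()  # constructed sample roles and permissions, not the project's list
    m.add_role("caregiver", {("read", "patient_record")})
    m.add_role("registered_nurse", {("write", "progress_note")}, {"caregiver"})
    m.add_role("physician", {("order", "lab_test")}, {"registered_nurse"})
    m.add_role("admission_clerk", {("read", "demographics"), ("update", "admission")})
    m.assign_user("dr_smith", "physician")
    return m
```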
Testing/Documentation
• No testing is required since this is an analysis project
• Peer reviews and approval of all deliverables are required
• It is mandatory that the licensed, non-licensed and non-caregiver domain experts review all other deliverables, such as the Healthcare Scenario Roadmap
• Deliverable peer reviews will be accomplished using the Peer Review Process as defined by the organization
Final Analysis
The Healthcare RBAC Project…
• Is critical to the success of the Authorization Infrastructure Program
• Will enable the Authorization Infrastructure Program to complete its integration with the health information systems
• Returns its investment within 4.8 months and will continue to produce cost savings associated with the implementation of RBAC for years to come
But…
• Completing the analysis of the licensed healthcare personnel is a high-risk item
• It is imperative that the RBAC Project Manager continuously monitor the progress of the project and proactively recruit alternates for the licensed healthcare subteam
Questions?