Role Based Access Control Project GBA 573 IT Project Management Amy Page 12 July 2004 Overview Role Based Access Control RBAC is a method to control access to resources on an information system The Health Insurance Portability and Accountability Act HIPAA is requiring that organizations secure patient data and limit access to patient data Healthcare organizations need to ensure patient privacy by limiting the access to healthcare applications and patient records to qualified personnel on a need to know basis RBAC is critically important to the security aspects of healthcare organizations Should this person or a person who performs this job function typically be allowed to access this type of data 12 July 2004 GBA 573 Final Project 2 Problem Statement Healthcare Partners Association with 20 billion a year in revenues and 100 000 employees must comply with the HIPAA regulations by June 2006 by implementing an access control technology such as role based access control As such Healthcare Partners Association has formed the Authorization Infrastructure Program to implement an RBAC mechanism within its current health information systems 12 July 2004 GBA 573 Final Project 3 Project Overview Supports the definition of healthcare functional roles and permissions within the Authorization Infrastructure Program Analysis based Composed of individuals knowledgeable in healthcare workflows Creation of a harmonized list of healthcare permissions along with associated work profiles Derivation of healthcare roles for authorization use within the Healthcare Partners Association health information systems Gotcha Implementation within healthcare is very challenging with a vast array of healthcare personnel roles and tasks Never been accomplished before 12 July 2004 GBA 573 Final Project 4 Project Analysis Project Objectives The targeted objectives are Adopt a role engineering process to accomplish defining roles and permissions Identify and model healthcare workflows of licensed non licensed and non caregiver healthcare personnel Define healthcare functional roles and permissions for use in the access control portions of Healthcare Partners Association health information systems 12 July 2004 GBA 573 Final Project 5 ROI Analysis Cost Benefit Analysis Costs Definition of the healthcare functional roles and permissions Implementation of the Authorization Infrastructure Program will cost 30 million 1 2 million allocated to this project Tangible Benefits Measured against the overarching Authorization Infrastructure Program Annual administrative cost savings ranges can be 6 92 per employee Average annual savings related to improved employee productivity are estimated at 74 per employee Intangible Benefits More fine grained access control due to improved management of assignment of permissions using roles Reduces excessive assignment of permissions Assignment of users to roles can be done by administrative clerical personnel vice security 12 July 2004 GBA 573 Final Project 6 ROI Analysis Cost Benefit Analysis Cost Setup 18 600 Licensed HC Personnel 516 300 NonLicensed HC Personnel 106 500 NonCaregiver HC Personnel 502 560 Delivery to Authorization Infra Program 2 400 Authorization Infrastructure Program 28 853 640 Total Cost 30 000 000 Benefits Administration savings 6 92 employee per year 692 000 Increase in employee productivity 74 employee per year 12 July 2004 GBA 573 Final Project 74 000 000 Total Benefits 74 692 000 ROI 4 8 months 7 Project Design Requirements Analysis The Healthcare RBAC Project has the following requirements Perform analysis of the workflows of licensed healthcare personnel e g physician registered nurse Perform analysis of the workflows of non licensed healthcare personnel e g nurse s aide phlebotomist Perform analysis of the workflows of non caregiver healthcare personnel e g clergy admission clerk Create a healthcare scenario roadmap detailing the functional roles and permissions associated with healthcare personnel Use a database for all data collection 12 July 2004 GBA 573 Final Project 8 Project Design Risk Management Plan A comprehensive analysis of all risks with an assessment of their likelihood of occurrence and expected consequences A mitigation plan is established for each item identified as a risk Developed and implemented under the leadership of the RBAC Project Manager Risks continuously tracked and reported on at each monthly Progress Review 12 July 2004 GBA 573 Final Project 9 Project Design Risk Assessment Risk Risk Description Text Description Risk Exposure Risk Evaluation Trigger Mitigation R1 Licensed subteam will not meet schedule due to regular job duties 108 5 Some project team members are not dedicated personnel Line up alternates R2 Non licensed subteam will not meet schedule due to regular job duties 12 1 Some project team members are not dedicated personnel Line up alternates R3 Non caregiver subteam will not meet schedule due to regular job duties 41 1 Some project team members are not dedicated personnel Line up alternates Total 12 July 2004 GBA 573 Final Project 161 10 Project Design Communications Plan E Mail Used as needed Weekly Conference Calls Used for management updates and technical interchange Monthly Progress Reviews Used for top level management review and update Groove Collaboration Tool Used for collaborative work and development of artifacts RBAC Website The RBAC website is located on the Internet at http www va gov RBAC Issues Database GUI based tool created in Groove for issues tracking 12 July 2004 GBA 573 Final Project 11 Project Development WBS ID 1 2 WBS Task Name 1 Setup 1 1 Create database 3 1 2 Create w ebsite 4 1 3 Create issues database 5 Duration 2 Licensed HC Personnel Start Finish 2004 Qtr 1 Qtr 2 2005 Qtr 3 Qtr 4 Qtr 1 Qtr 2 60 days 8 2 04 10 22 04 10 days 8 2 04 8 13 04 8 2 10 22 04 8 2 8 2 60 days 8 2 04 5 days 8 2 04 8 6 04 239 days 10 25 04 9 22 05 2006 Qtr 3 Qtr 4 Qtr 1 Qtr 2 8 13 10 22 8 6 10 25 5 12 6 2 1 HC Scenario Roadmap Licensed 144 days 10 25 04 5 12 05 7 2 2 Scenario Development Licensed 45 days 5 13 05 7 14 05 5 13 7 14 5 13 7 14 8 2 3 Model Unnormalized Permissions Licensed 45 days 5 13 05 7 14 05 9 2 4 Role Permission Identification Licensed 10 days 7 15 05 7 28 05 10 2 5 Review Licensed Roles and Permissions 40 days 7 29 05 9 22 05 11 2 6 Approve Licensed Roles and Permissions 0 days 9 22 05 9 22 05 125 days 10 25 04 4 15 05 12 3 NonLicensed HC Personnel 7 15 7 29 10 25 1 14 3 1 HC Scenario Roadmap
View Full Document
Unlocking...