
Role-Based Access Control Project

GBA 573 – IT Project Management
Amy Page

12 July 2004

12 July 2004 – GBA 573 Final Project

Overview

• Role-Based Access Control (RBAC) is a method to control access to resources on an information system.

• The Health Insurance Portability and Accountability Act (HIPAA) requires organizations to secure patient data and to limit who can access it.
– Healthcare organizations need to ensure patient privacy by limiting access to healthcare applications and patient records to qualified personnel on a “need-to-know” basis.

• RBAC is critically important to the security of healthcare organizations. For every access request, the question it answers is:
“Should this person (or a person who performs this job function) typically be allowed to access this type of data?”


Problem Statement

Healthcare Partners Association, with $20 billion a year in revenues and 100,000 employees, must comply with the HIPAA regulations by June 2006 by implementing an access control technology such as role-based access control. As such, Healthcare Partners Association has formed the Authorization Infrastructure Program to implement an RBAC mechanism within its current health information systems.


Project Overview

• Supports the definition of healthcare functional roles and permissions within the Authorization Infrastructure Program
• Analysis-based
• Composed of individuals knowledgeable in healthcare workflows
• Creation of a harmonized list of healthcare permissions along with associated work profiles
• Derivation of healthcare roles for authorization use within the Healthcare Partners Association health information systems

Gotcha:
• Implementation within healthcare is very challenging, with a vast array of healthcare personnel roles and tasks
• Never been accomplished before


Project Analysis: Project Objectives

The targeted objectives are:
• Adopt a role engineering process to accomplish defining roles and permissions
• Identify and model healthcare workflows of licensed, non-licensed and non-caregiver healthcare personnel
• Define healthcare functional roles and permissions for use in the access control portions of Healthcare Partners Association health information systems


ROI Analysis: Cost/Benefit Analysis

• Costs
– Definition of the healthcare functional roles and permissions
– Implementation of the Authorization Infrastructure Program will cost $30 million, of which $1.2 million is allocated to this project
• Tangible Benefits
– Measured against the overarching Authorization Infrastructure Program
– Annual administrative cost savings can be $6.92 per employee
– Average annual savings from improved employee productivity are estimated at $74 per employee
• Intangible Benefits
– More fine-grained access control, because permissions are assigned to roles rather than to individual users
– Reduces excessive assignment of permissions
– Assignment of users to roles can be done by administrative/clerical personnel rather than by security staff


ROI Analysis: Cost/Benefit Analysis

Cost
  Setup                                                          $18,600
  Licensed HC Personnel                                         $516,300
  NonLicensed HC Personnel                                      $106,500
  NonCaregiver HC Personnel                                     $502,560
  Delivery to Authorization Infra Program                         $2,400
  Authorization Infrastructure Program                       $28,853,640
  Total Cost                                                 $30,000,000

Benefits (per year, 100,000 employees)
  Administration savings ($6.92/employee per year)              $692,000
  Increase in employee productivity ($74/employee per year)  $74,000,000
  Total Benefits                                             $74,692,000

ROI: 4.8 months!

Note: the 4.8 months is a simple payback period for the whole $30 million program, i.e. total cost divided by annual benefit ($30,000,000 / $74,692,000 per year ≈ 0.40 years). Over 99% of the annual benefit is the $74/employee productivity estimate, so the payback figure stands or falls with that single assumption.


Project Design: Requirements Analysis

The Healthcare RBAC Project has the following requirements:

• Perform analysis of the workflows of licensed healthcare personnel (e.g. physician, registered nurse)

• Perform analysis of the workflows of non‑licensed healthcare personnel (e.g. nurse’s aide, phlebotomist)

• Perform analysis of the workflows of non‑caregiver healthcare personnel (e.g. clergy, admission clerk)

• Create a healthcare scenario roadmap detailing the functional roles and permissions associated with healthcare personnel

• Use a database for all data collection


Project Design: Risk Management Plan

• A comprehensive analysis of all risks with an assessment of their likelihood of occurrence and expected consequences

• A mitigation plan is established for each item identified as a risk.

• Developed and implemented under the leadership of the RBAC Project Manager

• Risks continuously tracked and reported on at each monthly Progress Review


Project Design: Risk Assessment

Columns: Risk #, Risk Description, Risk Exposure, Risk Evaluation, Trigger, Mitigation

R1 – Licensed subteam will not meet schedule due to regular job duties.
  Risk exposure: 108. Risk evaluation: 5.
  Trigger: some project team members are not dedicated personnel.
  Mitigation: line up alternates.

R2 – Non-licensed subteam will not meet schedule due to regular job duties.
  Risk exposure: 12. Risk evaluation: 1.
  Trigger: some project team members are not dedicated personnel.
  Mitigation: line up alternates.

R3 – Non-caregiver subteam will not meet schedule due to regular job duties.
  Risk exposure: 41. Risk evaluation: 1.
  Trigger: some project team members are not dedicated personnel.
  Mitigation: line up alternates.

Total risk exposure: 161


Project Design: Communications Plan

• E-Mail – Used as needed
• Weekly Conference Calls – Used for management updates and technical interchange
• Monthly Progress Reviews – Used for top-level management review and update
• Groove Collaboration Tool – Used for collaborative work and development of artifacts
• RBAC Website – The RBAC website is located on the Internet at http://www.va.gov/RBAC/.
• Issues Database – GUI-based tool created in Groove for issues tracking


Project Development: WBS

ID WBS Task Name Duration Start Finish

1 1 Setup 60 days 8/2/04 10/22/04

2 1.1 Create database 10 days 8/2/04 8/13/04

3 1.2 Create website 60 days 8/2/04 10/22/04

4 1.3 Create issues database 5 days 8/2/04 8/6/04

5 2 Licensed HC Personnel 239 days 10/25/04 9/22/05

6 2.1 HC Scenario Roadmap - Licensed 144 days 10/25/04 5/12/05

7 2.2 Scenario Development - Licensed 45 days 5/13/05 7/14/05

8 2.3 Model Unnormalized Permissions - Licensed 45 days 5/13/05 7/14/05

9 2.4 Role & Permission Identification - Licensed 10 days 7/15/05 7/28/05

10 2.5 Review Licensed Roles and Permissions 40 days 7/29/05 9/22/05

11 2.6 Approve Licensed Roles and Permissions 0 days 9/22/05 9/22/05

12 3 NonLicensed HC Personnel 125 days 10/25/04 4/15/05

13 3.1 HC Scenario Roadmap - NonLicensed 60 days 10/25/04 1/14/05

14 3.2 Scenario Development - NonLicensed 30 days 1/17/05 2/25/05

15 3.3 Model Unnormalized Permissions - NonLicensed 30 days 1/17/05 2/25/05

16 3.4 Role & Permission Identification - NonLicensed 10 days 2/28/05 3/11/05

17 3.5 Review Non-Licensed Roles and Permissions 25 days 3/14/05 4/15/05

18 3.6 Approve Non-Licensed Roles and Permissions 0 days 4/15/05 4/15/05

19 4 NonCaregiver HC Personnel 248 days 10/25/04 10/5/05

20 4.1 HC Scenario Roadmap - NonCaregiver 138 days 10/25/04 5/4/05

21 4.2 Scenario Development - NonCaregiver 60 days 5/5/05 7/27/05

22 4.3 Model Unnormalized Permissions - NonCaregiver 60 days 5/5/05 7/27/05

23 4.4 Role & Permission Identification - NonCaregiver 10 days 7/28/05 8/10/05

24 4.5 Review Non-Caregiver Roles and Permissions 40 days 8/11/05 10/5/05

25 4.6 Approve Non-Caregiver Roles and Permissions 0 days 10/5/05 10/5/05

[Gantt chart of the tasks above: one bar per task spanning its Start and Finish dates, on a timeline from Qtr 1 2004 through Qtr 2 2006]


Project Development: WBS (cont.)

ID WBS Task Name Duration Start Finish

26 5 Delivery to Authorization Infra Program 4 days 10/6/05 10/11/05

27 5.1 Database Extraction 3 days 10/6/05 10/10/05

28 5.2 Role & Permission Delivery 1 day 10/11/05 10/11/05

29 6 Project Completion 0 days 10/11/05 10/11/05

[Gantt chart of the tasks above: one bar per task spanning its Start and Finish dates, on a timeline from Qtr 1 2004 through Qtr 2 2006]


Project Development: Staffing

[Organization chart: the RBAC Project Manager heads the Role-Based Access Control Project, with three subteam leads and a Support function reporting in]
– Licensed Healthcare Personnel Lead: 5 Domain Experts
– Non-Licensed Healthcare Personnel Lead: 3 Domain Experts
– Non-Caregiver Healthcare Personnel Lead: 7 Domain Experts
– Support

• Project is unique in that:
– It is primarily an analysis of healthcare workflows
– Domain experts from various healthcare disciplines are required
– Healthcare personnel vary greatly in cost


Project Development: Implementation Method

The Healthcare RBAC Project will use a role engineering process based upon the scenario-driven process defined by Neumann and Strembeck.

The role engineering process is defined as:
– Identify and Model Usage Scenarios
– Derive Permissions from Scenarios
– Refine the Scenario Model (iterative), as necessary
– Define Tasks and Work Profiles
– Derive a Preliminary Role Hierarchy
– Define the RBAC Model

G. Neumann and M. Strembeck, “A Scenario-driven Role Engineering Process for Functional RBAC Roles,” Proceedings of the 7th ACM Symposium on Access Control Models and Technologies (SACMAT 2002), June 2002.


Project Development: Implementation Method

[Figure: the core RBAC model. Users are mapped to Functional Roles by User Assignment (UA); Functional Roles are mapped to PERM by Permission Assignment (PA); each permission in PERM is an operation from OPS applied to an object from OBJ.]

OPS = Operations, OBJ = Objects, PERM = Permissions
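The following Python is an added worked example, written for this page; it is not code from the original deck or from the Authorization Infrastructure Program. It follows the role engineering steps listed on the previous slide and the Users/Roles/Permissions model in the figure above: scenario steps are collapsed into permission sets (each permission an operation-object pair, as in PERM ⊆ OPS × OBJ), a preliminary role hierarchy is derived from permission-set containment, inherited permissions are normalized out of the senior roles, and an access check answers the deck's question of whether a person performing a given job function may perform a given operation on a given type of data. A final review function flags permissions a role can exercise that no scenario of its job function needs. The job functions, scenarios, users and permissions are constructed sample data, not the project's.

```python
"""Added example, not code from the original deck or from the Authorization
Infrastructure Program: a small core-RBAC model built by following the
scenario-driven role engineering steps. All data below is constructed."""
from itertools import combinations

# PERM is a subset of OPS x OBJ, so a permission is an (operation, object) pair.
# Steps 1-2: usage scenarios per job function; each step names the operation
# performed and the object it touches (constructed sample data).
SCENARIOS = {
    "physician": [("read", "patient_record"), ("write", "progress_note"),
                  ("write", "medication_order"), ("read", "lab_result")],
    "registered_nurse": [("read", "patient_record"), ("write", "progress_note"),
                         ("read", "lab_result"), ("write", "vital_signs"),
                         ("read", "care_plan")],
    "nurses_aide": [("write", "vital_signs"), ("read", "care_plan")],
    "admission_clerk": [("read", "demographics"), ("write", "demographics")],
}


def derive_permissions(scenarios):
    """Step 2: collapse each job function's scenario steps into the
    (still unnormalized) permission set of its functional role."""
    return {job: frozenset(steps) for job, steps in scenarios.items()}


def derive_role_hierarchy(role_perms):
    """Step 5: preliminary hierarchy by permission-set containment. A role is
    senior to another when it strictly contains the other's permissions. This
    follows the scenarios, not the org chart: a physician whose scenarios
    never record vital signs is not senior to a nurse."""
    juniors = {role: set() for role in role_perms}
    for a, b in combinations(role_perms, 2):
        if role_perms[a] > role_perms[b]:
            juniors[a].add(b)
        elif role_perms[b] > role_perms[a]:
            juniors[b].add(a)
    return juniors


def normalize(role_perms, juniors):
    """Remove from each role the permissions it already inherits from its
    junior roles, turning the unnormalized sets into normalized ones."""
    return {role: perms - set().union(*(role_perms[j] for j in juniors[role]))
            for role, perms in role_perms.items()}


class CoreRBAC:
    """Users --UA--> Functional Roles --PA--> PERM, plus a role hierarchy."""

    def __init__(self, role_perms, juniors):
        self.pa = role_perms    # PA: role -> frozenset of (operation, object)
        self.juniors = juniors  # role -> junior roles it inherits from
        self.ua = {}            # UA: user -> set of roles

    def assign_user(self, user, role):
        # UA needs only the person's job function, so clerical staff can do it.
        if role not in self.pa:
            raise KeyError(f"unknown role {role!r}")
        self.ua.setdefault(user, set()).add(role)

    def authorized_permissions(self, role):
        """A role's own permissions plus everything inherited transitively."""
        seen, stack, perms = set(), [role], set()
        while stack:
            r = stack.pop()
            if r in seen:
                continue
            seen.add(r)
            perms |= self.pa[r]
            stack.extend(self.juniors.get(r, ()))
        return perms

    def check(self, user, operation, obj):
        """May a person performing this job function do this to this data?"""
        return any((operation, obj) in self.authorized_permissions(r)
                   for r in self.ua.get(user, ()))


def excess_permissions(model, scenarios):
    """Review check: permissions a role can exercise that none of its job
    function's scenarios need, i.e. excessive assignments to remove or justify."""
    excess = {}
    for role in model.pa:
        extra = model.authorized_permissions(role) - set(scenarios.get(role, []))
        if extra:
            excess[role] = extra
    return excess


def build_model(scenarios):
    """Steps 2, 5 and 6 end to end: permissions, hierarchy, RBAC model."""
    raw = derive_permissions(scenarios)
    juniors = derive_role_hierarchy(raw)
    return CoreRBAC(normalize(raw, juniors), juniors)
```

With the sample scenarios, build_model(SCENARIOS) makes registered_nurse senior to nurses_aide (its permission set strictly contains the aide's) and leaves physician unrelated to both; after normalization the nurse role keeps only the three permissions the aide lacks and gets vital-signs and care-plan access by inheritance. Assigning a user to registered_nurse and asking check(user, "write", "vital_signs") therefore returns True, while the same check for an admission_clerk user returns False. excess_permissions returns an empty dict for a model built straight from the scenarios, and flags any permission later added to a role by hand that no scenario of that job function justifies.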


Testing/Documentation

• No testing is required since this is an analysis project
• Peer reviews and approval of all deliverables are required
• Mandatory that the licensed, non-licensed and non-caregiver domain experts review all other deliverables, such as the Healthcare Scenario Roadmap
• Deliverable peer reviews will be accomplished using the Peer Review Process as defined by the organization


Final Analysis

The Healthcare RBAC Project…
• Is critical to the success of the Authorization Infrastructure Program
• Will enable the Authorization Infrastructure Program to complete its integration with the health information systems
• Pays back its investment within 4.8 months and will continue to produce cost savings from the implementation of RBAC for years to come

But…
• High-risk item: completing the analysis of the licensed healthcare personnel
• Imperative that the RBAC Project Manager continuously monitor the progress of the project and proactively recruit alternates for the licensed healthcare subteam


Questions?