But the increasing business requirements, explosion of new technologies, the onset of mobile devices and the need to secure assets from malicious intents – the …
Nurse_radiology has access to all radiology patients, including Patient A.
The nurse at Dr. Jones Orthopedics needs view-only access to Dr. Jones's patients' data only – this will include Patient A. (The nurse at Dr. Jones Orthopedics is nurse_orthopedics, Role2.) Nurse_orthopedics can only access patients of Dr. Jones Orthopedics and should not have access to other patients' medical data on the EHR system.
Assuming Mary the nurse works for both the Radiology Department and Dr. Jones Orthopedics, with RBAC Mary needs to be assigned two different user log-ins to be able to view the same patient's data (in this case, Patient A).
With the implementation of ABAC, Mary can be assigned a single user log-in. Based on the following attributes: Department (Radiology), Office Location (Dr. Jones Orthopedics), Authority Level (view) of Patient's Data, a user authentication policy is examined to allow/grant access to the data. So, when Mary the nurse logs in to the EHR system, she will be able to view Patient A's data from the Radiology Department while she is logged on at Dr. Jones Orthopedics, located in a separate building or even on another …
Conclusions
RBAC is widely implemented across different systems. The shortcomings of RBAC are addressed when access control management is supplemented with the ABAC method.
RBAC and ABAC advantage
ABAC will be a great addition to the RBAC implementation. RBAC roles can be considered as one of the attributes for ABAC. This allows for a system that combines the RBAC advantage of defined roles with the policy-based authorization that ABAC introduces. Policy-based authorization is attribute-driven and can provide real-time authorization management.
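The Mary scenario and the point that RBAC roles can serve as one ABAC attribute, sketched as an added example (not code from the original essay or from any EHR product). The `Subject` and `Record` classes, the `ROLE_SCOPE` and `TRUSTED_LOCATIONS` tables, the user "sam" and the returned reason strings are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Subject:
    user: str
    roles: frozenset      # RBAC roles, carried as one ABAC attribute
    authority: frozenset  # authority level: actions allowed, e.g. {"view"}
    location: str         # office the session is opened from

@dataclass(frozen=True)
class Record:
    patient: str
    unit: str             # department or practice that owns the record

# Constructed policy data (assumption): the unit each role is scoped to,
# and the office locations sessions are accepted from.
ROLE_SCOPE = {
    "nurse_radiology": "Radiology",
    "nurse_orthopedics": "Dr. Jones Orthopedics",
}
TRUSTED_LOCATIONS = {"Radiology", "Dr. Jones Orthopedics"}

def decide(subject, action, record):
    """Evaluate one request; deny by default and return an auditable reason."""
    if subject.location not in TRUSTED_LOCATIONS:
        return False, "location not recognized"
    if action not in subject.authority:
        return False, "action exceeds authority level"
    for role in sorted(subject.roles):
        if ROLE_SCOPE.get(role) == record.unit:
            return True, f"{role} is scoped to {record.unit}"
    return False, "no role is scoped to this record"

# Constructed sample subjects and records
MARY = Subject("mary", frozenset({"nurse_radiology", "nurse_orthopedics"}),
               frozenset({"view"}), "Dr. Jones Orthopedics")
ORTHO_ONLY = Subject("sam", frozenset({"nurse_orthopedics"}),
                     frozenset({"view"}), "Dr. Jones Orthopedics")
A_RADIOLOGY = Record("Patient A", "Radiology")
A_ORTHO = Record("Patient A", "Dr. Jones Orthopedics")

if __name__ == "__main__":
    for who, act, rec in [(MARY, "view", A_RADIOLOGY), (MARY, "edit", A_ORTHO),
                          (ORTHO_ONLY, "view", A_RADIOLOGY)]:
        print(who.user, act, rec.patient, rec.unit, decide(who, act, rec))
```

Each decision returns its reason alongside the verdict, so the same call can feed an audit log of who was granted or denied what, and why.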
Matters for Consideration
Cost is one of the reasons why companies are not implementing ABAC or adapting it to already stable legacy systems.
Development and Maintenance Cost
Audit controls must be in place for the harmonized RBAC-ABAC