Role-Based Access Control (RBAC)Semi-Annual Report

PRESENTATION TO xxxHigh Performance Technologies Group (HPTG), a DRC Company

Period of Performance August 2011 to January 2012

VETERANS HEALTH ADMINISTRATION

Report Objectives and Background

Present a review of all accumulated changes conducted to RBAC documentation. Include a summary of documents of what has changed.

Support the development of security and privacy vocabulary and standards within Health Level 7 (HL7) crucial to creating the rules that express who can see what information under what conditions.

Software Security Architecture provides support for the development of VHA line of business role definitions and standardization of such roles for interoperability purposes where feasible.

2

VETERANS HEALTH ADMINISTRATION

RBAC Activities within the Past Six Months

3

The following RBAC deliverables have been reviewed and updated:

HL7 Permission Catalog

HL7 Constraint Catalog

VHA Functional Role Catalog

VHA Structural Role Catalog

RBAC Roadmap

RBAC Database

RBAC Task Force Charter

VETERANS HEALTH ADMINISTRATION

Role Based Access Control (RBAC) – Permission Catalog

Healthcare Permission Catalog, Release 2HL7 Security Technical Committee

Description: The Permission Catalog as an HL7 standard presents normative language to the HL7 permission vocabulary by constructing {operation, object} pairs.

Editorial update performed. The updated document (version 4.13) of the HL7 Permission

Catalog will be presented at the upcoming January WGM in San Antonio.

If the changes made to the document are substantial the Permission Catalog will need to go through an additional ballot cycle.

VETERANS HEALTH ADMINISTRATION

Illustration of Updates – HL7 RBAC Permission Catalog

5

VETERANS HEALTH ADMINISTRATION

Role Based Access Control (RBAC) – Constraint Catalog

Constraint Catalog, Version 1.41HL7 Security Technical Committee

Description: The Constraint Catalog introduces a process and a catalog of constraints on identified healthcare permissions as presented in the HL7 RBAC Permission Catalog, a normative HL7 standard.

Reviewed the content, performed editorial update and updated references.

Updated versions of the HL7 Constraint Catalog will be presented at

the upcoming January WGM in San Antonio.

VETERANS HEALTH ADMINISTRATION

Illustration of Updates – HL7 Constraint Catalog

7

VETERANS HEALTH ADMINISTRATION

Role Based Access Control (RBAC) – Functional Roles

VA Functional Role Catalog, Version 11.4

Description: The VA Functional Role Catalog defines functional roles for use within the Department of Veteran Affairs (VA). The Functional Role Catalog includes support for functional roles needed for authorizing VA healthcare provider access to Protected Health Information (PHI), as well as other categories of roles needed throughout the Department.

Document template updated Updated citations and references RBAC Roadmap V13.3 embedded into document

VETERANS HEALTH ADMINISTRATION

Illustration of Updates – VA Functional Role Catalog

9

REFERENCES UPDATED

VETERANS HEALTH ADMINISTRATION

Role Based Access Control (RBAC) – Structural Roles

VA Structural Role Catalog, Version 11.2Description: The VA Structural Role Catalog defines structural roles within the Department of Veteran Affairs Veterans Health Administration (VHA) and represents the consensus work product of the VA RBAC Task Force.

Role descriptions and NUCC references updated. Additional roles accepted in the referenced ASTM E1986-09

added SNOMED code values column added Numeric identifier added as found in ASTM E1986-09 and

RBAC Permission Catalog, Release 2 The Structural Role document table has been rearranged

to correspond in-line with data found in the ASTM E1986.

VETERANS HEALTH ADMINISTRATION

Illustration of Updates – VA Structural Roles

11

NUCC

SNOMED CT

NUMERIC ID

VETERANS HEALTH ADMINISTRATION

Role Based Access Control (RBAC) – Role Roadmap

VA Role Roadmap, Version 13.3

Description: The RBAC Roadmap contains mappings between roles and permissions as defined by the VHA RBAC Task Force.

ReadMe descriptive tab added to spreadsheet Consolidated previously listed “non-ASTM” and “VHA-specific”

tabs to the main spreadsheet to coincide with the new ASTM E1986-09 accepted standard.

The RBAC Roadmap now contains only two tabs: Licensed and Non-Licensed Providers and has been

Roles reorganized to directly correspond to both the ASTM E1986-09 standard and the Structural Roles Catalog

VETERANS HEALTH ADMINISTRATION

Illustration of Changes – RBAC Roadmap

13

NEW

VETERANS HEALTH ADMINISTRATION

Role Based Access Control (RBAC) – Role Database

Role Based Access Control (RBAC) DatabaseVersion 2.0

Description: The RBAC Database implemented in Microsoft Access contains the information provided by the previously mentioned RBAC catalogs. The RBAC Database supports a generation of queries and reports to be used for various purposes.

Database reviewed for consistency with the current RBAC documentation.

Database will be updated with the 2012 versions of: Structural Roles Functional Roles Permission Catalog, Version 2

VETERANS HEALTH ADMINISTRATION

Role Based Access Control (RBAC) – Task Force Charter

RBAC Task Force CharterVA RBAC Support Group Charter

Description: The purpose of the RBAC charter is to establish the Department of Veterans Affairs (VA) RBAC Support Group (SG), define mission, scope of authority, responsibilities, executive sponsors, stakeholders, membership, and communication modes. Collaboration between VA and DoD is envisioned and the development of a new RBAC SG will be established.

Support Group Charter reflects a VA-wide RBAC support. Further instruction and guidance on VA organization will be

provided by VA

Scope of the RBAC TF is being redefined. Collaboration of VA with DoD is a possibility. The RBAC Support Group charter will reflect current focus and scope once established. Coordination is being pursued by VA and DoDrepresentatives. Detailed information is not available at the time of this report.