Access Control in Heterogenous Health Care Systems: A comparison of Role Based Access Control Versus Decision Based Access Control

Abstract

Role based access control (RBAC) is widely used in health care systems today. Some of the biggest systems in use at Norwegian hospitals utilizes role based integration. The basic concept of RBAC is that users are assigned to roles, permissions are assigned to roles and users acquire permissions by being members of roles. An alternative approach to the role based access distribution, is that information should be available only to those who are taking active part in a patient s treatment. This approach is called decision based access control (DBAC). While some RBAC implementations grant access to a groups of people by ward, DBAC ensures that access to relevant parts of the patient s medical record is given for treatment purposes regardless of which department the health care worker belongs to. Until now the granularity which the legal framework describes has been difficult to follow. The practical approach has been to grant access to entire wards or organizational units in which the patient currently resides. Due to the protection of personal privacy, it is not acceptable that any medical record is available to every clinician at all times. The most important reason to implement DBAC where RBAC exists today, is to get an access control model that is more dynamic. The users should have the access they need to perform their job at all times, but not more access than needed. With RBAC, practice has shown that it is very hard to make dynamic access rules when properties such as time and tasks of an employee s work change. This study reveals that pretty much all security measures in the RBAC systems can be overridden by the use of emergency access features. These features are used extensively in everyday work at the hospitals, and thereby creates a security risk. At the same time conformance with the legal framework is not maintained. Two scenarios are simulated in a fictional RBAC and DBAC environment in this report. The results of the simulation show that a complete audit of the logs containing access right enhancements in the RBAC environment is unfeasible at a large hospital, and even checking a few percent of the entries is also a very large job. Changing from RBAC to DBAC would probably affect this situation to the better. Some economical advantages are also pointed out. If a change is made, a considerable amount of time that is used by health care workers to unblock access to information they need in their everyday work will be saved.