The most commonly used MAC is the multi-level security mechanism used by the Department of Defense (DOD). This is the mechanism that associates information with labels such as TOP SECRET, SECRET, and CONFIDENTIAL. It has become apparent that this type of MAC is not sufficiently flexible for industry use, and it is equally inadequate for the needs of health care.
Role Based Access Control (RBAC) [RBAC] is a MAC that has been developed at NIST to meet the needs of industry. Rather than labeling information, it associates roles with each individual who might need to access information. Each role defines a specific set of operations that an individual acting in that role may perform. The operations may be broad or very specific, e.g., when a diagnosis is entered into a patient record, the symptoms leading to that diagnosis must also be entered. Once an individual has been properly identified and that identification authenticated, the individual chooses one of the roles assigned to him or her and accesses information according to the operations assigned to that role.
This project determines the applicability of RBAC to health care information. While it is generally accepted that RBAC is better suited to health care than other MAC mechanisms, the question remains whether RBAC meets all of the requirements for the security of health care information. Moreover, there are several variations on the RBAC model, and there is the question of which variations are most suitable for health care information.
In order to illustrate the usefulness of RBAC to health care, this project also produces a demonstration of the use of RBAC with patient records. The demonstration suggests different roles that are appropriate with patient records and defines sample operations associated with those roles.
A sample RBAC policy related to clinical and administrative patient data has been identified. This draft UK specification [GRIEW] represents some degree of consensus on a policy for patient information access. The UK policy is RBAC with the added capability of labeling information so that it is available only to the patient and the doctor. It specifies roles and the level of access permitted by each role.
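The following is an added example, not code from the project or from the NIST or UK specifications. It puts the RBAC mechanism described above into working form: users are assigned roles, each role is a set of operations, an authenticated user activates one assigned role per session, and the "diagnosis requires symptoms" rule is enforced as a specific operation. It also models the UK policy's extension, a per-record label restricting access to the patient and the treating doctor, which is checked after the role check. The roles, operations, user names and record contents are constructed for illustration.

```python
"""Added example: a small role-based access control (RBAC) engine for patient
records. Roles, operations and users are constructed, not from any real policy."""
from dataclasses import dataclass, field


class AccessDenied(Exception):
    """Raised when the active role, or a record label, does not permit an operation."""


# Operations on a patient record (constructed sample operation names).
READ_CLINICAL = "read_clinical"
WRITE_SYMPTOMS = "write_symptoms"
WRITE_DIAGNOSIS = "write_diagnosis"
READ_ADMIN = "read_admin"
WRITE_ADMIN = "write_admin"

# Role -> operations the role may perform (constructed sample policy).
ROLE_OPERATIONS = {
    "physician": {READ_CLINICAL, WRITE_SYMPTOMS, WRITE_DIAGNOSIS, READ_ADMIN},
    "nurse": {READ_CLINICAL, WRITE_SYMPTOMS},
    "clerk": {READ_ADMIN, WRITE_ADMIN},
    "patient": {READ_CLINICAL},
}


@dataclass
class PatientRecord:
    patient_id: str
    treating_physician: str
    symptoms: list = field(default_factory=list)
    diagnoses: list = field(default_factory=list)
    # Label from the UK-style extension: when set, only the patient and the
    # treating physician may access the record, whatever their role grants.
    doctor_patient_only: bool = False


@dataclass(frozen=True)
class Session:
    """An authenticated user acting in exactly one of the roles assigned to them."""
    user: str
    role: str


class RBAC:
    def __init__(self):
        self.user_roles = {}  # user id -> set of assigned roles

    def assign(self, user, role):
        if role not in ROLE_OPERATIONS:
            raise ValueError(f"unknown role {role!r}")
        self.user_roles.setdefault(user, set()).add(role)

    def activate(self, user, role):
        """Open a session in `role`. The caller has already authenticated
        the user; `role` must be one of the roles assigned to that user."""
        if role not in self.user_roles.get(user, set()):
            raise AccessDenied(f"{user} is not assigned role {role!r}")
        return Session(user, role)


def check(session, operation, record):
    """Authorize `operation` on `record`: first the active role, then the label."""
    if operation not in ROLE_OPERATIONS[session.role]:
        raise AccessDenied(f"role {session.role!r} may not {operation}")
    if record.doctor_patient_only and session.user not in (
            record.patient_id, record.treating_physician):
        raise AccessDenied(f"{session.user} is outside the doctor/patient label")
    return True


def enter_diagnosis(session, record, diagnosis, symptoms):
    """The page's example of a specific operation: a diagnosis may only be
    entered together with the symptoms that led to it."""
    check(session, WRITE_DIAGNOSIS, record)
    if not symptoms:
        raise ValueError("a diagnosis must be entered with its symptoms")
    record.symptoms.extend(symptoms)
    record.diagnoses.append(diagnosis)
    return record


def demo():
    """Constructed scenario; returns the access decisions taken, in order."""
    rbac = RBAC()
    for user, role in [("dr_lee", "physician"), ("nurse_kim", "nurse"),
                       ("clerk_ray", "clerk"), ("pat_42", "patient")]:
        rbac.assign(user, role)
    record = PatientRecord("pat_42", "dr_lee", doctor_patient_only=True)
    results = []
    for user, role, op in [("dr_lee", "physician", WRITE_DIAGNOSIS),
                           ("nurse_kim", "nurse", WRITE_DIAGNOSIS),
                           ("clerk_ray", "clerk", READ_ADMIN),
                           ("pat_42", "patient", READ_CLINICAL)]:
        try:
            check(rbac.activate(user, role), op, record)
            results.append((user, op, "allowed"))
        except AccessDenied:
            results.append((user, op, "denied"))
    return results


if __name__ == "__main__":
    for decision in demo():
        print(*decision)
```

Two design points worth noting: the label check in `check` runs after the role check and cannot be overridden by any role, which is what makes it a mandatory control rather than a discretionary one; and `activate` is the only way to obtain a `Session`, so a user can never act in a role that was not assigned to them, even if they know the role name.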