Are we ready for population health?

Feb. 23, 2016
Mac McMillan, CEO, CynergisTek

“Ready or not, here it comes” is probably a more appropriate title for this article, as forces in the industry are driving us to change our reimbursement models to a value-based system, commonly referred to as population health. Population health will be a hot topic at HIMSS this year, yet likely many won’t be talking about how hospitals should be managing their IT systems to best support it.

However, there are several constraints to successfully using the treasure trove of information we have managed to amass through the digitization of patient records, big data efforts, and data sharing through health information exchanges. One of the biggest is accurately and efficiently managing access across the multitudes who want to participate.

We still have organizations struggling with role-based access controls (RBAC) and using systems that, at best, support group access rules. Yet, we are running headfirst into a paradigm change that is going to require something much more sophisticated. That something is called attribute-based access control (ABAC), which allows us to make access decisions based on attributes associated with the data and the person, as well as environmental factors – which are exactly what initiatives like population health need.

From NIST SP 800-162, “Guide to Attribute Based Access Control (ABAC) Definitions and Considerations”:

ABAC is different from other access control models like RBAC because it controls access to information by evaluating rules against attributes of the user and the information, actions allowed, and environmental factors affecting those actions. ABAC can implement discretionary and mandatory access controls as well as risk-adaptive access controls. The beauty of ABAC is that the rules and policies, and therefore roles, are limited only by the ability of the program or computing language. This makes it a very attractive approach to population health, with its diverse set of participating organizations and people.

Attributes are assigned by the owner of the information, who then can create the rules. Attributes are assigned to users when employed (e.g., nurse practitioner working in the oncology department); to the information or object it resides in (e.g., oncology folder that holds liver cancer evaluations); then the owner of the information can create an access control rule that governs the set of allowable activities (e.g., all nurses assigned to the oncology department can access the folder that holds results of liver cancer evaluations).

ABAC relies on simple Boolean logic that says a user (U) can perform an operation (O) on a particular object (OB) in a specific environment (E) based on a set of rules (R). So U + O + OB + E + R. To learn more about ABAC, see NIST Special Publication SP 800-162, “Guide to Attribute Based Access Control (ABAC) Definitions and Considerations.”
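The oncology rule from the sidebar above, written as a small default-deny policy decision function over U, O, OB, E and R. This is an added example, not code from NIST SP 800-162 or from the article. The attribute names, the network-based environment rule and the sample values are assumptions, and the nurse rule is generalised to any matching department.

```python
from typing import Callable, Mapping, NamedTuple

Attrs = Mapping[str, str]

class Rule(NamedTuple):
    name: str
    effect: str  # "permit" or "deny"
    applies: Callable[[Attrs, str, Attrs, Attrs], bool]

# R: rules written by the information owner. Attribute names are assumptions.
RULES = [
    # Generalised form of the sidebar's rule: a nurse may read objects that
    # belong to the department the nurse is assigned to.
    Rule("nurse-same-department-read", "permit",
         lambda u, op, ob, e: op == "read"
         and u.get("role") == "nurse"
         and u.get("department") is not None
         and u.get("department") == ob.get("department")),
    # Environmental factor (assumed): PHI is only served on the hospital
    # network. A missing network attribute also matches, so it fails closed.
    Rule("phi-on-site-only", "deny",
         lambda u, op, ob, e: ob.get("classification") == "phi"
         and e.get("network") != "hospital"),
]

def decide(user: Attrs, operation: str, obj: Attrs, env: Attrs, rules=RULES):
    """Evaluate U, O, OB, E against R.

    Deny overrides permit, and a request that matches no rule is denied.
    Returns (decision, names of the rules that matched) for audit logging.
    """
    matched = [r for r in rules if r.applies(user, operation, obj, env)]
    if any(r.effect == "deny" for r in matched):
        decision = "deny"
    elif any(r.effect == "permit" for r in matched):
        decision = "permit"
    else:
        decision = "deny"
    return decision, [r.name for r in matched]

# Constructed sample attributes for the sidebar's nurse and folder.
NURSE = {"role": "nurse", "department": "oncology"}
FOLDER = {"department": "oncology", "classification": "phi"}

if __name__ == "__main__":
    for env in ({"network": "hospital"}, {"network": "home"}, {}):
        print(env, decide(NURSE, "read", FOLDER, env))
```

Returning the matched rule names alongside the decision gives the audit trail a reason for every permit and deny, which matters once many organizations share the same records.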

For years, I have made the argument that we need to adopt a data-centric security approach that focuses on reducing risk by smartly managing information and access to it. It’s why I always say the only reason you need to encrypt everything is because you have data resident in too many places. ABAC is another data-centric security approach that makes sense – particularly as we embrace broader and more diverse access models with health information to support new approaches like population health. ABAC, though, like many advanced methodologies, will require organizations to look to standards when architecting solutions – which is exactly what interoperability and data sharing require. Population health is being driven through necessity, and necessity has always been a catalyst for change and innovation. Maybe ABAC is possible.
