“Ready or not, here it comes” is probably a more appropriate title for this article, as forces in the industry are driving us to change our reimbursement models to a value-based system, commonly referred to as population health. Population health will be a hot topic at HIMSS this year, yet likely many won’t be talking about how hospitals should be managing their IT systems to best support it.
However, there are several constraints to successfully using the treasure trove of information we have managed to amass through the digitization of patient records, big data efforts, and data sharing through health information exchanges. One of the biggest is accurately and efficiently managing access across the multitudes who want to participate.
We still have organizations struggling with role-based access controls (RBAC) and using systems that, at best, support group access rules. Yet, we are running headfirst into a paradigm change that is going to require something much more sophisticated. That something is called attribute-based access control (ABAC), which allows us to make access decisions based on various attributes associated with the data, the person, as well as environmental factors – which are exactly what initiatives like population health need.
ABAC is different from other access control models like RBAC because it controls access to information by evaluating rules against attributes of the user and the information, actions allowed, and environmental factors affecting those actions. ABAC can implement discretionary and mandatory access controls as well as risk-adaptive access controls. The beauty of ABAC is that the rules and policies, and therefore roles, are limited only by the ability of the program or computing language. This makes it a very attractive approach to population health, with its diverse set of participating organizations and people. Attributes are assigned by the owner of the information, who then can create the rules. Attributes are assigned to users when employed (e.g., nurse practitioner working in the oncology department); to the information or object it resides in (e.g., oncology folder that holds liver cancer evaluations); then the owner of the information can create an access control rule that governs the set of allowable activities (e.g., all nurses assigned to the oncology department can access the folder that holds results of liver cancer evaluations). ABAC relies on simple Boolean logic that says a user (U) can perform an operation (O) on a particular object (OB) in a specific environment (E) based on a set of rules (R). So U + O + OB + E + R. To learn more about ABAC, see NIST Special Publication SP 800-162, “Guide to Attribute Based Access Control (ABAC) Definitions and Considerations.”
For years, I have made the argument that we need to adopt a data-centric security approach that focuses on reducing risk by smartly managing information and access to it. It’s why I always say the only reason you need to encrypt everything is because you have data resident in too many places. ABAC is another data-centric security approach that makes sense – particularly as we embrace broader and more diverse access models with health information to support new approaches like population health. ABAC, though, like many advanced methodologies, will require organizations to look to standards when architecting solutions – which is exactly what interoperability and data sharing require. Population health is being driven through necessity, and necessity has always been a catalyst for change and innovation. Maybe ABAC is possible.