Role-Based Access Control (RBAC)

1. Role-Based Access Control (RBAC) Semi-Annual Report PRESENTATION TO xxxHigh Performance Technologies Group (HPTG), a DRC Company Period of Performance August 2011 to January 2012

2. Report Objectives and Background • Present a review of all accumulated changes conducted to RBAC documentation. Include a summary of documents of what has changed. • Support the development of security and privacy vocabulary and standards within Health Level 7 (HL7) crucial to creating the rules that express who can see what information under what conditions. • Software Security Architecture provides support for the development of VHA line of business role definitions and standardization of such roles for interoperability purposes where feasible.

3. RBAC Activities within the Past Six Months The following RBAC deliverables have been reviewed and updated: • HL7 Permission Catalog • HL7 Constraint Catalog • VHA Functional Role Catalog • VHA Structural Role Catalog • RBAC Roadmap • RBAC Database • RBAC Task Force Charter

4. Role Based Access Control (RBAC) – Permission Catalog Healthcare Permission Catalog, Release 2 HL7 Security Technical Committee Description: The Permission Catalog as an HL7 standard presents normative language to the HL7 permission vocabulary by constructing {operation, object} pairs. • Editorial update performed. • The updated document (version 4.13) of the HL7 Permission Catalog will be presented at the upcoming January WGM in San Antonio. • If the changes made to the document are substantial the Permission Catalog will need to go through an additional ballot cycle.

5. Illustration of Updates – HL7 RBAC Permission Catalog

6. Role Based Access Control (RBAC) – Constraint Catalog Constraint Catalog, Version 1.41 HL7 Security Technical Committee Description: The Constraint Catalog introduces a process and a catalog of constraints on identified healthcare permissions as presented in the HL7 RBAC Permission Catalog, a normative HL7 standard. • Reviewed the content, performed editorial update and updated references. • Updated versions of the HL7 Constraint Catalog will be presented at the upcoming January WGM in San Antonio.

7. Illustration of Updates – HL7 Constraint Catalog

8. Role Based Access Control (RBAC) – Functional Roles VA Functional Role Catalog, Version 11.4 Description: The VA Functional Role Catalog defines functional roles for use within the Department of Veteran Affairs (VA). The Functional Role Catalog includes support for functional roles needed for authorizing VA healthcare provider access to Protected Health Information (PHI), as well as other categories of roles needed throughout the Department. • Document template updated • Updated citations and references • RBAC Roadmap V13.3 embedded into document

9. Illustration of Updates – VA Functional Role Catalog REFERENCES UPDATED

10. Role Based Access Control (RBAC) – Structural Roles VA Structural Role Catalog, Version 11.2 Description: The VA Structural Role Catalog defines structural roles within the Department of Veteran Affairs Veterans Health Administration (VHA) and represents the consensus work product of the VA RBAC Task Force. • Role descriptions and NUCC referencesupdated. • Additional roles accepted in the referenced ASTM E1986-09 added • SNOMED code values column added • Numeric identifier added as found in ASTM E1986-09 and RBAC Permission Catalog, Release 2 • The Structural Role document table has been rearranged to correspond in-line with data found in the ASTM E1986.

11. Illustration of Updates – VA Structural Roles NUCC SNOMED CT NUMERIC ID

12. Role Based Access Control (RBAC) – Role Roadmap VA Role Roadmap, Version 13.3 Description: The RBAC Roadmap contains mappings between roles and permissions as defined by the VHA RBAC Task Force. • ReadMe descriptive tab added to spreadsheet • Consolidated previously listed “non-ASTM” and “VHA-specific” tabs to the main spreadsheet to coincide with the new ASTM E1986-09 accepted standard. • The RBAC Roadmap now contains only two tabs: Licensed and Non-Licensed Providers and has been • Roles reorganized to directly correspond to both the ASTM E1986-09 standard and the Structural Roles Catalog

13. Illustration of Changes – RBAC Roadmap NEW

14. Role Based Access Control (RBAC) – Role Database Role Based Access Control (RBAC) Database Version 2.0 Description: The RBAC Database implemented in Microsoft Access contains the information provided by the previously mentioned RBAC catalogs. The RBAC Database supports a generation of queries and reports to be used for various purposes. • Database reviewed for consistency with the current RBAC documentation. • Database will be updated with the 2012 versions of: • Structural Roles • Functional Roles • Permission Catalog, Version 2

15. Role Based Access Control (RBAC) – Task Force Charter RBAC Task Force Charter VA RBAC Support Group Charter Description: The purpose of the RBAC charter is to establish the Department of Veterans Affairs (VA) RBAC Support Group (SG), define mission, scope of authority, responsibilities, executive sponsors, stakeholders, membership, and communication modes. Collaboration between VA and DoD is envisioned and the development of a new RBAC SG will be established. • Support Group Charter reflects a VA-wide RBAC support. • Further instruction and guidance on VA organization will be provided by VA Scope of the RBAC TF is being redefined. Collaboration of VA with DoD is a possibility. The RBAC Support Group charter will reflect current focus and scope once established. Coordination is being pursued by VA and DoD representatives. Detailed information is not available at the time of this report.