Multi-level, Role-based Access Control and Security

Computer Security and access control are essential considerations for healthcare organizations. Security administration can be costly and prone to error because administrators usually specify access control lists for each user on the system. Quantum Choice provides a multi-level, role-based access control and security system that is user-configurable and managed at a level that corresponds to the organization's structure. Each user is assigned one or more roles, and each role is assigned one or more privileges that are permitted to users in that role. With Quantum Choice, security administration consists of determining the operations that must be executed by persons in particular jobs, and assigning employees to the proper roles.

Access is the ability to do something with a computer resource, such as use, change or view specific documents. Quantum Choice's access controls can prescribe not only who or what process may have access to a specific system resource, but also the type of access that is permitted. These controls may be implemented in the computer system or in external devices.

With Quantum Choice's role-based security, access rights are grouped by role name, and the use of resources is restricted to individuals authorized to assume the associated role. For example, within a provider system the role of doctor can include operations to perform diagnosis, prescribe medication, and order laboratory tests; and the role of researcher can be limited to gathering anonymous clinical information for studies.

The use of roles to control access provides an effective means for developing and enforcing enterprise-specific security policies, and for streamlining the security management process. Quantum Choice offers a hierarchy of four distinct roles: Plexis, Client, Workgroup, and User (see chart below). With the exception of the Plexis role, access controls are user-configurable. At the same time, each role's access to forms and processes can be limited according to the operations that they perform within an organization.

Plexis Role:

Quantum Choice ships with the Plexis role established. The Plexis role provides the basic elements of the security system and cannot be changed by the client.

Client Role:

Quantum Choice's user configurability allows the client to determine security and access control at the enterprise level. Access controls set at the client level cannot be changed by the workgroup or user roles.

Workgroup Role:

The Workgroup roles are typically determined by the various department functions within an organization. For example, the claims processing department would have access to certain forms and processes required to enter data and adjudicate healthcare claims, but would be restricted from changing fields in a form and from changing pre-determined processes. Other workgroups, such as eligibility specialists, may have access to additional forms and processes, as well as the ability to alter specific fields in a form or alter standard adjudication processes. In a provider-based group, the doctors' workgroup may have the ability to attach and edit notes to a patient's record, while nurses' and other workgroup's access to patient notes is limited to read only. Individual users cannot change access and security controls set at the workgroup level.

User Role:

Quantum Choice allows access controls to be set at the individual user level. Individual users may change such elements on forms as font styles, colors and sizes.

User membership into roles can be revoked easily and new memberships established as job assignments dictate. Role associations can be established when new operations are instituted, and old operations can be deleted as organizational functions change and evolve. Because Quantum Choice allows roles to be updated without updating the privileges for every user on an individual basis, it is easy to administer privileges at all levels.

Organizations can establish the rules for the association of operations with roles. For example, a healthcare provider may decide that the role of User must be constrained to post only the results of certain tests but not to distribute them where routing and human errors could violate a patient's right to privacy. Operations can also be specified in a manner that can be used in the demonstration and enforcement of laws or regulations.

Quantum Choice's role-based security system enables users to carry out a wide array of authorized operations and provides great flexibility. System administrators can control access at a level that is natural to the way that enterprises typically conduct business. This is achieved by regulating users' actions through the establishment and definition of roles, role hierarchies, relationships, and constraints. Thus, once the Quantum Choice role-based security framework is established for an organization, the principal administrative actions are the granting and revoking of users into and out of roles. This is in contrast to the more conventional and less intuitive process of administering lower-level access through control lists on an object-by-object basis.