HIPAA security, physical safeguard
Give examples of the following:
1) user-based access control
2) role-based access control
3) context-based access control
An access control specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects. When a subject requests an operation on an object in an access-control-based security model, the operating system first checks the access control for an applicable entry to decide whether the requested operation is authorized.
1. User-based access control:
This type of access control is granted to an individual user. It is a method of securing software and its features at the individual level. It does not have predefined roles; permissions apply to each user according to the policy standard in use, and it is used because it is considered risk-free. The most basic form of user-based access is a simple login and password combination that either grants or denies access.
Ex: In a web application with an employee and a manager, the manager can send medical documents. The employee can read these documents but cannot rewrite them; if a correction is needed, the employee has to ask the manager to rewrite the document. In this way the process is monitored, and it is more dynamic than a static scheme with predefined roles in healthcare.
2. Role-based access control:
Role-based access systems give each user a particular role when they access the system. The system is then responsible for displaying only the data that the user is allowed to access.
Ex: A doctor can see a patient's entire medical information, but patients cannot see all the information for all patients. Their access is more permission-oriented.
A subject assigned the role of Manager will have access to a different set of objects than someone assigned the role of Analyst.
3. Context-based access control:
It makes access decisions based entirely on the context of a collection of information rather than on the content (sensitivity of data) within an object. Contextual information such as device type, user location and time can be taken into account.
Ex: Firewalls make context-based access decisions when they collect state information on a packet before allowing it into the network.
If no SYN packet has been received, the firewall will not allow a SYN/ACK packet through, because it cannot correlate that packet with a connection.
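The three models above side by side, as an added example that is not part of the original answer. All user names, role names, the document id and the context rule (managed workstation, on site, 07:00 to 19:00) are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import time

# All users, roles, objects and rules below are constructed for illustration.

# 1) User-based: permissions are listed per individual user and object.
USER_ACL = {
    ("manager_mia", "medical_doc_1"): {"read", "write"},
    ("employee_eli", "medical_doc_1"): {"read"},
}

# 2) Role-based: permissions attach to roles; users only hold a role.
ROLE_PERMS = {
    "doctor": {"read_any_patient_record"},
    "patient": {"read_own_record"},
}
USER_ROLES = {"dr_ada": "doctor", "pat_bob": "patient"}

# 3) Context-based: the decision looks at the request's circumstances.
@dataclass
class Context:
    device_type: str  # "managed_workstation" or "personal_phone"
    location: str     # "hospital" or "remote"
    at: time          # local time of the request

def user_allows(user, obj, op):
    """Default deny: no entry for this user and object means no access."""
    return op in USER_ACL.get((user, obj), set())

def role_allows(user, record_owner):
    """Doctors read any record; patients read only their own."""
    perms = ROLE_PERMS.get(USER_ROLES.get(user), set())
    if "read_any_patient_record" in perms:
        return True
    return "read_own_record" in perms and user == record_owner

def context_allows(ctx):
    """Uses only device, location and time, never the record's content."""
    return (ctx.device_type == "managed_workstation"
            and ctx.location == "hospital"
            and time(7, 0) <= ctx.at <= time(19, 0))

def can_read_record(user, record_owner, ctx):
    """Layered check: the role must permit it and the context must pass."""
    return role_allows(user, record_owner) and context_allows(ctx)
```

Layering the role check with the context check means a valid doctor account is still refused from an unmanaged device or outside the permitted hours.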