Access control allows us to have restrictions on the availability of data and system components within an organisation. This is useful in a variety of scenarios like if a component is a special feature that the organisation wants to be available only to its premium customers, they can do that by implementing an access control mechanism.
In healthcare various laws and regulations like HIPAA are in place to ensure that the patient data is stored and transferred in a secure fashion. While there are multiple checks that must be put in place to ensure the security of patient data, the first one towards this is to ensure that only the people authorised to handle that have access to it.
We recently worked on a US based healthcare platform where we designed and developed the whole application from the scratch. One of the primary requirement that came up was the need for an access control system within the application which would ensure that the patient data could be accessed only by the users who had the authority to do so
We divided the task in hand into two parts-
For the first step, we had a couple of discussion with the clients where we tried to analyse how their organisation was currently set up. We found that within the organisation there were department like divisions with each department taking care of a particular activity. Certain data was restricted to access by people that were part of that department only. Inside the department there was a hierarchical structure, which further enhanced the access control inside the department. It was also found that one person could be part of multiple department.
With this understanding we moved on to the next part of designing an architecture and worked on how we could replicate this structure efficiently in our application. We proposed two new attributes that would be attached to the users of the organisation with which we could create an architecture that would represent the organisations original structure. These are described below-
Using the combination of both these we were able to introduce an effective access control system in our application which was similar in structure to the organisations original structure.
Since our solution was based on how their organisation was working, which we had gathered from our interactions with the client, it enabled us to propose an architecture that was similar to their existing organisation structure. This eased out their learning curve towards the new application, while also enabling us to implement that solution easily since we had considered the ease of implementing the solution as well before proposing it.
For a technical view of how the solution was implemented, please refer to this blog.
Designing an access control architecture by incorporating organisations existing structure.