Healthcare Role-Based Access Control System

Business Challenge

The customer aimed to have a system for RBAC, pursuing the following goals:

• Compliance with the key healthcare regulations and protection of sensitive patients’ data
• Ensuring centralized access control across the set of medical apps, avoiding inconsistency
• Managing user access to data and features based on the roles, extended security options
• Better auditing and incident response
• Reducing the risk of data misuse and breaches

Solution

.NET full-stack engineers planned, designed, and implemented the role-based access control solution with the following features:

Types of users:

• Superadmin (from the service provider side, assigns contracts* and manages the facilities directory) 
• Users (from the facility side with different user groups and permissions, like facility admin, doctor, nurse, lab technician, etc.). These users have the permissions to use different related sets of medical apps, like the EHR system etc.
• Users for separate access to the app for logistics, warehousing, and drug sales (a separate category of internal users).

*Note: Role or contract = customer (facility). Users from one facility cannot see users from another facility. Each facility has a directory of allowed domains (it was possible to register a user with certain defined domains)

User & facilities management by superadmin:

• Facilities creation, editing, and deletion. Assigning facility admins for further independent facility and user management
• Changing facility statuses (activate/deactivate)
• Global user management (superadmin has rights to review, filter, add/edit/adjust users, settings, user groups, permissions, etc.)
• Facilities directory filtering and sorting
• Assigning superadmin roles

User management within the facility by the admin:

• Manual adding of the users
• Adding users through invite links
• Import and export of users using a CSV file
• User profile management (editing user details)
• Password management (change, reset)
• Reporting: user log-in history (with failed login attempts) and activity logs
• Changing user statuses (active, blocked, etc.)
• User deletion
• Manual user groups creation/editing/deleting (within one facility) and assigning users to the groups manually
• Automatic user groups creation (within one facility) and assigning users to the groups based on email domains, departments, job titles, and other rules
• Assigning/editing/deleting the permissions for the user groups
• Reports: history of adjustments and permission changes

Business Impact

The full-stack .NET development team implemented the healthcare role-based access control system for the smooth usage of the medical apps by the facilities with an exact permissions distribution based on the roles. All this allowed to ensure the following:

• Improved process of introducing facilities into the system and providing users with access to the relevant areas of responsibility
• Enhanced security with reduced breach risk and liability
• Creating a unified system for managing access to various medical applications
• Improved workforce productivity, as personnel see only the information and functionality they need to perform their direct duties
• Lower operational costs for maintenance and manual addition of user access to applications by the support team