
ISO TS 13606-4-2009 Health informatics - Electronic health record communication - Part 4 Security.pdf

Resource ID: 1257990; file size: 2 MB; length: 52 pages; format: PDF

Reference number ISO/TS 13606-4:2009(E)
© ISO 2009

TECHNICAL SPECIFICATION ISO/TS 13606-4
First edition 2009-10-01

Health informatics - Electronic health record communication - Part 4: Security

Informatique de santé - Communication du dossier de santé informatisé - Partie 4: Sécurité

PDF disclaimer

This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat accepts no liability in this area.

Adobe is a trademark of Adobe Systems Incorporated.

Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below.

COPYRIGHT PROTECTED DOCUMENT

All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISO's member body in the country of the requester.

ISO copyright office
Case postale 56, CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland

Contents

Foreword
0 Introduction
0.1 Challenge addressed by this part of ISO 13606
0.2 Communication scenarios
0.3 Requirements and technical approach
0.4 Generic EHR access policy model
0.5 Audit log interoperability
0.6 Relationship to ENV 13606-3
1 Scope
2 Conformance
3 Terms and definitions
4 Abbreviations
5 Record component sensitivity and functional roles
5.1 RECORD_COMPONENT sensitivity
5.2 Functional roles
5.3 Mapping of functional role to RECORD_COMPONENT sensitivity
6 Representing access policy information within an EHR_EXTRACT
6.1 General
6.2 Archetype of the Access policy COMPOSITION
6.3 ADL representation of the archetype of the access policy COMPOSITION
6.4 UML representation of the archetype of the access policy COMPOSITION
7 Representation of audit log information - EHR_AUDIT_LOG_EXTRACT model
Annex A (informative) Illustrative access control example
Annex B (informative) Relationship of this part of ISO 13606 to ENV 13606-3:2000
Bibliography

Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.

International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.

The main task of technical committees is to prepare International Standards. Draft International Standards adopted by the technical committees are circulated to the member bodies for voting. Publication as an International Standard requires approval by at least 75 % of the member bodies casting a vote.

In other circumstances, particularly when there is an urgent market requirement for such documents, a technical committee may decide to publish other types of document:

- an ISO Publicly Available Specification (ISO/PAS) represents an agreement between technical experts in an ISO working group and is accepted for publication if it is approved by more than 50 % of the members of the parent committee casting a vote;
- an ISO Technical Specification (ISO/TS) represents an agreement between the members of a technical committee and is accepted for publication if it is approved by 2/3 of the members of the committee casting a vote.

An ISO/PAS or ISO/TS is reviewed after three years in order to decide whether it will be confirmed for a further three years, revised to become an International Standard, or withdrawn. If the ISO/PAS or ISO/TS is confirmed, it is reviewed again after a further three years, at which time it must either be transformed into an International Standard or be withdrawn.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights.

ISO/TS 13606-4 was prepared by Technical Committee ISO/TC 215, Health informatics.

ISO 13606 consists of the following parts, under the general title Health informatics - Electronic health record communication:

- Part 1: Reference model
- Part 2: Archetype interchange specification
- Part 3: Reference archetypes and term lists
- Part 4: Security [Technical Specification]
- Part 5: Interface specification

0 Introduction

0.1 Challenge addressed by this part of ISO 13606

The communication of electronic health records (EHRs) in whole or in part, within and across organizational boundaries, and sometimes across national borders, is challenging from a security perspective. Health records should be created, processed and managed in ways that guarantee the confidentiality of their contents and legitimate control by patients in how they are used. Around the globe these principles are progressively becoming enshrined in national data protection legislation. These instruments declare that the subject of care has the right to play a pivotal role in decisions on the content and distribution of his or her electronic health record, as well as rights to be informed of its contents. The communication of health record information to third parties should take place only with patient consent (which may be any freely given specific and informed indication of his or her wishes by which the data subject signifies his or her agreement to personal data relating to him or her being processed). For EHR communication across national borders ISO 22857 provides guidance that may be used to define appropriate security policy specifications.

Ideally, each fine grained entry in a patient's record should only be accessed by those persons who have a right to view that information, specified by or approved by the patient and reflecting the dynamic nature of the set of persons with legitimate duty of care towards the patient through his or her lifetime. The access control list will ideally also include those persons who have a right to access the data for reasons other than a duty of care (such as health service management, epidemiology and public health, consented research) but exclude any information that they do not need to see or which the patient feels is too personal for them to access. On the opposite side, the labelling by patients or their representatives of information as personal or private should ideally not hamper those who legitimately need to see the information in an emergency, nor accidentally result in genuine healthcare providers having such a filtered perspective that they are misled into managing the patient inappropriately. Patients' views on the inherent sensitivity 1) of entries in their health record may evolve over time, as their personal health anxieties alter or as societal attitudes to health problems change. Patients might wish to offer some heterogeneous levels of access to family, friends, carers and members of their community. Families may wish to provide a means by which they are able to access parts of each other's records (but not necessarily to equal extents) in order to monitor the progress of inherited conditions within a family tree.

Such a set of requirements is arguably more extensive than that required of the data controllers in most other industry sectors. It is in practice made extremely complex by:

- numbers of health record entries made on a patient during the course of modern healthcare;
- numbers of healthcare personnel, often rotating through posts, who might potentially come into contact with a patient at any one time;
- numbers of organizations with which a patient might come into contact during his or her lifetime;
- difficulty (for a patient or for anyone else) of classifying, in a standardized way, how sensitive a record entry might be;
- difficulty of determining how important a single health record entry might be to the future care of a patient and to which classes of user;
- logically indelible nature of the EHR and the need for revisions to access permissions to be rigorously managed in the same way as revisions to the EHR entries themselves;
- need to determine appropriate access very rapidly, in real time, and potentially in a distributed computing environment;
- high level of concern expressed by a growing minority of patients to have their consent for disclosure recorded and respected;
- low level of concern the majority of patients have about these requirements, which has historically limited the priority and investment committed to tackling this aspect of EHR communications.

1) The term "sensitivity" is widely used in the security domain for a broad range of safeguards and controls, but in this part of ISO 13606 the term refers only to access controls.

To support interoperable EHRs, and seamless communication of EHR data between healthcare providers, the negotiation required to determine if a given requester for EHR data should be permitted to receive the data needs to be capable of automation. If this were not possible, the delays and workload of managing human decisions for all or most record communications would obviate any value in striving for data interoperability.

The main principles of the approach to standards development in the area of EHR communications access control are to match the characteristics and parameters of a request to the EHR provider's policies, and to any access control or consent declarations within the specified EHR, to maintain appropriate evidence of the disclosure, and to make this capable of automated processing. In practice, efforts are in progress to develop International Standards for defining access control and privilege management systems that would be capable of computer-to-computer negotiation. However, this kind of work is predicated upon health services agreeing a mutually consistent framework for defining the privileges they wish to assign to staff, and the spectrum of sensitivity they offer for patients to define within their EHRs. This requires consistency in the way the relevant information is expressed, to make this sensibly scalable at definition-time (when new EHR entries are being added), at run-time (when a whole EHR is being retrieved or queried) and durable over a patient's lifetime. It is also important to recognise that, for the foreseeable future, diversity will continue to exist between countries on the specific approaches to securing EHR communications, including differing legislation, and that a highly prescriptive approach to standardization is not currently possible.

This part of ISO 13606 therefore does not prescribe the access rules themselves (i.e. it does not specify who should have access to what and by means of which security mechanisms); these need to be determined by user communities, national guidelines and legislation. However it does define a basic framework that can be used as a minimum specification of EHR access policy, and a richer generic representation for the communication of more fine-grained detailed policy information. This framework complements the overall architecture defined in ISO 13606-1, and defines specific information structures that are to be communicated as part of an EHR_EXTRACT defined in ISO 13606-1. The formalisms used to represent policy specifications in this part of ISO 13606 include Unified Modelling Language (UML: please see http://www.omg.org/technology/documents/formal/uml.htm for more information) and Archetype Definition Language (ADL: please see http://www.openehr.org/120-OE.html for more information). Some of the kinds of agreement necessary for the security of EHR communication are inevitably outside the scope of this part of ISO 13606. The complete protection of EHR communication requires attention to a large number of issues, many of which are not specific to health information.

NOTE This document is based on EN 13606-4:2007. The content of this part of ISO 13606 is identical to that of EN 13606-4 with the following exceptions:

- the wording of this Introduction has been revised to reflect its international rather than European jurisdiction;
- references to a security standard in development have been updated if that standard has now been published;
- relationships to new security standards in development have been added where appropriate;
- the first entry in Table 2 (sensitivity level classification) has been changed from "personal care" to "personal";
- a small number of typographic errors and ambiguous expressions within this introduction have been corrected.

0.2 Communication scenarios

0.2.1 Data flows

The interfaces and message models required to support EHR communication are the subject of ISO 13606-5. The description here is an overview of the communications process in order to show the interactions for which security features are needed. Figure 1 illustrates the key data flows and scenarios that need to be considered by this part of ISO 13606. For each key data flow there will be an acknowledgement response, and optionally a rejection may be returned instead of the requested data.

[Figure 1: diagram not reproduced. Labels in the figure: EHR requester; EHR recipient; EHR provider; EHR server; Audit log reviewer; Audit log; Request EHR_EXTRACT; Acknowledge request; Make access decision, filter EHR if necessary; Provide EHR_EXTRACT; Deny EHR_EXTRACT; Acknowledge data/denial; Request audit log view; Extract audit log, filter if necessary; Provide audit log view; Deny audit log view; Create audit log entry.]

Figure 1 Principal data flows and security-related business processes covere

