Health informatics - Electronic health record communication - Part 4: Security (ISO 13606-4:2019)

This document describes a methodology for specifying the privileges necessary to access EHR data. This methodology forms part of the overall EHR communications architecture defined in ISO 13606-1.
This document seeks to address those requirements uniquely pertaining to EHR communications and to represent and communicate EHR-specific information that will inform an access decision. It also refers to general security requirements that apply to EHR communications and points at technical solutions and standards that specify details on services meeting these security needs.
NOTE       Security requirements for EHR systems not related to the communication of EHRs are outside the scope of this document.

Medizinische Informatik - Kommunikation von Patientendaten in elektronischer Form - Teil 4: Sicherheit (ISO 13606-4:2019)

Informatique de santé - Communication du dossier de santé informatisé - Partie 4: Sécurité (ISO 13606-4:2019)

Le présent document décrit une méthodologie permettant de spécifier les privilèges nécessaires pour accéder aux données de DSI. Cette méthodologie forme une partie de l'architecture générale de communication de DSI définie dans l'ISO 13606-1.
Le présent document cherche à traiter uniquement les exigences relatives aux communications de DSI et à représenter et communiquer les informations spécifiques au DSI qui permettent de prendre une décision d'accès. Elle fait également référence aux exigences de sécurité générale qui s'appliquent aux communications de DSI et signale des solutions techniques et des normes qui spécifient les détails de services répondant à ces besoins de sécurité.
NOTE       Les exigences de sécurité pour les systèmes de DSI non associées à la communication de DSI ne relèvent pas du domaine d'application du présent document.

Zdravstvena informatika - Komunikacija z elektronskimi zdravstvenimi zapisi - 4. del: Varnost (ISO 13606-4:2019)

Ta del tega večdelnega standarda o komunikaciji z elektronskimi zapisi na področju zdravstva opisuje metodologijo za določitev privilegijev, potrebnih za dostop do podatkov EHR. Ta metodologija je del celotne komunikacijske arhitekture EHR, opredeljene v 1. delu tega standarda. Ta standard je namenjen obravnavanju zahtev, ki se nanašajo na komunikacije EHR, ter za predstavitev in posredovanje podatkov, specifičnih za EHR, ki bodo sporočali odločitev o dostopu. Prav tako se nanaša na splošne varnostne zahteve, ki veljajo za komunikacije EHR, ter opozarja na tehnične rešitve in standarde, ki določajo podrobnosti o storitvah, ki izpolnjujejo te varnostne potrebe.

General Information

Status
Published
Publication Date
02-Jul-2019
Current Stage
6060 - Definitive text made available (DAV) - Publishing
Due Date
03-Jul-2019
Completion Date
03-Jul-2019

RELATIONS

Buy Standard

Standard
EN ISO 13606-4:2019 - BARVE
English language
40 pages
sale 10% off
Preview
sale 10% off
Preview
e-Library read for
1 day
Standard
EN ISO 13606-4:2019 - BARVE
English language
40 pages
sale 10% off
Preview
sale 10% off
Preview
e-Library read for
1 day

Standards Content (sample)

SLOVENSKI STANDARD
SIST EN ISO 13606-4:2019
01-september-2019
Nadomešča:
SIST EN 13606-4:2008
Zdravstvena informatika - Komunikacija z elektronskimi zdravstvenimi zapisi - 4.
del: Varnost (ISO 13606-4:2019)

Health informatics - Electronic health record communication - Part 4: Security (ISO

13606-4:2019)

Medizinische Informatik - Kommunikation von Patientendaten in elektronischer Form -

Teil 4: Sicherheit (ISO 13606-4:2019)

Informatique de santé - Communication du dossier de santé informatisé - Partie 4:

Sécurité (ISO 13606-4:2019)
Ta slovenski standard je istoveten z: EN ISO 13606-4:2019
ICS:
35.030 Informacijska varnost IT Security
35.240.80 Uporabniške rešitve IT v IT applications in health care
zdravstveni tehniki technology
SIST EN ISO 13606-4:2019 en,fr,de

2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

---------------------- Page: 1 ----------------------
SIST EN ISO 13606-4:2019
---------------------- Page: 2 ----------------------
SIST EN ISO 13606-4:2019
EN ISO 13606-4
EUROPEAN STANDARD
NORME EUROPÉENNE
July 2019
EUROPÄISCHE NORM
ICS 35.240.80 Supersedes EN 13606-4:2007
English Version
Health informatics - Electronic health record
communication - Part 4: Security (ISO 13606-4:2019)

Informatique de santé - Communication du dossier de Medizinische Informatik - Kommunikation von

santé informatisé - Partie 4: Sécurité (ISO 13606- Patientendaten in elektronischer Form - Teil 4:

4:2019) Sicherheit (ISO 13606-4:2019)
This European Standard was approved by CEN on 2 July 2019.

CEN members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this

European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical references

concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to any CEN

member.

This European Standard exists in three official versions (English, French, German). A version in any other language made by

translation under the responsibility of a CEN member into its own language and notified to the CEN-CENELEC Management

Centre has the same status as the official versions.

CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia,

Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway,

Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and

United Kingdom.
EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION
EUROPÄISCHES KOMITEE FÜR NORMUNG
CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels

© 2019 CEN All rights of exploitation in any form and by any means reserved Ref. No. EN ISO 13606-4:2019 E

worldwide for CEN national Members.
---------------------- Page: 3 ----------------------
SIST EN ISO 13606-4:2019
EN ISO 13606-4:2019 (E)
Contents Page

European foreword ....................................................................................................................................................... 3

---------------------- Page: 4 ----------------------
SIST EN ISO 13606-4:2019
EN ISO 13606-4:2019 (E)
European foreword

This document (EN ISO 13606-4:2019) has been prepared by Technical Committee ISO/TC 215 "Health

informatics" in collaboration with Technical Committee CEN/TC 251 “Health informatics” the

secretariat of which is held by NEN.

This European Standard shall be given the status of a national standard, either by publication of an

identical text or by endorsement, at the latest by January 2020, and conflicting national standards shall

be withdrawn at the latest by January 2020.

Attention is drawn to the possibility that some of the elements of this document may be the subject of

patent rights. CEN shall not be held responsible for identifying any or all such patent rights.

This document supersedes EN 13606-4:2007.

According to the CEN-CENELEC Internal Regulations, the national standards organizations of the

following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria,

Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland,

Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of

North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the

United Kingdom.
Endorsement notice

The text of ISO 13606-4:2019 has been approved by CEN as EN ISO 13606-4:2019 without any

modification.
---------------------- Page: 5 ----------------------
SIST EN ISO 13606-4:2019
---------------------- Page: 6 ----------------------
SIST EN ISO 13606-4:2019
INTERNATIONAL ISO
STANDARD 13606-4
First edition
2019-06
Health informatics — Electronic
health record communication —
Part 4:
Security
Informatique de santé — Communication du dossier de santé
informatisé —
Partie 4: Sécurité
Reference number
ISO 13606-4:2019(E)
ISO 2019
---------------------- Page: 7 ----------------------
SIST EN ISO 13606-4:2019
ISO 13606-4:2019(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO 2019

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may

be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting

on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address

below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO 2019 – All rights reserved
---------------------- Page: 8 ----------------------
SIST EN ISO 13606-4:2019
ISO 13606-4:2019(E)
Contents Page

Foreword ........................................................................................................................................................................................................................................iv

Introduction ..................................................................................................................................................................................................................................v

1 Scope ................................................................................................................................................................................................................................. 1

2 Normative references ...................................................................................................................................................................................... 1

3 Terms and definitions ..................................................................................................................................................................................... 1

4 Abbreviations........................................................................................................................................................................................................... 2

5 Conformance ............................................................................................................................................................................................................. 2

6 Record Component Sensitivity and Functional Roles .................................................................................................... 3

6.1 RECORD_COMPONENT sensitivity......................................................................................................................................... 3

6.2 Functional roles ...................................................................................................................................................................................... 3

6.3 Mapping of Functional Role to COMPOSITION sensitivity ................................................................................ 4

7 Representing access policy information within an EHR_EXTRACT .................................................................4

7.1 Overview ...................................................................................................................................................................................................... 4

7.2 UML representation of the archetype of the access policy COMPOSITION ........................................ 6

7.2.1 Access policy........................................................................................................................................................................ 7

7.2.2 Target ......................................................................................................................................................................................... 7

7.2.3 Request criterion ............................................................................................................................................................. 8

7.2.4 Sensitivity constraint ................................................................................................................................................... 9

7.2.5 Attestation information ..........................................................................................................................................10

7.3 Archetype of the access policy COMPOSITION .........................................................................................................11

8 Representing audit log information ..............................................................................................................................................11

8.1 General ........................................................................................................................................................................................................11

8.1.1 EHR audit log extract ................................................................................................................................................11

8.1.2 Audit log constraint ....................................................................................................................................................12

8.1.3 EHR audit log entry ....................................................................................................................................................13

8.1.4 EHR extract description ..........................................................................................................................................14

8.1.5 Demographic extract .................................................................................................................................................15

Annex A (informative) Illustrative access control example .......................................................................................................16

Annex B (informative) Relations of ISO 13606-4 to alternative approaches ...........................................................20

Bibliography .............................................................................................................................................................................................................................22

© ISO 2019 – All rights reserved iii
---------------------- Page: 9 ----------------------
SIST EN ISO 13606-4:2019
ISO 13606-4:2019(E)
Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards

bodies (ISO member bodies). The work of preparing International Standards is normally carried out

through ISO technical committees. Each member body interested in a subject for which a technical

committee has been established has the right to be represented on that committee. International

organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.

ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of

electrotechnical standardization.

The procedures used to develop this document and those intended for its further maintenance are

described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the

different types of ISO documents should be noted. This document was drafted in accordance with the

editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of

patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of

any patent rights identified during the development of the document will be in the Introduction and/or

on the ISO list of patent declarations received (see www .iso .org/patents).

Any trade name used in this document is information given for the convenience of users and does not

constitute an endorsement.

For an explanation on the voluntary nature of standards, the meaning of ISO specific terms and

expressions related to conformity assessment, as well as information about ISO's adherence to the

World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following

URL: www .iso .org/iso/foreword .html.

This document was prepared by Technical Committee ISO/TC 215, Health Informatics.

This first edition of ISO 13606-4 cancels and replaces the first edition of ISO/TS 13606-4:2009, which

has been technically revised. The main changes compared to the previous edition are as follows:

— Functional Roles
— Some terms for functional roles have been updated to align with CONTSYS.

— The rules for using this vocabulary now state that jurisdictions can nominate alternatives or

specialisations of these terms if needed.
— Access policy model

The access policy model now also permits jurisdictional alternative terms to be used where

appropriate.
— Audit log model

The audit log model now aligns with the ISO 27789 standard for EHR audit trails. It contains more

information than is present in ISO 27789: it is a kind of specialisation specifically dealing with the

communication of EHR information and audit log information. It therefore includes information

about the EHR extract or the audit log extract being communicated, which is beyond the scope of

ISO 27789.
A list of all parts in the ISO 13606 series can be found on the ISO website.

Any feedback or questions on this document should be directed to the user’s national standards body. A

complete listing of these bodies can be found at www .iso .org/members .html.
iv © ISO 2019 – All rights reserved
---------------------- Page: 10 ----------------------
SIST EN ISO 13606-4:2019
ISO 13606-4:2019(E)
Introduction
0.1 General

This document, is part of a five-part standard series, published jointly by CEN and ISO through the

Vienna Agreement. In this document, dependency upon any of the other parts of this series is explicitly

stated where it applies.
0.2 Challenge addressed by this document

The communication of electronic health records (EHRs) in whole or in part, within and across

organisational boundaries, and sometimes across national borders, is challenging from a security

perspective. Health records should be created, processed and managed in ways that assure the

confidentiality of their contents and legitimate control by patients in how they are used. Around the

globe, these principles are progressively becoming enshrined in national data protection legislation.

These instruments declare that the subject of care has the right to play a pivotal role in decisions on

the content and distribution of his or her electronic health record, as well as rights to be informed of its

contents. The communication of health record information to third parties should take place only with

patient consent (which can be any freely given specific and informed indication of his or her wishes

by which the data subject signifies his or her agreement to personal data relating to him or her being

processed). More details can be found in ISO 22600-3. For EHR communication across national borders,

ISO 22857 provides guidance that can be used to define appropriate security policy specifications.

Ideally, each fine grained entry in a patient's record should only be accessed by those persons who

have permissions to view that information, specified by or approved by the patient and reflecting the

dynamic nature of the set of persons with legitimate duty of care towards the patient through his or

her lifetime. The access control list will ideally also include those persons who have permissions to

access the data for reasons other than a duty of care (such as health service management, epidemiology

and public health, consented research) but exclude any information that they do not need to see or

which the patient feels is too personal for them to access. On the opposite side, the labelling by patients

or their representatives of information as personal or private should ideally not hamper those who

legitimately need to see the information in an emergency, nor accidentally result in genuine health

care providers having such a filtered perspective that they are misled into managing the patient

inappropriately. Patients' views on the inherent sensitivity of entries in their health record can evolve

over time, as their personal health anxieties alter or as societal attitudes to health problems change.

Patients might wish to offer some heterogeneous levels of access to family, friends, carers and members

of their community. Families might wish to provide a means by which they are able to access parts of

each other’s records (but not necessarily to equal extents) in order to monitor the progress of inherited

conditions within a family tree.

Such a set of requirements is arguably more extensive than that required of the data controllers in most

other industry sectors. It is in practice made extremely complex by:

— the large number of health record entries made on a patient during the course of modern health care;

— the large number of health care personnel, often rotating through posts, who might potentially

come into contact with a patient at any one time;

— the large number of organisations with which a patient might come into contact during his or her

lifetime;

— the difficulty (for a patient or for anyone else) of classifying in a standardized way how sensitive a

record entry might be;

— the difficulty of determining how important a single health record entry might be to the future care

of a patient, and to which classes of user;

1) The term sensitivity is widely used in the security domain for a broad range of safeguards and controls, but in

this document the term refers only to access controls.
© ISO 2019 – All rights reserved v
---------------------- Page: 11 ----------------------
SIST EN ISO 13606-4:2019
ISO 13606-4:2019(E)

— the logically indelible nature of the EHR and the need for revisions to access permissions to be

rigorously managed in the same way as revisions to the EHR entries themselves;

— the need to determine appropriate access very rapidly, in real time, and potentially in a distributed

computing environment;

— the high level of concern expressed by a growing minority of patients to have their consent for

disclosure recorded and respected;

— the low level of concern the majority of patients have about these requirements, which has historically

limited the priority and investment committed to tackling this aspect of EHR communications.

To support interoperable EHRs, and seamless communication of EHR data between health care

providers, the negotiation required to determine if a given requester for EHR data should be permitted

to receive the data should be capable of automation. If this were not possible, the delays and workload of

managing human decisions for all or most record communications would obviate any value in striving

for data interoperability.

The main principles of the approach to standards development in the area of EHR communications

access control are to match the characteristics and parameters of a request to the EHR provider’s

policies, and to any access control or consent declarations within the specified EHR, to maintain

appropriate evidence of the disclosure, and to make this capable of automated processing. In practice,

efforts are in progress to develop international standards for defining access control and privilege

management systems that would be capable of computer-to-computer negotiation. However, this kind

of work is predicated upon health services agreeing a mutually consistent framework for defining the

privileges they wish to assign to staff, and the spectrum of sensitivity they offer for patients to define

within their EHRs. This requires consistency in the way the relevant information is expressed, to make

this sensibly scalable at definition-time (when new EHR entries are being added), at run-time (when

a whole EHR is being retrieved or queried), and durable over a patient’s lifetime. It is also important

to recognize that, for the foreseeable future, diversity will continue to exist between countries on the

specific approaches to securing EHR communications, including differing legislation, and that a highly

prescriptive approach to standardization is not presently possible.

This document therefore does not prescribe the access rules themselves. It does not specify who should

have access to what and by means of which security mechanisms; these need to be determined by user

communities, national guidelines and legislation. However, it does define a basic framework that can

be used as a minimum specification of EHR access policy, and a richer generic representation for the

communication of more fine-grained detailed policy information. This framework complements the

overall architecture defined in ISO 13606-1, and defines specific information structures that are to be

communicated as part of an EHR_EXTRACT defined in ISO 13606-1. Some of the kinds of agreement

necessary for the security of EHR communication are inevitably outside the scope of this document,

and are covered more extensively in ISO 22600 (Privilege Management and Access Control).

It should be noted that there are a number of explicit and implicit dependencies on use of other standards

alongside this document, for overall cohesion of an interoperable information security deployment. In

addition to agreement about the complete range of appropriate standards, a relevant assurance regime

would be required (which is beyond the scope of this document).
0.3 Communication scenarios
0.3.1 Data flows

The interfaces and message models required to support EHR communication are the subject of

ISO 13606-5. The description here is an overview of the communications process in order to show the

interactions for which security features are needed. Figure 1 illustrates the key data flows and scenarios

that need to be considered by this document. For each key data flow there will be an acknowledgement

response, and optionally a rejection may be returned instead of the requested data.

vi © ISO 2019 – All rights reserved
---------------------- Page: 12 ----------------------
SIST EN ISO 13606-4:2019
ISO 13606-4:2019(E)

Figure 1 — Principal data flows and security-related business processes covered by this

document

The EHR Requester, EHR Recipient and Audit Log Reviewer might be healthcare professionals, the

patient, a legal representative or another party with sufficient authorization to access healthcare

information. Both the EHR_EXTRACT and the audit log, if provided, might need to be filtered to limit

the disclosure to match the privileges of the recipient. This aspect of access control is discussed later in

this introduction (all parties shown here will need to maintain an audit log, not just the EHR Provider.

However, for readability the other audit log processes are not shown or described here).

The following subclauses describe each data flow in Figure 1.
0.3.2 Request EHR data

This interaction is not always required (for example, EHR data might be pushed from Provider to

Recipient as in the case of a discharge summary). The request interface needs to include a sufficient

profile of the Requester to enable the EHR Provider to be in a position to make an access decision, to

populate an audit log, and provide the appropriate data to the intended Recipient. In some cases the

EHR Requester might not be the same party as the EHR Recipient – for example a software agent might

trigger a notification containing EHR data to be sent to a healthcare professional. In such cases it is the

EHR Recipient’s credentials that will principally determine the access decision to be made.

An EHR request might need to include or reference consents for access and mandates for care, for

example by providing some form of explicit consent from the patient, or a care mandate.

The negotiation between Requester and Provider of EHR data will increasingly be automated, and

the information included in this interaction should be sufficient to enable a fully computerised policy

negotiation.

The requirements for this interaction will be reflected in the REQUEST_EHR_EXTRACT interface model

defined in ISO 13606-5.
© ISO 2019 – All rights reserved vii
---------------------- Page: 13 ----------------------
SIST EN ISO 13606-4:2019
ISO 13606-4:2019(E)
0.3.3 Generate EHR access log entry

This is assumed practice in any EHR system, but it is not specified as a normative interface because of

the diverse approaches and capabilities in present-day systems. The internal audit systems within any

EHR system are not required to be interoperable except in support of the model defined in Clause 8 of

this document and the corresponding interface defined in ISO 13606-5.
0.3.4 Acknowledge receipt of the EHR request
No healthcare-specific security considerations.
0.3.5 Make access decision, filter EHR data

When processing the EHR request, policies pertaining to the EHR Provider and access policies in the

EHR itself all need to be taken into account in determining what data are extracted from the target

EHR. This document cannot dictate the overall set of policies that might influence the EHR Provider,

potentially deriving from national, regional, organisation-specific, professional and other legislation.

A decision to filter the EHR data on the basis of its sensitivity and the privileges of the EHR Requester

and Recipient will need to conform to relevant policies and might need to balance the clinical risks of

denying access to information with the medico-legal risks of releasing information.

This document however does define an overall framework for representing in an interoperable way

the access policies that might relate to any particular EHR, authored by the patient or representatives.

These might not be stored in the physical EHR system in this way; they might instead, for example, be

integrated within a policy server linked to the EHR server.
This access decision is discussed in more detail in Clause 7.
0.3.6 Deny provision of the EHR_EXTRACT

If the access decision is to decline, a coarse-grained set of reasons needs to be defined in order to frame a

suitable set of responses from the EHR Provider. However, it is important that the denial and any reason

given does not imply to the recipient that the requested EHR data does exist – even the disclosure of its

existence could itself be damaging to a patient.

No healthcare-specific security considerations– the interface model is defined in ISO 13606-5.

0.3.7 Provide the EHR_EXTRACT

It should be noted that the EHR Recipient need not be the same as an EHR Requester, and indeed the

provision of an EHR need not have been triggered by a request. It might instead have been initiated by

the provider as part of shared care pathway or to add new data to an existing EHR.

The EHR_EXTRACT is required to conform to the Reference Model defined in ISO 13606-1, and to the

interface model defined in ISO 13606-5.

The EHR_EXTRACT sh include or reference any relevant access policies, represented in conformance

with this document, to govern any onward propagation of the EHR data being communicated. Policies

may only be referenced if the EHR recipient is known to have direct access to the same information by

another means.
0.3.8 Acknowledge receipt of EHR_EXTRACT
No healthcare-specific security considerations.
0.3.9 Generate EHR access log entry
As described in 0.3.3.
0.3.10 Request EHR access log view
viii © ISO 2019 – All rights reserved
---------------------- Page: 14 ----------------------
SIST EN ISO 13606-4:2019
ISO 13606-4:2019(E)

This is now considered to be desirable practice, to enable a patient to discover who has accessed part

or all of his/her EHR in an information-sharing environment. The scope of this interface, as defined in

this document, is to request a view of the audit log that informs the recipient about who has accessed

what parts of his or her EHR within a given EHR system, and when. This interface is not intended to

support situations where a full inspection of an audit log is required for legal purposes or for other

investigations. This interface is discussed in Clause 6.
The i
...

SLOVENSKI STANDARD
SIST EN ISO 13606-4:2019
01-september-2019
Nadomešča:
SIST EN 13606-4:2008
Zdravstvena informatika - Komunikacija z elektronskimi zapisi na področju
zdravstva - 4. del: Varnost (ISO 13606-4:2019)

Health informatics - Electronic health record communication - Part 4: Security (ISO

13606-4:2019)

Medizinische Informatik - Kommunikation von Patientendaten in elektronischer Form -

Teil 4: Sicherheit (ISO 13606-4:2019)

Informatique de santé - Communication du dossier de santé informatisé - Partie 4:

Sécurité (ISO 13606-4:2019)
Ta slovenski standard je istoveten z: EN ISO 13606-4:2019
ICS:
35.030 Informacijska varnost IT Security
35.240.80 Uporabniške rešitve IT v IT applications in health care
zdravstveni tehniki technology
SIST EN ISO 13606-4:2019 en,fr,de

2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

---------------------- Page: 1 ----------------------
SIST EN ISO 13606-4:2019
---------------------- Page: 2 ----------------------
SIST EN ISO 13606-4:2019
EN ISO 13606-4
EUROPEAN STANDARD
NORME EUROPÉENNE
July 2019
EUROPÄISCHE NORM
ICS 35.240.80 Supersedes EN 13606-4:2007
English Version
Health informatics - Electronic health record
communication - Part 4: Security (ISO 13606-4:2019)

Informatique de santé - Communication du dossier de Medizinische Informatik - Kommunikation von

santé informatisé - Partie 4: Sécurité (ISO 13606- Patientendaten in elektronischer Form - Teil 4:

4:2019) Sicherheit (ISO 13606-4:2019)
This European Standard was approved by CEN on 2 July 2019.

CEN members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this

European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical references

concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to any CEN

member.

This European Standard exists in three official versions (English, French, German). A version in any other language made by

translation under the responsibility of a CEN member into its own language and notified to the CEN-CENELEC Management

Centre has the same status as the official versions.

CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia,

Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway,

Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and

United Kingdom.
EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION
EUROPÄISCHES KOMITEE FÜR NORMUNG
CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels

© 2019 CEN All rights of exploitation in any form and by any means reserved Ref. No. EN ISO 13606-4:2019 E

worldwide for CEN national Members.
---------------------- Page: 3 ----------------------
SIST EN ISO 13606-4:2019
EN ISO 13606-4:2019 (E)
Contents Page

European foreword ....................................................................................................................................................... 3

---------------------- Page: 4 ----------------------
SIST EN ISO 13606-4:2019
EN ISO 13606-4:2019 (E)
European foreword

This document (EN ISO 13606-4:2019) has been prepared by Technical Committee ISO/TC 215 "Health

informatics" in collaboration with Technical Committee CEN/TC 251 “Health informatics” the

secretariat of which is held by NEN.

This European Standard shall be given the status of a national standard, either by publication of an

identical text or by endorsement, at the latest by January 2020, and conflicting national standards shall

be withdrawn at the latest by January 2020.

Attention is drawn to the possibility that some of the elements of this document may be the subject of

patent rights. CEN shall not be held responsible for identifying any or all such patent rights.

This document supersedes EN 13606-4:2007.

According to the CEN-CENELEC Internal Regulations, the national standards organizations of the

following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria,

Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland,

Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of

North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the

United Kingdom.
Endorsement notice

The text of ISO 13606-4:2019 has been approved by CEN as EN ISO 13606-4:2019 without any

modification.
---------------------- Page: 5 ----------------------
SIST EN ISO 13606-4:2019
---------------------- Page: 6 ----------------------
SIST EN ISO 13606-4:2019
INTERNATIONAL ISO
STANDARD 13606-4
First edition
2019-06
Health informatics — Electronic
health record communication —
Part 4:
Security
Informatique de santé — Communication du dossier de santé
informatisé —
Partie 4: Sécurité
Reference number
ISO 13606-4:2019(E)
ISO 2019
---------------------- Page: 7 ----------------------
SIST EN ISO 13606-4:2019
ISO 13606-4:2019(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO 2019

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may

be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting

on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address

below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO 2019 – All rights reserved
---------------------- Page: 8 ----------------------
SIST EN ISO 13606-4:2019
ISO 13606-4:2019(E)
Contents Page

Foreword ........................................................................................................................................................................................................................................iv

Introduction ..................................................................................................................................................................................................................................v

1 Scope ................................................................................................................................................................................................................................. 1

2 Normative references ...................................................................................................................................................................................... 1

3 Terms and definitions ..................................................................................................................................................................................... 1

4 Abbreviations........................................................................................................................................................................................................... 2

5 Conformance ............................................................................................................................................................................................................. 2

6 Record Component Sensitivity and Functional Roles .................................................................................................... 3

6.1 RECORD_COMPONENT sensitivity......................................................................................................................................... 3

6.2 Functional roles ...................................................................................................................................................................................... 3

6.3 Mapping of Functional Role to COMPOSITION sensitivity ................................................................................ 4

7 Representing access policy information within an EHR_EXTRACT .................................................................4

7.1 Overview ...................................................................................................................................................................................................... 4

7.2 UML representation of the archetype of the access policy COMPOSITION ........................................ 6

7.2.1 Access policy........................................................................................................................................................................ 7

7.2.2 Target ......................................................................................................................................................................................... 7

7.2.3 Request criterion ............................................................................................................................................................. 8

7.2.4 Sensitivity constraint ................................................................................................................................................... 9

7.2.5 Attestation information ..........................................................................................................................................10

7.3 Archetype of the access policy COMPOSITION .........................................................................................................11

8 Representing audit log information ..............................................................................................................................................11

8.1 General ........................................................................................................................................................................................................11

8.1.1 EHR audit log extract ................................................................................................................................................11

8.1.2 Audit log constraint ....................................................................................................................................................12

8.1.3 EHR audit log entry ....................................................................................................................................................13

8.1.4 EHR extract description ..........................................................................................................................................14

8.1.5 Demographic extract .................................................................................................................................................15

Annex A (informative) Illustrative access control example .......................................................................................................16

Annex B (informative) Relations of ISO 13606-4 to alternative approaches ...........................................................20

Bibliography .............................................................................................................................................................................................................................22

© ISO 2019 – All rights reserved iii
---------------------- Page: 9 ----------------------
SIST EN ISO 13606-4:2019
ISO 13606-4:2019(E)
Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards

bodies (ISO member bodies). The work of preparing International Standards is normally carried out

through ISO technical committees. Each member body interested in a subject for which a technical

committee has been established has the right to be represented on that committee. International

organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.

ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of

electrotechnical standardization.

The procedures used to develop this document and those intended for its further maintenance are

described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the

different types of ISO documents should be noted. This document was drafted in accordance with the

editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of

patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of

any patent rights identified during the development of the document will be in the Introduction and/or

on the ISO list of patent declarations received (see www .iso .org/patents).

Any trade name used in this document is information given for the convenience of users and does not

constitute an endorsement.

For an explanation on the voluntary nature of standards, the meaning of ISO specific terms and

expressions related to conformity assessment, as well as information about ISO's adherence to the

World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following

URL: www .iso .org/iso/foreword .html.

This document was prepared by Technical Committee ISO/TC 215, Health Informatics.

This first edition of ISO 13606-4 cancels and replaces the first edition of ISO/TS 13606-4:2009, which

has been technically revised. The main changes compared to the previous edition are as follows:

— Functional Roles
— Some terms for functional roles have been updated to align with CONTSYS.

— The rules for using this vocabulary now state that jurisdictions can nominate alternatives or

specialisations of these terms if needed.
— Access policy model

The access policy model now also permits jurisdictional alternative terms to be used where

appropriate.
— Audit log model

The audit log model now aligns with the ISO 27789 standard for EHR audit trails. It contains more

information than is present in ISO 27789: it is a kind of specialisation specifically dealing with the

communication of EHR information and audit log information. It therefore includes information

about the EHR extract or the audit log extract being communicated, which is beyond the scope of

ISO 27789.
A list of all parts in the ISO 13606 series can be found on the ISO website.

Any feedback or questions on this document should be directed to the user’s national standards body. A

complete listing of these bodies can be found at www .iso .org/members .html.
iv © ISO 2019 – All rights reserved
---------------------- Page: 10 ----------------------
SIST EN ISO 13606-4:2019
ISO 13606-4:2019(E)
Introduction
0.1 General

This document, is part of a five-part standard series, published jointly by CEN and ISO through the

Vienna Agreement. In this document, dependency upon any of the other parts of this series is explicitly

stated where it applies.
0.2 Challenge addressed by this document

The communication of electronic health records (EHRs) in whole or in part, within and across

organisational boundaries, and sometimes across national borders, is challenging from a security

perspective. Health records should be created, processed and managed in ways that assure the

confidentiality of their contents and legitimate control by patients in how they are used. Around the

globe, these principles are progressively becoming enshrined in national data protection legislation.

These instruments declare that the subject of care has the right to play a pivotal role in decisions on

the content and distribution of his or her electronic health record, as well as rights to be informed of its

contents. The communication of health record information to third parties should take place only with

patient consent (which can be any freely given specific and informed indication of his or her wishes

by which the data subject signifies his or her agreement to personal data relating to him or her being

processed). More details can be found in ISO 22600-3. For EHR communication across national borders,

ISO 22857 provides guidance that can be used to define appropriate security policy specifications.

Ideally, each fine grained entry in a patient's record should only be accessed by those persons who

have permissions to view that information, specified by or approved by the patient and reflecting the

dynamic nature of the set of persons with legitimate duty of care towards the patient through his or

her lifetime. The access control list will ideally also include those persons who have permissions to

access the data for reasons other than a duty of care (such as health service management, epidemiology

and public health, consented research) but exclude any information that they do not need to see or

which the patient feels is too personal for them to access. On the opposite side, the labelling by patients

or their representatives of information as personal or private should ideally not hamper those who

legitimately need to see the information in an emergency, nor accidentally result in genuine health

care providers having such a filtered perspective that they are misled into managing the patient

inappropriately. Patients' views on the inherent sensitivity of entries in their health record can evolve

over time, as their personal health anxieties alter or as societal attitudes to health problems change.

Patients might wish to offer some heterogeneous levels of access to family, friends, carers and members

of their community. Families might wish to provide a means by which they are able to access parts of

each other’s records (but not necessarily to equal extents) in order to monitor the progress of inherited

conditions within a family tree.

Such a set of requirements is arguably more extensive than that required of the data controllers in most

other industry sectors. It is in practice made extremely complex by:

— the large number of health record entries made on a patient during the course of modern health care;

— the large number of health care personnel, often rotating through posts, who might potentially

come into contact with a patient at any one time;

— the large number of organisations with which a patient might come into contact during his or her

lifetime;

— the difficulty (for a patient or for anyone else) of classifying in a standardized way how sensitive a

record entry might be;

— the difficulty of determining how important a single health record entry might be to the future care

of a patient, and to which classes of user;

1) The term sensitivity is widely used in the security domain for a broad range of safeguards and controls, but in

this document the term refers only to access controls.
© ISO 2019 – All rights reserved v
---------------------- Page: 11 ----------------------
SIST EN ISO 13606-4:2019
ISO 13606-4:2019(E)

— the logically indelible nature of the EHR and the need for revisions to access permissions to be

rigorously managed in the same way as revisions to the EHR entries themselves;

— the need to determine appropriate access very rapidly, in real time, and potentially in a distributed

computing environment;

— the high level of concern expressed by a growing minority of patients to have their consent for

disclosure recorded and respected;

— the low level of concern the majority of patients have about these requirements, which has historically

limited the priority and investment committed to tackling this aspect of EHR communications.

To support interoperable EHRs, and seamless communication of EHR data between health care

providers, the negotiation required to determine if a given requester for EHR data should be permitted

to receive the data should be capable of automation. If this were not possible, the delays and workload of

managing human decisions for all or most record communications would obviate any value in striving

for data interoperability.

The main principles of the approach to standards development in the area of EHR communications

access control are to match the characteristics and parameters of a request to the EHR provider’s

policies, and to any access control or consent declarations within the specified EHR, to maintain

appropriate evidence of the disclosure, and to make this capable of automated processing. In practice,

efforts are in progress to develop international standards for defining access control and privilege

management systems that would be capable of computer-to-computer negotiation. However, this kind

of work is predicated upon health services agreeing a mutually consistent framework for defining the

privileges they wish to assign to staff, and the spectrum of sensitivity they offer for patients to define

within their EHRs. This requires consistency in the way the relevant information is expressed, to make

this sensibly scalable at definition-time (when new EHR entries are being added), at run-time (when

a whole EHR is being retrieved or queried), and durable over a patient’s lifetime. It is also important

to recognize that, for the foreseeable future, diversity will continue to exist between countries on the

specific approaches to securing EHR communications, including differing legislation, and that a highly

prescriptive approach to standardization is not presently possible.

This document therefore does not prescribe the access rules themselves. It does not specify who should

have access to what and by means of which security mechanisms; these need to be determined by user

communities, national guidelines and legislation. However, it does define a basic framework that can

be used as a minimum specification of EHR access policy, and a richer generic representation for the

communication of more fine-grained detailed policy information. This framework complements the

overall architecture defined in ISO 13606-1, and defines specific information structures that are to be

communicated as part of an EHR_EXTRACT defined in ISO 13606-1. Some of the kinds of agreement

necessary for the security of EHR communication are inevitably outside the scope of this document,

and are covered more extensively in ISO 22600 (Privilege Management and Access Control).

It should be noted that there are a number of explicit and implicit dependencies on use of other standards

alongside this document, for overall cohesion of an interoperable information security deployment. In

addition to agreement about the complete range of appropriate standards, a relevant assurance regime

would be required (which is beyond the scope of this document).
0.3 Communication scenarios
0.3.1 Data flows

The interfaces and message models required to support EHR communication are the subject of

ISO 13606-5. The description here is an overview of the communications process in order to show the

interactions for which security features are needed. Figure 1 illustrates the key data flows and scenarios

that need to be considered by this document. For each key data flow there will be an acknowledgement

response, and optionally a rejection may be returned instead of the requested data.

vi © ISO 2019 – All rights reserved
---------------------- Page: 12 ----------------------
SIST EN ISO 13606-4:2019
ISO 13606-4:2019(E)

Figure 1 — Principal data flows and security-related business processes covered by this

document

The EHR Requester, EHR Recipient and Audit Log Reviewer might be healthcare professionals, the

patient, a legal representative or another party with sufficient authorization to access healthcare

information. Both the EHR_EXTRACT and the audit log, if provided, might need to be filtered to limit

the disclosure to match the privileges of the recipient. This aspect of access control is discussed later in

this introduction (all parties shown here will need to maintain an audit log, not just the EHR Provider.

However, for readability the other audit log processes are not shown or described here).

The following subclauses describe each data flow in Figure 1.
0.3.2 Request EHR data

This interaction is not always required (for example, EHR data might be pushed from Provider to

Recipient as in the case of a discharge summary). The request interface needs to include a sufficient

profile of the Requester to enable the EHR Provider to be in a position to make an access decision, to

populate an audit log, and provide the appropriate data to the intended Recipient. In some cases the

EHR Requester might not be the same party as the EHR Recipient – for example a software agent might

trigger a notification containing EHR data to be sent to a healthcare professional. In such cases it is the

EHR Recipient’s credentials that will principally determine the access decision to be made.

An EHR request might need to include or reference consents for access and mandates for care, for

example by providing some form of explicit consent from the patient, or a care mandate.

The negotiation between Requester and Provider of EHR data will increasingly be automated, and

the information included in this interaction should be sufficient to enable a fully computerised policy

negotiation.

The requirements for this interaction will be reflected in the REQUEST_EHR_EXTRACT interface model

defined in ISO 13606-5.
© ISO 2019 – All rights reserved vii
---------------------- Page: 13 ----------------------
SIST EN ISO 13606-4:2019
ISO 13606-4:2019(E)
0.3.3 Generate EHR access log entry

This is assumed practice in any EHR system, but it is not specified as a normative interface because of

the diverse approaches and capabilities in present-day systems. The internal audit systems within any

EHR system are not required to be interoperable except in support of the model defined in Clause 8 of

this document and the corresponding interface defined in ISO 13606-5.
0.3.4 Acknowledge receipt of the EHR request
No healthcare-specific security considerations.
0.3.5 Make access decision, filter EHR data

When processing the EHR request, policies pertaining to the EHR Provider and access policies in the

EHR itself all need to be taken into account in determining what data are extracted from the target

EHR. This document cannot dictate the overall set of policies that might influence the EHR Provider,

potentially deriving from national, regional, organisation-specific, professional and other legislation.

A decision to filter the EHR data on the basis of its sensitivity and the privileges of the EHR Requester

and Recipient will need to conform to relevant policies and might need to balance the clinical risks of

denying access to information with the medico-legal risks of releasing information.

This document however does define an overall framework for representing in an interoperable way

the access policies that might relate to any particular EHR, authored by the patient or representatives.

These might not be stored in the physical EHR system in this way; they might instead, for example, be

integrated within a policy server linked to the EHR server.
This access decision is discussed in more detail in Clause 7.
0.3.6 Deny provision of the EHR_EXTRACT

If the access decision is to decline, a coarse-grained set of reasons needs to be defined in order to frame a

suitable set of responses from the EHR Provider. However, it is important that the denial and any reason

given does not imply to the recipient that the requested EHR data does exist – even the disclosure of its

existence could itself be damaging to a patient.

No healthcare-specific security considerations– the interface model is defined in ISO 13606-5.

0.3.7 Provide the EHR_EXTRACT

It should be noted that the EHR Recipient need not be the same as an EHR Requester, and indeed the

provision of an EHR need not have been triggered by a request. It might instead have been initiated by

the provider as part of shared care pathway or to add new data to an existing EHR.

The EHR_EXTRACT is required to conform to the Reference Model defined in ISO 13606-1, and to the

interface model defined in ISO 13606-5.

The EHR_EXTRACT sh include or reference any relevant access policies, represented in conformance

with this document, to govern any onward propagation of the EHR data being communicated. Policies

may only be referenced if the EHR recipient is known to have direct access to the same information by

another means.
0.3.8 Acknowledge receipt of EHR_EXTRACT
No healthcare-specific security considerations.
0.3.9 Generate EHR access log entry
As described in 0.3.3.
0.3.10 Request EHR access log view
viii © ISO 2019 – All rights reserved
---------------------- Page: 14 ----------------------
SIST EN ISO 13606-4:2019
ISO 13606-4:2019(E)

This is now considered to be desirable practice, to enable a patient to discover who has accessed part

or all of his/her EHR in an information-sharing environment. The scope of this interface, as defined in

this document, is to request a view of the audit log that informs the recipient about who has accessed

what parts of his or her EHR within a given EHR system, and when. This interface is not intended to

support situations where a full inspection of an audit log is required for legal purposes or for other

investigations. This inter
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.