EN ISO 13606-4:2019
Health informatics - Electronic health record communication - Part 4: Security (ISO 13606-4:2019)
This document describes a methodology for specifying the privileges necessary to access EHR data. This methodology forms part of the overall EHR communications architecture defined in ISO 13606-1.
This document seeks to address those requirements uniquely pertaining to EHR communications and to represent and communicate EHR-specific information that will inform an access decision. It also refers to general security requirements that apply to EHR communications and points at technical solutions and standards that specify details on services meeting these security needs.
NOTE Security requirements for EHR systems not related to the communication of EHRs are outside the scope of this document.
Medizinische Informatik - Kommunikation von Patientendaten in elektronischer Form - Teil 4: Sicherheit (ISO 13606-4:2019)
Informatique de santé - Communication du dossier de santé informatisé - Partie 4: Sécurité (ISO 13606-4:2019)
This document describes a methodology for specifying the privileges necessary to access EHR data. This methodology forms part of the overall EHR communications architecture defined in ISO 13606-1.
This document seeks to address only those requirements pertaining to EHR communications and to represent and communicate the EHR-specific information that informs an access decision. It also refers to general security requirements that apply to EHR communications and points to technical solutions and standards that specify details of services meeting these security needs.
NOTE Security requirements for EHR systems not associated with the communication of EHRs are outside the scope of this document.
Zdravstvena informatika - Komunikacija z elektronskimi zdravstvenimi zapisi - 4. del: Varnost (ISO 13606-4:2019)
This part of this multi-part standard on electronic health record communication describes a methodology for specifying the privileges necessary to access EHR data. This methodology forms part of the overall EHR communications architecture defined in Part 1 of this standard. This standard is intended to address the requirements pertaining to EHR communications and to represent and communicate EHR-specific information that will inform an access decision. It also refers to general security requirements that apply to EHR communications and points to technical solutions and standards that specify details of services meeting these security needs.
Standards Content (Sample)
SLOVENIAN STANDARD
01-September-2019
Supersedes:
SIST EN 13606-4:2008
Zdravstvena informatika - Komunikacija z elektronskimi zapisi na področju zdravstva - 4. del: Varnost (ISO 13606-4:2019)
Health informatics - Electronic health record communication - Part 4: Security (ISO 13606-4:2019)
Medizinische Informatik - Kommunikation von Patientendaten in elektronischer Form - Teil 4: Sicherheit (ISO 13606-4:2019)
Informatique de santé - Communication du dossier de santé informatisé - Partie 4: Sécurité (ISO 13606-4:2019)
This Slovenian standard is identical to: EN ISO 13606-4:2019
ICS:
35.030 IT Security
35.240.80 IT applications in health care technology
2003-01. Slovenian Institute for Standardization. Reproduction of the whole or of parts of this standard is not permitted.
EN ISO 13606-4
EUROPEAN STANDARD
NORME EUROPÉENNE
EUROPÄISCHE NORM
July 2019
ICS 35.240.80 Supersedes EN 13606-4:2007
English Version
Health informatics - Electronic health record communication - Part 4: Security (ISO 13606-4:2019)
Informatique de santé - Communication du dossier de santé informatisé - Partie 4: Sécurité (ISO 13606-4:2019)
Medizinische Informatik - Kommunikation von Patientendaten in elektronischer Form - Teil 4: Sicherheit (ISO 13606-4:2019)
This European Standard was approved by CEN on 2 July 2019.
CEN members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to any CEN member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by translation under the responsibility of a CEN member into its own language and notified to the CEN-CENELEC Management Centre has the same status as the official versions.
CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom.
EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION
EUROPÄISCHES KOMITEE FÜR NORMUNG
CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels
© 2019 CEN All rights of exploitation in any form and by any means reserved worldwide for CEN national Members. Ref. No. EN ISO 13606-4:2019 E
Contents
European foreword
European foreword
This document (EN ISO 13606-4:2019) has been prepared by Technical Committee ISO/TC 215 "Health informatics" in collaboration with Technical Committee CEN/TC 251 "Health informatics", the secretariat of which is held by NEN.
This European Standard shall be given the status of a national standard, either by publication of an identical text or by endorsement, at the latest by January 2020, and conflicting national standards shall be withdrawn at the latest by January 2020.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. CEN shall not be held responsible for identifying any or all such patent rights.
This document supersedes EN 13606-4:2007.
According to the CEN-CENELEC Internal Regulations, the national standards organizations of the following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the United Kingdom.
Endorsement notice
The text of ISO 13606-4:2019 has been approved by CEN as EN ISO 13606-4:2019 without any modification.
INTERNATIONAL STANDARD ISO 13606-4
First edition 2019-06
Health informatics — Electronic health record communication — Part 4: Security
Informatique de santé — Communication du dossier de santé informatisé — Partie 4: Sécurité
Reference number ISO 13606-4:2019(E)
© ISO 2019
© ISO 2019
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 Conformance
6 Record Component Sensitivity and Functional Roles
6.1 RECORD_COMPONENT sensitivity
6.2 Functional roles
6.3 Mapping of Functional Role to COMPOSITION sensitivity
7 Representing access policy information within an EHR_EXTRACT
7.1 Overview
7.2 UML representation of the archetype of the access policy COMPOSITION
7.2.1 Access policy
7.2.2 Target
7.2.3 Request criterion
7.2.4 Sensitivity constraint
7.2.5 Attestation information
7.3 Archetype of the access policy COMPOSITION
8 Representing audit log information
8.1 General
8.1.1 EHR audit log extract
8.1.2 Audit log constraint
8.1.3 EHR audit log entry
8.1.4 EHR extract description
8.1.5 Demographic extract
Annex A (informative) Illustrative access control example
Annex B (informative) Relations of ISO 13606-4 to alternative approaches
Bibliography
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.
For an explanation on the voluntary nature of standards, the meaning of ISO-specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see the following URL: www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/TC 215, Health Informatics.
This first edition of ISO 13606-4 cancels and replaces the first edition of ISO/TS 13606-4:2009, which has been technically revised. The main changes compared to the previous edition are as follows:
— Functional Roles
  — Some terms for functional roles have been updated to align with CONTSYS.
  — The rules for using this vocabulary now state that jurisdictions can nominate alternatives or specialisations of these terms if needed.
— Access policy model
  The access policy model now also permits jurisdictional alternative terms to be used where appropriate.
— Audit log model
  The audit log model now aligns with the ISO 27789 standard for EHR audit trails. It contains more information than is present in ISO 27789: it is a kind of specialisation specifically dealing with the communication of EHR information and audit log information. It therefore includes information about the EHR extract or the audit log extract being communicated, which is beyond the scope of ISO 27789.
A list of all parts in the ISO 13606 series can be found on the ISO website.
...