EN ISO 22600-3:2014
(Main)Health informatics - Privilege management and access control - Part 3: Implementations (ISO 22600-3:2014)
Health informatics - Privilege management and access control - Part 3: Implementations (ISO 22600-3:2014)
ISO 22600 defines principles and specifies services needed for managing privileges and access control to data and/or functions.
It focuses on communication and use of health information distributed across policy domain boundaries. This includes healthcare information sharing across unaffiliated providers of healthcare, healthcare organizations, health insurance companies, their patients, staff members, and trading partners by both individuals and application systems ranging from a local situation to a regional or even national situation.
It specifies the necessary component-based concepts and is intended to support their technical implementation. It will not specify the use of these concepts in particular clinical process pathways.
ISO 22600-3:2014 instantiates requirements for repositories for access control policies and requirements for privilege management infrastructures. It provides implementation examples of the formal models specified in ISO 22600‑2.
Medizinische Informatik - Privilegienmanagement und Zugriffssteuerung - Teil 3: Implementierungen (ISO 22600-3:2014)
Diese mehrteilige Internationale Norm legt Grundsätze fest und spezifiziert die für das Privilegienmanagement und die Zugriffssteuerung auf Daten und Funktionen erforderlichen Dienste.
Sie konzentriert sich auf die Kommunikation und Nutzung von gesundheitsbezogene Informationen, die über die Grenzen von Policy-Domains hinweg verteilt werden. Das umfasst die gemeinsame Nutzung von gesundheitsbezogenen Informationen durch nicht miteinander verbundene Anbieter und Organisationen des Gesundheitswesens, Krankenversicherungen, deren Patienten, Mitarbeiter und Handelspartner sowohl durch Einzelpersonen als auch durch Anwendungssysteme im Bereich von einer lokalen zu einer regionalen oder auch nationalen Situation.
Sie legt die erforderlichen komponentenbasierten Begriffe fest und soll deren technische Implementierung unterstützen. Sie legt jedoch nicht fest, wie diese Begriffe in speziellen klinischen Prozessabläufen zu verwenden sind.
Dieser Teil von ISO 26000 instanziiert Anforderungen an Repositories für Zugriffssteuerungs-Policies und Anforderungen an Infrastrukturen für das Privilegienmanagement. Er gibt Beispiele für die Implementierung der in ISO 22600-2 spezifizierten formalen Modelle.
Dieser Teil von ISO 22600 enthält weder plattformspezifische noch implementierungstechnische Einzelheiten. Sie legt keine technischen Kommunikationssicherheitsdienste, Authentisierungsverfahren und -protokolle fest, die bereits in anderen Internationalen Normen festgelegt sind, wie z. B. in ISO 7498‑2, ISO/IEC 10745 (ITU-T X.803), ISO/IEC TR 13594:1995 (ITU-T X.802), ISO/IEC 10181‑1 (ITU-T X.810), ISO/IEC 9594‑8 (ITU-T X.509), ISO/IEC 9796 (alle Teile), ISO/IEC 9797 (alle Teile) und ISO/IEC 9798 (alle Teile).
Informatique de santé - Gestion de privilèges et contrôle d'accès - Partie 3: Mises en oeuvre (ISO 22600-3:2014)
L'ISO 22600 définit les principes de gestion des privilèges et de contrôle d'accès aux données et/ou aux fonctions et spécifie les services nécessaires à ces activités.
Elle se concentre sur la communication et l'utilisation des informations de santé réparties au-delà des limites d'un domaine de politique. Cela inclut le partage d'informations de santé entre prestataires de soins de santé non affiliés, organisations de soins de santé, sociétés d'assurance‑maladie, patients, membres du personnel et partenaires commerciaux, par des individus tout comme par des systèmes d'application utilisés dans un contexte local, voire régional ou même national.
Elle spécifie les concepts nécessaires pour chaque composante et est destinée à venir à l'appui de leur mise en oeuvre technique. Elle ne spécifiera pas l'utilisation de ces concepts pour des cheminements de processus cliniques particuliers.
L'ISO 22600-3:2014 instancie les exigences applicables aux répertoires de politiques de contrôle d'accès et les exigences applicables aux infrastructures de gestion des privilèges. Elle fournit des exemples de mise en oeuvre des modèles formels spécifiés dans l'ISO 22600-2.
Zdravstvena informatika - Upravljanje privilegijev in dostopovno krmiljenje - 3. del: Izvedbe (ISO 22600-3:2014)
Ta mednarodni standard v več delih določa storitve za upravljanje privilegijev in dostopovno krmiljenje, ki so potrebne za sporočanje in uporabo porazdeljenih zdravstvenih informacij prek meja domene in zaščite. Dokument predstavlja načela in določa storitve, ki so potrebne za upravljanje privilegijev in dostopovno krmiljenje. Določa potrebne koncepte za komponente in je namenjen za podporo njihovi tehnični izvedbi. Ne določa uporabe teh konceptov na določenih poteh kliničnih postopkov in se ne ukvarja s pomisleki glede varnosti, če obstajajo, povezanimi z njihovo uporabo. V 1. delu je opisno predstavljena težava premostitve politike v kontekstu medorganizacijske komunikacije in sodelovanja, 2. del pa določa splošen razvojni postopek za semantično analizo, načrtovanje, izvedbo in uvedbo zdravstvenih informacijskih sistemov. Varnostne storitve, ki so potrebne zaradi pravnih, družbenih, organizacijskih, uporabniških, funkcijskih in tehnoloških zahtev, morajo biti vgrajene v napredni in trajni sistemski arhitekturi, ki izpolnjuje paradigme glede semantične interoperabilnosti. V tem 3. delu standarda ISO 26000 so navedene zahteve glede repozitorijev za politiko o dostopovnem krmiljenju in zahteve glede infrastruktur za upravljanje privilegijev. Navaja primere izvedbe formalnih modelov, določenih v 2. delu. Ta mednarodni standard ne vključuje podrobnosti o platformi in izvedbi. Ne določa varnostnih storitev za tehnično komunikacijo, tehnik za overjanje in protokolov, ki so bili vzpostavljeni v drugih standardih, kot je ISO 7498-2 Sistemi za obdelavo informacij – Medsebojno povezovanje odprtih sistemov – Osnovni referenčni model – 2. del: Varnostna arhitektura, ISO/IEC 10745 (ITU-T X.803), ISO/IEC 13594 IT – Varnost nižjih plasti (ITU-T X.802) in ISO/IEC 10181-1 (ITU-T X.810), ISO/IEC 9594-8 Informacijska tehnologija – Medsebojno povezovanje odprtih sistemov – Imenik – 8. del – Ogrodje za overjanje (enakovr. ITU-T/X.509, ISO/IEC 9796 Varnostne tehnike – Shema digitalnega podpisa za obnovitev sporočila, več delov (1-2), ISO/IEC 9797 Varnostne tehnike – Kode za overjanje sporočil, ISO/IEC 9798 Informacijska tehnologija – Varnostne tehnike – Overjanje entitet.
General Information
Standards Content (Sample)
SLOVENSKI STANDARD
01-februar-2015
Zdravstvena informatika - Upravljanje privilegijev in dostopovno krmiljenje - 3. del:
Izvedbe (ISO 22600-3:2014)
Health informatics - Privilege management and access control - Part 3: Implementations
(ISO/DIS 22600-3:2014)
Medizinische Informatik - Privilegienmanagement und Zugriffssteuerung - Teil 3:
Implementierungen (ISO 22600-3:2014)
Informatique de santé - Gestion de privilèges et contrôle d'accès - Partie 3: Mises en
oeuvre (ISO 22600-3:2014)
Ta slovenski standard je istoveten z: EN ISO 22600-3:2014
ICS:
35.240.80 Uporabniške rešitve IT v IT applications in health care
zdravstveni tehniki technology
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.
EUROPEAN STANDARD
EN ISO 22600-3
NORME EUROPÉENNE
EUROPÄISCHE NORM
October 2014
ICS 35.240.80
English Version
Health informatics - Privilege management and access control -
Part 3: Implementations (ISO 22600-3:2014)
Informatique de santé - Gestion de privilèges et contrôle Medizinische Informatik - Privilegienmanagement und
d'accès - Partie 3: Mises en oeuvre (ISO 22600-3:2014) Zugriffssteuerung - Teil 3: Implementierungen (ISO 22600-
3:2014)
This European Standard was approved by CEN on 21 June 2014.
CEN members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European
Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical references concerning such national
standards may be obtained on application to the CEN-CENELEC Management Centre or to any CEN member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by translation
under the responsibility of a CEN member into its own language and notified to the CEN-CENELEC Management Centre has the same
status as the official versions.
CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia,
Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania,
Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United
Kingdom.
EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION
EUROPÄISCHES KOMITEE FÜR NORMUNG
CEN-CENELEC Management Centre: Avenue Marnix 17, B-1000 Brussels
© 2014 CEN All rights of exploitation in any form and by any means reserved Ref. No. EN ISO 22600-3:2014 E
worldwide for CEN national Members.
Contents Page
Foreword .3
Foreword
This document (EN ISO 22600-3:2014) has been prepared by Technical Committee ISO/TC 215 "Health
informatics" in collaboration with Technical Committee CEN/TC 251 “Health informatics” the secretariat of
which is held by NEN.
This European Standard shall be given the status of a national standard, either by publication of an identical
text or by endorsement, at the latest by April 2015, and conflicting national standards shall be withdrawn at the
latest by April 2015.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. CEN [and/or CENELEC] shall not be held responsible for identifying any or all such patent rights.
According to the CEN-CENELEC Internal Regulations, the national standards organizations of the following
countries are bound to implement this European Standard: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech
Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece,
Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal,
Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the United Kingdom.
Endorsement notice
The text of ISO 22600-3:2014 has been approved by CEN as EN ISO 22600-3:2014 without any modification.
INTERNATIONAL ISO
STANDARD 22600-3
First edition
2014-10-01
Health informatics — Privilege
management and access control —
Part 3:
Implementations
Informatique de santé — Gestion de privilèges et contrôle d’accès —
Partie 3: Mises en oeuvre
Reference number
ISO 22600-3:2014(E)
©
ISO 2014
ISO 22600-3:2014(E)
© ISO 2014
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO 2014 – All rights reserved
ISO 22600-3:2014(E)
Contents Page
Foreword .iv
Introduction .v
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Abbreviated terms .13
5 Structures and services for privilege management and access control .15
6 Interpretation of ISO 22600-2 formal models in healthcare settings .18
7 Concept representation for health information systems .18
7.1 Overview .18
7.2 Domain languages .19
7.3 OCL constraint modelling .20
7.4 Other constraint representations .20
8 Consent .22
8.1 Overview .22
8.2 Patient consent .22
8.3 Patient consent management .22
9 Emergency access .22
10 Refinement of the control model .23
11 Refinement of the delegation model .23
Annex A (informative) Privilege management infrastructure .24
Annex B (informative) Attribute certificate extensions.60
Annex C (informative) Terminology comparison .62
Annex D (informative) Examples for policy management and policy representation .63
Bibliography .66
ISO 22600-3:2014(E)
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the meaning of ISO specific terms and expressions related to conformity
assessment, as well as information about ISO’s adherence to the WTO principles in the Technical Barriers
to Trade (TBT) see the following URL: Foreword - Supplementary information
The committee responsible for this document is ISO/TC 215, Health informatics.
This first edition of ISO 22600-3 cancels and replaces ISO/TS 22600-3:2009, which has been technically
revised.
ISO 22600 consists of the following parts, under the general title Health informatics — Privilege
management and access control:
— Part 1: Overview and policy management
— Part 2: Formal models
— Part 3: Implementations
iv © ISO 2014 – All rights reserved
ISO 22600-3:2014(E)
Introduction
The distributed architecture of shared care information systems supporting service-oriented
architecture (SOA) is increasingly based on corporate networks and virtual private networks. For
meeting the interoperability challenge, the use of standardized user interfaces, tools, and protocols,
which ensures platform independence, but also the number of really open information systems, is
rapidly growing during the last couple of years.
As a common situation today, hospitals are supported by several vendors providing different applications,
which are not able to communicate authentication and authorization since each has its own way of
handling these functions. For achieving an integrated scenario, it takes a remarkable amount of money,
time, and efforts to get users and changing organizational environments dynamically mapped before
starting communication and cooperation. Resources required for the development and maintenance
of security functions grow exponentially with the number of applications, with the complexity of
organizations towards a regional, national, or even international level, and with the flexibility of users
playing multiple roles, sometimes even simultaneously.
The situation becomes even more challenging when inter-organizational communications happens,
thereby crossing security policy domain boundaries. Moving from one healthcare centre to another or
from country to country, different rules for privileges and their management can apply to similar types
of users, both for execution of particular functions and for access to information. The policy differences
between these domains have to be bri
...
Questions, Comments and Discussion
Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.