Health informatics - Privilege management and access control - Part 2: Formal models (ISO 22600-2:2014)

ISO 22600 defines principles and specifies services needed for managing privileges and access control to data and/or functions.
It focuses on communication and use of health information distributed across policy domain boundaries. This includes healthcare information sharing across unaffiliated providers of healthcare, healthcare organizations, health insurance companies, their patients, staff members, and trading partners by both individuals and application systems ranging from a local situation to a regional or even national situation.
It specifies the necessary component-based concepts and is intended to support their technical implementation. It will not specify the use of these concepts in particular clinical process pathways.
ISO 22600-2:2014 introduces the underlying paradigm of formal high-level models for architectural components. It is based on ISO/IEC 10746 (all parts) and introduces the domain model, the document model, the policy model, the role model, the authorization model, the delegation model, the control model, and the access control model.

Medizinische Informatik - Privilegienmanagement und Zugriffssteuerung - Teil 2: Formale Modelle (ISO 22600-2:2014)

Diese mehrteilige Internationale Norm legt Grundsätze fest und spezifiziert die für das Privilegienmanagement und die Zugriffssteuerung auf Daten und Funktionen erforderlichen Dienste.
Sie konzentriert sich auf die Kommunikation und Nutzung von gesundheitsbezogene Informationen, die über die Grenzen von Policy-Domains hinweg verteilt werden. Das umfasst die gemeinsame Nutzung von gesundheitsbezogenen Informationen durch nicht miteinander verbundene Anbieter und Organisationen des Gesundheitswesens, Krankenversicherungen, deren Patienten, Mitarbeiter und Handelspartner sowohl durch Einzelpersonen als auch durch Anwendungssysteme im Bereich von einer lokalen zu einer regionalen oder auch nationalen Situation.
Sie legt die erforderlichen komponentenbasierten Begriffe fest und soll deren technische Implementierung unterstützen. Sie legt jedoch nicht fest, wie diese Begriffe in speziellen klinischen Prozessabläufen zu verwenden sind.
Dieser Teil von ISO 22600 führt das zugrundeliegende Paradigma von formalen High-Level-Modellen für Architekturkomponenten ein. Es basiert auf ISO/IEC 10746 (alle Teile) und führt das Domainmodell, das Dokumentmodell, das Policy-Modell, das Rollenmodell, das Autorisierungsmodell, das Delegierungsmodell, das Steuerungsmodell und das Zugriffssteuerungsmodell ein.
Die Spezifikationen werden unter Verwendung der Metasprachen Unified Modelling Language (UML, ge: Ver-einheitlichte Modellierungssprache) und Extensible Markup Language (XML, ge: Erweiterbare Auszeich-nungssprache) angegeben. Zur Erläuterung der Grundsätze werden weitere Diagramme verwendet. Die ver-wendeten Attribute wurden auf das HL7-Referenzinformationsmodell (siehe ISO 21731:2006) und die HL7-Datentypdefinitionen referenziert.
Das Rollenmodell wird nur umrissartig und unter Verweisung auf ISO 21298 vorgestellt.

Informatique de santé - Gestion de privilèges et contrôle d'accès - Partie 2: Modèles formels (ISO 22600-2:2014)

L'ISO 22600 définit les principes de gestion des privilèges et de contrôle d'accès aux données et/ou aux fonctions et spécifie les services nécessaires à ces activités.
Elle se concentre sur la communication et l'utilisation des informations de santé distribuées au-delà des limites d'un domaine de politique. Cela inclut le partage d'informations de santé entre professionnels de santé non affiliés, établissements de santé, sociétés d'assurance-maladie, patients, membres du personnel et partenaires commerciaux, par des individus tout comme par des systèmes d'application utilisés dans un contexte local, voire régional ou même national.
Elle spécifie les concepts nécessaires pour chaque composante et est destinée à faciliter leur mise en oeuvre technique. Elle ne spécifiera pas l'utilisation de ces concepts pour des cheminements de processus cliniques particuliers.
L'ISO 22600-2:2014 constitue une introduction au paradigme sous-jacent de modèles formels de haut niveau pour les composantes architecturales. Elle est basée sur l'ISO/IEC 10746 (toutes les parties) et introduit le modèle de domaine, le modèle de document, le modèle de politique, le modèle de rôle, le modèle d'autorisation, le modèle de délégation, le modèle de contrôle et le modèle de contrôle d'accès.

Zdravstvena informatika - Upravljanje privilegijev in dostopovno krmiljenje - 2. del: Formalni modeli (ISO 22600-2:2014)

Porazdeljena arhitektura informacijskih sistemov v skupni rabi vedno bolj temelji na omrežjih. Za izboljšanje interoperabilnosti se v zadnjih nekaj letih hitro povečuje uporaba standardiziranih uporabniških vmesnikov, orodij in protokolov – in s tem povezana neodvisnost platforme – ter število odprtih informacijskih sistemov, ki temeljijo na poslovnih omrežjih in navideznih zasebnih omrežjih. Ta mednarodni standard v več delih določa storitve za upravljanje privilegijev in dostopovno krmiljenje, ki so potrebne za sporočanje in uporabo porazdeljenih zdravstvenih informacij prek političnih meja in meja domen. Dokument predstavlja načela in določa storitve, ki so potrebne za upravljanje privilegijev in dostopovno krmiljenje. Določa potrebne koncepte za komponente in je namenjen za podporo njihovi tehnični izvedbi. Ne določa uporabe teh konceptov na določenih poteh kliničnih postopkov. Ta mednarodni standard je močno povezan z drugimi dokumenti ISO/TC 215, kot so ISO 17090 »Zdravstvena informatika – Infrastruktura javnih ključev«, ISO 22857 »Zdravstvena informatika – Smernice za zaščito podatkov za omogočanje čezmejnega pretoka osebnih zdravstvenih informacij« in ISO 21091 »Zdravstvena informatika – Imeniške storitve za varnost, komunikacijo in identifikacijo zdravstvenega osebja in pacientov«. Povezan je tudi z dokumentom ISO/TS 21298 »Zdravstvena informatika – Funkcijske in strukturne vloge«. Namen tega mednarodnega standarda je podpora potrebam po skupni rabi zdravstvenih informacij med nepovezanimi izvajalci zdravstvenega varstva, zdravstvenimi organizacijami, podjetji, ki se ukvarjajo z zdravstvenim zavarovanjem, njihovimi pacienti, člani osebja in poslovnimi partnerji. Namen tega mednarodnega standarda je tudi podpora poizvedbam s strani posameznikov in sistemov uporabe. Ta mednarodni standard v več delih določa metode za upravljanje avtorizacije in dostopovno krmiljenje podatkov in/ali funkcij. Omogoča premostitev politike. Temelji na konceptualnem modelu, v katerem so lahko lokalni strežniki za upravljanje avtorizacije in čezmejni imeniški strežnik v pomoč pri dostopovnem krmiljenju v različnih aplikacijah (komponente programske opreme). Ta imeniški strežnik vsebuje informacije o pravilih za dostop do različnih funkcij aplikacij na podlagi vlog in drugih atributov posameznega uporabnika. Omogočen dostop bo temeljil na teh vidikih: overjeni identifikaciji uporabnika;  pravilih za dostop do določenega informacijskega objekta, vključno z namenom uporabe;  pravilih glede atributov za avtorizacijo, povezanih z uporabnikom, ki jih zagotovi upravitelj avtorizacije;  funkcijah določene aplikacije.  Ta mednarodni standard naj bi se uporabljal na lokalni, regionalni ali nacionalni ravni. Eden ključnih delov pri tem je združitev organizacijskih kriterijev s profili avtorizacije na podlagi pisnega sporazuma o politiki, ki ga skleneta obe udeleženi strani. Mednarodni standard podpira sodelovanje med upravitelji avtorizacije, ki lahko delujejo prek organizacijskih in političnih meja. Sodelovanje je določeno v sporazumu o politiki, ki ga podpišejo vse udeležene organizacije in vsebuje nabor pravil za delovanje. Ta mednarodni standard ne vključuje podrobnosti o platformi in izvedbi. Ne določa storitev za tehnično komunikacijo in protokolov, ki so bili vzpostavljeni v drugih standardih. Prav tako ne vključuje tehnik za overjanje. V tem 2. delu standarda je predstavljena temeljna paradigma formalnih modelov visoke ravni za arhitekturne komponente na podlagi standarda ISO/IEC 10746 »Informacijska tehnologija – Odprta porazdeljena obdelava – Referenčni model«. V tem kontekstu so predstavljeni naslednji modeli: model za domene, model za dokumente, model za politiko, model za vloge, model za avtorizacijo, model za delegiranje, model za nadzor in model za dostopovno krmiljenje. Specifikacije so podane s poenotenim jezikom modeliranja za metajezike.

General Information

Status
Published
Publication Date
14-Oct-2014
Withdrawal Date
29-Apr-2015
Current Stage
6060 - Definitive text made available (DAV) - Publishing
Start Date
15-Oct-2014
Completion Date
15-Oct-2014

Buy Standard

Standard
EN ISO 22600-2:2015
English language
35 pages
sale 10% off
Preview
sale 10% off
Preview
e-Library read for
1 day

Standards Content (Sample)


SLOVENSKI STANDARD
01-februar-2015
Zdravstvena informatika - Upravljanje privilegijev in dostopovno krmiljenje - 2. del:
Formalni modeli (ISO 22600-2:2014)
Health informatics - Privilege management and access control - Part 2: Formal models
(ISO 22600-2:2014)
Medizinische Informatik - Privilegienmanagement und Zugriffssteuerung - Teil 2: Formale
Modelle (ISO 22600-2:2014)
Informatique de santé - Gestion de privilèges et contrôle d'accès - Partie 2: Modèles
formels (ISO 22600-2:2014)
Ta slovenski standard je istoveten z: EN ISO 22600-2:2014
ICS:
35.240.80 Uporabniške rešitve IT v IT applications in health care
zdravstveni tehniki technology
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

EUROPEAN STANDARD
EN ISO 22600-2
NORME EUROPÉENNE
EUROPÄISCHE NORM
October 2014
ICS 35.240.80
English Version
Health informatics - Privilege management and access control -
Part 2: Formal models (ISO 22600-2:2014)
Informatique de santé - Gestion de privilèges et contrôle Medizinische Informatik - Privilegienmanagement und
d'accès - Partie 2: Modèles formels (ISO 22600-2:2014) Zugriffssteuerung - Teil 2: Formale Modelle (ISO 22600-
2:2014)
This European Standard was approved by CEN on 22 May 2014.

CEN members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European
Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical references concerning such national
standards may be obtained on application to the CEN-CENELEC Management Centre or to any CEN member.

This European Standard exists in three official versions (English, French, German). A version in any other language made by translation
under the responsibility of a CEN member into its own language and notified to the CEN-CENELEC Management Centre has the same
status as the official versions.

CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia,
Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania,
Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United
Kingdom.
EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION

EUROPÄISCHES KOMITEE FÜR NORMUNG

CEN-CENELEC Management Centre: Avenue Marnix 17, B-1000 Brussels
© 2014 CEN All rights of exploitation in any form and by any means reserved Ref. No. EN ISO 22600-2:2014 E
worldwide for CEN national Members.

Contents Page
Foreword .3
Foreword
This document (EN ISO 22600-2:2014) has been prepared by Technical Committee ISO/TC 215 "Health
informatics" in collaboration with Technical Committee CEN/TC 251 “Health informatics” the secretariat of
which is held by NEN.
This European Standard shall be given the status of a national standard, either by publication of an identical
text or by endorsement, at the latest by April 2015, and conflicting national standards shall be withdrawn at the
latest by April 2015.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. CEN [and/or CENELEC] shall not be held responsible for identifying any or all such patent rights.
According to the CEN-CENELEC Internal Regulations, the national standards organizations of the following
countries are bound to implement this European Standard: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech
Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece,
Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal,
Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the United Kingdom.
Endorsement notice
The text of ISO 22600-2:2014 has been approved by CEN as EN ISO 22600-2:2014 without any modification.

INTERNATIONAL ISO
STANDARD 22600-2
First edition
2014-10-01
Health informatics — Privilege
management and access control —
Part 2:
Formal models
Informatique de santé — Gestion de privilèges et contrôle d’accès —
Partie 2: Modèles formels
Reference number
ISO 22600-2:2014(E)
©
ISO 2014
ISO 22600-2:2014(E)
© ISO 2014
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO 2014 – All rights reserved

ISO 22600-2:2014(E)
Contents Page
Foreword .iv
Introduction .v
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Abbreviated terms . 6
5 Component paradigm . 6
6 Generic models . 7
6.1 Framework . 7
6.2 Domain model . 9
6.3 Document model .10
6.4 Policy model .11
6.5 Role model .14
6.6 Authorization model — Role and privilege assignment .14
6.7 Control model .15
6.8 Delegation model .16
6.9 Access control model .18
Annex A (informative) Functional and structural roles .20
Bibliography .25
ISO 22600-2:2014(E)
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the meaning of ISO specific terms and expressions related to conformity
assessment, as well as information about ISO’s adherence to the WTO principles in the Technical Barriers
to Trade (TBT) see the following URL: Foreword - Supplementary information
The committee responsible for this document is ISO/TC 215, Health informatics.
This first edition of ISO 22600-2 cancels and replaces ISO/TS 22600-2:2006, which has been technically
revised.
ISO 22600 consists of the following parts, under the general title Health informatics — Privilege
management and access control:
— Part 1: Overview and policy management
— Part 2: Formal models
— Part 3: Implementations
iv © ISO 2014 – All rights reserved

ISO 22600-2:2014(E)
Introduction
The distributed architecture of shared care information systems supporting service-oriented
architecture (SOA) is increasingly based on corporate networks and virtual private networks. For
meeting the interoperability challenge, the use of standardized user interfaces, tools, and protocols,
which ensures platform independence, but also the number of really open information systems, is
rapidly growing during the last couple of years.
As a common situation today, hospitals are supported by several vendors providing different applications,
which are not able to communicate authentication and authorization since each has its own way of
handling these functions. For achieving an integrated scenario, it takes a remarkable amount of money,
time, and efforts to get users and changing organizational environments dynamically mapped before
starting communication and cooperation. Resources required for the development and maintenance
of security functions grow exponentially with the number of applications, with the complexity of
organizations towards a regional, national, or even international level, and with the flexibility of users
playing multiple roles, sometimes even simultaneously.
The situation becomes even more challenging when inter-organizational communications happens,
thereby crossing security policy domain boundaries. Moving from one healthcare centre to another or
from country to country, different rules for privileges and their management can apply to similar types
of users, both for execution of particular functions and for access to information. The policy differences
between these domains have to be bridged automatically or through policy agreements, defining sets of
rules followed by the parties involved, for achieving interoperability.
Another challenge to be met is how to improve the quality of care by using IT without infringing the
privacy of the patient. To provide physicians with adequate information about the patient, a virtual
electronic health care record is required which makes it possible to keep track of all the activities
belonging to one patient regardless of where and by whom they have been performed and documented.
In such an environment, a generic model or specific agreement between the parties for managing
privileges and access control including the patient or its representative is needed.
Besides a diversity of roles and responsibilities, typical for any type of large organization, also ethical
a
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.