ISO/TS 6268-1:2025
Health informatics — Cybersecurity framework for telehealth environments — Part 1: Overview and concepts
This document provides a concept and overview of the overall cybersecurity framework for systems and services applied to telehealth. This document contains a general description of:
— concept and introduction of telehealth cybersecurity;
— actors of telehealth services;
— activities of telehealth services;
— environments of telehealth services;
— variables of telehealth security.
Informatique de santé — Cadre en matière de cybersécurité pour les environnements de télésanté — Partie 1: Vue d'ensemble et concepts
Technical Specification
ISO/TS 6268-1
First edition
2025-02
Health informatics — Cybersecurity framework for telehealth environments —
Part 1: Overview and concepts
Informatique de santé — Cadre en matière de cybersécurité pour les environnements de télésanté —
Partie 1: Vue d'ensemble et concepts
Reference number
© ISO 2025
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Contents  Page
Foreword  iv
Introduction  v
1 Scope  1
2 Normative references  1
3 Terms and definitions  1
4 Overview of cybersecurity framework for telehealth  5
4.1 Concepts of telehealth cybersecurity  5
4.2 Actors of telehealth services  6
4.3 Activities of telehealth services  7
4.4 Environment of telehealth services  8
4.5 Parameters of telehealth cybersecurity  8
Bibliography  10
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out through
ISO technical committees. Each member body interested in a subject for which a technical committee
has been established has the right to be represented on that committee. International organizations,
governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely
with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are described
in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types
of ISO document should be noted. This document was drafted in accordance with the editorial rules of the
ISO/IEC Directives, Part 2 (see www.iso.org/directives).
ISO draws attention to the possibility that the implementation of this document may involve the use of (a)
patent(s). ISO takes no position concerning the evidence, validity or applicability of any claimed patent
rights in respect thereof. As of the date of publication of this document, ISO had not received notice of (a)
patent(s) which may be required to implement this document. However, implementers are cautioned that
this may not represent the latest information, which may be obtained from the patent database available at
www.iso.org/patents. ISO shall not be held responsible for identifying any or all such patent rights.
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions
related to conformity assessment, as well as information about ISO’s adherence to the World Trade
Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/TC 215, Health informatics.
A list of all parts in the ISO/TS 6268 series can be found on the ISO website.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html.
Introduction
Telehealth once provided a limited range of services to subjects of care in specific environments. However,
the scope of telehealth services is rapidly expanding through advanced ICT such as mobile-based, cloud-
based and other network-based applications. Additionally, emerging global pandemics have acutely
increased the need to diagnose, prevent, monitor, treat or mitigate diseases and injuries without face-to-
face, in-person contact between subjects of care and care providers, making telehealth a more commonly
accepted medical practice.
These services can be described as telehealth services because information and communication technology
services are being used to support healthcare activities. Telehealth services can include but are not limited
to telemedicine, telecare, mHealth (healthcare supported by mobile devices), remote use of medical
applications, tele-monitoring, tele-diagnostics and virtual care. Examples of health services include but
are not limited to tele-pathology, tele-dermatology, tele-cardiology, tele-rehabilitation, tele-oncology, and
tele-orthopaedics. Healthcare activities that directly or indirectly support care recipients include but are
not limited to teleconsultation, telephone advice, health alarm systems and health status monitoring at
home. Telehealth services can support immediate healthcare activities using synchronous communications
services such as a telephone or video conversation, or delayed health care activities using asynchronous
communications services such as messaging services.[4]
Furthermore, depending on the perspective from which telehealth is viewed, the subcategories of telehealth
can vary. Physicians are familiar with the division of telehealth into medical departments. Medical IT
experts will look at telehealth according to system topology and network. When it comes to telehealth in
cybersecurity, it is necessary to consider telehealth actors, the interactions between each actor, data flow, the service
environment, and technology. Therefore, establishing the concepts and models of telehealth cybersecurity is
the first step in building a framework for cybersecurity in telehealth environments.
Telehealth cybersecurity concepts and models serve as a baseline for identifying cybersecurity threats and
countermeasures. Telehealth cybersecurity countermeasures need to consider not only technical aspects,
but also management and physical approaches to operating telehealth services. This is because telehealth
cybersecurity addresses interactions between multiple actors physically located in environments with
different levels of cybersecurity. The cybersecurity policies and processes inherited by each actor can
also act as a variable in the overall cybersecurity posture.
Another consideration for a telehealth cybersecurity framework is the interaction of health information
systems with remote medical devices. It would be desirable to present a methodology to assess and respond
to the overall risks by integrating the risks of medical devices from a safety perspective and the risks of
telehealth services from a cybersecurity perspective.
The cybersecurity framework for telehealth environments is structured as follows:
— Part 1: Overview and concepts;
— Part 2: Cybersecurity reference model of telehealth;
— Part 3: Cybersecurity requirements for telehealth.
This document contains general definitions of the concepts applied across the entire series, together with brief
descriptions of the overall document structure. It explains the main components of each
part and, through this, provides the overall organization of the series and a quick understanding of it.
Technical Specification ISO/TS 6268-1:2025(en)
Health informatics — Cybersecurity framework for telehealth environments —
Part 1: Overview and concepts
1 Scope
This document provides a concept and overview of the overall cybersecurity framework for systems and
services applied to telehealth.
This document contains a general description of:
— concept and introduction of telehealth cybersecurity;
— actors of telehealth services;
— activities of telehealth services;
— environments of telehealth services;
— variables of telehealth security.
2 Normative references
There are no normative references in this document.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1
care
interactions between a care recipient (3.3) and a healthcare actor (3.5) to benefit the health state of the care
recipient
Note 1 to entry: The term care is frequently used in combination with other words, such as healthcare (3.4) or care
recipient.
Note 2 to entry: Care also includes interactions between caregivers (3.2) who are not healthcare professionals, such as
informal caregivers.
[SOURCE: ISO 13131:2021, 3.3.3]
3.2
caregiver
carer
individual who is entrusted with the direct or indirect provision of defined healthcare services (3.7) to an
individual subject of care (3.18) or to populations
[SOURCE: ISO/TS 21089:2018, 3.30]
3.3
care recipient
healthcare actor (3.5) with a person role, who seeks to receive, is receiving or has received healthcare (3.4)
[SOURCE: ISO 13131:2021, 3.2.2, modified — Other preferred and admitted terms were removed.]
3.4
healthcare
care activities, services, or supplies related to the health of an individual
[SOURCE: ISO 13940:2015, 3.1.1, modified — “management” removed from definition and Note to entry
removed.]
3.5
healthcare actor
organization (3.9) or person participating in healthcare (3.4)
Note 1 to entry: An individual person may be regarded as a legal entity in some situations depending on the service
being delivered and the relevant national legislation.
[SOURCE: ISO 13940:2015, 5.2]
3.6
healthcare delivery organization
HDO
facility or enterprise such as a clinic or hospital that provides healthcare services (3.7)
[SOURCE: ISO 81001-1:2021, 3.1.4]
3.7
healthcare service
service (3.17) that is the result of a healthcare (3.4) process (3.13)
[SOURCE: ISO 13940:2015, 8.2.6]
3.8
medical device
instrument, apparatus, implement, machine, appliance, implant, reagent for in vitro use, software, material
or other similar or related article, intended by the manufacturer to be used, alone or in combination, for
human beings, for one or more of the specific medical purpose(s) of:
— diagnosis, prevention, monitoring, treatment or alleviation of disease;
— diagnosis, monitoring, treatment, alleviation of or compensation for an injury;
— investigation, replacement, modification, or support of the anatomy or of a physiological process;
— supporting or sustaining life;
— control of conception;
— disinfection of medical devices;
— providing information by means of in vitro examination of specimens derived from the human body;
and that does not achieve its primary intended action by pharmacological, immunological or metabolic
means, in or on the human body, but which may be assisted in its intended function by such means
[SOURCE: ISO 13485:2016, 3.11, modified — Note to entry was removed.]
3.9
organization
person or group of people that has its own functions with responsibilities, authorities and relationships to
achieve its objectives
Note 1 to entry: An organization can in some cases be a single health professional.
[SOURCE: ISO 9000:2015, 3.2.1, modified — original Notes to entry were removed and a new note was added.]
3.10
personal health device
PHD
device used in personal health applications
[SOURCE: IEEE 11073-10408:2008, 3.1.11]
3.11
platform
combination of an operating system and hardware that makes up the operating environment in which a
program runs
[SOURCE: ISO/IEC/IEEE 26513:2017, 3.30]
3.12
procedure
specified way to carry out an activity or process (3.13)
[SOURCE: ISO 9000:2015, 3.4.5, modified — Note to entry was removed.]
3.13
process
set of interrelated or interacting activities that use inputs to deliver an intended result
[SOURCE: ISO 900
...