Information technology — Cross-jurisdictional and societal aspects of implementation of biometric technologies — Use of biometrics for identity management in healthcare

This document describes potential applications of biometrics in identity management systems used for medical and healthcare purposes. It provides feedback from healthcare practitioners on the advantages, disadvantages, risks and priority of implementing certain use cases of healthcare with biometrics. For those use cases, information related to the selection of biometric type and associated measures related to security and privacy protection is provided to system designers. The document concentrates on aspects of the subject which apply to the good management of healthcare services for patients who need monitoring, treatment and care in hospitals, clinics or at home, but can be incapacitated. It does not cover the measurement and interpretation of symptoms and biological data for the purposes of medical treatment or research. The document is intended to be useful for the management of public and private healthcare systems anywhere in the world, and to commercial providers of identity management services and equipment. It is also potentially relevant to regulatory stakeholders addressing issues of privacy and legality, and the assessment of potential vulnerabilities in biometrics and identity management systems applied in the healthcare sector.

Technologies de l'information — Aspects sociétaux et interjuridictionnels de la mise en œuvre des technologies biométriques — Utilisation de la biométrie pour la gestion de l'identité en santé

General Information

Status: Published
Publication Date: 21-Nov-2024
Current Stage: 6060 - International Standard published
Start Date: 22-Nov-2024
Due Date: 22-Nov-2024
Completion Date: 22-Nov-2024

Technical specification
ISO/IEC TS 21419:2024 - Information technology — Cross-jurisdictional and societal aspects of implementation of biometric technologies — Use of biometrics for identity management in healthcare
Released: 11/22/2024
English language
25 pages

Standards Content (Sample)


Technical Specification
ISO/IEC TS 21419
First edition
2024-11
Information technology — Cross-jurisdictional and societal aspects of implementation of biometric technologies — Use of biometrics for identity management in healthcare
Reference number
© ISO/IEC 2024
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviated terms
5 Identity management in the context of healthcare-related implementation issues
5.1 Problems for identity management in healthcare
5.1.1 Overview
5.1.2 Availability of essential medical records
5.1.3 Integration and acceptance of patient treatment recording in private homes
5.1.4 Medical facility verification of patient identity
5.1.5 Identity theft for access to medical treatment and related benefits
5.1.6 Proper vetting of medical and ancillary staff
5.1.7 Effective correlation of patient data needed for medical and pharmaceutical research
5.2 How this document can address these problems
6 Potential advantages of using appropriately designed biometric systems
7 Healthcare use cases where biometrics can potentially bring value
7.1 General
7.2 Priority group 1
7.2.1 Use case 5: Fast checking of patient identity in a hospital
7.2.2 Use case 7: eHealth: remote monitoring of patient
7.3 Priority group 2
7.3.1 Use case 1: Global logical access control of medical staff in the hospital
7.4 Priority Group 3
7.4.1 Use case 2: Teleconsultation
7.4.2 Use case 8: Patient authentication for public health, vaccination
7.4.3 Use case 9: Identification of citizens in public health to monitor a pandemic situation
7.5 Priority Group 4
7.5.1 Use case 3: Local logical access control of medical staff in the hospital
7.6 Priority Group 5
7.6.1 Use case 4: Physical access control to restricted zones in the hospital
7.6.2 Use case 6: Registration and control of medical practitioners
8 Technical design and implementation — challenges and guidance
8.1 Guidance on identity management in healthcare
8.2 Guidance on medical record sharing
8.3 Guidance on secure and consistent recording for patient treatment at home
9 Limitations on the use of biometrics for identity management in healthcare
10 Coherent frameworks for identity management and use of biometrics in healthcare
Annex A (informative) Medical practitioners poll
Bibliography

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical activity.
ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations,
governmental and non-governmental, in liaison with ISO and IEC, also take part in the work.
The procedures used to develop this document and those intended for its further maintenance are described
in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types
of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC
Directives, Part 2 (see www.iso.org/directives or www.iec.ch/members_experts/refdocs).
ISO and IEC draw attention to the possibility that the implementation of this document may involve the
use of (a) patent(s). ISO and IEC take no position concerning the evidence, validity or applicability of any
claimed patent rights in respect thereof. As of the date of publication of this document, ISO and IEC had not
received notice of (a) patent(s) which may be required to implement this document. However, implementers
are cautioned that this may not represent the latest information, which may be obtained from the patent
database available at www.iso.org/patents and https://patents.iec.ch. ISO and IEC shall not be held
responsible for identifying any or all such patent rights.
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions
related to conformity assessment, as well as information about ISO's adherence to the World Trade
Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www.iso.org/iso/foreword.html.
In the IEC, see www.iec.ch/understanding-standards.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 37, Biometrics.
Any feedback or questions on this document should be directed to the user’s national standards
body. A complete listing of these bodies can be found at www.iso.org/members.html and
www.iec.ch/national-committees.

Introduction
The purpose of this document is to raise awareness of the potential role of biometrics in identity management
for medical and healthcare use, to analyze a number of use cases, and to provide feedback from healthcare
practitioners on the use of biometrics in the cases selected.
To date, there has been little use of biometrics in support of healthcare provision in Western Europe.
However, the use of biometrics is already starting to spread in other regions. Trials conducted in certain
developing countries have shown positive trends and provided useful experience. The use of biometrics
presents potentially great advantages in the following situations:
— for patients in enabling consistency of treatment between visits to different places of care;
— for hospital management in the simplification of procedures for ensuring the correct identity of patients at
various stages of treatment, and in managing medical and support staff and recording their interactions
with individual patients;
— in support of medical and pharmaceutical research, for the reliable correlation of anonymous records
collected over time and across different locations from the treatment of consenting patients, with the
assurance that these records (and the use of biometrics) cannot in context reveal the patient's personal
identity.
In all of these examples, the use of biometrics should be combined with proven security techniques, and data
protection procedures.
A large new field for the use of biometrics in healthcare is now opening, with the use of smartphones and
other mobile devices for people monitoring their own health and physical activity at home and abroad. Used
securely, with proper privacy protection for personal data, this can enable remote interaction with medical
and support staff, and provide access for individuals to their own medical records.

Technical Specification ISO/IEC TS 21419:2024(en)
Information technology — Cross-jurisdictional and societal
aspects of implementation of biometric technologies — Use of
biometrics for identity management in healthcare
1 Scope
This document describes potential applications of biometrics in identity management systems used for
medical and healthcare purposes. It provides feedback from healthcare practitioners on the advantages,
disadvantages, risks and priority of implementing certain use cases of healthcare with biometrics. For those
use cases, information related to the selection of biometric type and associated measures related to security
and privacy protection is provided to system designers.
The document concentrates on aspects of the subject which apply to the good management of healthcare
services for patients who need monitoring, treatment and care in hospitals, clinics or at home, but can be
incapacitated. It does not cover the measurement and interpretation of symptoms and biological data for the
purposes of medical treatment or research.
The document is intended to be useful for the management of public and private healthcare systems
anywhere in the world, and to commercial providers of identity management services and equipment. It
is also potentially relevant to regulatory stakeholders addressing issues of privacy and legality, and the
assessment of potential vulnerabilities in biometrics and identity management systems applied in the
healthcare sector.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content constitutes
requirements of this document. For dated references, only the edition cited applies. For
...
