ISO 17090-1:2013

INTERNATIONAL ISO
STANDARD 17090-1
Second edition
2013-05-01
Health informatics — Public key
infrastructure —
Part 1:
Overview of digital certificate services
Informatique de santé — Infrastructure de clé publique —
Partie 1: Vue d’ensemble des services de certificat numérique
Reference number
ISO 17090-1:2013(E)
©
ISO 2013

---------------------- Page: 1 ----------------------
ISO 17090-1:2013(E)

COPYRIGHT PROTECTED DOCUMENT
© ISO 2013
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO 2013 – All rights reserved

---------------------- Page: 2 ----------------------
ISO 17090-1:2013(E)

Contents Page
Foreword .iv
Introduction .v
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
3.1 Healthcare context terms . 1
3.2 Security services terms . 3
3.3 Public key infrastructure related terms . 6
4 Abbreviations. 9
5 Healthcare context . 9
5.1 Certificate holders and relying parties in healthcare . 9
5.2 Examples of actors .10
5.3 Applicability of digital certificates to healthcare .11
6 Requirements for security services in healthcare applications .12
6.1 Healthcare characteristics .12
6.2 Digital certificate technical requirements in healthcare.13
6.3 Healthcare-specific needs and the separation of authentication from
data encipherment.14
6.4 Health industry security management framework for digital certificates .14
6.5 Policy requirements for digital certificate issuance and use in healthcare .14
7 Public key cryptography .15
7.1 Symmetric vs. asymmetric cryptography .15
7.2 Digital certificates.15
7.3 Digital signatures .15
7.4 Protecting the private key .16
8 Deploying digital certificates .17
8.1 Necessary components .17
8.2 Establishing identity using qualified certificates .18
8.3 Establishing speciality and roles using identity certificates .18
8.4 Using attribute certificates for authorisation and access control .19
9 Interoperability requirements .20
9.1 Overview .20
9.2 Options for deploying healthcare digital certificates across jurisdictions .20
9.3 Option usage .22
Annex A (informative) Scenarios for the use of digital certificates in healthcare .23
Bibliography .38
© ISO 2013 – All rights reserved iii

---------------------- Page: 3 ----------------------
ISO 17090-1:2013(E)

Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of technical committees is to prepare International Standards. Draft International
Standards adopted by the technical committees are circulated to the member bodies for voting.
Publication as an International Standard requires approval by at least 75 % of the member bodies
casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights.
ISO 17090-1 was prepared by Technical Committee ISO/TC 215, Health informatics.
This second edition cancels and replaces the first edition (ISO 17090-1:2008), of which it constitutes a
minor revision.
ISO 17090 consists of the following parts, under the general title Health informatics — Public key
infrastructure:
— Part 1: Overview of digital certificate services
— Part 2: Certificate profile
— Part 3: Policy management of certification authority
Annex A of this part of ISO 17090 is for information only.
iv © ISO 2013 – All rights reserved

---------------------- Page: 4 ----------------------
ISO 17090-1:2013(E)

Introduction
The healthcare industry is faced with the challenge of reducing costs by moving from paper-based
processes to automated electronic processes. New models of healthcare delivery are emphasizing the
need for patient information to be shared among a growing number of specialist healthcare providers
and across traditional organisational boundaries.
Healthcare information concerning individual citizens is commonly interchanged by means of electronic
mail, remote database access, electronic data interchange, and other applications. The Internet provides
a highly cost-effective and accessible means of interchanging information, but it is also an insecure vehicle
that demands additional measures be taken to maintain the privacy and confidentiality of information.
Threats to the security of health information through unauthorised access (either inadvertent or
deliberate) are increasing. It is essential to have available to the healthcare system reliable information
security services that minimise the risk of unauthorised access.
How does the healthcare industry provide appropriate protection for the data conveyed across the
Internet in a practical, cost-effective way? Public key infrastructure (PKI) and digital certificate
technology seek to address this challenge.
The proper deployment of digital certificates requires a blend of technology, policy, and administrative
processes that enable the exchange of sensitive data in an unsecured environment by the use of “public
key cryptography” to protect information in transit and “certificates” to confirm the identity of a person
or entity. In healthcare environments, this technology uses authentication, encipherment, and digital
signatures to facilitate confidential access to, and movement of, individual health records to meet
both clinical and administrative needs. The services offered by the deployment of digital certificates
(including encipherment, information integrity, and digital signatures) are able to address many of
these security issues. This is especially the case if digital certificates are used in conjunction with an
accredited information security standard. Many individual organisations around the world have started
to use digital certificates for this purpose.
Interoperability of digital certificate technology and supporting policies, procedures, and practices
is of fundamental importance if information is to be exchanged between organisations and between
jurisdictions in support of healthcare applications (for example between a hospital and a community
physician working with the same patient).
Achieving interoperability between different digital certificate implementations requires the
establishment of a framework of trust, under which parties responsible for protecting an individual’s
information rights may rely on the policies and practices and, by extension, the validity of digital
certificates issued by other established authorities.
Many countries are deploying digital certificates to support secure communications within their national
boundaries. Inconsistencies will arise in policies and procedures between the certification authorities
(CAs) and the registration authorities (RAs) of different countries if standards development activity is
restricted to within national boundaries.
Digital certificate technology is still evolving in certain aspects that are not specific to healthcare.
Important standardisation efforts and, in some cases, supporting legislation are ongoing. On the other
hand, healthcare providers in many countries are already using or planning to use digital certificates.
This International Standard seeks to address the need for guidance of these rapid international
developments.
This International Standard describes the common technical, operational, and policy requirements that
need to be addressed to enable digital certificates to be used in protecting the exchange of healthcare
information within a single domain, between domains, and across jurisdictional boundaries. Its purpose
is to create a platform for global interoperability. It specifically supports digital certificate-enabled
communication across borders, but could also provide guidance for the national or regional deployment
of digital certificates in healthcare. The Internet is increasingly used as the vehicle of choice to support
the movement of healthcare data between healthcare organisations and is the only realistic choice for
cross-border communication in this sector.
© ISO 2013 – All rights reserved v

---------------------- Page: 5 ----------------------
ISO 17090-1:2013(E)

This International Standard should be approached as a whole, with the three parts all making a
contribution to defining how digital certificates can be used to provide security services in the health
industry, including authentication, confidentiality, data integrity, and the technical capacity to support
the quality of digital signature.
ISO 17090-1 defines the basic concepts underlying the use of digital certificates in healthcare and
provides a scheme of interoperability requirements to establish digital certificate-enabled secure
communication of health information.
ISO 17090-2 provides healthcare specific profiles of digital certificates based on the International
Standard X.509 and the profile of this specified in IETF/RFC 3280 for different types of certificates.
ISO 17090-3 deals with management issues involved in implementing and using digital certificates in
healthcare. It defines a structure and minimum requirements for certificate policies (CPs) and a structure
for associated certification practice statements. ISO 17090-3 is based on the recommendations of the
informational IETF/RFC 3647, Internet X.509 Public Key Infrastructure Certificate Policy and Certification
Practices Framework, and identifies the principles needed in a healthcare security policy for cross border
communication. It also defines the minimum levels of security required, concentrating on the aspects
unique to healthcare.
Comments on the content of this International Standard, as well as comments, suggestions, and
information on the application of these standards may be forwarded to the ISO/TC 215 secretariat.
vi © ISO 2013 – All rights reserved

---------------------- Page: 6 ----------------------
INTERNATIONAL STANDARD ISO 17090-1:2013(E)
Health informatics — Public key infrastructure —
Part 1:
Overview of digital certificate services
1 Scope
This part of ISO 17090 defines the basic concepts underlying the use of digital certificates in healthcare
and provides a scheme of interoperability requirements to establish a digital certificate-enabled secure
communication of health information. It also identifies the major stakeholders who are communicating
health-related information, as well as the main security services required for health communication
where digital certificates may be required.
This part of ISO 17090 gives a brief introduction to public key cryptography and the basic components
needed to deploy digital certificates in healthcare. It further introduces different types of digital
certificates — identity certificates and associated attribute certificates for relying parties, self-signed
certification authority (CA) certificates, and CA hierarchies and bridging structures.
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and are
indispensable for its application. For dated references, only the edition cited applies. For undated
references, the latest edition of the referenced document (including any amendments) applies.
ISO 17090-2:2008, Health informatics — Public key infrastructure — Part 2: Certificate profile
ISO 17090-3:2008, Health informatics — Public key infrastructure — Part 3: Policy management of
certification authority
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
3.1 Healthcare context terms
3.1.1
application
identifiable computer running software process that is the holder of a private encipherment key
Note 1 to entry: Application, in this context, can be any software process used in healthcare information systems,
including those without any direct role in treatment or diagnosis.
Note 2 to entry: In some jurisdictions, including software, processes can be regulated medical devices.
3.1.2
device
identifiable computer-controlled apparatus or instrument that is the holder of a private encipherment key
Note 1 to entry: This includes the class of regulated medical devices that meet the above definition.
Note 2 to entry: Device, in this context, is any device used in healthcare information systems, including those
without any direct role in treatment or diagnosis.
© ISO 2013 – All rights reserved 1

---------------------- Page: 7 ----------------------
ISO 17090-1:2013(E)

3.1.3
healthcare actor
regulated health professional, non-regulated health professional, sponsored healthcare provider,
supporting organisation employee, patient/consumer, healthcare organisation, device, or application
that acts in a health-related communication and requires a certificate for a digital certificate-enabled
security service
3.1.4
healthcare organisation
officially registered organisation that has a main activity related to healthcare services or health promotion
EXAMPLE Hospitals, Internet healthcare website providers, and healthcare research institutions.
Note 1 to entry: The organisation is recognised to be legally liable for its activities but need not be registered for
its specific role in health.
Note 2 to entry: An internal part of an organisation is called here an organisational unit, as in X.501.
3.1.5
non-regulated health professional
person employed by a healthcare organisation who is not a regulated health professional
EXAMPLE Medical receptionist who organises appointments or nurses aid who assists with patient care.
Note 1 to entry: The fact that the employee is not authorised by a body independent of the employer in his/her
professional capacity does, of course, not imply that the employee is not professional in conducting his/her services.
3.1.6
organisation employee
person employed by a healthcare organisation or a supporting organisation
EXAMPLE Medical records transcriptionists, healthcare insurance claims adjudicators, and pharmaceutical
order entry clerks.
3.1.7
patient
consumer
person who is the receiver of health-related services and who is an actor in a health information system
3.1.8
privacy
freedom from intrusion into the private life or affairs of an individual when that intrusion results from
undue or illegal gathering and use of data about that individual
[SOURCE: ISO/IEC 2382-8:1998]
3.1.9
regulated health professional
person who is authorised by a nationally recognised body to be qualified to perform certain health services
EXAMPLE Physicians, registered nurses, and pharmacists.
Note 1 to entry: The types of registering or accrediting bodies differ in different countries and for different
professions. Nationally recognised bodies include local or regional governmental agencies, independent
professional associations, and other formally and nationally recognised organisations. They may be exclusive or
non-exclusive in their territory.
Note 2 to entry: A nationally recognised body in this definition does not imply one nationally controlled system
of professional registration but, in order to facilitate international communication, it would be preferable for one
nationwide directory of recognised health professional registration bodies to exist.
2 © ISO 2013 – All rights reserved

---------------------- Page: 8 ----------------------
ISO 17090-1:2013(E)

3.1.10
sponsored healthcare provider
health services provider who is not a regulated professional in the jurisdiction of his/her practice, but
who is active in his/her healthcare community and sponsored by a regulated healthcare organisation
EXAMPLE A drug and alcohol education officer who is working with a particular ethnic group, or a healthcare
aid worker in a developing country.
3.1.11
supporting organisation
officially registered organisation which is providing services to a healthcare organisation, but which is
not providing healthcare services
EXAMPLE Healthcare financing bodies such as insurance institutions, suppliers of pharmaceuticals and
other goods.
3.2 Security services terms
3.2.1
access control
means of ensuring that the resources of a data processing system can be accessed only by authorised
entities in authorised ways
[SOURCE: ISO/IEC 2382-8:1998]
3.2.2
accountability
property that ensures that the actions of an entity may be traced uniquely to the entity
[SOURCE: ISO 7498-2:1989]
3.2.3
asymmetric cryptographic algorithm
algorithm for performing encipherment or the corresponding decipherment in which the keys used for
encipherment and decipherment differ
[SOURCE: ISO/IEC 10181-1:1996]
3.2.4
authentication
process of reliably identifying security subjects by securely associating an identifier and its authenticator
[SOURCE: ISO 7498-2:1989]
Note 1 to entry: See also data origin authentication and peer entity authentication.
3.2.5
authorisation
granting of rights, which includes the granting of access based on access rights
[SOURCE: ISO 7498-2:1989]
3.2.6
availability
property of being accessible and useable upon demand by an authorised entity
[SOURCE: ISO 7498-2:1989]
© ISO 2013 – All rights reserved 3

---------------------- Page: 9 ----------------------
ISO 17090-1:2013(E)

3.2.7
ciphertext
data produced through the use of encipherment, the semantic content of which is not available
Note 1 to entry: Adapted from ISO 7498-2:1989.
3.2.8
confidentiality
property that information is not made available or disclosed to unauthorised individuals, entities, or
processes
[SOURCE: ISO 7498-2:1989]
3.2.9
cryptography
discipline which embodies principles, means, and methods for the transformation of data in order to
hide its information content, prevent its undetected modification, and/or prevent its unauthorised use
[SOURCE: ISO 7498-2:1989]
3.2.10
cryptographic algorithm
cipher
method for the transformation of data in order to hide its information content, prevent its undetected
modification, and/or prevent its unauthorised use
[SOURCE: ISO 7498-2:1989]
3.2.11
data integrity
property that data have not been altered or destroyed in an unauthorised manner
[SOURCE: ISO 7498-2:1989]
3.2.12
data origin authentication
corroboration that the source of data received is as claimed
[SOURCE: ISO 7498-2:1989]
3.2.13
decipherment
decryption
process of obtaining, from a ciphertext, the original corresponding data
[SOURCE: ISO/IEC 2382-8:1998]
Note 1 to entry: A ciphertext may be enciphered a second time, in which case a single decipherment does not
produce the original plaintext.
3.2.14
digital signature
data appended to, or a cryptographic transformation of, a data unit that allows a recipient of the data
unit to prove the source and integrity of the data unit and protect against forgery, e.g. by the recipient
[SOURCE: ISO 7498-2:1989]
Note 1 to entry: See cryptography.
4 © ISO 2013 – All rights reserved

---------------------- Page: 10 ----------------------
ISO 17090-1:2013(E)

3.2.15
encipherment
encryption
cryptographic transformation of data to produce ciphertext
[SOURCE: ISO 7498-2:1989]
Note 1 to entry: See cryptography.
3.2.16
identification
performance of tests to enable a data processing system to recognise entities
[SOURCE: ISO/IEC 2382-8:1998]
3.2.17
identifier
piece of information used to claim an identity, before a potential corroboration by a corresponding
authenticator
[SOURCE: ENV 13608-1]
3.2.18
integrity
proof that the message content has not been altered, deliberately or accidentally, in any way during
transmission
Note 1 to entry: Adapted from ISO 7498-2:1989.
3.2.19
key
sequence of symbols that controls the operations of encipherment and decipherment
[SOURCE: ISO 7498-2:1989]
3.2.20
key management
generation, storage, distribution, deletion, archiving, and application of keys in accordance with a
security policy
[SOURCE: ISO 7498-2:1989]
3.2.21
non-repudiation
service providing proof of the integrity and origin of data (both in an unforgeable relationship), which
can be verified by any party
[19]
Note 1 to entry: Adapted from Reference.
3.2.22
private key
key that is used with an asymmetric cryptographic algorithm and whose possession is restricted
(usually to only one entity)
[SOURCE: ISO/IEC 10181-1:1996]
3.2.23
public key
key that is used with an asymmetric cryptographic algorithm and that can be made publicly available
[SOURCE: ISO/IEC 10181-1:1996]
© ISO 2013 – All rights reserved 5

---------------------- Page: 11 ----------------------
ISO 17090-1:2013(E)

3.2.24
role
set of behaviours that is associated with a task
3.2.25
security
combination of availability, confidentiality, integrity, and accountability
[SOURCE: ENV 13608-1]
3.2.26
security policy
plan or course of action adopted for providing computer security
[SOURCE: ISO/IEC 2382-8:1998]
3.2.27
security service
service, provided by a layer of communicating open systems, which ensures adequate security of the
systems or of data transfers
[SOURCE: ISO 7498-2:1989]
3.3 Public key infrastructure related terms
3.3.1
attribute authority
AA
authority which assigns privileges by issuing attribute certificates
[SOURCE: X.509]
3.3.2
attribute certificate
data structure, digitally signed by an attribute authority, that binds some attribute values with
identification about its holder
[SOURCE: X.509]
3.3.3
authority certificate
certificate issued to a certification authority or to an attribute authority
Note 1 to entry: Adapted from X.509.
3.3.4
certificate
public key certificate
3.3.5
certificate distribution
act of publishing certificates and transferring certificates to security subjects
3.3.6
certificate extension
extension fields (known as extensions) in X.509 certificates that provide methods for associating
additional attributes with users or public keys and for managing the certification hierarchy
Note 1 to entry: Certificate extensions may be either critical (i.e. a certificate-using system has to reject the
certificate if it encounters a critical extension it does not recognise) or non-critical (i.e. it may be ignored if the
extension is not recognised).
6 © ISO 2013 – All rights reserved

---------------------- Page: 12 ----------------------
ISO 17090-1:2013(E)

3.3.7
certificate generation
act of creating certificates
3.3.8
certificate management
procedures relating to certificates, i.e. certificate generation, certificate distribution, certificate
archiving and revocation
3.3.9
certificate profile
specification of the structure and permissible content of a certificate type
3.3.10
certificate revocation
act of removing any reliable link between a certificate and its related owner (or security subject owner)
because the certificate is not trusted any more, even though it is unexpired
3.3.11
certificate holder
entity that is named as the subject of a valid certificate
3.3.12
certificate verification
verifying that a certificate is authentic
3.3.13
certification
procedure by which a third party gives assurance that all or part of a data processing system conforms
to security requirements
[SOURCE: ISO/IEC 2382-8:1998]
3.3.14
certification authority
CA
certificate issuer
authority trusted by one or more relying parties to create and assign certificates and which may,
optionally, create the relying parties’ keys
Note 1 to entry: Adapted from ISO/IEC 9594-8:2008.
Note 2 to entry: Authority in the CA term does not imply any government authorisation but only denotes that
it is trusted.
Note 3 to entry: Certificate issuer may be a better term, but CA is very widely used.
3.3.15
certificate policy
CP
named set of rules that indicates the applicability of a certificate to a particular community and/or class
of application with common security requirements
[SOURCE: IETF/RFC 3647]
3.3.16
certification practices statement
CPS
statement of the practices which a certification authority employs in issuing certificates
[SOURCE: IETF/RFC 3647]
© ISO 2013 – All rights reserve
...