Health informatics — Public key infrastructure — Part 5: Authentication using Healthcare PKI credentials

ISO 17090-5:2017 defines the procedural requirements for validating an entity credential based on Healthcare PKI defined in the ISO 17090 series used in healthcare information systems including accessing remote systems. Authorization procedures and protocols are out of scope of this document. The data format of digital signatures is also out of scope of this document.

General Information

Status: Published
Publication Date: 07-Aug-2017
Current Stage: 9093 - International Standard confirmed
Completion Date: 19-Jan-2023

Buy Standard

ISO 17090-5:2017 - Health informatics -- Public key infrastructure -- Part 5: Authentication using Healthcare PKI credentials (English language, 13 pages)

Standards Content (Sample)

INTERNATIONAL STANDARD ISO 17090-5
First edition 2017-07
Health informatics — Public key infrastructure — Part 5: Authentication using Healthcare PKI credentials
Reference number ISO 17090-5:2017(E)
© ISO 2017

COPYRIGHT PROTECTED DOCUMENT
© ISO 2017, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
ii © ISO 2017 – All rights reserved

Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviated terms
5 Scope of application
5.1 General
5.2 Target systems
5.3 Phases of method identification
5.4 Threats and vulnerabilities
6 Validation procedures for HPKI credentials
Annex A (informative) Examples of authentication technology with available X.509 certification as credentials
Annex B (informative) Appropriate use of authentication certificates
Bibliography

Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO’s adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following
URL: www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/TC 215, Health informatics.
A list of all parts in the ISO 17090 series can be found on the ISO website.

Introduction
The healthcare industry is faced with the challenge of reducing costs by moving from paper-based
processes to automated electronic processes. New models of healthcare delivery are emphasizing the
need for patient information to be shared among a growing number of specialist healthcare providers
and across traditional organizational boundaries.
Healthcare information concerning individual citizens is commonly interchanged by means of
electronic mail, remote database access, electronic data interchange and other applications. The
Internet provides a highly cost-effective and accessible means of interchanging information, but it
is also an insecure vehicle that demands additional measures be taken to maintain the privacy and
confidentiality of information. Threats to the security of health information through unauthorized
access (either inadvertent or deliberate) are increasing. It is essential to have available to the healthcare
system reliable information security services that minimize the risk of unauthorized access.
How does the healthcare industry provide appropriate protection for the data conveyed across the
Internet in a practical, cost-effective way? Public key infrastructure (PKI) and digital certificate
technology seek to address this challenge.
The proper deployment of digital certificates requires a blend of technology, policy and administrative
processes that enable the exchange of sensitive data in an unsecured environment by the use of
“public key cryptography” to protect information in transit and “certificates” to confirm the identity
of a person or entity. In healthcare environments, this technology uses authentication, encipherment
and digital signatures to facilitate confidential access to, and movement of, individual health records
to meet both clinical and administrative needs. The services offered by the deployment of digital
certificates (including encipherment, information integrity and digital signatures) are able to address
many of these security issues. This is especially the case if digital certificates are used in conjunction
with an accredited information security standard. Many individual organizations around the world
have started to use digital certificates for this purpose.
Interoperability of digital certificate technology and supporting policies, procedures and practices
is of fundamental importance if information is to be exchanged between organizations and between
jurisdictions in support of healthcare applications (for example, between a hospital and a community
physician working with the same patient).
Achieving interoperability between different digital certificate implementations requires the
establishment of a framework of trust, under which parties responsible for protecting an individual’s
information rights may rely on the policies and practices and, by extension, the validity of digital
certificates issued by other established authorities.
Many countries are deploying digital certificates to support secure communications within their
national boundaries. Inconsistencies will arise in policies and procedures between the certification
authorities (CAs) and the registration authorities (RAs) of different countries if standards development
activity is restricted to within national boundaries.
Digital certificate technology is still evolving in certain aspects that are not specific to healthcare.
Important standardization efforts and, in some cases, supporting legislation are ongoing. On the
other hand, healthcare providers in many countries are already using or planning to use digital
certificates. This document seeks to address the need for guidance to support these rapid international
developments. While underlying security standards address methods for verification, requirements for
secure verification processes to support healthcare purposes are not defined.
This document describes the procedural requirements for validating an entity credential based on the
Healthcare PKI defined in the ISO 17090 series and used in healthcare information systems. Although the
cryptographic operations used in the authentication process and in the digital signature process are
the same, authentication and signature have different meanings. Systems and software therefore need to
prevent users from misusing private keys and certificates, especially where both keys are held on one
secure token. This document describes the requirements for mitigating threats and vulnerabilities in
authentication processes that use Healthcare PKI credentials.
1 Scope
This document defines the procedural requirements for validating an entity credential based on
Healthcare PKI defined in the ISO 17090 series used in healthcare information systems including
accessing remote systems. Authorization procedures and protocols are out of scope of this document.
The data format of digital signatures is also out of scope of this document.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO 17090-1, Health informatics — Public key infrastructure — Part 1: Overview of digital certificate
services
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO 17090-1 apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at http://www.iso.org/obp
— IEC Electropedia: available at http://www.electropedia.org/
4 Abbreviated terms
For the purposes of this document, the following abbreviated terms apply.
CRL Certificate Revocation List
CSP Cryptographic Service Provider
HPKI Healthcare Public Key Infrastructure
OCSP Online Certificate Status Protocol
OID Object Identifier
PC/SC Personal Computer/Smart Card
PKCS Public-Key Cryptography Standards

5 Scope of application
5.1 General
A healthcare information system authenticates healthcare organizations or professionals in order to
control access to healthcare information such as an EHR or PHR.
An inadequate verification process in end-entity authentication increases the risk of spoofing,
impersonation and other identity-based attacks, which can lead to security incidents such as leakage of
critical information and misuse of systems and data.
This document describes the target systems, methods of identification, threats, vulnerabilities and
controls for health software that authenticates using PKI based on the ISO 17090 series. These controls
reduce the risk of spoofing.
5.2 Target systems
The target systems of this document are as follows:
a) digital signature library with digital signature creation function and digital signature verification
function for healthcare application;
b) digital signature creation program and digital signature verification program as stand-alone
software or with healthcare application.
Examples of authentication technology to which healthcare PKI can be applied are shown in Annex A.
The following are out of scope:
— healthcare application that does not process digital signature data directly;
— healthcare application that processes digital signature and the result of signature verification with
digital signature library, specific digital signature program or specific digital signature verification
program;
— application interface and user interface within client environment;
— cryptographic library layer, e.g. CSP or PKCS#11, and any subsequent token access layers as depicted
in Figure 1.
Figure 1 illustrates an example of software layers for web-based applications. A digital signature based
application may have the same structure. According to ISO 17090-3, it is assumed that “Storage modules
of the end entity subscriber private key shall conform to standards of levels equal to or higher than US
FIPS 140-2 level 1”. Therefore, in addition to the smart card, as illustrated in Figure 1, a system may use
other tokens, such as a USB token or a software token, for the storage modules of the private key.

Figure 1 — Example of processing layer
5.3 Phases of method identification
The authentication process with Healthcare Public Key Infrastructure (HPKI) is composed of three
phases as shown in Figure 2: (1) the preparation phase, (2) the configuration phase, (3) and the
authentication phase.
Figure 2 — Relationship between the three phases of an authentication process with HPKI
The preparation phase is carried out first, followed by the configuration phase and then the
authentication phase; thereafter only the authentication phase is repeated.
(1) Preparation phase
The preparation phase is composed of two steps (see Figure 3):

(1-1): The Certificate Authority creates a certificate for the public key corresponding to the
subscriber's private key, which is stored on a secure token (smart card, etc.) as the credential. The
token is required to conform to FIPS 140-2 level 1 or higher, a requirement that can also be met on
mobile devices; details are given in ISO 17090-3.
(1-2): The Certificate Authority issues the certificate to the subscriber.
Figure 3 — Preparation phase
The trust anchor of the certificate authority is stored in the repository beforehand.
(2) Configuration phase
The configuration phase is composed of two steps (see Figure 4):
(2-1): Server retrieves certificate authority’s certi
...
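The three phases of 5.3 as an added, self-contained example. This is not code from ISO 17090-5 and does not reproduce its clause 6 validation procedures (the sample text on this page breaks off at step 2-1); it is written here in Go using only the standard library to show the shape of the process. The preparation phase issues a certificate for a key held on a simulated token, the configuration phase installs the CA certificate as the server's trust anchor, and the authentication phase checks the chain, the validity period, the key usage and a signature over a fresh nonce before accepting the login. The subject names, the 24 h lifetime, ECDSA P-256, and the certificate profiles (digitalSignature + clientAuth for an authentication certificate, contentCommitment + emailProtection for a signature-only certificate) are assumptions made for this example; revocation checking is deliberately left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on setup errors (key generation, issuance) to keep the demo short.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// tmpl and issue are local helpers; subject names and the 24 h lifetime are assumptions.
func tmpl(serial int64, cn string, ku x509.KeyUsage, eku ...x509.ExtKeyUsage) *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), KeyUsage: ku, ExtKeyUsage: eku}
}

func issue(t, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, parent, pub, signer))))
}

// Token models the subscriber's secure token: the key never leaves it (software key here; ISO 17090-3
// requires a FIPS 140-2 level 1 or higher storage module).
type Token struct{ priv *ecdsa.PrivateKey }
func (t *Token) Sign(challenge []byte) []byte {
	h := sha256.Sum256(challenge)
	return must(ecdsa.SignASN1(rand.Reader, t.priv, h[:]))
}

// PreparationPhase (steps 1-1 and 1-2): the CA creates its trust anchor and issues a certificate for the
// token's key, an authentication one (digitalSignature+clientAuth) if authCert, else signature-only.
func PreparationPhase(authCert bool) (anchor, cert *x509.Certificate, tok *Token) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := tmpl(1, "Example HPKI CA", x509.KeyUsageCertSign|x509.KeyUsageCRLSign)
	caTmpl.IsCA, caTmpl.BasicConstraintsValid = true, true
	anchor = issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	subKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) // generated on the token
	ku, eku := x509.KeyUsageContentCommitment, x509.ExtKeyUsageEmailProtection
	if authCert {
		ku, eku = x509.KeyUsageDigitalSignature, x509.ExtKeyUsageClientAuth
	}
	cert = issue(tmpl(2, "Subscriber 0001", ku, eku), anchor, &subKey.PublicKey, caKey)
	return anchor, cert, &Token{priv: subKey}
}

// ConfigurationPhase installs the CA certificate as the server's trust anchor (step 2-1; the page's later steps are not modelled).
func ConfigurationPhase(anchor *x509.Certificate) *x509.CertPool {
	roots := x509.NewCertPool()
	roots.AddCert(anchor)
	return roots
}

// Authenticate is the server side of the authentication phase.
func Authenticate(roots *x509.CertPool, cert *x509.Certificate, nonce, sig []byte) error {
	// 1. Chain to the trust anchor, validity period, and an EKU permitting client authentication.
	//    Revocation checking (CRL/OCSP) is omitted here and must be added in a real deployment.
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate validation failed: %w", err)
	}
	// 2. Authentication is not signature: the digitalSignature key usage bit is required.
	if cert.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
		return fmt.Errorf("not an authentication certificate (no digitalSignature key usage)")
	}
	// 3. Proof of possession: the signature must be over this nonce with the certified key.
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	h := sha256.Sum256(nonce)
	if !ok || !ecdsa.VerifyASN1(pub, h[:], sig) {
		return fmt.Errorf("challenge signature does not verify")
	}
	return nil
}

// Run executes the three phases and returns the server's decision; knownCA=false makes the server trust a different CA (spoofed credential).
func Run(authCert, knownCA bool) error {
	anchor, cert, tok := PreparationPhase(authCert)
	if !knownCA {
		anchor, _, _ = PreparationPhase(true)
	}
	roots := ConfigurationPhase(anchor)
	nonce := make([]byte, 32) // fresh per login attempt; a single-use nonce is what defeats replay
	must(rand.Read(nonce))
	return Authenticate(roots, cert, nonce, tok.Sign(nonce))
}

func main() {
	fmt.Println("trusted auth cert:", Run(true, true), "| signature-only cert:", Run(false, true), "| unknown CA:", Run(true, false))
}
```

`go run` prints the three decisions: the first is nil, the other two are errors. The key-usage check is the practical counterpart of the Introduction's remark that authentication and signature use the same cryptographic operation but mean different things: the same ECDSA verify would succeed for the signature-only certificate, so the server has to refuse it on its certificate profile, not on the mathematics.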
