Health informatics - Secure User Identification for Health Care - Management and Security of Authentication by Passwords

This document is designed to improve the authentication of individual users of health care IT systems, by strengthening the automatic software procedures associated with the management of user identifiers and passwords, without resorting to additional hardware facilities.
This document applies to all information systems (hereafter called systems) within the health care environment that handle or store sensitive person identifiable health information, using passwords as the only means of authenticating the entered user identifier, i.e., verifying the claimed identity of a user. Systems that fall within the scope of this document include for example electronic patient record systems, patient administrative systems and laboratory systems, containing personal health information.
This document does not apply to systems outside the health care environment. Neither does it apply to systems within the health care environment that use other means of identification and authentication, such as smart cards, biometric methods or other technical facilities.

Medizinische Informatik - Sichere Nutzeridentifikation im Gesundheitswesen - Management und Sicherheit für die Authentifizierung durch Passwörter

Informatique de santé - Sécurité de l'identification de l'utilisateur des soins de santé - Gestion et sécurité de l'authentification des mots de passe

Zdravstvena informatika – Varna identifikacija uporabnikov v zdravstvenem varstvu – Upravljanje in varnost avtentikacije z gesli

General Information

Status: Published
Publication Date: 31-Dec-2004
Technical Committee:
Current Stage: 6060 - National Implementation/Publication (Adopted Project)
Start Date: 01-Jan-2005
Due Date: 01-Jan-2005
Completion Date: 01-Jan-2005


Standard: SIST EN 12251:2005, English language, 13 pages

Standards Content (sample)

SLOVENSKI STANDARD SIST EN 12251:2005 (en), 01 January 2005
Zdravstvena informatika – Varna identifikacija uporabnikov v zdravstvenem varstvu – Upravljanje in varnost avtentikacije z gesli
Medizinische Informatik - Sichere Nutzeridentifikation im Gesundheitswesen - Management und Sicherheit für die Authentifizierung durch Passwörter
Informatique de santé - Sécurité de l'identification de l'utilisateur des soins de santé - Gestion et sécurité de l'authentification des mots de passe
Health informatics - Secure User Identification for Health Care - Management and Security of Authentication by Passwords
ICS: 35.240.80 IT applications in health care technology
This Slovenian standard is identical to: EN 12251:2004
Replaces: SIST ENV 12251:2003
2003-01. Slovenski inštitut za standardizacijo. Reproduction of this standard in whole or in part is not permitted.

EUROPEAN STANDARD / NORME EUROPÉENNE / EUROPÄISCHE NORM
EN 12251
August 2004
ICS 35.240.80
English version

Health informatics - Secure User Identification for Health Care - Management and Security of Authentication by Passwords
Informatique de santé - Sécurité de l'identification de l'utilisateur des soins de santé - Gestion et sécurité de l'authentification des mots de passe
Medizinische Informatik - Sichere Nutzeridentifikation im Gesundheitswesen - Management und Sicherheit für die Authentifizierung durch Passwörter

This European Standard was approved by CEN on 21 June 2004.

CEN members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the Central Secretariat or to any CEN member.

This European Standard exists in three official versions (English, French, German). A version in any other language made by translation under the responsibility of a CEN member into its own language and notified to the Central Secretariat has the same status as the official versions.

CEN members are the national standards bodies of Austria, Belgium, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Slovakia, Slovenia, Spain, Sweden, Switzerland and United Kingdom.

EUROPEAN COMMITTEE FOR STANDARDIZATION / COMITÉ EUROPÉEN DE NORMALISATION / EUROPÄISCHES KOMITEE FÜR NORMUNG
Management Centre: rue de Stassart, 36, B-1050 Brussels

© 2004 CEN. All rights of exploitation in any form and by any means reserved worldwide for CEN national Members.
Ref. No. EN 12251:2004: E

EN 12251:2004 (E)

Contents
Foreword (p. 3)
Introduction (p. 4)
1 Scope (p. 5)
2 Normative references (p. 5)
3 Terms and definitions (p. 5)
4 Requirements (p. 6)
4.1 Unique identification and authentication (p. 6)
4.2 Identification and authentication prior to all other interactions (p. 6)
4.3 Associating unique identity with users (p. 6)
4.4 Maintaining the identity of active users (p. 6)
4.5 Log-on message (p. 7)
4.6 Number of log-on trials (p. 7)
4.7 Incorrectly performed log-on procedure (p. 7)
4.8 Display of log-on statistics (p. 7)
4.9 Password sharing (p. 7)
4.10 Password storage (p. 7)
4.11 Logging of passwords (p. 8)
4.12 Password display suppression (p. 8)
4.13 User-changeability of passwords (p. 8)
4.14 Default passwords (p. 8)
4.15 Initialised passwords (p. 8)
4.16 Temporary passwords (p. 8)
4.17 Password expiration (p. 8)
4.18 Password expiration notification (p. 8)
4.19 Password reuse (p. 9)
4.20 Password complexity (p. 9)
Annex A (informative) Potential password complexity requirements (p. 10)
Annex B (informative) User responsibilities (p. 11)
Annex C (informative) Password communication (p. 12)
Bibliography (p. 13)


Foreword

This document (EN 12251:2004) has been prepared by Technical Committee CEN/TC 251 "Health informatics", the secretariat of which is held by SIS.

This European Standard shall be given the status of a national standard, either by publication of an identical text or by endorsement, at the latest by February 2005, and conflicting national standards shall be withdrawn at the latest by February 2005.

This document supersedes ENV 12251:2000.

This document is designed to improve the authentication of individual users of health care IT systems, by strengthening the automatic software procedures associated with the management of user identifiers and passwords, without resorting to additional hardware facilities.

Although the use of passwords, and the need for improved security in this respect, is by no means specific to the health care field, it is felt strongly that the way in which systems are being used in this field, often in direct support of patient care and handling very sensitive information, urgently calls for a good solution in this area. However, the methods specified in this document can possibly be applied in other sectors as well, at the discretion of users.

According to the CEN/CENELEC Internal Regulations, the national standards organizations of the following countries are bound to implement this European Standard: Austria, Belgium, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Slovakia, Slovenia, Spain, Sweden, Switzerland and United Kingdom.

Introduction

Information Technology (IT) systems in the health care environment are being used in increasingly sensitive and critical circumstances. To facilitate secure access control to an IT system and within an IT system, it is essential to uniquely establish the identity of all users seeking access. Further, to have confidence that a user really is who he or she claims to be, there is a need for secure means of verifying the claimed identity.

The use of passwords, being confidential to each user, and constructed in such a way that others cannot compromise this confidential authentication information easily, is the most common means of authentication in current computer systems, and will be so for some time to come. This document can facilitate the wider process of Security Management.

Conventional passwords have several disadvantages. Some of these are:

- They can easily be shared among several users
- The use of unprotected network technology makes them easy targets for eavesdropping
- They can be hard to remember if chosen so as to be secure

Other technologies such as chip cards and biometrics, which provide more secure means of authentication, have been introduced and will eventually phase out the use of passwords. However, in the meantime it is important to facilitate the most secure use of passwords in health care IT systems. This is the main objective of this document.


1 Scope

This document is designed to improve the authentication of individual users of health care IT systems, by strengthening the automatic software procedures associated with the management of user identifiers and passwords, without resorting to additional hardware facilities.

This document applies to all information systems (hereafter called systems) within the health care environment that handle or store sensitive person identifiable health information, using passwords as the only means of authenticating the entered user identifier, i.e., verifying the claimed identity of a user. Systems that fall within the scope of this document include for example electronic patient record systems, patient administrative systems and laboratory systems, containing personal health information.

This document does not apply to systems outside the health care environment. Neither does it apply to systems within the health care environment that use other means of identification and authentication, such as smart cards, biometric methods or other technical facilities.

2 Normative references

The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO 7498-2, Information processing systems – Open systems interconnection – Basic reference model – Part 2: Security architecture

3 Terms and definitions

For the purposes of this document, the following terms and definitions apply.

3.1 access control
prevention of unauthorised use of a resource, including the prevention of use of a resource in an unauthorised manner

3.2 authentication
process of verifying a claimed user identity, in this document on the basis of an entered user identifier and password

3.3 authentication information
information used to establish the validity of a claimed identity [ISO 7498-2]

3.4 authorised user
person who is given access rights to the system, i.e., person who is given a unique user identifier and an initial password, and by this is given

...
