Health informatics -- Audit trails for electronic health records (ISO 27789:2021)

This document specifies a common framework for audit trails for electronic health records (EHR), in
terms of audit trigger events and audit data, to keep the complete set of personal health information
auditable across information systems and domains.
It is applicable to systems processing personal health information that create a secure audit record
each time a user reads, creates, updates, or archives personal health information via the system.
NOTE Such audit records at a minimum uniquely identify the user, uniquely identify the subject of care,
identify the function performed by the user (record creation, read, update, etc.), and record the date and time at
which the function was performed.
This document covers only actions performed on the EHR, which are governed by the access policy
for the domain where the electronic health record resides. It does not deal with any personal health
information from the electronic health record, other than identifiers, the audit record only containing
links to EHR segments as defined by the governing access policy.
It does not cover the specification and use of audit logs for system management and system
security purposes, such as the detection of performance problems, application flaws, or support for
a reconstruction of data, which are dealt with by general computer security standards such as ISO/IEC 15408 (all parts)[9].
Annex A gives examples of audit scenarios. Annex B gives an overview of audit log services.


General Information

Status: Published
Public Enquiry End Date: 18-Jun-2020
Publication Date: 14-Nov-2021
Current Stage: 6060 - National Implementation/Publication (Adopted Project)
Start Date: 04-Nov-2021
Due Date: 09-Jan-2022
Completion Date: 15-Nov-2021

Buy Standard

Standard: SIST EN ISO 27789:2021, English language, 56 pages
Draft: oSIST prEN ISO 27789:2020 (colour on PDF page 44), English language, 50 pages

Standards Content (Sample)

SLOVENSKI STANDARD (Slovenian standard)
SIST EN ISO 27789:2021
01-December-2021
Supersedes: SIST EN ISO 27789:2013

Health informatics -- Audit trails for electronic health records (ISO 27789:2021)

This Slovenian standard is identical to: EN ISO 27789:2021
ICS: 35.240.80 IT applications in health care technology
SIST EN ISO 27789:2021 en,fr,de

2003-01. Slovenian Institute for Standardization. Reproduction of the whole or parts of this standard is not permitted.

EN ISO 27789
EUROPEAN STANDARD
NORME EUROPÉENNE
EUROPÄISCHE NORM
October 2021
ICS 35.240.80 Supersedes EN ISO 27789:2013
English Version
Health informatics - Audit trails for electronic health records (ISO 27789:2021)

This European Standard was approved by CEN on 15 August 2021.

CEN members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to any CEN member.

This European Standard exists in three official versions (English, French, German). A version in any other language made by translation under the responsibility of a CEN member into its own language and notified to the CEN-CENELEC Management Centre has the same status as the official versions.

CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom.

EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION
EUROPÄISCHES KOMITEE FÜR NORMUNG
CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels

© 2021 CEN All rights of exploitation in any form and by any means reserved worldwide for CEN national Members. Ref. No. EN ISO 27789:2021 E
Contents Page

European foreword ....................................................................................................................................................... 3

European foreword

This document (EN ISO 27789:2021) has been prepared by Technical Committee ISO/TC 215 "Health informatics" in collaboration with Technical Committee CEN/TC 251 "Health informatics", the secretariat of which is held by NEN.

This European Standard shall be given the status of a national standard, either by publication of an identical text or by endorsement, at the latest by April 2022, and conflicting national standards shall be withdrawn at the latest by April 2022.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. CEN shall not be held responsible for identifying any or all such patent rights.

This document supersedes EN ISO 27789:2013.

Any feedback and questions on this document should be directed to the users' national standards body/national committee. A complete listing of these bodies can be found on the CEN website.

According to the CEN-CENELEC Internal Regulations, the national standards organizations of the following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the United Kingdom.

Endorsement notice

The text of ISO 27789:2021 has been approved by CEN as EN ISO 27789:2021 without any modification.

INTERNATIONAL STANDARD ISO 27789
Second edition
2021-10
Health informatics — Audit trails for electronic health records
Reference number ISO 27789:2021(E)
© ISO 2021
COPYRIGHT PROTECTED DOCUMENT
© ISO 2021

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.

ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
© ISO 2021 – All rights reserved
Contents

Foreword .... v
Introduction .... vi
1 Scope .... 1
2 Normative references .... 1
3 Terms and definitions .... 1
4 Abbreviated terms .... 5
5 Requirements and uses of audit data .... 5
5.1 Ethical and formal requirements .... 5
5.1.1 General .... 5
5.1.2 Access policy .... 5
5.1.3 Unambiguous identification of information system users .... 6
5.1.4 User roles .... 6
5.1.5 Secure audit records .... 6
5.2 Uses of audit data .... 6
5.2.1 Governance and supervision .... 6
5.2.2 Subjects of care exercising their rights .... 7
5.2.3 Evidence and retention requirements .... 7
6 Trigger events .... 7
6.1 General .... 7
6.2 Details of the event types and their contents .... 8
6.2.1 Access events to the personal health information .... 8
6.2.2 Query events to the personal health information .... 8
7 Audit record details .... 8
7.1 The general record format .... 8
7.2 Trigger event identification .... 10
7.2.1 Event ID .... 10
7.2.2 Event action code .... 11
7.2.3 Event date and time .... 11
7.2.4 Event outcome indicator .... 12
7.2.5 Event type code .... 12
7.3 User identification .... 12
7.3.1 User ID .... 12
7.3.2 Alternative user ID .... 13
7.3.3 User name .... 13
7.3.4 User is requestor .... 13
7.3.5 Role ID code .... 13
7.3.6 Purpose of use .... 14
7.4 Access point identification .... 15
7.4.1 Network access point type code .... 15
7.4.2 Network access point ID .... 16
7.5 Audit source identification .... 16
7.5.1 Overview .... 16
7.5.2 Audit enterprise site ID .... 17
7.5.3 Audit source ID .... 17
7.5.4 Audit source type code .... 17
7.6 Participant object identification .... 18
7.6.1 Overview .... 18
7.6.2 Participant object type code .... 19
7.6.3 Participant object type code role .... 19
7.6.4 Participant object data life cycle and record entry lifecycle events .... 20
7.6.5 Participant object ID type code .... 22
7.6.6 Participant object Permission PolicySet .... 23
7.6.7 Participant object sensitivity .... 23
7.6.8 Participant object ID .... 24
7.6.9 Participant object name .... 24
7.6.10 Participant object query .... 24
7.6.11 Participant object detail, Participant object description .... 24
8 Audit records for individual events .... 25
8.1 Access events .... 25
8.2 Query events .... 26
9 Secure management of audit data .... 28
9.1 Security considerations .... 28
9.2 Securing the availability of the audit system .... 28
9.3 Retention requirements .... 29
9.4 Securing the confidentiality and integrity of audit trails .... 29
9.5 Access to audit data .... 29
Annex A (informative) Audit scenarios .... 30
Annex B (informative) Audit log services .... 36
Bibliography .... 45

Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/iso/foreword.html.

This document was prepared by Technical Committee ISO/TC 215, Health informatics, in collaboration with the European Committee for Standardization (CEN) Technical Committee CEN/TC 251, Health informatics, in accordance with the Agreement on technical cooperation between ISO and CEN (Vienna Agreement).

This second edition cancels and replaces the first edition (ISO 27789:2013), which has been technically revised.

The main changes are as follows:
— harmonization between audit record format and DICOM format;
— review of the content in Annex A;
— review of the chart in Annex B;
— bibliography update.

Any feedback or questions on this document should be directed to the user's national standards body. A complete listing of these bodies can be found at www.iso.org/members.html.
Introduction

0.1 General

Personal health information is regarded by many as among the most confidential of all types of personal information and protecting its confidentiality is essential to maintain the privacy of subjects of care. In order to protect the consistency of health information, it is also important that its entire life cycle be fully auditable. Health records should be created, processed and managed in ways that guarantee the integrity and confidentiality of their contents and that support legitimate control by subjects of care in how the records are created, used and maintained.

Trust in electronic health records requires physical and technical security elements along with data integrity elements. Among the most important of all security requirements to protect personal health information and the integrity of records are those relating to audit and logging. These help to ensure accountability for subjects of care who entrust their information to electronic health record (EHR) systems. They also help to protect record integrity, as they provide a strong incentive to users of such systems to conform to organizational policies on the use of these systems.

Effective audit and logging can help to uncover misuse of EHR systems or EHR data and can help organizations and subjects of care obtain redress against users abusing their access privileges. For auditing to be effective, it is necessary that audit trails contain sufficient information to address a wide variety of circumstances (see Annex A).

Audit logs are complementary to access controls. The audit logs provide a means to assess conformity with organizational access policy and can contribute to improving and refining the policy itself. But as such a policy needs to anticipate the occurrence of unforeseen or emergency cases, analysis of the audit logs becomes the primary means of ensuring access control for those cases.

This document is strictly limited in scope to logging of events. Changes to data values in fields of an EHR are presumed to be recorded in the EHR database system itself and not in the audit log. It is presumed that the EHR system itself contains both the previous and updated values of every field. This is consistent with contemporary point-in-time database architectures. The audit log itself is presumed to contain no personal health information other than identifiers and links to the record.

Electronic health records on an individual person can reside in many different information systems within and across organizational or even jurisdictional boundaries. To keep track of all actions that involve records on a particular subject of care, a common framework is a prerequisite. This document provides such a framework. To support audit trails across distinct domains, it is essential to include references in this framework to the policies that specify the requirements within the domain, such as access control rules and retention periods. Domain policies may be referenced implicitly by identification of the audit log source.

0.2 Benefits of using this document

Standardization of audit trails on access to electronic health records aims at two goals:

— ensuring that information captured in an audit log is sufficient to clearly reconstruct a detailed chronology of the events that have shaped the content of an electronic health record;
— ensuring that an audit trail of actions relating to a subject of care's record can be reliably followed, even across organizational domains.

This document is intended for those responsible for overseeing health information security or privacy and for healthcare organizations and other custodians of health information seeking guidance on audit trails, together with their security advisors, consultants, auditors, vendors and third-party service providers.

0.3 Related standards on electronic health record audit trails

This document builds upon, and is consistent with, the work begun in RFC 3881 with respect to access to the EHR. This document also builds upon and is consistent with the content in ISO/TS 21089:2018.

INTERNATIONAL STANDARD ISO 27789:2021(E)

Health informatics — Audit trails for electronic health records
1 Scope

This document specifies a common framework for audit trails for electronic health records (EHR), in terms of audit trigger events and audit data, to keep the complete set of personal health information auditable across information systems and domains.

It is applicable to systems processing personal health information that create a secure audit record each time a user reads, creates, updates, or archives personal health information via the system.

NOTE Such audit records at a minimum uniquely identify the user, uniquely identify the subject of care, identify the function performed by the user (record creation, read, update, etc.), and record the date and time at which the function was performed.

This document covers only actions performed on the EHR, which are governed by the access policy for the domain where the electronic health record resides. It does not deal with any personal health information from the electronic health record, other than identifiers, the audit record only containing links to EHR segments as defined by the governing access policy.

It does not cover the specification and use of audit logs for system management and system security purposes, such as the detection of performance problems, application flaws, or support for a reconstruction of data, which are dealt with by general computer security standards such as ISO/IEC 15408 (all parts)[9].

Annex A gives examples of audit scenarios. Annex B gives an overview of audit log services.

2 Normative references

The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO 27799:2016, Health informatics — Information security management in health using ISO/IEC 27002

ISO 8601-1, Date and time — Representations for information interchange — Part 1: Basic rules

ISO/TS 21089:2018, Health informatics — Trusted end-to-end information flows
3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO/TS 21089:2018 and the following terms and definitions apply.

ISO and IEC maintain terminology databases for use in standardization at the following addresses:

— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1
access control
means to ensure that access to assets is authorized and restricted based on business and security requirements
[SOURCE: ISO/IEC 27000:2018, 3.1]

3.2
access policy
definition of the obligations for authorizing access to a resource

3.3
accountability
obligation of an individual or organization to account for its activities, for completion of a deliverable or task, accept responsibility for those activities, deliverables or tasks, and to disclose the results in a transparent manner
[SOURCE: ISO/TS 21089:2018, 3.3.1]

3.4
agent
entity that takes programmed actions, such as software or a device
[SOURCE: ISO/TS 21089:2018, 3.6.4]

3.5
alert
what is sent when the monitor service notices that a series of events matches a pattern

3.6
audit
independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operat
...

SLOVENIAN STANDARD
oSIST prEN ISO 27789:2020
1 June 2020

Health informatics -- Audit trails for electronic health records (ISO/DIS 27789:2020)
(the cover gives this title in Slovenian, English, German and French)

This Slovenian standard is identical to: prEN ISO 27789

ICS: 35.240.80 IT applications in health care technology

oSIST prEN ISO 27789:2020 en,fr,de

2003-01. Slovenski inštitut za standardizacijo (Slovenian Institute for Standardization). Reproduction of the whole or of parts of this standard is not permitted.

DRAFT INTERNATIONAL STANDARD
ISO/DIS 27789
ISO/TC 215 Secretariat: ANSI
Voting begins on: 2020-04-17
Voting terminates on: 2020-07-10

Health informatics — Audit trails for electronic health records
(title also given in French on the cover)

ICS: 35.240.80

ISO/CEN PARALLEL PROCESSING

This document is circulated as received from the committee secretariat.

THIS DOCUMENT IS A DRAFT CIRCULATED FOR COMMENT AND APPROVAL. IT IS THEREFORE SUBJECT TO CHANGE AND MAY NOT BE REFERRED TO AS AN INTERNATIONAL STANDARD UNTIL PUBLISHED AS SUCH.

IN ADDITION TO THEIR EVALUATION AS BEING ACCEPTABLE FOR INDUSTRIAL, TECHNOLOGICAL, COMMERCIAL AND USER PURPOSES, DRAFT INTERNATIONAL STANDARDS MAY ON OCCASION HAVE TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL TO BECOME STANDARDS TO WHICH REFERENCE MAY BE MADE IN NATIONAL REGULATIONS.

RECIPIENTS OF THIS DRAFT ARE INVITED TO SUBMIT, WITH THEIR COMMENTS, NOTIFICATION OF ANY RELEVANT PATENT RIGHTS OF WHICH THEY ARE AWARE AND TO PROVIDE SUPPORTING DOCUMENTATION.

Reference number ISO/DIS 27789:2020(E)
© ISO 2020
COPYRIGHT PROTECTED DOCUMENT
© ISO 2020

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.

ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Symbols and abbreviated terms
5 Requirements and uses of audit data
  5.1 Ethical and formal requirements
    5.1.1 General
    5.1.2 Access policy
    5.1.3 Unambiguous identification of information system users
    5.1.4 User roles
    5.1.5 Secure audit records
  5.2 Uses of audit data
    5.2.1 Governance and supervision
    5.2.2 Subjects of care exercising their rights
    5.2.3 Healthcare provider's ethical or legal proof of action
6 Trigger events
  6.1 General
  6.2 Details of the event types and their contents
    6.2.1 Access events to the personal health information
    6.2.2 Query events to the personal health information
7 Audit record details
  7.1 The general record format
  7.2 Trigger event identification
    7.2.1 Event ID
    7.2.2 Event action code
    7.2.3 Event date and time
    7.2.4 Event outcome indicator
    7.2.5 Event type code
  7.3 User identification
    7.3.1 User ID
    7.3.2 Alternative user ID
    7.3.3 User name
    7.3.4 User is requestor
    7.3.5 Role ID code
    7.3.6 Purpose of use
  7.4 Access point identification
    7.4.1 Network access point type code
    7.4.2 Network access point ID
  7.5 Audit source identification
    7.5.1 Overview
    7.5.2 Audit enterprise site ID
    7.5.3 Audit source ID
    7.5.4 Audit source type code
  7.6 Participant object identification
    7.6.1 Overview
    7.6.2 Participant object type code
    7.6.3 Participant object type code role
    7.6.4 Participant object data life cycle
    7.6.5 Participant object ID type code
    7.6.6 Participant object Permission PolicySet
    7.6.7 Participant object sensitivity
    7.6.8 Participant object ID
    7.6.9 Participant object name
    7.6.10 Participant object query
    7.6.11 Participant object detail
8 Audit records for individual events
  8.1 Access events
  8.2 Query events
9 Secure management of audit data
  9.1 Security considerations
  9.2 Securing the availability of the audit system
  9.3 Retention requirements
  9.4 Securing the confidentiality and integrity of audit trails
  9.5 Access to audit data
Annex A (informative) Audit scenarios
Annex B (informative) Audit log services
Bibliography

Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.

International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.

The main task of technical committees is to prepare International Standards. Draft International Standards adopted by the technical committees are circulated to the member bodies for voting. Publication as an International Standard requires approval by at least 75 % of the member bodies casting a vote.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights.

ISO 27789 was prepared by Technical Committee ISO/TC 215, Health informatics.

This second edition cancels and replaces the first edition (ISO/TS 27789:2013), which has been technically revised.

The main changes compared to the previous edition are as follows:
— update of the ISO 27799 chapter titles to the latest edition;
— matching of the audit record format to the DICOM format;
— review of the content of the Annex A audit scenarios;
— review of the chart of the Annex B audit log services;
— update of the bibliography.
Introduction

0.1 General

Personal health information is regarded by many as among the most confidential of all types of personal information and protecting its confidentiality is essential if the privacy of subjects of care is to be maintained. In order to protect the consistency of health information, it is also important that its entire life cycle be fully auditable. Health records should be created, processed and managed in ways that guarantee the integrity and confidentiality of their contents and that support legitimate control by subjects of care in how the records are created, used and maintained.

Trust in electronic health records requires physical and technical security elements along with data integrity elements. Among the most important of all security requirements to protect personal health information and the integrity of records are those relating to audit and logging. These help to ensure accountability for subjects of care who entrust their information to electronic health record (EHR) systems. They also help to protect record integrity, as they provide a strong incentive to users of such systems to conform to organizational policies on the use of these systems.

Effective audit and logging can help to uncover misuse of EHR systems or EHR data and can help organisations and subjects of care obtain redress against users abusing their access privileges. For auditing to be effective, it is necessary that audit trails contain sufficient information to address a wide variety of circumstances (see Annex A).

Audit logs are complementary to access controls. The audit logs provide a means to assess compliance with organizational access policy and can contribute to improving and refining the policy itself. But as such a policy has to anticipate the occurrence of unforeseen or emergency cases, analysis of the audit logs becomes the primary means of ensuring access control for those cases.

This document is strictly limited in scope to logging of events. Changes to data values in fields of an EHR are presumed to be recorded in the EHR database system itself and not in the audit log. It is presumed that the EHR system itself contains both the previous and updated values of every field. This is consistent with contemporary point-in-time database architectures. The audit log itself is presumed to contain no personal health information other than identifiers and links to the record.

Electronic health records on an individual person may reside in many different information systems within and across organisational or even jurisdictional boundaries. To keep track of all actions that involve records on a particular subject of care, a common framework is a prerequisite. This document provides such a framework. To support audit trails across distinct domains it is essential to include references in this framework to the policies that specify the requirements within the domain, such as access control rules and retention periods. Domain policies may be referenced implicitly by identification of the audit log source.
0.2 Benefits of using this document

Standardization of audit trails on access to electronic health records aims at two goals:

— ensuring that information captured in an audit log is sufficient to clearly reconstruct a detailed chronology of the events that have shaped the content of an electronic health record, and
— ensuring that an audit trail of actions relating to a subject of care's record can be reliably followed, even across organizational domains.

This document is intended for those responsible for overseeing health information security or privacy and for healthcare organizations and other custodians of health information seeking guidance on audit trails, together with their security advisors, consultants, auditors, vendors and third-party service providers.
0.3 Comparison with related standards on electronic health record audit trails

This document conforms to the requirements of ISO 27799, Health informatics — Security management in health using ISO/IEC 27002, insofar as they relate to auditing and audit trails.

Some readers may be familiar with Internet Engineering Task Force (IETF) Request for Comments (RFC) 3881, Security Audit and Access Accountability Message XML Data Definitions for Healthcare Applications [13]. (Readers not already familiar with IETF RFC 3881 need not refer to that document, as familiarity with it is not required to understand this document.) Informational RFC 3881, dated 2004-09 and no longer listed as active in the IETF database, was an early and useful attempt at specifying the content of audit logs for healthcare. To the extent possible, this document builds upon, and is consistent with, the work begun in RFC 3881 with respect to access to the EHR.
0.4 A note on terminology

Several closely related terms are defined in Clause 3 (Terms and definitions). An audit log is a chronological sequence of audit records; each audit record contains evidence directly pertaining to and resulting from the execution of a process or system function. As EHR systems can be complex aggregations of systems and databases, there may be more than one audit log containing information on system events that have altered a subject of care's EHR. Although the terms audit trail and audit log are often used interchangeably, in this document the term audit trail refers to the collection of all audit records from one or more audit logs that refer to a specific subject of care, a specific electronic health record or a specific user. An audit system provides all the information processing functions necessary to maintain one or more audit logs.
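The record and trail concepts described above (the Scope NOTE's minimum record content, the "identifiers and links only" rule from 0.1, and the audit log versus audit trail distinction in 0.4) are easier to see in code. The following is an added illustration written for this page, not code from ISO 27789 or from any vendor's product. Field names follow the Clause 7 elements listed in the Contents; the action-code letters (C/R/U/D/E), the outcome value 0 for success, the SHA-256 hash chain used to make each log tamper-evident, and all host names, user IDs, role and purpose-of-use codes are assumptions or constructed sample data, not values the standard specifies. The standard requires audit records to be secure; it does not prescribe hash chaining.

```python
import hashlib
import json
import re
from dataclasses import asdict, dataclass
from datetime import datetime, timedelta

# Event action codes: RFC 3881-style letters are an assumption; the page only names the field.
ACTION_CODES = {"C": "create", "R": "read", "U": "update", "D": "delete", "E": "execute"}
# Identifiers and EHR-segment links must be opaque tokens, never record content.
ID_PATTERN = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._:/-]{0,63}$")


@dataclass(frozen=True)
class AuditRecord:
    """Minimum content from the Scope NOTE (user, subject of care, function, date and
    time) plus the Clause 7 elements that say where the event happened."""
    event_action_code: str          # 7.2.2
    event_date_time: str            # 7.2.3  ISO 8601-1, in UTC
    event_outcome_indicator: int    # 7.2.4  0 = success (assumed code value)
    user_id: str                    # 7.3.1
    role_id_code: str               # 7.3.5
    purpose_of_use: str             # 7.3.6
    network_access_point_id: str    # 7.4.2
    audit_enterprise_site_id: str   # 7.5.2  domain whose access policy governs
    audit_source_id: str            # 7.5.3
    subject_of_care_id: str         # 7.6.8  participant object ID of the patient
    ehr_segment_ids: tuple          # 7.6    links to EHR segments, not their content

    def validate(self) -> None:
        """Reject anything that is not a coded action, a UTC timestamp or an identifier."""
        if self.event_action_code not in ACTION_CODES:
            raise ValueError("unknown event action code")
        ts = datetime.fromisoformat(self.event_date_time.replace("Z", "+00:00"))
        if ts.tzinfo is None or ts.utcoffset() != timedelta(0):
            raise ValueError("event_date_time must carry an explicit UTC offset")
        for ident in (self.user_id, self.subject_of_care_id, self.audit_source_id,
                      *self.ehr_segment_ids):
            if not ID_PATTERN.match(ident):
                raise ValueError(f"not an opaque identifier: {ident!r}")


class AuditLog:
    """Append-only log for one audit source. Each entry's SHA-256 covers the previous
    hash, so altering or dropping an earlier record breaks verify() (assumed mechanism)."""

    def __init__(self, audit_source_id: str) -> None:
        self.audit_source_id = audit_source_id
        self.entries = []

    @staticmethod
    def _digest(prev_hash: str, record: dict) -> str:
        canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256((prev_hash + canonical).encode()).hexdigest()

    def append(self, record: AuditRecord) -> None:
        record.validate()
        if record.audit_source_id != self.audit_source_id:
            raise ValueError("record claims a different audit source")
        body = asdict(record)
        body["ehr_segment_ids"] = list(record.ehr_segment_ids)
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        self.entries.append({"prev_hash": prev, "record": body,
                             "hash": self._digest(prev, body)})

    def verify(self) -> bool:
        prev = "0" * 64
        for entry in self.entries:
            if entry["prev_hash"] != prev or self._digest(prev, entry["record"]) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def audit_trail(logs, subject_of_care_id: str) -> list:
    """Audit trail in the sense of 0.4: every record from one or more logs that relates
    to one subject of care, in chronological order, whichever domain produced it."""
    for log in logs:
        if not log.verify():
            raise RuntimeError(f"log {log.audit_source_id} failed integrity verification")
    records = [e["record"] for log in logs for e in log.entries
               if e["record"]["subject_of_care_id"] == subject_of_care_id]
    return sorted(records, key=lambda r: r["event_date_time"])


def demo() -> dict:
    """Constructed sample: a hospital EHR and a laboratory system both touch PAT-000123."""
    hospital = AuditLog("ehr.hospital-a.example")
    lab = AuditLog("lis.lab-b.example")
    hospital.append(AuditRecord("R", "2021-05-04T09:15:00Z", 0, "dr.smith", "PHYSICIAN", "TREAT",
        "10.0.0.12", "hospital-a", "ehr.hospital-a.example", "PAT-000123", ("seg:medications",)))
    lab.append(AuditRecord("C", "2021-05-04T09:18:05Z", 0, "lab.analyser-7", "LAB", "TREAT",
        "10.1.0.5", "lab-b", "lis.lab-b.example", "PAT-000123", ("seg:lab-results",)))
    hospital.append(AuditRecord("U", "2021-05-04T09:20:30Z", 0, "dr.smith", "PHYSICIAN", "TREAT",
        "10.0.0.12", "hospital-a", "ehr.hospital-a.example", "PAT-000123", ("seg:medications",)))
    hospital.append(AuditRecord("R", "2021-05-04T09:21:00Z", 0, "nurse.jones", "NURSE", "TREAT",
        "10.0.0.19", "hospital-a", "ehr.hospital-a.example", "PAT-000777", ("seg:vitals",)))
    trail = [(r["audit_source_id"], r["event_action_code"], r["user_id"])
             for r in audit_trail([hospital, lab], "PAT-000123")]
    # Rewrite an earlier hospital entry after the fact: the chain no longer verifies.
    hospital.entries[0]["record"]["user_id"] = "someone.else"
    return {"trail": trail, "hospital_intact": hospital.verify(), "lab_intact": lab.verify()}
```

Two design points follow directly from the text. The identifier pattern is what enforces "no personal health information other than identifiers and links": a segment link such as "seg:medications" passes, while a free-text string that names a diagnosis is refused at write time, so it can never leak through the log. Second, the trail is assembled across logs by subject-of-care identifier and ordered by UTC timestamp; that only works because every record carries an explicit offset, which is why validate() refuses naive timestamps. Retention periods and the confidentiality of the log itself (Clause 9 in the Contents) are outside what this sketch covers.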
DRAFT INTERNATIONAL STANDARD ISO/DIS 27789:2020(E)
Health informatics — Audit trails for electronic health records
1 Scope

This document specifies a common framework for audit trails for electronic health records (EHR), in terms of audit trigger events and audit data, to keep the complete set of personal health information auditable across information systems and domains.

It is applicable to systems processing personal health information which, complying with ISO 27799, create a secure audit record each time a user accesses, creates, updates, or archives personal health information via the system.

NOTE Such audit records at a minimum uniquely identify the user, uniquely identify the subject of care, identify the function performed by the user (record creation, access, update, etc.), and record the date and time at which the function was performed.

This document covers only actions performed on the EHR, which are governed by the access policy for the domain where the electronic health record resides. It does not deal with any personal health information from the electronic health record, other than identifiers, the audit record only containing links to EHR segments as defined by the governing access policy.

It does not cover the specification and use of audit logs for system management and system security purposes, such as the detection of performance problems, application flaws, or support for a reconstruction of data, which are dealt with by general computer security standards such as ISO/IEC 15408 [9].

Annex A gives examples of audit scenarios. Annex B gives an overview of audit log services.

2 Normative references

The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO 27799:2016, Health informatics — Information security management in health using ISO/IEC 27002

3 Terms and definitions

For the purposes of this document, the following terms and definitions apply.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:

— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at http://www.electropedia.org/

3.1
access control
means to ensure that access to assets is authorized and restricted based on business and security requirements
[SOURCE: ISO/IEC 27000:2009, definition 2.1]
3.2
access policy
definition of the obligations for authorizing access to a resource

3.3
accountability
principle that individuals, organizations, and the community are responsible for their actions and may be required to explain them to others
[SOURCE: ISO 15489-1:2001, definition 3.2]

3.4
audit
systematic and independent examination of accesses, additions, or alterations to electronic health records to determine whether the activities were conducted, and the data were collected, used, retained or disclosed according to organizational standard operating procedures, policies, good clinical practice, and applicable regulatory requirement(s)

3.5
audit archive
archival collection of one or more audit logs

3.6
audit data
data obtained from one or more audit records

3.7
audit log
chronological sequence of audit records, each of which contains data about a specific event

3.8
audit record
record of a single specific event in the life cycle of an electronic health record

3.9
audit system
information processing system that maintains one or more audit logs

3.10
audit trail
collection of audit records from one or more audit logs relating to a specific subject of care or a specific electronic health record

3.11
authentication
provision of assurance that a claimed characteristic of an entity is correct
[SOURCE: ISO/IEC 27000:2009, definition 2.5]

3.12
authorization
granting of privileges, which includes the granting of privileges to access data and functions
Note 1 to entry: derived from ISO 7498-2: the granting of rights, which includes the granting of access based on access rights

3.13
authority
entity responsible for issuing certificates
3.14
availability
property of being accessible and useable upon demand by an authorized entity
[SOURCE: ISO/IEC 27000:2009, definition 2.7]

3.15
confidentiality
property that information is not made available or disclosed to unauthorized individuals, entities, or processes
[SOURCE: ISO/IEC 27000:2009, definition 2.9]

3.16
Coordinated Universal Time
UTC
time scale which forms the basis of a coordinated radio dissemination of standard frequencies and time signals; it corresponds exactly in rate with international atomic time, but differs from it by an integral number of seconds
[SOURCE: IEC 60050-713:1998]

3.17
data integrity
property that data have not been altered or destroyed in an unauthorized manner
[SOURCE: ISO 7498-2:1989, definition 3.3.21]

3.18
electronic health record
EHR
comprehensive, structured set of clinical, demographic, environmental, social, and financial data in electronic form, documenting the health care given to a single individual
[SOURCE: ASTM E 1769:1995]

3.19
EHR segment
part of an EHR that constitutes a distinct resource for the access policy

3.20
identification
performance of tests to enable a data processing system to recognize entities
[SOURCE: ISO/IEC 2382-8:1998, definition 08.04.12 (as identity authentication, identity validation)]

3.21
identifier
piece of information used to claim an identity, before a potential corroboration by a corresponding authenticator

3.22
information security
preservation of confidentiality, integrity and availability of information
[SOURCE: ISO/IEC 27000:2009, definition 2.19]

3.23
integrity
property of protecting the accuracy and completeness of assets
[SOURCE: ISO/I
...
