Health informatics -- Audit trails for electronic health records (ISO 27789:2021)

This document specifies a common framework for audit trails for electronic health records (EHR), in
terms of audit trigger events and audit data, to keep the complete set of personal health information
auditable across information systems and domains.
It is applicable to systems processing personal health information that create a secure audit record
each time a user reads, creates, updates, or archives personal health information via the system.
NOTE Such audit records at a minimum uniquely identify the user, uniquely identify the subject of care,
identify the function performed by the user (record creation, read, update, etc.), and record the date and time at
which the function was performed.
This document covers only actions performed on the EHR, which are governed by the access policy
for the domain where the electronic health record resides. It does not deal with any personal health
information from the electronic health record, other than identifiers, the audit record only containing
links to EHR segments as defined by the governing access policy.
It does not cover the specification and use of audit logs for system management and system
security purposes, such as the detection of performance problems, application flaw, or support for
a reconstruction of data, which are dealt with by general computer security standards such as ISO/
IEC 15408 (all parts)[9].
Annex A gives examples of audit scenarios. Annex B gives an overview of audit log services

Medizinische Informatik - Audit-Trails für elektronische Gesundheitsakten (ISO 27789:2021)

Informatique de santé -- Historique d'expertise des dossiers de santé informatisés (ISO 27789:2021)

Le présent document définit un cadre commun pour les pistes d'audit des dossiers de santé informatisés (DSI), en termes d'événements déclencheurs d'audit et de données d'audit, afin de conserver l'ensemble complet des informations personnelles de santé auditables, quels que soient les systèmes et les domaines d'information.
Le présent document s'applique aux systèmes de traitement des informations personnelles de santé qui créent un enregistrement d'audit sécurisé chaque fois qu'un utilisateur crée des informations personnelles de santé, qu'il les lit, qu'il les met à jour ou qu'il les archive par le biais du système.
NOTE       Au minimum, ces enregistrements d'audit identifient de manière unique l'utilisateur, identifient de manière unique le sujet de soins, identifient la fonction exécutée par l'utilisateur (création d'un dossier, lecture d'un dossier, mise à jour d'un dossier, etc.) et enregistrent la date et l'heure auxquelles la fonction a été exécutée.
Le présent document ne couvre que les actions effectuées sur le dossier de santé informatisé, qui sont régies par une politique d'accès propre au domaine dans lequel s'inscrit le dossier de santé informatisé. Il ne traite d'aucune information personnelle de santé issue de dossiers de santé informatisés, à l'exception des identifiants, les enregistrements d'audit ne contenant que des liens pointant vers des segments du DSI, tels que définis par la politique d'accès applicable.
Le présent document ne couvre pas non plus la spécification et l'utilisation des journaux d'audit à des fins de gestion et de sécurité du système, par exemple, la détection des problèmes de performance, des failles au niveau des applications, ou le support de reconstruction des données, qui sont traités par les normes de sécurité informatique générales, telles que l'ISO/IEC 15408 (toutes les parties)[9].
L'Annexe A donne des exemples de scénarios d'audit. L'Annexe B donne un aperçu des services de journal d'audit.

Zdravstvena informatika - Revizijske sledi za elektronske zdravstvene zapise (ISO 27789:2021)

General Information

Status
Published
Public Enquiry End Date
18-Jun-2020
Publication Date
14-Nov-2021
Technical Committee
Current Stage
6060 - National Implementation/Publication (Adopted Project)
Start Date
04-Nov-2021
Due Date
09-Jan-2022
Completion Date
15-Nov-2021

Relations

Buy Standard

Standard
EN ISO 27789:2021
English language
56 pages
sale 10% off
Preview
sale 10% off
Preview
e-Library read for
1 day
Draft
prEN ISO 27789:2020 - BARVE
English language
50 pages
sale 10% off
Preview
sale 10% off
Preview
e-Library read for
1 day

Standards Content (Sample)

SLOVENSKI STANDARD
SIST EN ISO 27789:2021
01-december-2021
Nadomešča:
SIST EN ISO 27789:2013
Zdravstvena informatika - Revizijske sledi za elektronske zdravstvene zapise (ISO
27789:2021)
Health informatics -- Audit trails for electronic health records (ISO 27789:2021)
Medizinische Informatik - Audit-Trails für elektronische Gesundheitsakten (ISO
27789:2021)
Informatique de santé -- Historique d'expertise des dossiers de santé informatisés (ISO
27789:2021)
Ta slovenski standard je istoveten z: EN ISO 27789:2021
ICS:
35.240.80 Uporabniške rešitve IT v IT applications in health care
zdravstveni tehniki technology
SIST EN ISO 27789:2021 en,fr,de
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

---------------------- Page: 1 ----------------------
SIST EN ISO 27789:2021

---------------------- Page: 2 ----------------------
SIST EN ISO 27789:2021


EN ISO 27789
EUROPEAN STANDARD

NORME EUROPÉENNE

October 2021
EUROPÄISCHE NORM
ICS 35.240.80 Supersedes EN ISO 27789:2013
English Version

Health informatics - Audit trails for electronic health
records (ISO 27789:2021)
Informatique de santé - Historique d'expertise des Medizinische Informatik - Audit-Trails für
dossiers de santé informatisés (ISO 27789:2021) elektronische Gesundheitsakten (ISO 27789:2021)
This European Standard was approved by CEN on 15 August 2021.

CEN members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this
European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical references
concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to any CEN
member.

This European Standard exists in three official versions (English, French, German). A version in any other language made by
translation under the responsibility of a CEN member into its own language and notified to the CEN-CENELEC Management
Centre has the same status as the official versions.

CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia,
Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway,
Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and
United Kingdom.





EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION

EUROPÄISCHES KOMITEE FÜR NORMUNG

CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels
© 2021 CEN All rights of exploitation in any form and by any means reserved Ref. No. EN ISO 27789:2021 E
worldwide for CEN national Members.

---------------------- Page: 3 ----------------------
SIST EN ISO 27789:2021
EN ISO 27789:2021 (E)
Contents Page
European foreword . 3

2

---------------------- Page: 4 ----------------------
SIST EN ISO 27789:2021
EN ISO 27789:2021 (E)
European foreword
This document (EN ISO 27789:2021) has been prepared by Technical Committee ISO/TC 215 "Health
informatics" in collaboration with Technical Committee CEN/TC 251 “Health informatics” the
secretariat of which is held by NEN.
This European Standard shall be given the status of a national standard, either by publication of an
identical text or by endorsement, at the latest by April 2022, and conflicting national standards shall be
withdrawn at the latest by April 2022.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CEN shall not be held responsible for identifying any or all such patent rights.
This document supersedes EN ISO 27789:2013.
Any feedback and questions on this document should be directed to the users’ national standards
body/national committee. A complete listing of these bodies can be found on the CEN website.
According to the CEN-CENELEC Internal Regulations, the national standards organizations of the
following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria,
Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland,
Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of
North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the
United Kingdom.
Endorsement notice
The text of ISO 27789:2021 has been approved by CEN as EN ISO 27789:2021 without any modification.


3

---------------------- Page: 5 ----------------------
SIST EN ISO 27789:2021

---------------------- Page: 6 ----------------------
SIST EN ISO 27789:2021
INTERNATIONAL ISO
STANDARD 27789
Second edition
2021-10
Health informatics — Audit trails for
electronic health records
Informatique de santé — Historique d'expertise des dossiers de santé
informatisés
Reference number
ISO 27789:2021(E)
© ISO 2021

---------------------- Page: 7 ----------------------
SIST EN ISO 27789:2021
ISO 27789:2021(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO 2021
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii
  © ISO 2021 – All rights reserved

---------------------- Page: 8 ----------------------
SIST EN ISO 27789:2021
ISO 27789:2021(E)
Contents Page
Foreword .v
Introduction . vi
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Abbreviated terms . 5
5 Requirements and uses of audit data.5
5.1 Ethical and formal requirements . 5
5.1.1 General . 5
5.1.2 Access policy . 5
5.1.3 Unambiguous identification of information system users. 6
5.1.4 User roles . 6
5.1.5 Secure audit records . 6
5.2 Uses of audit data . 6
5.2.1 Governance and supervision . 6
5.2.2 Subjects of care exercising their rights . 7
5.2.3 Evidence and retention requirements . 7
6 Trigger events . 7
6.1 General . 7
6.2 Details of the event types and their contents . 8
6.2.1 Access events to the personal health information . 8
6.2.2 Query events to the personal health information . 8
7 Audit record details . 8
7.1 The general record format . 8
7.2 Trigger event identification . . . 10
7.2.1 Event ID . 10
7.2.2 Event action code . 11
7.2.3 Event date and time . 11
7.2.4 Event outcome indicator .12
7.2.5 Event type code .12
7.3 User identification .12
7.3.1 User ID . 12
7.3.2 Alternative user ID .13
7.3.3 User name .13
7.3.4 User is requestor .13
7.3.5 Role ID code . 13
7.3.6 Purpose of use . 14
7.4 Access point identification .15
7.4.1 Network access point type code . 15
7.4.2 Network access point ID . 16
7.5 Audit source identification . 16
7.5.1 Overview . 16
7.5.2 Audit enterprise site ID . 17
7.5.3 Audit source ID . . . 17
7.5.4 Audit source type code . 17
7.6 Participant object identification . 18
7.6.1 Overview . 18
7.6.2 Participant object type code . 19
7.6.3 Participant object type code role . 19
7.6.4 Participant object data life cycle and record entry lifecycle events .20
7.6.5 Participant object ID type code . 22
7.6.6 Participant object Permission PolicySet . 23
iii
© ISO 2021 – All rights reserved

---------------------- Page: 9 ----------------------
SIST EN ISO 27789:2021
ISO 27789:2021(E)
7.6.7 Participant object sensitivity . 23
7.6.8 Participant object ID . 24
7.6.9 Participant object name . 24
7.6.10 Participant object query . 24
7.6.11 Participant object detail, Participant object description . 24
8 Audit records for individual events .25
8.1 Access events . 25
8.2 Query events . 26
9 Secure management of audit data .28
9.1 Security considerations .28
9.2 Securing the availability of the audit system .28
9.3 Retention requirements .29
9.4 Securing the confidentiality and integrity of audit trails .29
9.5 Access to audit data .29
Annex A (informative) Audit scenarios .30
Annex B (informative) Audit log services .36
Bibliography .45
iv
  © ISO 2021 – All rights reserved

---------------------- Page: 10 ----------------------
SIST EN ISO 27789:2021
ISO 27789:2021(E)
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to
the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see
www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/TC 215, Health informatics, in collaboration
with the European Committee for Standardization (CEN) Technical Committee CEN/TC 251, Health
informatics, in accordance with the Agreement on technical cooperation between ISO and CEN (Vienna
Agreement).
This second edition cancels and replaces the first edition (ISO 27789: 2013), which has been technically
revised.
The main changes are as follows:
— harmonization between audit record format and DICOM format;
— review of the content in Annex A;
— review of the chart in Annex B;
— bibliography update.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html.
v
© ISO 2021 – All rights reserved

---------------------- Page: 11 ----------------------
SIST EN ISO 27789:2021
ISO 27789:2021(E)
Introduction
0.1  General
Personal health information is regarded by many as among the most confidential of all types of personal
information and protecting its confidentiality is essential to maintain the privacy of subjects of care. In
order to protect the consistency of health information, it is also important that its entire life cycle be
fully auditable. Health records should be created, processed and managed in ways that guarantee the
integrity and confidentiality of their contents and that support legitimate control by subjects of care in
how the records are created, used and maintained.
Trust in electronic health records requires physical and technical security elements along with data
integrity elements. Among the most important of all security requirements to protect personal health
information and the integrity of records are those relating to audit and logging. These help to ensure
accountability for subjects of care who entrust their information to electronic health record (EHR)
systems. They also help to protect record integrity, as they provide a strong incentive to users of such
systems to conform to organizational policies on the use of these systems.
Effective audit and logging can help to uncover misuse of EHR systems or EHR data and can help
organisations and subjects of care obtain redress against users abusing their access privileges. For
auditing to be effective, it is necessary that audit trails contain sufficient information to address a wide
variety of circumstances (see Annex A).
Audit logs are complementary to access controls. The audit logs provide a means to assess conformity
with organizational access policy and can contribute to improving and refining the policy itself. But as
such a policy needs to anticipate the occurrence of unforeseen or emergency cases, analysis of the audit
logs becomes the primary means of ensuring access control for those cases.
This document is strictly limited in scope to logging of events. Changes to data values in fields of
an EHR are presumed to be recorded in the EHR database system itself and not in the audit log. It is
presumed that the EHR system itself contains both the previous and updated values of every field. This
is consistent with contemporary point-in-time database architectures. The audit log itself is presumed
to contain no personal health information other than identifiers and links to the record.
Electronic health records on an individual person can reside in many different information systems
within and across organisational or even jurisdictional boundaries. To keep track of all actions that
involve records on a particular subject of care, a common framework is a prerequisite. This document
provides such a framework. To support audit trails across distinct domains, it is essential to include
references in this framework to the policies that specify the requirements within the domain,
such as access control rules and retention periods. Domain policies may be referenced implicitly by
identification of the audit log source.
0.2 Benefits of using this document
Standardization of audit trails on access to electronic health records aims at two goals:
— ensuring that information captured in an audit log is sufficient to clearly reconstruct a detailed
chronology of the events that have shaped the content of an electronic health record;
— ensuring that an audit trail of actions relating to a subject of care’s record can be reliably followed,
even across organizational domains.
This document is intended for those responsible for overseeing health information security or privacy
and for healthcare organizations and other custodians of health information seeking guidance on audit
trails, together with their security advisors, consultants, auditors, vendors and third-party service
providers.
0.3  Related standards on electronic health record audit trails
vi
  © ISO 2021 – All rights reserved

---------------------- Page: 12 ----------------------
SIST EN ISO 27789:2021
ISO 27789:2021(E)
This document builds upon, and is consistent with, the work begun in RFC 3881 with respect to access
to the EHR. This document also builds upon and is consistent with the content in ISO/TS 21089:2018.
vii
© ISO 2021 – All rights reserved

---------------------- Page: 13 ----------------------
SIST EN ISO 27789:2021

---------------------- Page: 14 ----------------------
SIST EN ISO 27789:2021
INTERNATIONAL STANDARD ISO 27789:2021(E)
Health informatics — Audit trails for electronic health
records
1 Scope
This document specifies a common framework for audit trails for electronic health records (EHR), in
terms of audit trigger events and audit data, to keep the complete set of personal health information
auditable across information systems and domains.
It is applicable to systems processing personal health information that create a secure audit record
each time a user reads, creates, updates, or archives personal health information via the system.
NOTE Such audit records at a minimum uniquely identify the user, uniquely identify the subject of care,
identify the function performed by the user (record creation, read, update, etc.), and record the date and time at
which the function was performed.
This document covers only actions performed on the EHR, which are governed by the access policy
for the domain where the electronic health record resides. It does not deal with any personal health
information from the electronic health record, other than identifiers, the audit record only containing
links to EHR segments as defined by the governing access policy.
It does not cover the specification and use of audit logs for system management and system
security purposes, such as the detection of performance problems, application flaw, or support for
a reconstruction of data, which are dealt with by general computer security standards such as ISO/
[9]
IEC 15408 (all parts) .
Annex A gives examples of audit scenarios. Annex B gives an overview of audit log services.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO 27799:2016, Health informatics — Information security management in health using ISO/IEC 27002
ISO 8601-1, Date and time — Representations for information interchange — Part 1: Basic rules
ISO/TS 21089:2018, Health informatics — Trusted end-to-end information flows
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/TS 21089:2018 and the
following terms and definitions apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https:// www .iso .org/ obp
— IEC Electropedia: available at https:// www .electropedia .org/
1
© ISO 2021 – All rights reserved

---------------------- Page: 15 ----------------------
SIST EN ISO 27789:2021
ISO 27789:2021(E)
3.1
access control
means to ensure that access to assets is authorized and restricted based on business and security
requirements
[SOURCE: ISO/IEC 27000:2018, 3.1]
3.2
access policy
definition of the obligations for authorizing access to a resource
3.3
accountability
obligation of an individual or organization to account for its activities, for completion of a deliverable
or task, accept responsibility for those activities, deliverables or tasks, and to disclose the results in a
transparent manner
[SOURCE: ISO/TS 21089:2018, 3.3.1]
3.4
agent
entity that takes programmed actions, such as software or a device
[SOURCE: ISO/TS 21089:2018, 3.6.4]
3.5
alert
what is sent when the monitor service notices that a series of events matches a pattern
3.6
audit
independent review and examination of records and activities to assess the adequacy of system
controls, to ensure compliance with established policies and operat
...

SLOVENSKI STANDARD
oSIST prEN ISO 27789:2020
01-junij-2020
Zdravstvena informatika - Revizijske sledi za elektronske zdravstvene zapise
(ISO/DIS 27789:2020)
Health informatics -- Audit trails for electronic health records (ISO/DIS 27789:2020)
Medizinische Informatik - Audit-Trails für elektronische Gesundheitsakten (ISO/DIS
27789:2020)
Informatique de santé -- Historique d'expertise des dossiers de santé informatisés
(ISO/DIS 27789:2020)
Ta slovenski standard je istoveten z: prEN ISO 27789
ICS:
35.240.80 Uporabniške rešitve IT v IT applications in health care
zdravstveni tehniki technology
oSIST prEN ISO 27789:2020 en,fr,de
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

---------------------- Page: 1 ----------------------
oSIST prEN ISO 27789:2020

---------------------- Page: 2 ----------------------
oSIST prEN ISO 27789:2020
DRAFT INTERNATIONAL STANDARD
ISO/DIS 27789
ISO/TC 215 Secretariat: ANSI
Voting begins on: Voting terminates on:
2020-04-17 2020-07-10
Health informatics — Audit trails for electronic health
records
Informatique de santé — Historique d'expertise des dossiers de santé informatisés
ICS: 35.240.80
THIS DOCUMENT IS A DRAFT CIRCULATED
This document is circulated as received from the committee secretariat.
FOR COMMENT AND APPROVAL. IT IS
THEREFORE SUBJECT TO CHANGE AND MAY
NOT BE REFERRED TO AS AN INTERNATIONAL
STANDARD UNTIL PUBLISHED AS SUCH.
IN ADDITION TO THEIR EVALUATION AS
ISO/CEN PARALLEL PROCESSING
BEING ACCEPTABLE FOR INDUSTRIAL,
TECHNOLOGICAL, COMMERCIAL AND
USER PURPOSES, DRAFT INTERNATIONAL
STANDARDS MAY ON OCCASION HAVE TO
BE CONSIDERED IN THE LIGHT OF THEIR
POTENTIAL TO BECOME STANDARDS TO
WHICH REFERENCE MAY BE MADE IN
Reference number
NATIONAL REGULATIONS.
ISO/DIS 27789:2020(E)
RECIPIENTS OF THIS DRAFT ARE INVITED
TO SUBMIT, WITH THEIR COMMENTS,
NOTIFICATION OF ANY RELEVANT PATENT
RIGHTS OF WHICH THEY ARE AWARE AND TO
©
PROVIDE SUPPORTING DOCUMENTATION. ISO 2020

---------------------- Page: 3 ----------------------
oSIST prEN ISO 27789:2020
ISO/DIS 27789:2020(E)

COPYRIGHT PROTECTED DOCUMENT
© ISO 2020
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO 2020 – All rights reserved

---------------------- Page: 4 ----------------------
oSIST prEN ISO 27789:2020
ISO/DIS 27789:2020(E)

Contents Page
Foreword .v
Introduction .vi
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Symbols and abbreviated terms . 5
5 Requirements and uses of audit data . 5
5.1 Ethical and formal requirements . 5
5.1.1 General. 5
5.1.2 Access policy. 5
5.1.3 Unambiguous identification of information system users . 5
5.1.4 User roles . 5
5.1.5 Secure audit records . 6
5.2 Uses of audit data . 6
5.2.1 Governance and supervision . 6
5.2.2 Subjects of care exercising their rights . 6
5.2.3 Healthcare provider's ethical or legal proof of action . 6
6 Trigger events . 7
6.1 General . 7
6.2 Details of the event types and their contents . 7
6.2.1 Access events to the personal health information . 7
6.2.2 Query events to the personal health information . 8
7 Audit record details . 8
7.1 The general record format . 8
7.2 Trigger event identification . 9
7.2.1 Event ID . . . 9
7.2.2 Event action code .10
7.2.3 Event date and time . .10
7.2.4 Event outcome indicator .11
7.2.5 Event type code .11
7.3 User identification . .11
7.3.1 User ID .11
7.3.2 Alternative user ID .12
7.3.3 User name .12
7.3.4 User is requestor .12
7.3.5 Role ID code .12
7.3.6 Purpose of use .13
7.4 Access point identification .15
7.4.1 Network access point type code .15
7.4.2 Network access point ID .15
7.5 Audit source identification .15
7.5.1 Overview .15
7.5.2 Audit enterprise site ID .16
7.5.3 Audit source ID .16
7.5.4 Audit source type code .16
7.6 Participant object identification .17
7.6.1 Overview .17
7.6.2 Participant object type code .18
7.6.3 Participant object type code role .18
7.6.4 Participant object data life cycle .19
7.6.5 Participant object ID type code .20
7.6.6 Participant object Permission PolicySet .21
© ISO 2020 – All rights reserved iii

---------------------- Page: 5 ----------------------
oSIST prEN ISO 27789:2020
ISO/DIS 27789:2020(E)

7.6.7 Participant object sensitivity .21
7.6.8 Participant object ID .21
7.6.9 Participant object name .21
7.6.10 Participant object query .21
7.6.11 Participant object detail .22
8 Audit records for individual events .22
8.1 Access events .22
8.2 Query events .24
9 Secure management of audit data .26
9.1 Security considerations .26
9.2 Securing the availability of the audit system .26
9.3 Retention requirements .26
9.4 Securing the confidentiality and integrity of audit trails .26
9.5 Access to audit data .27
Annex A (informative) Audit scenarios .28
Annex B (informative) Audit log services .34
Bibliography .43
iv © ISO 2020 – All rights reserved

---------------------- Page: 6 ----------------------
oSIST prEN ISO 27789:2020
ISO/DIS 27789:2020(E)

Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of technical committees is to prepare International Standards. Draft International
Standards adopted by the technical committees are circulated to the member bodies for voting.
Publication as an International Standard requires approval by at least 75 % of the member bodies
casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights.
ISO 27789 was prepared by Technical Committee ISO/TC 215, Health informatics,.
This second edition cancels and replaces the first edition (ISO/TS 27789:2013), which has been
technically revised.
The main changes compared to the previous edition are as follows:
— update ISO27799 chapter titles to the latest
— match between audit record format and DICOM format
— review the content of Annex A audit scenarios
— review the chart of Annex B audit log services
— update bibliography.
© ISO 2020 – All rights reserved v

---------------------- Page: 7 ----------------------
oSIST prEN ISO 27789:2020
ISO/DIS 27789:2020(E)

Introduction
0.1  General
Personal health information is regarded by many as among the most confidential of all types of
personal information and protecting its confidentiality is essential if the privacy of subjects of care is
to be maintained. In order to protect the consistency of health information, it is also important that its
entire life cycle be fully auditable. Health records should be created, processed and managed in ways
that guarantee the integrity and confidentiality of their contents and that support legitimate control by
subjects of care in how the records are created, used and maintained.
Trust in electronic health records requires physical and technical security elements along with data
integrity elements. Among the most important of all security requirements to protect personal health
information and the integrity of records are those relating to audit and logging. These help to ensure
accountability for subjects of care who entrust their information to electronic health record (EHR)
systems. They also help to protect record integrity, as they provide a strong incentive to users of such
systems to conform to organizational policies on the use of these systems.
Effective audit and logging can help to uncover misuse of EHR systems or EHR data and can help
organisations and subjects of care obtain redress against users abusing their access privileges. For
auditing to be effective, it is necessary that audit trails contain sufficient information to address a wide
variety of circumstances (see Annex A).
Audit logs are complementary to access controls. The audit logs provide a means to assess compliance
with organizational access policy and can contribute to improving and refining the policy itself. But as
such a policy has to anticipate the occurrence of unforeseen or emergency cases, analysis of the audit
logs becomes the primary means of ensuring access control for those cases.
This document is strictly limited in scope to logging of events. Changes to data values in fields of
an EHR are presumed to be recorded in the EHR database system itself and not in the audit log. It is
presumed that the EHR system itself contains both the previous and updated values of every field. This
is consistent with contemporary point-in-time database architectures. The audit log itself is presumed
to contain no personal health information other than identifiers and links to the record.
Electronic health records on an individual person may reside in many different information systems
within and across organisational or even jurisdictional boundaries. To keep track of all actions that
involve records on a particular subject of care, a common framework is a prerequisite. This document
provides such a framework. To support audit trails across distinct domains it is essential to include
references in this framework to the policies that specify the requirements within the domain,
such as access control rules and retention periods. Domain policies may be referenced implicitly by
identification of the audit log source.
0.2 Benefits of using this document
Standardization of audit trails on access to electronic health records aims at two goals:
— ensuring that information captured in an audit log is sufficient to clearly reconstruct a detailed
chronology of the events that have shaped the content of an electronic health record, and
— ensuring that an audit trail of actions relating to a subject of care’s record can be reliably followed,
even across organizational domains.
This document is intended for those responsible for overseeing health information security or privacy
and for healthcare organizations and other custodians of health information seeking guidance on audit
trails, together with their security advisors, consultants, auditors, vendors and third-party service
providers.
vi © ISO 2020 – All rights reserved

---------------------- Page: 8 ----------------------
oSIST prEN ISO 27789:2020
ISO/DIS 27789:2020(E)

0.3  Comparison with related standards on electronic health record audit trails
This document conforms to the requirements of ISO 27799, Health informatics — Security management
in health using ISO/IEC 27002, insofar as they relate to auditing and audit trails.
Some readers may be familiar with Internet Engineering Task Force (IETF) Request for Comment (RFC)
3881 Security Audit and Access Accountability Message XML Data Definitions for Healthcare Applications.
[13]
(Readers not already familiar with IETF RFC 3881 need not refer to that document, as familiarity
with it is not required to understand this document). Informational RFC 3881, dated 2004-09 and no
longer listed as active in the IETF database, was an early and useful attempt at specifying the content of
audit logs for healthcare. To the extent possible, this document builds upon, and is consistent with, the
work begun in RFC 3881 with respect to access to the EHR.
0.4  A note on terminology
Several closely related terms are defined in Clause 3 (Terms and definitions). An audit log is a
chronological sequence of audit records; each audit record contains evidence of directly pertaining
to and resulting from the execution of a process or system function. As EHR systems can be complex
aggregations of systems and databases, there may be more than one audit log containing information
on system events that have altered a subject of care’s EHR. Although the terms audit trail and audit log
are often used interchangeably, in this document the term audit trail refers to the collection of all audit
records from one or more audit logs that refer to a specific subject of care or specific electronic health
record or specific user. An audit system provides all the information processing functions necessary to
maintain one or more audit logs.
© ISO 2020 – All rights reserved vii

---------------------- Page: 9 ----------------------
oSIST prEN ISO 27789:2020

---------------------- Page: 10 ----------------------
oSIST prEN ISO 27789:2020
DRAFT INTERNATIONAL STANDARD ISO/DIS 27789:2020(E)
Health informatics — Audit trails for electronic health
records
1 Scope
This document specifies a common framework for audit trails for electronic health records (EHR), in
terms of audit trigger events and audit data, to keep the complete set of personal health information
auditable across information systems and domains.
It is applicable to systems processing personal health information which, complying with ISO 27799,
create a secure audit record each time a user accesses, creates, updates, or archives personal health
information via the system.
NOTE Such audit records at minimum uniquely identify the user, uniquely identify the subject of care,
identify the function performed by the user (record creation, access, update, etc.), and record the date and time at
which the function was performed.
This document covers only actions performed on the EHR, which are governed by the access policy
for the domain where the electronic health record resides. It does not deal with any personal health
information from the electronic health record, other than identifiers, the audit record only containing
links to EHR segments as defined by the governing access policy.
It does not cover the specification and use of audit logs for system management and system
security purposes, such as the detection of performance problems, application flaw, or support
for a reconstruction of data, which are dealt with by general computer security standards such as
[9]
ISO/IEC 15408 .
Annex A gives examples of audit scenarios. Annex B gives an overview of audit log services.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
ISO 27799:2016, Health informatics — Information security management in health using ISO/IEC 27002
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https:// www .iso .org/ obp
— IEC Electropedia: available at http:// www .electropedia .org/
3.1
access control
means to ensure that access to assets is authorized and restricted based on business and security
requirements
[SOURCE: ISO/IEC 27000:2009, definition 2.1]
© ISO 2020 – All rights reserved 1

---------------------- Page: 11 ----------------------
oSIST prEN ISO 27789:2020
ISO/DIS 27789:2020(E)

3.2
access policy
definition of the obligations for authorizing access to a resource
3.3
accountability
principle that individuals, organizations, and the community are responsible for their actions and may
be required to explain them to others
[SOURCE: ISO 15489-1:2001, definition 3.2]
3.4
audit
systematic and independent examination of accesses, additions, or alterations to electronic health
records to determine whether the activities were conducted, and the data were collected, used, retained
or disclosed according to organizational standard operating procedures, policies, good clinical practice,
and applicable regulatory requirement(s).
3.5
audit archive
archival collection of one or more audit logs
3.6
audit data
data obtained from one or more audit records
3.7
audit log
chronological sequence of audit records, each of which contains data about a specific event
3.8
audit record
record of a single specific event in the life cycle of an electronic health record
3.9
audit system
information processing system that maintains one or more audit logs
3.10
audit trail
collection of audit records from one or more audit logs relating to a specific subject of care or a specific
electronic health record
3.11
authentication
provision of assurance that a claimed characteristic of an entity is correct
[SOURCE: ISO/IEC 27000:2009, definition 2.5]
3.12
authorization
granting of privileges, which includes the granting of privileges to access data and functions
Note 1 to entry: derived from ISO 7498-2: the granting of rights, which includes the granting of access based on
access rights
3.13
authority
entity responsible for issuing certificates
2 © ISO 2020 – All rights reserved

---------------------- Page: 12 ----------------------
oSIST prEN ISO 27789:2020
ISO/DIS 27789:2020(E)

3.14
availability
property of being accessible and useable upon demand by an authorized entity
[SOURCE: ISO/IEC 27000:2009, definition 2.7]
3.15
confidentiality
property that information is not made available or disclosed to unauthorized individuals, entities, or
processes
[SOURCE: ISO/IEC 27000:2009, definition 2.9]
3.16
Coordinated Universal Time
UTC
time scale which format the basis of a coordinated radio dissemination of standard frequencies and
time signals; it corresponds exactly in rate with international atomic time, but differs from it by an
integral number of seconds
[SOURCE: IEC 60050-713:1998]
3.17
data integrity
property that data have not been altered or destroyed in an unauthorized manner
[SOURCE: ISO 7498-2:1989, definition 3.3.21]
3.18
electronic health record
EHR
comprehensive, structured set of clinical, demographic, environmental, social, and financial data in
electronic form, documenting the health caregiven to a single individual
[SOURCE: ASTM E 1769:1995]
3.19
EHR segment
part of an EHR that constitutes a distinct resource for the access policy
3.20
identification
performance of tests to enable a data processing system to recognize entities
[SOURCE: ISO/IEC 2382-8:1998, definition 08.04.12 (as identity authentication, identity validation)]
3.21
identifier
piece of information used to claim an identity, before a potential corroboration by a corresponding
authenticator
3.22
information security
preservation of confidentiality, integrity and availability of information
[SOURCE: ISO/IEC 27000:2009, definition 2.19]
3.23
integrity
property of protecting the accuracy and completeness of assets
[SOURCE: ISO/I
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.