ISO/TC 215/WG 4 - Security, Safety and Privacy

This document defines the set of frameworks of consent for the collection, use and/or disclosure of personal information by healthcare practitioners or organizations that are frequently used to obtain agreement to process the personal health information of subjects of care. This is in order to provide an informational consent framework which can be specified and used by individual policy domains (e.g. healthcare organizations, regional health authorities, jurisdictions, countries) as an aid to the consistent management of information in the delivery of healthcare services and the communication of electronic health records across organizational and jurisdictional boundaries. This document is applicable to Personal Health Information (PHI). Good practice requirements are specified for each framework of informational consent. Adherence to these requirements is intended to ensure any subject of care and any parties that process personal health information that their agreement to do so has been properly obtained and correctly specified. The document is intended to be used to inform: — discussion of national or jurisdictional informational consent policies; — ways in which individuals and the public are informed about how personal health information is processed within organizations providing health services and health systems; — how to judge the adequacy of the information provided when seeking informational consent; — design of both paper and electronic informational consent declaration forms; — design of those portions of electronic privacy policy services and security services that regulate access to personal health data; — working practices of organizations and personnel who obtain or comply with consent for processing personal health information. The document does not: — address the granting of consent to the delivery of healthcare-related treatment and care. Consent to the delivery of care or treatment has its own specific requirements, and is distinct from informational consent. — specify what consent framework is applicable to a data classification or data purpose as this can vary according to law or policy, although an examples of implementation profile is provided in Annex B; — specify the data format used when consent status is communicated. The focus is on the information characteristics of consent, and not the technology or medium in which the characteristics are instantiated; — specify how individuals giving Informed Consent come to be informed of the responsibilities, obligations and consequences related to granting consent; — specify requirements on how individuals are informed of the specifics of the data, data sharing or data processing concerned; — specify requirements on how consent itself or the specific activities of the consent process are recorded. Specific requirements on recording consent in EHR systems are given in ISO/TS 14441:2013, 5.3.2; — specify any information security requirements, e.g. the use of encryption or specific forms of user authentication (see e.g. ISO 27799).

This document specifies a numbering system and registration procedure for identifying both healthcare application providers and health card holders in order to exchange information through the use of cards issued for healthcare services. This document focuses on the machine-readable cards of ID-1 type defined in ISO/IEC 7810 that are issued for healthcare services provided in a service area that crosses the national borders of two or more countries/areas. This document applies to healthcare data cards where the issuer and the application provider are the same party. This document applies directly, or refers, to existing International Standards for physical characteristics and recording techniques. Security issues follow the requirements of each healthcare data card system.

This document specifies a common framework for audit trails for electronic health records (EHR), in terms of audit trigger events and audit data, to keep the complete set of personal health information auditable across information systems and domains. It is applicable to systems processing personal health information that create a secure audit record each time a user reads, creates, updates, or archives personal health information via the system. NOTE Such audit records at a minimum uniquely identify the user, uniquely identify the subject of care, identify the function performed by the user (record creation, read, update, etc.), and record the date and time at which the function was performed. This document covers only actions performed on the EHR, which are governed by the access policy for the domain where the electronic health record resides. It does not deal with any personal health information from the electronic health record, other than identifiers, the audit record only containing links to EHR segments as defined by the governing access policy. It does not cover the specification and use of audit logs for system management and system security purposes, such as the detection of performance problems, application flaw, or support for a reconstruction of data, which are dealt with by general computer security standards such as ISO/IEC 15408 (all parts)[9]. Annex A gives examples of audit scenarios. Annex B gives an overview of audit log services.

This document provides an overview of security and privacy considerations for Electronic Health Records (EHR) in a cloud computing service that users can leverage when selecting a service provider.

This document gives guidelines for certificate management issues involved in deploying digital certificates in healthcare. It specifies a structure and minimum requirements for certificate policies, as well as a structure for associated certification practice statements. This document also identifies the principles needed in a healthcare security policy for cross-border communication and defines the minimum levels of security required, concentrating on aspects unique to healthcare.

This document defines the basic concepts underlying the use of digital certificates in healthcare and provides a scheme of interoperability requirements to establish a digital certificate-enabled secure communication of health information. It also identifies the major stakeholders who are communicating health-related information, as well as the main security services required for health communication where digital certificates can be required. This document gives a brief introduction to public key cryptography and the basic components needed to deploy digital certificates in healthcare. It further introduces different types of digital certificates — identity certificates and associated attribute certificates for relying parties, self-signed certification authority (CA) certificates, and CA hierarchies and bridging structures.

This document gives a guideline for implementation of an ISMS by showing practical examples of risk analysis on remote maintenance services (RMS) for information systems in healthcare facilities (HCFs) as provided by vendors of medical devices or health information systems in order to protect both sides' information assets (primarily the information system itself and personal health data) in a safe and efficient (i.e. economical) manner. This document consists of: — application of ISMS to RMS; — security management measures for RMS; — an example of the evaluation and effectiveness based on the "controls" defined in the ISMS.

This document supports interchangeability of digital signatures and the prevention of incorrect or illegal digital signatures by providing minimum requirements and formats for generating and verifying digital signatures and related certificates. This document describes the common technical, operational, and policy requirements that need to be addressed to enable digital certificates to be used in protecting the exchange of healthcare information within a single domain, between domains, and across jurisdictional boundaries. Its purpose is to create a platform for global interoperability. It specifically supports digital certificate enabled communication across borders but could also provide guidance for the national or regional deployment of digital certificates in healthcare. It defines the provable compliance with a PKI policy necessary in the domain of healthcare. This document specifies a method of adopting long-term signature formats to ensure integrity and non-repudiation in long-term electronic preservation of healthcare information. This document provides Healthcare specific PKI (HPKI) profiles of digital signature based on the ETSI Standard and the profile of the ISO/ETSI Standard specified in CAdES, XAdES, and PAdES.

The document gives guidance for managing healthcare service security using connectable personal health devices. This document considers unidirectional data uploading from the PHD to the gateway (manager device), however, there are many clinical use cases for bidirectional data exchange. This document is applicable to identification and authentication between the bidirectionally connected PHDs and gateway by providing possible use cases and the associated threats and vulnerabilities. Since some smart devices with mobile healthcare apps and software might connect to the healthcare service network, these devices will be considered connectable PHDs in this document. This document addresses those devices used in a homecare setting, where the knowledge and capabilities regarding the use of PHDs might not be as advanced as in other healthcare settings. This document excludes specific protocols, methods and technical solutions for identification and authentication.

This document focuses on remote maintenance services (RMS) for information systems in healthcare facilities (HCFs) as provided by vendors of medical devices and health information systems. This document specifies the risk assessment necessary to protect remote maintenance activities, taking into consideration the special characteristics of the healthcare field such as patient safety, regulations and privacy protections. This document provides practical examples of risk analysis to protect both the HCF and RMS provider information assets in a safe and efficient (i.e. economical) manner. These assets are primarily the information system itself and personal health data held in the information system.

This document describes a methodology for specifying the privileges necessary to access EHR data. This methodology forms part of the overall EHR communications architecture defined in ISO 13606-1. This document seeks to address those requirements uniquely pertaining to EHR communications and to represent and communicate EHR-specific information that will inform an access decision. It also refers to general security requirements that apply to EHR communications and points at technical solutions and standards that specify details on services meeting these security needs. NOTE Security requirements for EHR systems not related to the communication of EHRs are outside the scope of this document.

This document provides a model framework for improving the surveillance and reporting of events with respect to the safety of health software. This document defines those data elements needed for identification of particular events including incidents, near-misses and unsafe conditions, as well as outlining good principles, relevant concepts and a process model for the recording, analysis and reporting of event-specific information related to the safety of health software.

ISO 17090-5:2017 defines the procedural requirements for validating an entity credential based on Healthcare PKI defined in the ISO 17090 series used in healthcare information systems including accessing remote systems. Authorization procedures and protocols are out of scope of this document. The data format of digital signatures is also out of scope of this document.

ISO/TR 18638:2017 specifies the essential educational components recommended to establish and deliver a privacy education program to support information privacy protection in healthcare organizations. The primary users of this document are those responsible for planning, establishing and delivering healthcare information privacy education to a healthcare organization. ISO/TR 18638:2017 provides the components of privacy education within the context of roles and job responsibilities. It is the responsibility of the organization to define and apply privacy protection policies and procedures and, in turn, ensure that all staff in the healthcare organization understands their privacy protection responsibilities. The scope of ISO/TR 18638:2017 covers: a) the concept of information privacy in healthcare; b) the challenges of protecting information practices in the healthcare organization; c) the components of a healthcare information privacy education program; d) basic health information privacy educational content.

ISO 21298:2017 defines a model for expressing functional and structural roles and populates it with a basic set of roles for international use in health applications. Roles are generally assigned to entities that are actors. This will focus on roles of persons (e.g. the roles of health professionals) and their roles in the context of the provision of care (e.g. subject of care). Roles can be structural (e.g. licensed general practitioner, non-licensed transcriptionist, etc.) or functional (e.g. a provider who is a member of a therapeutic team, an attending physician, prescriber, etc.). Structural roles are relatively static, often lasting for many years. They deal with relationships between entities expressed at a level of complex concepts. Functional roles are bound to the realization of actions and are highly dynamic. They are normally expressed at a decomposed level of fine-grained concepts. Roles addressed in this document are not restricted to privilege management purposes, though privilege management and access control is one of the applications of this document. This document does not address specifications related to permissions. This document treats the role and the permission as separate constructs. Further details regarding the relationship with permissions, policy, and access control are provided in ISO 22600.

ISO 25237:2017 contains principles and requirements for privacy protection using pseudonymization services for the protection of personal health information. This document is applicable to organizations who wish to undertake pseudonymization processes for themselves or to organizations who make a claim of trustworthiness for operations engaged in pseudonymization services. ISO 25237:2017 - defines one basic concept for pseudonymization (see Clause 5), - defines one basic methodology for pseudonymization services including organizational, as well as technical aspects (see Clause 6), - specifies a policy framework and minimal requirements for controlled re-identification (see Clause 7), - gives an overview of different use cases for pseudonymization that can be both reversible and irreversible (see Annex A), - gives a guide to risk assessment for re-identification (see Annex B), - provides an example of a system that uses de-identification (see Annex C), - provides informative requirements to an interoperability to pseudonymization services (see Annex D), and - specifies a policy framework and minimal requirements for trustworthy practices for the operations of a pseudonymization service (see Annex E).

ISO 21549-7:2016 applies to situations in which such data is recorded on or transported by patient healthcards compliant with the physical dimensions of ID-1 cards defined by ISO/IEC 7810. ISO 21549-7:2016 specifies the basic structure of the data contained within the medication data object, but does not specify or mandate particular data sets for storage on devices. The purpose of this document is for cards to provide information to other health professionals and to the patient or its non-professional caregiver. It can also be used to carry a new prescription from the prescriber to the dispenser/pharmacy in the design of its sets. Medication data include the following four components: - medication notes: additional information related to medication and the safe use of medicines by the patient such as medication history, sensitivities and allergies; - medication prescriptions: to carry a new prescription from the prescriber to the dispenser/pharmacy; - medication dispensed: the records of medications dispensed for the patient; - medication references: pointers to other systems that contain information that makes up medication prescription and the authority to dispense. The following topics are beyond the scope of this document: - physical or logical solutions for the practical functioning of particular types of data cards; - how the message is processed further "downstream" of the interface between two systems; - the form which the data takes for use outside the data card, or the way in which such data is visibly represented on the data card or elsewhere. NOTE Not only does the definition of "medicinal products" differ from country to country, but also the same name can relate to entirely different products in some countries. Therefore, it is important to consider the safety of the patient when the card is used across borders. ISO 21549-7:2016 describes and defines the Medication data objects used within or referenced by patient-held health data cards using UML, plain text and Abstract Syntax Notation (ASN.1). ISO 21549-7:2016 does not describe nor define the common objects defined within ISO 21549-2, even though they are referenced and utilized within this document.

ISO 27799:2016 gives guidelines for organizational information security standards and information security management practices including the selection, implementation and management of controls taking into consideration the organization's information security risk environment(s). It defines guidelines to support the interpretation and implementation in health informatics of ISO/IEC 27002 and is a companion to that International Standard. ISO 27799:2016 provides implementation guidance for the controls described in ISO/IEC 27002 and supplements them where necessary, so that they can be effectively used for managing health information security. By implementing ISO 27799:2016, healthcare organizations and other custodians of health information will be able to ensure a minimum requisite level of security that is appropriate to their organization's circumstances and that will maintain the confidentiality, integrity and availability of personal health information in their care. It applies to health information in all its aspects, whatever form the information takes (words and numbers, sound recordings, drawings, video, and medical images), whatever means are used to store it (printing or writing on paper or storage electronically), and whatever means are used to transmit it (by hand, through fax, over computer networks, or by post), as the information is always be appropriately protected. ISO 27799:2016 and ISO/IEC 27002 taken together define what is required in terms of information security in healthcare, they do not define how these requirements are to be met. That is to say, to the fullest extent possible, ISO 27799:2016 is technology-neutral. Neutrality with respect to implementing technologies is an important feature. Security technology is still undergoing rapid development and the pace of that change is now measured in months rather than years. By contrast, while subject to periodic review, International Standards are expected on the whole to remain valid for years. Just as importantly, technological neutrality leaves vendors and service providers free to suggest new or developing technologies that meet the necessary requirements that ISO 27799:2016 describes. As noted in the introduction, familiarity with ISO/IEC 27002 is indispensable to an understanding of ISO 27799:2016. The following areas of information security are outside the scope of ISO 27799:2016: a) methodologies and statistical tests for effective anonymization of personal health information; b) methodologies for pseudonymization of personal health information (see Bibliography for a brief description of a Technical Specification that deals specifically with this topic); c) network quality of service and methods for measuring availability of networks used for health informatics; d) data quality (as distinct from data integrity).

ISO 17090-2:2015 specifies the certificate profiles required to interchange healthcare information within a single organization, between different organizations and across jurisdictional boundaries. It details the use made of digital certificates in the health industry and focuses, in particular, on specific healthcare issues relating to certificate profiles.

ISO 22600 defines principles and specifies services needed for managing privileges and access control to data and/or functions. It focuses on communication and use of health information distributed across policy domain boundaries. This includes healthcare information sharing across unaffiliated providers of healthcare, healthcare organizations, health insurance companies, their patients, staff members, and trading partners by both individuals and application systems ranging from a local situation to a regional or even national situation. It specifies the necessary component-based concepts and is intended to support their technical implementation. It will not specify the use of these concepts in particular clinical process pathways. ISO 22600-2:2014 introduces the underlying paradigm of formal high-level models for architectural components. It is based on ISO/IEC 10746 (all parts) and introduces the domain model, the document model, the policy model, the role model, the authorization model, the delegation model, the control model, and the access control model.

ISO 22600 defines principles and specifies services needed for managing privileges and access control to data and/or functions. It focuses on communication and use of health information distributed across policy domain boundaries. This includes healthcare information sharing across unaffiliated providers of healthcare, healthcare organizations, health insurance companies, their patients, staff members, and trading partners by both individuals and application systems ranging from a local situation to a regional or even national situation. It specifies the necessary component-based concepts and is intended to support their technical implementation. It will not specify the use of these concepts in particular clinical process pathways. ISO 22600-3:2014 instantiates requirements for repositories for access control policies and requirements for privilege management infrastructures. It provides implementation examples of the formal models specified in ISO 22600‑2.

ISO 22600 defines principles and specifies services needed for managing privileges and access control to data and/or functions. It focuses on communication and use of health information distributed across policy domain boundaries. This includes healthcare information sharing across unaffiliated providers of healthcare, healthcare organizations, health insurance companies, their patients, staff members, and trading partners by both individuals and application systems ranging from a local situation to a regional or even national situation. It specifies the necessary component-based concepts and is intended to support their technical implementation. It will not specify the use of these concepts in particular clinical process pathways. ISO 22600-1:2014 proposes a template for the policy agreement. It enables the comparable documentation from all parties involved in the information exchange.

ISO 21549-3:2014 is applicable to situations in which limited clinical data are recorded on or transported by patient healthcards compliant with the physical dimensions of ID-1 cards defined by ISO/IEC 7810. ISO 21549-3:2014 describes and defines the limited clinical data objects used in or referenced by patient healthcards using UML, plain text and abstract syntax notation (ASN.1). ISO 21549-3:2014 specifies the basic structure of the data contained within the data object limited clinical data, but does not specify or mandate particular data sets for storage on devices.

ISO 21549-4:2014 is applicable to situations in which clinical data additional to the limited clinical data defined in ISO 21549‑3 is recorded on or transported by patient healthcare data cards compliant with the physical dimensions of ID-1 cards defined by ISO/IEC 7810. ISO 21549-4:2014 specifies the basic structure of the data contained within the data object extended clinical data, but does not specify or mandate particular data sets for storage on devices.

ISO 21549-2:2014 establishes a common framework for the content and the structure of common objects used to construct data held on patient healthcare data cards. It is also applicable to common objects referenced by other data objects. ISO 21549-2:2014 is applicable to situations in which such data is recorded on or transported by patient healthcards compliant with the physical dimensions of ID-1 cards defined by ISO/IEC 7810. ISO 21549-2:2014 specifies the basic structure of the data, but does not specify or mandate particular data-sets for storage on devices.

ISO 20301:2014 describes general characteristics of machine-readable cards used in the field of healthcare. This International Standard is designed to confirm the identities of both the healthcare application provider and the healthcare cardholder in order that information can be exchanged by using cards issued for healthcare service. This International Standard focuses on the machine-readable cards of ID-1 type defined in ISO/IEC 7810 that are issued for healthcare services provided in a service area that crosses the national borders of two or more countries/areas. This International Standard applies directly or refers to existing ISO standards for the physical characteristics and recording techniques. Security issues follow the requirements of each healthcare card system. In addition, this International Standard regulates the visual information written on the card.

ISO 22857:2013 provides guidance on data protection requirements to facilitate the transfer of personal health data across national or jurisdictional borders. It is normative only in respect of international or trans-jurisdictional exchange of personal health data. However it can be informative with respect to the protection of health information within national/jurisdictional boundaries and provide assistance to national or jurisdictional bodies involved in the development and implementation of data protection principles. ISO 22857:2013 covers both the data protection principles that apply to international or trans-jurisdictional transfers and the security policy which an organization adopts to ensure compliance with those principles. ISO 22857:2013 aims to facilitate international and trans-jurisdictional health-related applications involving the transfer of personal health data. It seeks to provide the means by which health data relating to data subjects, such as patients, will be adequately protected when sent to, and processed in, another country/jurisdiction.

ISO/TR 17791:2013 provides guidance to National Member Bodies (NMBs) and readers by identifying a coherent set of international standards relevant to the development, implementation and use of safer health software. The framework presented in ISO/TR 17991:2013, together with the mapping of standards to the framework, illustrate relevant standards and how they can optimally be applied. The mapping works to clearly demonstrate where standards gaps and overlaps exist. Specifically, ISO/TR 17791:2013: identifies a coherent set of international standards that promote the patient-safe (or safer) development, implementation and use of health software, provides guidance on the applicability of these standards towards enabling optimal safety in health software within overall risk management and quality management approaches, as well as within the lifecycle steps and processes of health software development, addresses the health software safety issues that remain, either as gaps or overlaps between or among the identified standards, and discusses how those gaps and overlaps could be addressed?in the short or long term?through revision of the current standards or the development of new ones. Harm to the operators of health software, should any such risk exist, is outside the scope of ISO/TR 17791:2013.

ISO/TS 14441:2013 examines electronic patient record systems at the clinical point of care that are also interoperable with EHRs. ISO/TS 14441:2013 addresses their security and privacy protections by providing a set of security and privacy requirements, along with guidelines and best practice for conformity assessment. ISO/TS 14441:2013 includes a cross-mapping of 82 security and privacy requirements against the Common Criteria categories in ISO/IEC 15408 (all parts).

ISO 21549-1:2013 defines a general structure for the different types of data to be defined in other parts of ISO 21549 using UML notation. ISO 21549 defines data structures held on patient healthcards compliant with the physical dimensions of ID-1 cards, as defined by ISO/IEC 7810.

ISO 21091:2013 defines minimal specifications for directory services for healthcare. It can be used to enable communications between organizations, devices, servers, application components, systems, technical actors, and devices. ISO 21091:2013 provides the common directory information and services needed to support the secure exchange of healthcare information over public networks where directory information and services are used for these purposes. It addresses the health directory from a community perspective in anticipation of supporting inter-enterprise, inter-jurisdiction, and international healthcare communications. While several options are supported by ISO 21091:2013, a given service will not need to include all of the options. In addition to the support of security services, such as access control and confidentiality, ISO 21091:2013 provides specification for other aspects of communication, such as addresses and protocols of communication entities. ISO 21091:2013 also supports directory services aiming to support identification of health professionals and organizations and the subjects of care.

ISO/TS 14265:2011 defines a set of high-level categories of purposes for which personal health information can be processed. This is in order to provide a framework for classifying the various specific purposes that can be defined and used by individual policy domains (e.g. healthcare organizations, regional health authorities, jurisdictions, countries) as an aid to the consistent management of information in the delivery of health care services and for the communication of electronic health records across organizational and jurisdictional boundaries. The scope of application of ISO/TS 14265:2011 is limited to Personal Health Information as defined in ISO 27799, information about an identifiable person that relates to the physical or mental health of the individual, or to provision of health services to the individual.

ISO 21549‑8:2010 defines a way to facilitate access to distributed patient records and/or administrative information using healthcards. It defines the structure and elements of “links” typically stored in healthcards and representing references to individual patients' records as well as to subcomponents of them. Access control mechanisms, data protection mechanisms, access methods and other security services are outside the scope of ISO 21549‑8:2010.

The purpose of ISO/TS 21547:2010 is to define the basic principles needed to securely preserve health records in any format for the long term. It concentrates on previously documented healthcare specific archiving problems. It also gives a brief introduction to the general archiving principles. Unlike the traditional approach to standardization work, where the perspective is that of modelling, code sets and messages, this Technical Specification looks at archiving from the angle of document management and related privacy protection. In ISO/TS 21547:2010 archiving is understood to be a wider process than just the permanent preservation of selected records. ISO/TS 21547:2010 defines architecture and technology-independent security requirements for long-term preservation of EHRs having fixed content. ISO/TS 21547:2010 and a complementary Technical Report, ISO 21548, concentrate on the security requirements (integrity, confidentiality, availability and accountability) necessary for ensuring adequate protection of health information in long-term digital preservation. This Technical Specification will also address privacy protection requirements for both the EHR and eArchiving systems used in the healthcare environment. ISO/TS 21547:2010 defines functional security requirements for long term archiving of EHRs, but the practical archiving models and technology required are outside the concept of this Technical Specification.

ISO/TR 21548:2010 is an implementation guide for ISO/TS 21547. ISO/TR 21548:2010 will provide a methodology that will facilitate the implementation of ISO/TS 21547 in all organizations that have the responsibility to securely archive electronic health records for the long term. ISO/TR 21548:2010 gives an overview of processes and factors to consider in organizations wishing to fulfil requirements set by ISO/TS 21547.

ISO/TR 11636:2009 explains the network requirements in the healthcare field, the network security of an open network for the healthcare field, and the minimum guidelines for security management of health information exchange, including personal data, between external institutions. These requirements will assist in understanding the operation of security and evaluation of security issues in the healthcare field, and the usefulness of a managed VPN, like a dynamic on-demand VPN. ISO/TR 11636:2009 introduces examples of security measures taken in a dynamic on-demand VPN for exchange of medical information; it is not intended to specify the dynamic on-demand VPN itself. These examples provide network solutions to potential risks in such a user environment.

ISO 21549-6:2008 is applicable to situations in which administrative data are recorded on or transported by patient healthcards compliant with the physical dimensions of ID-1 cards defined by ISO/IEC 7810. ISO 21549-6:2008 specifies the basic structure of the data contained within the data object administrative data, but does not specify or mandate particular data sets for storage on devices. The detailed functions and mechanisms of the following services are not within the scope of this ISO 21549-6:2008, although its structures can accommodate suitable data objects elsewhere specified: the encoding of free text data; security functions and related services that are likely to be specified by users for data cards depending on their specific application, e.g. confidentiality protection, data integrity protection, and authentication of persons and devices related to these functions; access control services that may depend on active use of some data card classes such as microprocessor cards; the initialization and issuing process, which begins the operating lifetime of an individual data card, and by which the data card is prepared for the data to be subsequently communicated to it according to this part of ISO 21549.

ISO/TS 17975:2015 defines the set of frameworks of consent for the Collection, Use and/or Disclosure of personal information by health care practitioners or organizations that are frequently used to obtain agreement to process the personal health information of subjects of care. This is in order to provide an Informational Consent framework which can be specified and used by individual policy domains (e.g. healthcare organizations, regional health authorities, jurisdictions, countries) as an aid to the consistent management of information in the delivery of health care services and the communication of electronic health records across organizational and jurisdictional boundaries. The scope of application of this Technical Specification is limited to Personal Health Information (PHI) as defined in ISO 27799, "information about an identifiable person that relates to the physical or mental health of the individual, or to provision of health services to the individual. This information might include: - information about the registration of the individual for the provision of health services; - information about payments or eligibility for health care in respect to the individual; - a number, symbol or particular code assigned to an individual to uniquely identify the individual for health purposes; - any information about the individual that is collected in the course of the provision of health services to the individual; - information derived from the testing or examination of a body part or bodily substance; - identification of a person, e.g. a health professional, as a provider of healthcare to the individual." Good practice requirements are specified for each framework of Informational Consent. Adherence to these requirements is intended to ensure any subject of care and any parties that process personal health information that their agreement to do so has been properly obtained and correctly specified. ISO/TS 17975:2015 is intended to be used to inform: - discussion of national or jurisdictional Informational Consent policies; - ways in which individuals and the public are informed about how personal health information is processed within organizations providing health services and health systems; - how to judge the adequacy of the information provided when seeking Informational Consent; - design of both paper and electronic Informational Consent declaration forms; - design of those portions of electronic privacy policy services and security services that regulate access to personal health data; - working practices of organizations and personnel who obtain or comply with consent for processing personal health information. ISO/TS 17975:2015 does not: - address the granting of consent to the delivery of healthcare-related treatment and care. Consent to the delivery of care or treatment has its own specific requirements, and is distinct from Informational Consent. Note that as Consent to Treatment and Care are outside the scope of this Technical Specification, the phrase "informational consent" is hereafter supplanted by the shorter "consent". In every case, it is Informational Consent that is intended; - specify any jurisdiction's legal requirements or regulations relating to consent. The focus is on frameworks, not on jurisdictional legislation or its adequacy in any given jurisdiction. While care has been taken to design the frameworks so that they do not conflict with the legislation in most jurisdictions, they might challenge some existing practices. This Technical Specification uses an approach that allows organizations or jurisdictions to select a subset of those frameworks which best fit their law culture and approach to data sharing; - specify what consent framework is to be applied to a data classification or data purpose as this may vary according to law or policy, although some examples of implementation profiles are provided in an informative Annex; - determine the legal adequacy of the informati

ISO 21549-5:2015 describes and defines the basic structure of the identification data objects held on healthcare data cards, but does not specify particular data sets for storage on devices. The detailed functions and mechanisms of the following services are not within the scope of this part of ISO 21549 (although its structures can accommodate suitable data objects elsewhere specified): - security functions and related services that are likely to be specified by users for data cards depending on their specific application, e.g. confidentiality protection, data integrity protection and authentication of persons and devices related to these functions; - access control services; - the initialization and issuing process (which begins the operating lifetime of an individual data card, and by which the data card is prepared for the data to be subsequently communicated to it according to this part of ISO 21549). The following topics are therefore beyond the scope of this part of ISO 21549: - physical or logical solutions for the practical functioning of particular types of data card; - the forms that data take for use outside the data card, or the way in which such data are visibly represented on the data card or elsewhere.

ISO 17090-4:2014 supports interchangeability of digital signatures and the prevention of incorrect or illegal digital signatures by providing minimum requirements and formats for generating and verifying digital signatures and related certificates. Furthermore, it defines the provable compliance with a PKI policy necessary in the domain of healthcare. This part of ISO 17090 adopts long-term signature formats to ensure integrity and non-repudiation in long-term electronic preservation of healthcare information. This part of ISO 17090 conforms to ISO/ETSI standards for long-term signature formats to improve and guarantee interoperability in the healthcare field. There is no limitation regarding the data format and the subject for which the signature is created.

ISO 20302:2014 is designed to confirm, via a numbering system and registration procedure, the identities of both the healthcare application provider and the health card holder in order that information may be exchanged by using cards issued for healthcare services. ISO 20302:2014 focuses on the machine-readable cards of ID-1 type defined in ISO/IEC 7810 that are issued for healthcare services provided in a service area that crosses the national borders of two or more countries/areas. ISO 20302:2014 applies to healthcare data cards where the issuer and the application provider are the same party. ISO 20302:2014 applies directly, or refers, to existing ISO standards for physical characteristics and recording techniques. Security issues follow the requirements of each healthcare data card system. In addition, ISO 20302:2014 regulates the visual information written on the healthcare data card.

ISO 17090-1:2013 defines the basic concepts underlying the use of digital certificates in healthcare and provides a scheme of interoperability requirements to establish a digital certificate-enabled secure communication of health information. It also identifies the major stakeholders who are communicating health-related information, as well as the main security services required for health communication where digital certificates may be required. ISO 17090-1:2013 gives a brief introduction to public key cryptography and the basic components needed to deploy digital certificates in healthcare. It further introduces different types of digital certificates ? identity certificates and associated attribute certificates for relying parties, self-signed certification authority (CA) certificates, and CA hierarchies and bridging structures.

ISO 27789:2013 specifies a common framework for audit trails for electronic health records (EHR), in terms of audit trigger events and audit data, to keep the complete set of personal health information auditable across information systems and domains. It is applicable to systems processing personal health information which, complying with ISO 27799, create a secure audit record each time a user accesses, creates, updates or archives personal health information via the system. ISO 27789:2013 covers only actions performed on the EHR, which are governed by the access policy for the domain where the electronic health record resides. It does not deal with any personal health information from the electronic health record, other than identifiers, the audit record only containing links to EHR segments as defined by the governing access policy. It does not cover the specification and use of audit logs for system management and system security purposes, such as the detection of performance problems, application flaw, or support for a reconstruction of data, which are dealt with by general computer security standards such as ISO/IEC 15408-2.

ISO/TS 22600-3:2009 instantiates requirements for repositories for access control policies and requirements for privilege management infrastructures for health informatics. It provides implementation examples of the formal models specified in ISO/TS 22600-2:2006.

ISO/TR 11633‑2:2009 provides an example of selected and applied "controls" for RMS security based on the definition in the ISMS, on the basis of the risk analysis result mentioned in ISO/TR 11633‑1. ISO/TR 11633‑2:2009 excludes the handling of the communication problems and the use of encryption method. ISO/TR 11633‑2:2009 consists of: a catalogue of types of security environment in health care facilities and RMS providers; an example of combinations of threats and vulnerabilities identified under the environment in the "use cases"; an example of the evaluation and effectiveness based on the "controls" defined in the ISMS.

ISO/TR 11633-1:2009 focuses on remote maintenance services (RMS) for information systems in health care facilities as provided by vendors of medical devices or health information systems (RMS providers) and shows an example of carrying out a risk analysis in order to protect both sides' information assets (primarily the information system itself and personal health data) in a safe and efficient (i.e. economical) manner. ISO/TR 11633-1:2009 consists of: a catalogue of use cases for RMS; a catalogue of information assets in healthcare facilities (HCF) and RMS providers; an example of the risk analysis based on use cases.

ISO/TS 13606-4:2009 describes a methodology for specifying the privileges necessary to access EHR data. This methodology forms part of the overall EHR communications architecture defined in ISO 13606‑1. ISO/TS 13606-4:2009 seeks to address those requirements uniquely pertaining to EHR communications and to represent and communicate EHR-specific information that will inform an access decision. It also refers to general security requirements that apply to EHR communications and points at technical solutions and standards that specify details on services meeting these security needs.

ISO/TS 25237:2008 contains principles and requirements for privacy protection using pseudonymization services for the protection of personal health information. ISO/TS 25237:2008 is applicable to organizations who make a claim of trustworthiness for operations engaged in pseudonymization services. ISO/TS 25237:2008: defines one basic concept for pseudonymization; gives an overview of different use cases for pseudonymization that can be both reversible and irreversible; defines one basic methodology for pseudonymization services including organizational as well as technical aspects; gives a guide to risk assessment for re-identification; specifies a policy framework and minimal requirements for trustworthy practices for the operations of a pseudonymization service; specifies a policy framework and minimal requirements for controlled re-identification; specifies interfaces for the interoperability of services interfaces.

ISO 27799:2008 defines guidelines to support the interpretation and implementation in health informatics of ISO/IEC 27002 and is a companion to that standard. ISO 27799:2008 specifies a set of detailed controls for managing health information security and provides health information security best practice guidelines. By implementing this International Standard, healthcare organizations and other custodians of health information will be able to ensure a minimum requisite level of security that is appropriate to their organization's circumstances and that will maintain the confidentiality, integrity and availability of personal health information. ISO 27799:2008 applies to health information in all its aspects; whatever form the information takes (words and numbers, sound recordings, drawings, video and medical images), whatever means are used to store it (printing or writing on paper or electronic storage) and whatever means are used to transmit it (by hand, via fax, over computer networks or by post), as the information must always be appropriately protected.

ISO 17090-2:2008 specifies the certificate profiles required to interchange healthcare information within a single organization, between different organizations and across jurisdictional boundaries. It details the use made of digital certificates in the health industry and focuses, in particular, on specific healthcare issues relating to certificate profiles.