• PD CEN ISO/TS 14441:2013

    Status:  Current (the latest, up-to-date edition)

    Health informatics. Security and privacy requirements of EHR systems for use in conformity assessment

    Available format(s):  Hardcopy, PDF

    Language(s):  English

    Published date:  28-02-2014

    Publisher:  British Standards Institution


    Table of Contents

    Foreword
    Introduction
    1 Scope
    2 Normative references
    3 Terms and definitions
    4 Abbreviations
    5 Security and privacy requirements
    6 Best practice and guidance for establishing and maintaining conformity assessment programs
    Annex A (informative) - Conformity assessment programs - Design considerations and illustrative examples from member countries as of 2010
    Annex B (informative) - Comparison of jurisdictional requirements
    Bibliography

    Abstract

    Describes security and privacy protections by providing a set of security and privacy requirements, along with guidelines and best practice for conformity assessment.

    Scope

    This Technical Specification examines electronic patient record systems at the clinical point of care that are also interoperable with EHRs. Hardware and process controls are out of the scope. This Technical Specification addresses their security and privacy protections by providing a set of security and privacy requirements, along with guidelines and best practice for conformity assessment.

    ISO/IEC 15408 (all parts) defines “targets of evaluation” for security evaluation of IT products. This Technical Specification includes a cross-mapping of 82 security and privacy requirements against the Common Criteria categories in ISO/IEC 15408 (all parts). The point-of-service (POS) clinical software is typically part of a larger system, for example, running on top of an operating system, so it must work in concert with other components to provide proper security and privacy. While a Protection Profile (PP) includes requirements for component security functions to support system security services, it does not specify protocols or standards for conformity assessment, and does not address privacy requirements.

    This Technical Specification focuses on two main topics:

    • Security and privacy requirements (Clause 5). Clause 5 is technical and provides a comprehensive set of 82 requirements necessary to protect information and patients against the main categories of risks, addressing the broad scope of security and privacy concerns for point-of-care, interoperable clinical (electronic patient record) systems. These requirements are suitable for conformity assessment purposes.

    • Best practice and guidance for establishing and maintaining conformity assessment programs (Clause 6). Clause 6 provides an overview of conformity assessment concepts and processes that can be used by governments, local authorities, professional associations, software developers, health informatics societies, patients’ representatives and others, to improve conformity with health software security and privacy requirements. Annex A provides complementary information useful to countries in designing conformity assessment programs such as further material on conformity assessment business models, processes and other considerations, along with illustrative examples of conformity assessment activities in four countries.

    Policies that apply to a local, regional or national implementation environment, and procedural, administrative or physical (including hardware) aspects of privacy and security management are outside the scope of this Technical Specification. Security management is included in the scope of ISO 27799.

    General Product Information

    Committee:  IST/35
    Development Note:  Reviewed and confirmed by BSI, June 2017. (05/2017)
    Document Type:  Standard
    Publisher:  British Standards Institution
    Status:  Current

    Standards Referencing This Book

    ISO/IEC 17065:2012 Conformity assessment — Requirements for bodies certifying products, processes and services
    ISO/IEC 17000:2004 Conformity assessment — Vocabulary and general principles
    ISO/TS 25237:2008 Health informatics — Pseudonymization
    ISO/TS 22600-1:2006 Health informatics — Privilege management and access control — Part 1: Overview and policy management
    ISO 18308:2011 Health informatics — Requirements for an electronic health record architecture
    ISO/IEC 15408-2:2008 Information technology — Security techniques — Evaluation criteria for IT security — Part 2: Security functional components
    ISO/TS 14265:2011 Health informatics — Classification of purposes for processing personal health information
    ISO/IEC 27001:2013 Information technology — Security techniques — Information security management systems — Requirements
    ISO/IEC 17021:2011 Conformity assessment — Requirements for bodies providing audit and certification of management systems
    45 CFR Parts 1-199 (October 2017) Public Welfare — Subtitle A: Department of Health and Human Services, General Administration — Subtitle B: Regulations Relating to Public Welfare
    ISO/IEC 15408-3:2008 Information technology — Security techniques — Evaluation criteria for IT security — Part 3: Security assurance components
    ISO/IEC 27006:2015 Information technology — Security techniques — Requirements for bodies providing audit and certification of information security management systems
    ISO/TS 21547:2010 Health informatics — Security requirements for archiving of electronic health records — Principles
    ISO/IEC 27002:2013 Information technology — Security techniques — Code of practice for information security controls
    ISO/IEC 27005:2011 Information technology — Security techniques — Information security risk management
    ISO/TS 22600-2:2006 Health informatics — Privilege management and access control — Part 2: Formal models
    ISO/TS 13606-4:2009 Health informatics — Electronic health record communication — Part 4: Security
    ISO/TS 22600-3:2009 Health informatics — Privilege management and access control — Part 3: Implementations
    ISO/IEC 15408-1:2009 Information technology — Security techniques — Evaluation criteria for IT security — Part 1: Introduction and general model
    ISO/HL7 10781:2015 Health informatics — HL7 Electronic Health Records-System Functional Model, Release 2 (EHR FM)
    ISO/TR 21548:2010 Health informatics — Security requirements for archiving of electronic health records — Guidelines
    ISO/IEC 27000:2016 Information technology — Security techniques — Information security management systems — Overview and vocabulary
    ISO/TS 21298:2008 Health informatics — Functional and structural roles
    ISO 27799:2016 Health informatics — Information security management in health using ISO/IEC 27002