ENV 12924 : DRAFT 1997
Withdrawn
A Withdrawn Standard is one, which is removed from sale, and its unique number can no longer be used. The Standard can be withdrawn and not replaced, or it can be withdrawn and replaced by a Standard with a different number.
MEDICAL INFORMATICS - SECURITY CATEGORISATION AND PROTECTION FOR HEALTHCARE INFORMATION SYSTEMS
14-03-2008
12-01-2013
Contents
1. Scope
2. Normative references
3. Definitions
4. Abbreviations
5. Security categorisation model
5.1 System categories
5.2 Requirements
5.3 Healthcare information systems characteristics
5.3.1 Data
5.3.2 Hardware & Software configuration
5.3.3 People
5.3.4 Environment
6. Procedure for security categorisation and requirement
specification
6.1 Recommended Steps of Action
6.1.1 Procedure step 1
6.1.2 Procedure step 2
6.1.3 Procedure step 3
6.1.4 Procedure step 4
6.1.5 Procedure step 5
6.1.6 Procedure step 6
7. Security categorisation methodology
7.1 Structure of the categorisation
7.2 ACI attribute values
7.2.1 Availability (A)
7.2.2 Confidentiality (C)
7.2.3 Integrity (I)
7.3 System categories
7.4 Environment assumptions
7.4.1 Environment - Physical environment assumptions
7.4.2 Environment - Physical connectivity assumptions
7.4.3 Environment - Logical connectivity assumptions
8. Baseline requirements / Protection profile 1
8.1 System requirements
8.1.1 Identification and authentication
8.1.2 Access control and authorisation
8.1.3 Accountability and audit
8.1.4 Accuracy
8.1.5 Reliability of service
8.1.6 Data exchange and networking
8.2 Administrative and operational requirements
8.2.1 Security management
8.2.2 Security Manager
8.2.3 IT security policy
8.2.4 Security response management
8.2.5 Contingency planning
8.2.6 Virus protection
8.2.7 System maintenance
8.2.8 Media and documentation control
8.2.9 Software development
8.3 Personnel requirements
8.3.1 Recruitment
8.3.2 Staff management issues
8.3.3 Security awareness
8.3.4 Employment termination
8.3.5 HCE staff privacy
8.4 Physical and environmental requirements
8.4.1 Physical access control
8.4.2 Protection against theft
8.4.3 Protection of the operational environment
8.4.4 Fire, water damage and disaster controle
8.4.5 Additional requirements for areas which contain
the main computer resource
9. Additional requirements common to Protection profile II-VI
9.1 System requirements
9.1.1 Access control
9.1.2 Accountability and audit
9.1.3 Reliability of service
9.1.4 Data exchange and networking
9.2 Administrative and operational requirements
9.2.1 Security management
9.2.2 Media and documentation control
9.2.3 Virus protection measures
9.2.4 System maintenance
9.3 Personnel requirements
9.4 Physical and environmental requirements
9.4.1 Physical access control
10. Protection profile II
10.1 Baseline requirements
10.2 Additional requirements
10.2.1 System requirements
10.2.2 Administrative and operational requirements
10.2.3 Physical and environmental requirements
11. Protection profile III
11.1 Baseline requirements
11.2 Additional requirements
11.2.1 System requirements
11.2.2 Administrative and operational requirements
11.2.3 Physical and environmental requirements
12. Protection profile IV
12.1 Baseline requirements
12.2 Additional requirements
12.2.1 System requirements
12.2.2 Administrative and operational requirements
12.2.3 Physical and environmental requirements
13. Protection profile V
13.1 Baseline requirements
13.2 Additional requirements
13.2.1 System requirements
13.2.2 Administrative and operational requirements
13.2.3 Physical and environmental requirements
14. Protection profile VI
14.1 Baseline requirements
14.2 Additional requirements
14.2.1 System requirements
14.2.2 Administrative and operational requirements
14.2.3 Physical and environmental requirements
Annex A (informative) Information system categorisation examples
Annex B (Informative) How to proceed beyond the standard
Annex C (Informative) Sources of Threats to HCIS'
Annex D (Informative) Bibliography
Gives a model and a method of categorising automated healthcare information systems in the context of security and privacy. Security means the preservation to an acceptable level of data availability, confidentially and integrity. A corresponding set of protection recommendations and requirements for each system category is given which is appropriate to the level of risks inherent in that category.
Committee |
TC 251
|
DocumentType |
Draft
|
PublisherName |
Comite Europeen de Normalisation
|
Status |
Withdrawn
|
Standards | Relationship |
NBN ENV 12924 : 1998 | Identical |
NEN NVN ENV 12924 : 1997 | Identical |
I.S. ENV 12924:1998 | Identical |
UNE-ENV 12924:1998 | Identical |
UNI ENV 12924 : 1998 | Identical |
DD ENV 12924:1998 | Identical |
NF ENV 12924 : 2000 XP | Identical |
DIN V ENV 12924:1998-02 | Identical |
S.R. CR 13694:1999 | HEALTH INFORMATICS - SAFETY AND SECURITY RELATED SOFTWARE QUALITY STANDARDS FOR HEALTHCARE (SSQS) |
BS EN 14485:2003 | Health informatics. Guidance for handling personal health data in international applications in the context of the EU data protection directive |
CR 13694:1999 | Health Informatics - Safety and Security Related Software Quality Standards for Healthcare (SSQS) |
PD CR 13694:1999 | Health informatics. Safety and security related software quality standards for healthcare (SSQS) |
CEN/TR 15300:2006 | Health informatics - Framework for formal modelling of healthcare security policies |
EN 14485:2003 | Health informatics - Guidance for handling personal health data in international applications in the context of the EU data protection directive |
EN 14484:2003 | Health informatics - International transfer of personal health data covered by the EU data protection directive - High level security policy |
I.S. CEN TR 15300:2006 | HEALTH INFORMATICS - FRAMEWORK FOR FORMAL MODELLING OF HEALTHCARE SECURITY POLICIES |
BS EN 14484:2003 | Health informatics. International transfer of personal health data covered by the EU data protection directive. High level security policy |
ISO/IEC 9594-8:2017 | Information technology Open Systems Interconnection The Directory Part 8: Public-key and attribute certificate frameworks |
ISO 7498-2:1989 | Information processing systems Open Systems Interconnection Basic Reference Model Part 2: Security Architecture |
Access your standards online with a subscription
Features
-
Simple online access to standards, technical information and regulations.
-
Critical updates of standards and customisable alerts and notifications.
-
Multi-user online standards collection: secure, flexible and cost effective.