• Shopping Cart
    There are no items in your cart

PD CEN ISO/TS 14441:2013

Current

Current

The latest, up-to-date edition.

Health informatics. Security and privacy requirements of EHR systems for use in conformity assessment

Available format(s)

Hardcopy , PDF

Language(s)

English

Published date

28-02-2014

€397.33
Excluding VAT

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 Security and privacy requirements
6 Best practice and guidance for establishing and
  maintaining conformity assessment programs
Annex A (informative) - Conformity assessment
        programs - Design considerations and
        illustrative examples from member countries
        as of 2010
Annex B (informative) - Comparison of jurisdictional
        requirements
Bibliography

Describes security and privacy protections by providing a set of security and privacy requirements, along with guidelines and best practice for conformity assessment.

Committee
IST/35
DevelopmentNote
Reviewed and confirmed by BSI, June 2017. (05/2017)
DocumentType
Standard
Pages
124
PublisherName
British Standards Institution
Status
Current

This Technical Specification examines electronic patient record systems at the clinical point of care that are also interoperable with EHRs. Hardware and process controls are out of the scope. This Technical Specification addresses their security and privacy protections by providing a set of security and privacy requirements, along with guidelines and best practice for conformity assessment.

ISO/IEC 15408 (all parts) defines “targets of evaluation” for security evaluation of IT products. This Technical Specification includes a cross-mapping of 82 security and privacy requirements against the Common Criteria categories in ISO/IEC 15408 (all parts). The point-of-service (POS) clinical software is typically part of a larger system, for example, running on top of an operating system, so it must work in concert with other components to provide proper security and privacy. While a Protection Profile (PP) includes requirements for component security functions to support system security services, it does not specify protocols or standards for conformity assessment, and does not address privacy requirements.

This Technical Specification focuses on two main topics:

  • Security and privacy requirements (Clause 5). Clause 5 is technical and provides a comprehensive set of 82 requirements necessary to protect (information, patients) against the main categories of risks, addressing the broad scope of security and privacy concerns for point of care, interoperable clinical (electronic patient record) systems. These requirements are suitable for conformity assessment purposes.

  • Best practice and guidance for establishing and maintaining conformity assessment programs (Clause 6). Clause 6 provides an overview of conformity assessment concepts and processes that can be used by governments, local authorities, professional associations, software developers, health informatics societies, patients’ representatives and others, to improve conformity with health software security and privacy requirements. Annex A provides complementary information useful to countries in designing conformity assessment programs such as further material on conformity assessment business models, processes and other considerations, along with illustrative examples of conformity assessment activities in four countries.

Policies that apply to a local, regional or national implementation environment, and procedural, administrative or physical (including hardware) aspects of privacy and security management are outside the scope of this Technical Specification. Security management is included in the scope of ISO 27799.

Standards Relationship
CEN ISO/TS 14441:2013 Identical
ISO/TS 14441:2013 Identical

ISO/IEC 17065:2012 Conformity assessment — Requirements for bodies certifying products, processes and services
ISO/IEC 17000:2004 Conformity assessment Vocabulary and general principles
ISO/TS 25237:2008 Health informatics Pseudonymization
ISO/TS 22600-1:2006 Health informatics Privilege management and access control Part 1: Overview and policy management
ISO 18308:2011 Health informatics — Requirements for an electronic health record architecture
ISO/IEC 15408-2:2008 Information technology — Security techniques — Evaluation criteria for IT security — Part 2: Security functional components
ISO/TS 14265:2011 Health Informatics - Classification of purposes for processing personal health information
ISO/IEC 27001:2013 Information technology — Security techniques — Information security management systems — Requirements
ISO/IEC 17021:2011 Conformity assessment Requirements for bodies providing audit and certification of management systems
CFR 45(PTS1-199) : OCT 2017 PUBLIC WELFARE - SUBTITLE A - DEPARTMENT OF HEALTH AND HUMAN SERVICES - GENERAL ADMINISTRATION - SUBTITLE B - REGULATIONS RELATING TO PUBLIC WELFARE
ISO/IEC 15408-3:2008 Information technology — Security techniques — Evaluation criteria for IT security — Part 3: Security assurance components
ISO/IEC 27006:2015 Information technology — Security techniques — Requirements for bodies providing audit and certification of information security management systems
ISO/TS 21547:2010 Health informatics Security requirements for archiving of electronic health records Principles
ISO/IEC 27002:2013 Information technology Security techniques Code of practice for information security controls
ISO/IEC 27005:2011 Information technology Security techniques Information security risk management
ISO/TS 22600-2:2006 Health informatics Privilege management and access control Part 2: Formal models
ISO/TS 13606-4:2009 Health informatics Electronic health record communication Part 4: Security
ISO/TS 22600-3:2009 Health informatics Privilege management and access control Part 3: Implementations
ISO/IEC 15408-1:2009 Information technology — Security techniques — Evaluation criteria for IT security — Part 1: Introduction and general model
ISO/HL7 10781:2015 Health Informatics — HL7 Electronic Health Records-System Functional Model, Release 2 (EHR FM)
ISO/TR 21548:2010 Health informatics Security requirements for archiving of electronic health records Guidelines
ISO/IEC 27000:2016 Information technology Security techniques Information security management systems Overview and vocabulary
ISO/TS 21298:2008 Health informatics Functional and structural roles
ISO 27799:2016 Health informatics Information security management in health using ISO/IEC 27002

Access your standards online with a subscription

Features

  • Simple online access to standards, technical information and regulations.

  • Critical updates of standards and customisable alerts and notifications.

  • Multi-user online standards collection: secure, flexible and cost effective.