ImageVerifierCode 换一换
格式:PDF , 页数:16 ,大小:310.18KB ,
资源ID:570192      下载积分:10000 积分
快捷下载
登录下载
邮箱/手机:
温馨提示:
如需开发票,请勿充值!快捷下载时,用户名和密码都是您填写的邮箱或者手机号,方便查询和重复下载(系统自动生成)。
如填写123,账号就是123,密码也是123。
特别说明:
请自助下载,系统不会自动发送文件的哦; 如果您已付费,想二次下载,请登录后访问:我的下载记录
支付方式: 支付宝扫码支付 微信扫码支付   
注意:如需开发票,请勿充值!
验证码:   换一换

加入VIP,免费下载
 

温馨提示:由于个人手机设置不同,如果发现不能下载,请复制以下地址【http://www.mydoc123.com/d-570192.html】到电脑端继续下载(重复下载不扣费)。

已注册用户请登录:
账号:
密码:
验证码:   换一换
  忘记密码?
三方登录: 微信登录  

下载须知

1: 本站所有资源如无特殊说明,都需要本地电脑安装OFFICE2007和PDF阅读器。
2: 试题试卷类文档,如果标题没有明确说明有答案则都视为没有答案,请知晓。
3: 文件的所有权益归上传用户所有。
4. 未经权益所有人同意不得将文件中的内容挪作商业或盈利用途。
5. 本站仅提供交流平台,并不能对任何下载内容负责。
6. 下载文件中如有侵权或不适当内容,请与我们联系,我们立即纠正。
7. 本站不保证下载资源的准确性、安全性和完整性, 同时也不承担用户因使用这些下载资源对自己和他人造成任何形式的伤害或损失。

版权提示 | 免责声明

本文(BS EN 12251-2004 Health informatics - Secure user identification for health care - Management and security of authentication by passwords《健康信息学 保健的安全使用者识别 使用密码校验的管理和安全》.pdf)为本站会员(inwarn120)主动上传,麦多课文库仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对上载内容本身不做任何修改或编辑。 若此文所含内容侵犯了您的版权或隐私,请立即通知麦多课文库(发送邮件至master@mydoc123.com或直接QQ联系客服),我们立即给予删除!

BS EN 12251-2004 Health informatics - Secure user identification for health care - Management and security of authentication by passwords《健康信息学 保健的安全使用者识别 使用密码校验的管理和安全》.pdf

1、BRITISH STANDARD BS EN 12251:2004 Health informatics Secure user identification for health care Management and security of authentication by passwords The European Standard EN 12251:2004 has the status of a British Standard ICS 35.240.80 BS EN 12251:2004 This British Standard was published under the

2、 authority of the Standards Policy and Strategy Committee on 3 September 2004 BSI 3 September 2004 ISBN 0 580 44406 6 National foreword This British Standard is the official English language version of EN 12251:2004. It supersedes DD ENV 12251:2001 which is withdrawn. The UK participation in its pre

3、paration was entrusted to Technical Committee IST/35, Health informatics, which has the responsibility to: A list of organizations represented on this committee can be obtained on request to its secretary. Cross-references The British Standards which implement international or European publications

4、referred to in this document may be found in the BSI Catalogue under the section entitled “International Standards Correspondence Index”, or by using the “Search” facility of the BSI Electronic Catalogue or of British Standards Online. This publication does not purport to include all the necessary p

5、rovisions of a contract. Users are responsible for its correct application. Compliance with a British Standard does not of itself confer immunity from legal obligations. aid enquirers to understand the text; present to the responsible international/European committee any enquiries on the interpretat

6、ion, or proposals for change, and keep the UK interests informed; monitor related international and European developments and promulgate them in the UK. Summary of pages This document comprises a front cover, an inside front cover, the EN title page, pages 2 to 13 and a back cover. The BSI copyright

7、 notice displayed in this document indicates when the document was last issued. Amendments issued since publication Amd. No. Date CommentsEUROPEANSTANDARD NORMEEUROPENNE EUROPISCHENORM EN12251 August2004 ICS35.240.80 Englishversion HealthinformaticsSecureUserIdentificationforHealthCare Managementand

8、SecurityofAuthenticationbyPasswords InformatiquedesantScuritdelidentificationde lutilisateurdessoinsdesantGestionetscuritde lauthentificationdesmotsdepasse MedizinischeInformatikSichereNutzeridentifikationim GesundheitswesenManagementundSicherheitfrdie AuthentifizierungdurchPasswrter ThisEuropeanSta

9、ndardwasapprovedbyCENon21June2004. CENmembersareboundtocomplywiththeCEN/CENELECInternalRegulationswhichstipulatetheconditionsforgivingthisEurope an Standardthestatusofanationalstandardwithoutanyalteration.Uptodatelistsandbibliographicalreferencesconcernings uchnational standardsmaybeobtainedonapplic

10、ationtotheCentralSecretariatortoanyCENmember. ThisEuropeanStandardexistsinthreeofficialversions(English,French,German).Aversioninanyotherlanguagemadebytra nslation undertheresponsibilityofaCENmemberintoitsownlanguageandnotifiedtotheCentralSecretariathasthesamestatusast heofficial versions. CENmember

11、sarethenationalstandardsbodiesofAustria,Belgium,Cyprus,CzechRepublic,Denmark,Estonia,Finland,France, Germany,Greece,Hungary,Iceland,Ireland,Italy,Latvia,Lithuania,Luxembourg,Malta,Netherlands,Norway,Poland,Portugal, Slovakia, Slovenia,Spain,Sweden,SwitzerlandandUnitedKingdom. EUROPEANCOMMITTEEFORSTA

12、NDARDIZATION COMITEUROPENDENORMALISATION EUROPISCHESKOMITEEFRNORMUNG ManagementCentre:ruedeStassart,36B1050Brussels 2004CEN Allrightsofexploitationinanyformandbyanymeansreserved worldwideforCENnationalMembers. Ref.No.EN12251:2004:EEN 12251:2004 (E) 2 Contents page Foreword3 Introduction .4 1 Scope 5

13、 2 Normative references 5 3 Terms and definitions .5 4 Requirements.6 4.1 Unique identification and authentication 6 4.2 Identification and authentication prior to all other interactions .6 4.3 Associating unique identity with users.6 4.4 Maintaining the identity of active users 6 4.5 Log-on message

14、 7 4.6 Number of log-on trials .7 4.7 Incorrectly performed log-on procedure.7 4.8 Display of log-on statistics .7 4.9 Password sharing7 4.10 Password storage7 4.11 Logging of passwords 8 4.12 Password display suppression8 4.13 User-changeability of passwords 8 4.14 Default passwords.8 4.15 Initiali

15、sed passwords 8 4.16 Temporary passwords 8 4.17 Password expiration8 4.18 Password expiration notification .8 4.19 Password reuse .9 4.20 Password complexity 9 Annex A (informative) Potential password complexity requirements .10 Annex B (informative) User responsibilities.11 Annex C (informative) Pa

16、ssword communication .12 Bibliography 13 EN 12251:2004 (E) 3 Foreword This document (EN 12251:2004) has been prepared by Technical Committee CEN/TC 251 “Health informatics”, the secretariat of which is held by SIS. This European Standard shall be given the status of a national standard, either by pu

17、blication of an identical text or by endorsement, at the latest by February 2005, and conflicting national standards shall be withdrawn at the latest by February 2005. This document supersedes ENV 12251:2000. This document is designed to improve the authentication of individual users of health care

18、IT system, by strengthening the automatic software procedures associated with the management of user identifiers and passwords, without resorting to additional hardware facilities. Although the use of passwords, and the need for improved security in this respect, is by no means specific for the Heal

19、th Care field, it is felt strongly that the way in which systems are being used in this field, often in direct support of patient care and handling very sensitive information, urgently call for a good solution in this area. However, the methods specified in this document can possibly be applied in o

20、ther sectors as well at the discretion of users. According to the CEN/CENELEC Internal Regulations, the national standards organizations of the following countries are bound to implement this European Standard: Austria, Belgium, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Gre

21、ece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Slovakia, Slovenia, Spain, Sweden, Switzerland and United Kingdom. EN 12251:2004 (E) 4 Introduction Information Technology (IT) systems in the health care environment are being used in

22、 increasingly sensitive and critical circumstances. To facilitate secure access control to an IT system and within an IT system, it is essential to uniquely establish the identity of all users seeking access. Further, to have confidence that a user really is who he or she claims to be, there is a ne

23、ed for secure means of verifying the claimed identity. The use of passwords, being confidential to each user, and constructed in such a way that others cannot compromise this confidential authentication information easily, is the most common means of authentication in current computer systems, and w

24、ill be so for some time to come. This document can facilitate the wider process of Security Management. Conventional passwords have several disadvantages. Some of these are: They can easily be shared among several users The use of unprotected network technology makes them easy targets for eavesdropp

25、ing They can be hard to remember if chosen as to be secure Other technologies such as chip cards and biometrics, which provide more secure means of authentication, have been introduced and will eventually phase out the use of passwords. However, in the meantime it is important to facilitate the most

26、 secure use of passwords in health care IT systems. This is the main objective of this document. EN 12251:2004 (E) 5 1 Scope This document is designed to improve the authentication of individual users of health care IT systems, by strengthening the automatic software procedures associated with the m

27、anagement of user identifiers and passwords, without resorting to additional hardware facilities. This document applies to all information systems (hereafter called systems) within the health care environment that handle or store sensitive person identifiable health information, using passwords as t

28、he only means of authenticating the entered user identifier, i.e., verifying the claimed identity of a user. Systems that fall within the scope of this document include for example electronic patient record systems, patient administrative systems and laboratory systems, containing personal health in

29、formation. This document does not apply to systems outside the health care environment. Neither does it apply to systems within the health care environment that use other means of identification and authentication, such as smart cards, biometric methods or other technical facilities. 2 Normative ref

30、erences The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. ISO 7498-2, Information processing system

31、s Open systems interconnection Basic reference model Part 2: Security architecture 3 Terms and definitions For the purposes of this document, the following terms and definitions apply. 3.1 access control prevention of unauthorised use of a resource, including the prevention of use of a resource in a

32、n unauthorised manner 3.2 authentication process of verifying a claimed user identity, in this document on the basis of an entered user identifier and password 3.3 authentication information information used to establish the validity of a claimed identity ISO 7498-2 3.4 authorised user person who is

33、 given access rights to the system, i.e., person who is given a unique user identifier and an initial password, and by this is given the right to log-on to the system, in order to perform the functions or access to the data the user is entitled to 3.5 default password initial password, provided by t

34、he system on installation, to enable initial use EN 12251:2004 (E) 6 3.6 identification process that enables recognition of an authorised user described to the system, by the use of a unique user identifier 3.7 password confidential authentication information composed of a string of characters ISO 7

35、498-2 3.8 security administration act of controlling and administering all relevant security issues in the system. It can be performed by one or more specially authorised users through the assignment of security relevant access rights NOTE These users are called security administrators. 3.9 site-spe

36、cifiable site-modifiable specifiable (or modifiable) by the local security administrators after purchase of the system 3.10 system combination of computer hardware and software, used in this document as the system as it is perceived by the user 3.11 user identifier information, composed of a string

37、of characters, uniquely identifying an authorised user of the information system 4 Requirements 4.1 Unique identification and authentication The system shall use user identifiers to uniquely identify and authenticate users. 4.2 Identification and authentication prior to all other interactions Identi

38、fication and authentication shall take place prior to all other interactions between the system and the user, apart from the system provided log-on message (see 4.5). Other interactions shall only be possible after successful identification and authentication, i.e., identification and authentication

39、 leading to system access, of an authorised user. 4.3 Associating unique identity with users The system shall provide a mechanism which allows site-defined attributes, e.g. name and affiliation, to be associated with each user identifier, for the purpose of uniquely identifying the person. 4.4 Maint

40、aining the identity of active users The system shall maintain the identity of all users currently logged on. EN 12251:2004 (E) 7 4.5 Log-on message Prior to initiating the log-on procedure, the system shall provide a message regarding unauthorised use and the possible consequences of failure to meet

41、 those requirements. This message shall be site-specifiable by the security administrators, and shall be visible to the user during the log-on procedure. NOTE This message should point out the need to comply with confidentiality requirements, and indicate possible legal action after misuse. 4.6 Numb

42、er of log-on trials The log-on procedure shall exit if the user authentication procedure is unsuccessfully performed, i.e., not leading to system access, a site-specifiable number of times within a log-on session. NOTE The recommended number of times is three times. When the site-specifiable number

43、is exceeded, the system shall generate an alarm to the security administrators within the shortest possible time, and actions designed to limit possible misuse shall be initiated. When the site-specifiable number is exceeded, a site-specifiable period of time shall elapse before the log-on process c

44、an be restarted on that input device, provided it can be securely identified (It shall be possible to specify this period of time to be zero for specific input devices, e.g., for input devices in intensive care or emergency units). An alternative is to reject log-on from the user identifier for a si

45、te-specified time. 4.7 Incorrectly performed log-on procedure The system shall appear to perform the entire user authentication, irrespective of errors detected in any of the data entered during the log-on procedure. Error feedback shall not contain any information regarding which part of the authen

46、tication information was incorrect, or in what respect the information was incorrect. 4.8 Display of log-on statistics Upon successful access to the system, the system shall display: a) The date and time of the users last successful access. b) The number of unsuccessful attempts to access the system

47、 by that user identifier since the last successful system access. 4.9 Password sharing The system shall not provide any means to facilitate explicit sharing of passwords by multiple users. The system shall allow a user to choose a password that is already associated with another user. The system sha

48、ll not provide any indication that a password is already associated with another user. 4.10 Password storage The system shall store passwords in a one-way encrypted form. No users shall be able to have, or give themselves, read access to files containing encrypted passwords. EN 12251:2004 (E) 8 NOTE If the system permits, this should include security administrators. Unencrypted passwords shall not be stored in the password management system in any way, other than to the extent that is strictly necessary for the system to perform the p

copyright@ 2008-2019 麦多课文库(www.mydoc123.com)网站版权所有
备案/许可证编号:苏ICP备17064731号-1