BS EN ISO 27789:2013 Health informatics - Audit trails for electronic health records (ISO 27789:2013)

BSI Standards Publication. Raising standards worldwide. NO COPYING WITHOUT BSI PERMISSION EXCEPT AS PERMITTED BY COPYRIGHT LAW.

BS EN ISO 27789:2013 BRITISH STANDARD

National foreword

This British Standard is the UK implementation of EN ISO 27789:2013. The UK participation in its preparation was entrusted to Technical Committee IST/35, Health informatics. A list of organizations represented on this committee can be obtained on request to its secretary.

This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application.

© The British Standards Institution 2013. Published by BSI Standards Limited 2013. ISBN 978 0 580 57559 4. ICS 35.240.80.

Compliance with a British Standard cannot confer immunity from legal obligations.

This British Standard was published under the authority of the Standards Policy and Strategy Committee on 30 April 2013.

Amendments issued since publication: Date / Text affected (none listed).

EUROPEAN STANDARD - NORME EUROPÉENNE - EUROPÄISCHE NORM
EN ISO 27789, March 2013, ICS 35.240.80

English Version: Health informatics - Audit trails for electronic health records (ISO 27789:2013)
Informatique de santé - Historique d'expertise des dossiers de santé informatisés (ISO 27789:2013)
Medizinische Informatik - Audit-Trails für elektronische Gesundheitsakten (ISO 27789:2013)

This European Standard was approved by CEN on 16 February 2013.

CEN members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to any CEN member.

This European Standard exists in three official versions (English, French, German). A version in any other language made by translation under the responsibility of a CEN member into its own language and notified to the CEN-CENELEC Management Centre has the same status as the official versions.

CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom.

EUROPEAN COMMITTEE FOR STANDARDIZATION - COMITÉ EUROPÉEN DE NORMALISATION - EUROPÄISCHES KOMITEE FÜR NORMUNG
Management Centre: Avenue Marnix 17, B-1000 Brussels

© 2013 CEN. All rights of exploitation in any form and by any means reserved worldwide for CEN national Members. Ref. No. EN ISO 27789:2013: E

EN ISO 27789:2013 (E)

Foreword

This document (EN ISO 27789:2013) has been prepared by Technical Committee ISO/TC 215 "Health informatics" in collaboration with Technical Committee CEN/TC 251 "Health informatics", the secretariat of which is held by NEN.

This European Standard shall be given the status of a national standard, either by publication of an identical text or by endorsement, at the latest by September 2013, and conflicting national standards shall be withdrawn at the latest by September 2013.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. CEN and/or CENELEC shall not be held responsible for identifying any or all such patent rights.

According to the CEN-CENELEC Internal Regulations, the national standards organizations of the following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the United Kingdom.

Endorsement notice

The text of ISO 27789:2013 has been approved by CEN as EN ISO 27789:2013 without any modification.

ISO 27789:2013(E)
© ISO 2013 All rights reserved

Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Symbols and abbreviated terms
5 Requirements and uses of audit data
5.1 Ethical and formal requirements
5.2 Uses of audit data
6 Trigger events
6.1 General
6.2 Details of the event types and their contents
7 Audit record details
7.1 The general record format
7.2 Trigger event identification
7.3 User identification
7.4 Access point identification
7.5 Audit source identification
7.6 Participant object identification
8 Audit records for individual events
8.1 Access events
8.2 Query events
9 Secure management of audit data
9.1 Security considerations
9.2 Securing the availability of the audit system
9.3 Retention requirements
9.4 Securing the confidentiality and integrity of audit trails
9.5 Access to audit data
Annex A (informative) Audit scenarios
Annex B (informative) Audit log services
Bibliography

Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.

International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.

The main task of technical committees is to prepare International Standards. Draft International Standards adopted by the technical committees are circulated to the member bodies for voting. Publication as an International Standard requires approval by at least 75 % of the member bodies casting a vote.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights.

ISO 27789 was prepared by Technical Committee ISO/TC 215, Health informatics.

Introduction

0.1 General

Personal health information is regarded by many as among the most confidential of all types of personal information, and protecting its confidentiality is essential if the privacy of subjects of care is to be maintained. In order to protect the consistency of health information, it is also important that its entire life cycle be fully auditable. Health records should be created, processed and managed in ways that guarantee the integrity and confidentiality of their contents and that support legitimate control by subjects of care in how the records are created, used and maintained.

Trust in electronic health records requires physical and technical security elements along with data integrity elements. Among the most important of all security requirements to protect personal health information and the integrity of records are those relating to audit and logging. These help to ensure accountability for subjects of care who entrust their information to electronic health record (EHR) systems. They also help to protect record integrity, as they provide a strong incentive to users of such systems to conform to organizational policies on the use of these systems.

Effective audit and logging can help to uncover misuse of EHR systems or EHR data and can help organizations and subjects of care obtain redress against users abusing their access privileges. For auditing to be effective, it is necessary that audit trails contain sufficient information to address a wide variety of circumstances (see Annex A).

Audit logs are complementary to access controls. The audit logs provide a means to assess compliance with organizational access policy and can contribute to improving and refining the policy itself. But as such a policy has to anticipate the occurrence of unforeseen or emergency cases, analysis of the audit logs becomes the primary means of ensuring access control for those cases.

This International Standard is strictly limited in scope to logging of events. Changes to data values in fields of an EHR are presumed to be recorded in the EHR database system itself and not in the audit log. It is presumed that the EHR system itself contains both the previous and updated values of every field. This is consistent with contemporary point-in-time database architectures. The audit log itself is presumed to contain no personal health information other than identifiers and links to the record.

Electronic health records on an individual person may reside in many different information systems within and across organizational or even jurisdictional boundaries. To keep track of all actions that involve records on a particular subject of care, a common framework is a prerequisite. This International Standard provides such a framework. To support audit trails across distinct domains it is essential to include references in this framework to the policies that specify the requirements within the domain, such as access control rules and retention periods. Domain policies may be referenced implicitly by identification of the audit log source.

0.2 Benefits of using this International Standard

Standardization of audit trails on access to electronic health records aims at two goals: ensuring that information captured in an audit log is sufficient to clearly reconstruct a detailed chronology of the events that have shaped the content of an electronic health record, and ensuring that an audit trail of actions relating to a subject of care's record can be reliably followed, even across organizational domains.

This International Standard is intended for those responsible for overseeing health information security or privacy and for healthcare organizations and other custodians of health information seeking guidance on audit trails, together with their security advisors, consultants, auditors, vendors and third-party service providers.

0.3 Comparison with related standards on electronic health record audit trails

This International Standard conforms to the requirements of ISO 27799:2008, insofar as they relate to auditing and audit trails.

Some readers may be familiar with Internet Engineering Task Force (IETF) Request for Comments (RFC) 3881 [13]. (Readers not already familiar with IETF RFC 3881 need not refer to that document, as familiarity with it is not required to understand this International Standard.) Informational RFC 3881, dated 2004-09 and no longer listed as active in the IETF database, was an early and useful attempt at specifying the content of audit logs for healthcare. To the extent possible, this International Standard builds upon, and is consistent with, the work begun in RFC 3881 with respect to access to the EHR.

0.4 A note on terminology

Several closely related terms are defined in Clause 3. An audit log is a chronological sequence of audit records; each audit record contains evidence directly pertaining to and resulting from the execution of a process or system function. As EHR systems can be complex aggregations of systems and databases, there may be more than one audit log containing information on system events that have altered a subject of care's EHR. Although the terms audit trail and audit log are often used interchangeably, in this International Standard the term audit trail refers to the collection of all audit records from one or more audit logs that refer to a specific subject of care or specific electronic health record or specific user. An audit system provides all the information processing functions necessary to maintain one or more audit logs.

INTERNATIONAL STANDARD ISO 27789:2013(E)

Health informatics - Audit trails for electronic health records

1 Scope

This International Standard specifies a common framework for audit trails for electronic health records (EHR), in terms of audit trigger events and audit data, to keep the complete set of personal health information auditable across information systems and domains.

It is applicable to systems processing personal health information which, complying with ISO 27799, create a secure audit record each time a user accesses, creates, updates or archives personal health information via the system.

NOTE Such audit records, at a minimum, uniquely identify the user, uniquely identify the subject of care, identify the function performed by the user (record creation, access, update, etc.), and record the date and time at which the function was performed.

This International Standard covers only actions performed on the EHR, which are governed by the access policy for the domain where the electronic health record resides. It does not deal with any personal health information from the electronic health record, other than identifiers, the audit record only containing links to EHR segments as defined by the governing access policy.

It does not cover the specification and use of audit logs for system management and system security purposes, such as the detection of performance problems, application flaws, or support for a reconstruction of data, which are dealt with by general computer security standards such as ISO/IEC 15408-2 [9].

Annex A gives examples of audit scenarios. Annex B gives an overview of audit log services.

2 Normative references

The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO 8601:2004, Data elements and interchange formats - Information interchange - Representation of dates and times

ISO 27799:2008, Health informatics - Information security management in health using ISO/IEC 27002

3 Terms and definitions

For the purposes of this document, the following terms and definitions apply.

3.1 access control
means to ensure that access to assets is authorized and restricted based on business and security requirements
[ISO/IEC 27000:2012, definition 2.1]

3.2 access policy
definition of the obligations for authorizing access to a resource

3.3 accountability
principle that individuals, organizations and the community
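The Scope NOTE lists the minimum content of an audit record (unique user, unique subject of care, function performed, date and time), 0.1 notes that the audit log source implicitly references the domain policy and that the log holds only identifiers and links rather than health data, and 0.4 defines an audit trail as the collection of records from one or more audit logs that refer to one subject of care. The Python below is an added example written for this page, not code from ISO 27789 or from any EHR product: it models a record with that minimum content plus an audit source identifier, rejects records that carry fields beyond identifiers and links or that lack a UTC offset on their ISO 8601 timestamp, and merges two constructed logs from different domains into one chronologically ordered trail. The field names, the event-type set and the sample log entries are this example's own assumptions.

```python
"""Minimal EHR audit record model and cross-log audit trail assembly.

Added example, not part of ISO 27789 or any product. Field names, the
event-type set and the sample logs are assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable

# Functions named in the Scope: access, create, update, archive.
EVENT_TYPES = {"create", "access", "update", "archive"}

# The only fields a record may carry. Unknown fields are rejected so that
# clinical content cannot slip into the log; the standard presumes the log
# holds identifiers and links to the record, never the health data itself.
# This is a structural guard, not a detector of PHI hidden in a permitted field.
ALLOWED_FIELDS = {"event_type", "user_id", "subject_of_care_id",
                  "timestamp", "audit_source_id", "record_ref"}


@dataclass(frozen=True)
class AuditRecord:
    event_type: str          # function performed by the user
    user_id: str             # unique user identifier
    subject_of_care_id: str  # unique subject-of-care identifier
    timestamp: datetime      # timezone-aware, normalised to UTC
    audit_source_id: str     # identifies the log source, and so its domain policy
    record_ref: str          # link to the EHR segment, not its content


class InvalidAuditRecord(ValueError):
    """Raised when a raw record lacks mandatory content or carries extra fields."""


def parse_timestamp(value: str) -> datetime:
    """Parse an ISO 8601 timestamp and require an explicit UTC offset.

    Trails are merged across domains by instant, so a naive local time is
    ambiguous and is rejected rather than guessed.
    """
    ts = datetime.fromisoformat(value)
    if ts.tzinfo is None:
        raise InvalidAuditRecord(f"timestamp lacks UTC offset: {value}")
    return ts.astimezone(timezone.utc)


def validate_record(raw: dict) -> AuditRecord:
    """Check the minimum content from the Scope NOTE and build an AuditRecord."""
    extra = set(raw) - ALLOWED_FIELDS
    if extra:
        raise InvalidAuditRecord(f"unexpected fields (possible PHI): {sorted(extra)}")
    missing = ALLOWED_FIELDS - set(raw)
    if missing:
        raise InvalidAuditRecord(f"missing mandatory fields: {sorted(missing)}")
    if raw["event_type"] not in EVENT_TYPES:
        raise InvalidAuditRecord(f"unknown event type: {raw['event_type']}")
    for key in ("user_id", "subject_of_care_id", "audit_source_id", "record_ref"):
        if not raw[key]:
            raise InvalidAuditRecord(f"empty identifier: {key}")
    return AuditRecord(
        event_type=raw["event_type"],
        user_id=raw["user_id"],
        subject_of_care_id=raw["subject_of_care_id"],
        timestamp=parse_timestamp(raw["timestamp"]),
        audit_source_id=raw["audit_source_id"],
        record_ref=raw["record_ref"],
    )


def build_audit_trail(logs: Iterable[Iterable[dict]],
                      subject_of_care_id: str) -> list[AuditRecord]:
    """Assemble the audit trail for one subject of care from several audit logs.

    Each log is a chronological sequence of raw records from one source; the
    trail is the merged, instant-ordered subset that refers to the subject.
    """
    trail = []
    for log in logs:
        for raw in log:
            rec = validate_record(raw)
            if rec.subject_of_care_id == subject_of_care_id:
                trail.append(rec)
    # Stable sort: records with identical instants keep their per-log order.
    trail.sort(key=lambda r: r.timestamp)
    return trail


# Constructed sample logs from two domains with different UTC offsets.
HOSPITAL_LOG = [
    {"event_type": "create", "user_id": "dr.smith", "subject_of_care_id": "P-1001",
     "timestamp": "2013-04-30T09:15:00+01:00", "audit_source_id": "hospital-a/ehr",
     "record_ref": "ehr://hospital-a/P-1001/encounter/77"},
    {"event_type": "access", "user_id": "nurse.lee", "subject_of_care_id": "P-2002",
     "timestamp": "2013-04-30T09:20:00+01:00", "audit_source_id": "hospital-a/ehr",
     "record_ref": "ehr://hospital-a/P-2002/encounter/12"},
]
LAB_LOG = [
    {"event_type": "update", "user_id": "lab.tech", "subject_of_care_id": "P-1001",
     "timestamp": "2013-04-30T08:05:00+00:00", "audit_source_id": "lab-b/lis",
     "record_ref": "ehr://lab-b/P-1001/result/5"},
]

if __name__ == "__main__":
    for rec in build_audit_trail([HOSPITAL_LOG, LAB_LOG], "P-1001"):
        print(rec.timestamp.isoformat(), rec.audit_source_id, rec.event_type, rec.user_id)
```

Run as a script, the trail for P-1001 lists the laboratory update (08:05 UTC) before the hospital record creation (09:15 local, 08:15 UTC), which is the ordering a reviewer needs and which naive local timestamps would invert. The same validation path applies to every record from every source, so a log that omits the user or subject identifier, or that tries to carry a diagnosis field, is refused before it can reach the trail.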
