1、 Collection of SANS standards in electronic format (PDF) 1. Copyright This standard is available to staff members of companies that have subscribed to the complete collection of SANS standards in accordance with a formal copyright agreement. This document may reside on a CENTRAL FILE SERVER or INTRA
2、NET SYSTEM only. Unless specific permission has been granted, this document MAY NOT be sent or given to staff members from other companies or organizations. Doing so would constitute a VIOLATION of SABS copyright rules. 2. Indemnity The South African Bureau of Standards accepts no liability for any
3、damage whatsoever than may result from the use of this material or the information contain therein, irrespective of the cause and quantum thereof. ISBN 978-0-626-23405-8 SANS 17090-3:2009Edition 2 ISO 17090-3:2008Edition 1SOUTH AFRICAN NATIONAL STANDARD Health informatics Public key infrastructure P
4、art 3: Policy management of certification authority This national standard is the identical implementation of ISO 17090-3:2008 and is adopted with the permission of the International Organization for Standardization. Published by SABS Standards Division 1 Dr Lategan Road Groenkloof Private Bag X191
5、Pretoria 0001Tel: +27 12 428 7911 Fax: +27 12 344 1568 www.sabs.co.za SABS SANS 17090-3:2009 Edition 2 ISO 17090-3:2008 Edition 1 Table of changes Change No. Date Scope National foreword This South African standard was approved by National Committee SABS TC 215, Health informatics, in accordance wit
6、h procedures of the SABS Standards Division, in compliance with annex 3 of the WTO/TBT agreement. This SANS document was published in December 2009. This SANS document supersedes SANS 17090-3:2003 (edition 1). Reference numberISO 17090-3:2008(E)ISO 2008INTERNATIONAL STANDARD ISO17090-3First edition2
7、008-02-15Health informatics Public key infrastructure Part 3: Policy management of certification authority Informatique de sant Infrastructure de cl publique Partie 3: Gestion politique dautorit de certification SANS 17090-3:2009This s tandard may only be used and printed by approved subscription an
8、d freemailing clients of the SABS .ISO 17090-3:2008(E) PDF disclaimer This PDF file may contain embedded typefaces. In accordance with Adobes licensing policy, this file may be printed or viewed but shall not be edited unless the typefaces which are embedded are licensed to and installed on the comp
9、uter performing the editing. In downloading this file, parties accept therein the responsibility of not infringing Adobes licensing policy. The ISO Central Secretariat accepts no liability in this area. Adobe is a trademark of Adobe Systems Incorporated. Details of the software products used to crea
10、te this PDF file can be found in the General Info relative to the file; the PDF-creation parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In the unlikely event that a problem relating to it is found, please inform the
11、 Central Secretariat at the address given below. COPYRIGHT PROTECTED DOCUMENT ISO 2008 All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permi
12、ssion in writing from either ISO at the address below or ISOs member body in the country of the requester. ISO copyright office Case postale 56 CH-1211 Geneva 20 Tel. + 41 22 749 01 11 Fax + 41 22 749 09 47 E-mail copyrightiso.org Web www.iso.org Published in Switzerland ii ISO 2008 All rights reser
13、vedSANS 17090-3:2009This s tandard may only be used and printed by approved subscription and freemailing clients of the SABS .ISO 17090-3:2008(E) ISO 2008 All rights reserved iiiContents Page Foreword iv Introduction v 1 Scope . 1 2 Normative references . 1 3 Terms and definitions. 1 4 Abbreviations
14、 2 5 Requirements for digital certificate policy management in a healthcare context . 2 5.1 General. 2 5.2 Need for a high level of assurance . 2 5.3 Need for a high level of infrastructure availability 3 5.4 Need for a high level of trust . 3 5.5 Need for Internet compatibility 3 5.6 Need to facili
15、tate evaluation and comparison of CPs. 3 6 Structure of healthcare CPs and healthcare CPSs . 3 6.1 General requirements for CPs. 3 6.2 General requirements for CPSs 4 6.3 Relationship between a CP and a CPS. 5 6.4 Applicability. 5 7 Minimum requirements for a healthcare CP 5 7.1 General requirements
16、. 5 7.2 Publication and repository responsibilities. 5 7.3 Identification and authentication 6 7.4 Certificate life-cycle operational requirements . 10 7.5 Physical controls 19 7.6 Technical security controls . 20 7.7 Certificate, CRL and OCSP profiles 25 7.8 Compliance audit 25 7.9 Other business a
17、nd legal matters . 27 8 Model PKI disclosure statement . 33 8.1 Introduction . 33 8.2 Structure of PKI disclosure statement . 33 Bibliography . 35 SANS 17090-3:2009This s tandard may only be used and printed by approved subscription and freemailing clients of the SABS .ISO 17090-3:2008(E) iv ISO 200
18、8 All rights reservedForeword ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a
19、subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission
20、 (IEC) on all matters of electrotechnical standardization. International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2. The main task of technical committees is to prepare International Standards. Draft International Standards adopted by the technical com
21、mittees are circulated to the member bodies for voting. Publication as an International Standard requires approval by at least 75 % of the member bodies casting a vote. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not
22、 be held responsible for identifying any or all such patent rights. ISO 17090-3 was prepared by Technical Committee ISO/TC 215, Health informatics. This first edition cancels and replaces the Technical Specification (ISO/TS 17090-3:2002), which has been revised and brought to the status of Internati
23、onal Standard. ISO 17090 consists of the following parts, under the general title Health informatics Public key infrastructure: Part 1: Overview of digital certificate services Part 2: Certificate profile Part 3: Policy management of certification authority SANS 17090-3:2009This s tandard may only b
24、e used and printed by approved subscription and freemailing clients of the SABS .ISO 17090-3:2008(E) ISO 2008 All rights reserved vIntroduction The healthcare industry is faced with the challenge of reducing costs by moving from paper-based processes to automated electronic processes. New models of
25、healthcare delivery are emphasizing the need for patient information to be shared among a growing number of specialist healthcare providers and across traditional organizational boundaries. Healthcare information concerning individual citizens is commonly interchanged by means of electronic mail, re
26、mote database access, electronic data interchange and other applications. The Internet provides a highly cost-effective and accessible means of interchanging information, but it is also an insecure vehicle that demands additional measures be taken to maintain the privacy and confidentiality of infor
27、mation. Threats to the security of health information through unauthorized access (either inadvertent or deliberate) are increasing. It is essential to have available to the healthcare system reliable information security services that minimize the risk of unauthorized access. How does the healthcar
28、e industry provide appropriate protection for the data conveyed across the Internet in a practical, cost-effective way? Public key infrastructure (PKI) and digital certificate technology seek to address this challenge. The proper deployment of digital certificates requires a blend of technology, pol
29、icy and administrative processes that enable the exchange of sensitive data in an unsecured environment by the use of “public key cryptography” to protect information in transit and “certificates” to confirm the identity of a person or entity. In healthcare environments, this technology uses authent
30、ication, encipherment and digital signatures to facilitate confidential access to, and movement of, individual health records to meet both clinical and administrative needs. The services offered by the deployment of digital certificates (including encipherment, information integrity and digital sign
31、atures) are able to address many of these security issues. This is especially the case if digital certificates are used in conjunction with an accredited information security standard. Many individual organizations around the world have started to use digital certificates for this purpose. Interoper
32、ability of digital certificate technology and supporting policies, procedures and practices is of fundamental importance if information is to be exchanged between organizations and between jurisdictions in support of healthcare applications (for example between a hospital and a community physician w
33、orking with the same patient). Achieving interoperability between different digital certificate implementations requires the establishment of a framework of trust, under which parties responsible for protecting an individuals information rights may rely on the policies and practices and, by extensio
34、n, the validity of digital certificates issued by other established authorities. Many countries are deploying digital certificates to support secure communications within their national boundaries. Inconsistencies will arise in policies and procedures between the certification authorities (CAs) and
35、the registration authorities (RAs) of different countries if standards development activity is restricted to within national boundaries. Digital certificate technology is still evolving in certain aspects that are not specific to healthcare. Important standardization efforts and, in some cases, supp
36、orting legislation are ongoing. On the other hand, healthcare providers in many countries are already using or planning to use digital certificates. ISO 17090 seeks to address the need for guidance of these rapid international developments. ISO 17090 describes the common technical, operational and p
37、olicy requirements that need to be addressed to enable digital certificates to be used in protecting the exchange of healthcare information within a single domain, between domains and across jurisdictional boundaries. Its purpose is to create a platform for global interoperability. It specifically s
38、upports digital certificate-enabled communication across borders, but could also provide guidance for the national or regional deployment of digital certificates in healthcare. The Internet SANS 17090-3:2009This s tandard may only be used and printed by approved subscription and freemailing clients
39、of the SABS .ISO 17090-3:2008(E) vi ISO 2008 All rights reservedis increasingly used as the vehicle of choice to support the movement of healthcare data between healthcare organizations and is the only realistic choice for cross-border communication in this sector. ISO 17090 should be approached as
40、a whole, with the three parts all making a contribution to defining how digital certificates can be used to provide security services in the health industry, including authentication, confidentiality, data integrity and the technical capacity to support the quality of digital signature. ISO 17090-1
41、defines the basic concepts underlying the use of digital certificates in healthcare and provides a scheme of interoperability requirements to establish digital certificate-enabled secure communication of health information. ISO 17090-2 provides healthcare-specific profiles of digital certificates ba
42、sed on the international standard X.509 and the profile of this, specified in IETF/RFC 3280 for different types of certificates. This part of ISO 17909 deals with management issues involved in implementing and using digital certificates in healthcare. It defines a structure and minimum requirements
43、for certificate policies (CPs) and a structure for associated certification practice statements. This part of ISO 17090 is based on the recommendations of the informational IETF/RFC 3647, and identifies the principles needed in a healthcare security policy for cross border communication. It also def
44、ines the minimum levels of security required, concentrating on the aspects unique to healthcare. Comments on the content of this document, as well as comments, suggestions and information on the application of these standards, may be forwarded to the ISO/TC 215 secretariat at adickersonhimss.org or
45、WG4 convenor, Ross Fraser, and WG4 secretariat at w4consecmedis.or.jp. SANS 17090-3:2009This s tandard may only be used and printed by approved subscription and freemailing clients of the SABS .INTERNATIONAL STANDARD ISO 17090-3:2008(E) ISO 2008 All rights reserved 1Health informatics Public key inf
46、rastructure Part 3: Policy management of certification authority 1 Scope This part of ISO 17090 gives guidelines for certificate management issues involved in deploying digital certificates in healthcare. It specifies a structure and minimum requirements for certificate policies, as well as a struct
47、ure for associated certification practice statements. This part of ISO 17090 also identifies the principles needed in a healthcare security policy for cross-border communication and defines the minimum levels of security required, concentrating on aspects unique to healthcare. 2 Normative references
48、 The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. ISO 17090-1:2008, Health informatics Public key
49、infrastructure Part 1: Overview of digital certificate services ISO 17090-2:2008, Health informatics Public key infrastructure Part 2: Certificate profile ISO/IEC 27002, Information technology Security techniques Code of practice for information security management IETF/RFC 3647, Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework IETF/RFC 4211, Internet X.509 Public Key Infrastructure Certificate Request Message Format (CRMF) 3 Terms and definitions For the purposes of th
