1、 Reference number ISO/TR 11636:2009(E) ISO 2009TECHNICAL REPORT ISO/TR 11636 First edition 2009-12-01 Health Informatics Dynamic on-demand virtual private network for health information infrastructure Informatique de sant Rseau priv, virtuel, dymanique, sur demande pour infrastructure dinformation d
2、e sant ISO/TR 11636:2009(E) PDF disclaimer This PDF file may contain embedded typefaces. In accordance with Adobes licensing policy, this file may be printed or viewed but shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing
3、. In downloading this file, parties accept therein the responsibility of not infringing Adobes licensing policy. The ISO Central Secretariat accepts no liability in this area. Adobe is a trademark of Adobe Systems Incorporated. Details of the software products used to create this PDF file can be fou
4、nd in the General Info relative to the file; the PDF-creation parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the
5、 address given below. COPYRIGHT PROTECTED DOCUMENT ISO 2009 All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from eithe
6、r ISO at the address below or ISOs member body in the country of the requester. ISO copyright office Case postale 56 CH-1211 Geneva 20 Tel. + 41 22 749 01 11 Fax + 41 22 749 09 47 E-mail copyrightiso.org Web www.iso.org Published in Switzerland ii ISO 2009 All rights reservedISO/TR 11636:2009(E) ISO
7、 2009 All rights reserved iiiContents Page Foreword iv Introduction.v 1 Scope1 2 Terms and definitions .1 3 Abbreviated terms .3 4 Network features in the healthcare field .4 4.1 Pattern of current or expected information services in the healthcare field 4 4.2 Category of healthcare information to b
8、e protected (information assets)5 4.3 Network requirements in the healthcare field 6 5 Concept of network construction in the healthcare field6 5.1 Overview.6 5.2 Responsibility to manage security of healthcare information exchange including personal information between independent institutions 7 5.
9、3 Security concepts in network systems for medical institutions 8 6 Threat analysis and measures .9 7 Network construction in the healthcare field .10 7.1 Minimum guidelines for security management of healthcare information exchange including personal information between external institutions.10 7.2
10、 Technical and operational checklists for evaluation of network security.11 7.3 Application of an on-demand VPN 11 8 Cases of security measures in a dynamic on-demand VPN for exchange of healthcare information with external institutions .12 8.1 Introduction12 8.2 Regional healthcare cooperation mode
11、l with a healthcare portal12 8.3 Online maintenance model.13 8.4 Regional cooperation model with the lead taken by a regional core hospital14 8.5 Model for teleradiology, remote maintenance and network conferencing with the cooperation of university hospitals, research institutions and regional hosp
12、itals .15 8.6 University hospital model centred around teleradiology, telepathology and network conferences conducted between a university hospital and regional hospitals .16 Annex A (informative) Threat analysis and measures 18 Annex B (informative) Security management of medical information exchan
13、ge including personal data between independent institutions (see reference 6) 25 Annex C (informative) Technical and operational checklists for the guideline35 Annex D (informative) Technology used: Dynamic on-demand VPN62 Bibliography70 ISO/TR 11636:2009(E) iv ISO 2009 All rights reservedForeword I
14、SO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical c
15、ommittee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electr
16、otechnical standardization. International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2. The main task of technical committees is to prepare International Standards. Draft International Standards adopted by the technical committees are circulated to the m
17、ember bodies for voting. Publication as an International Standard requires approval by at least 75 % of the member bodies casting a vote. In exceptional circumstances, when a technical committee has collected data of a different kind from that which is normally published as an International Standard
18、 (“state of the art”, for example), it may decide by a simple majority vote of its participating members to publish a Technical Report. A Technical Report is entirely informative in nature and does not have to be reviewed until the data it provides are considered to be no longer valid or useful. Att
19、ention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. ISO/TR 11636 was prepared by Technical Committee ISO/TC 215, Health informatics. ISO/TR 11636:2009(E) IS
20、O 2009 All rights reserved vIntroduction Currently, healthcare information is normally transferred in the form of paper documents or electronic data through schemes such as dedicated fixed lines connecting the headquarters and branches within a company, through public networks such as an Integrated
21、Services Digital Network (ISDN), or through a dedicated network between specific institutions, enabling a virtual network for the specified users in a dedicated service network managed by communication providers, such as an Internet Protocol virtual private network (IP-VPN). Therefore, healthcare in
22、formation cannot be transferred easily while maintaining security in most cases, because network configurations adequate to these solutions are limited and the costs are very high. The uses of various service networks in the healthcare field include online claims for medical fees, online maintenance
23、 of medical devices, and remote medical care, such as teleradiology, telepathology and healthcare information services for regional healthcare cooperation. To provide such services however, it is necessary for multiple medical institutions to pass healthcare information to each other. A network in w
24、hich a single medical institution is dynamically connected to multiple medical institutions and switched to another institution is required. To make such a network available to many medical institutions at low cost, an open network such as the Internet can be used for connecting with different medic
25、al institutions, medical device providers, and patients. We can use the following VPNs as secure channel systems in an open network: Internet Protocol Security (IPsec) with Internet key exchange (IKE), described as IPsec + IKE which runs in the network layer with authentication and exchange of encry
26、ption keys, and Secure Sockets Layer (SSL) protocol, which runs in the session layer with encrypted communication between a Web browser on a client and SSL servers. Thus, this is adapted to web applications, but other applications, such as e-mail, File Transfer Protocol (FTP), and unique client/serv
27、er systems, cannot be used. On the other hand, the combination of IPsec + IKE can be used with any application needed by medical institutions to provide secure channels without reconstructing any application software. In addition, SSL has an inherent risk because it provides no protection methods ag
28、ainst well-known lower-layer attacks, session hijacking, false Address Resolution Protocol (ARP) statements, and so on. The conventional VPN using IPsec + IKE however, requires complicated configuration of network devices, and setting up the system without expertise could result in failure to protec
29、t healthcare information. Also, it is a fixed-type VPN and can only be connected with fixed parties. Lately, telecommunication carriers and online service providers (OSPs) have been developing systems to provide services with security on network lines, including setting up network devices to safegua
30、rd against these threats, even for a VPN connected in an open network. When a medical institution uses these types of service, most of the responsibilities related to managing the communication lines fall to these service providers (SPs). This reduces the responsibility of the medical institution in
31、 terms of its security-related liabilities, which is well suited for organizations without many IT engineers. A dynamic on-demand VPN, which this Technical Report describes, is one type of VPN. It is not a fixed connection like 1-to-1, which is generally used in ordinary VPN services. It can easily
32、change connection to N-to-N, and the connection parameters are provided automatically by the telecommunication carrier. This makes it suitable for healthcare network infrastructure, as medical institutes are not required to be responsible for or have expertise in setting up such networks. Also, util
33、izing the Internet makes the dynamic on-demand VPN an inexpensive network and thus readily acceptable to medical institutions in terms of cost. This Technical Report describes the threats anticipated in a healthcare network, as well as how a dynamic on-demand VPN is actually applied in the healthcar
34、e field. TECHNICAL REPORT ISO/TR 11636:2009(E) ISO 2009 All rights reserved 1Health Informatics Dynamic on-demand virtual private network for health information infrastructure 1 Scope This Technical Report explains the network requirements in the healthcare field, the network security of an open net
35、work for the healthcare field, and the minimum guidelines for security management of health information exchange, including personal data, between external institutions. These requirements will assist in understanding the operation of security and evaluation of security issues in the healthcare fiel
36、d, and the usefulness of a managed VPN, like a dynamic on-demand VPN. This Technical Report introduces examples of security measures taken in a dynamic on-demand VPN for exchange of medical information; it is not intended to specify the dynamic on-demand VPN itself. These examples provide network so
37、lutions to potential risks in such a user environment. 2 Terms and definitions For the purposes of this document, the following terms and definitions apply. 2.1 demilitarized zone DMZ area of a network in which any data exchange with areas outside is allowed 2.2 high security zone HSZ area of a netw
38、ork in which no data is exchanged directly with areas outside, except for the purpose of certain remote maintenance 2.3 IPsec standard for cipher communication, a protocol that prevents data tampering and provides confidentiality functions for each IP packet by using an encryption technique 2.4 inte
39、rnet VPN VPN created via the Internet NOTE By using the Internet, connections between remote networks can be managed as connections in a LAN, while maintaining confidentiality. 2.5 IP-VPN VPN created via a wide-area IP network owned by a communication carrier NOTE By using an IP-VPN, connections bet
40、ween remote networks can be managed in the same manner as connections in a local area network (LAN). ISO/TR 11636:2009(E) 2 ISO 2009 All rights reserved2.6 local area network LAN network in which computers, printers and other equipment are connected and data are transferred within one building 2.7 O
41、SI reference model model that divides the functions of communication equipment, such as computers, into a layer structure based on the design policy of Open Systems Interconnection (OSI) established by ISO for network structuring, in order to facilitate heterogeneous network data transfer NOTE Commu
42、nication functions are divided into seven layers, and the standard function module for each layer is defined. 2.8 provider service service that exchanges data between a telecommunication carrier and an OSP 2.9 relay service service that establishes a connection for the sole purpose of exchanging dat
43、a between a network-connected device within a medical institute and an outside device 2.10 remote access connection to a network or computer from outside by using lines such as telephone lines NOTE Remotely accessing a distant computer enables direct operation of the computer as though it is right i
44、n front of the user. 2.11 social insurance medical fee payment fund organization that reviews medical fees invoiced by medical institutions and makes appropriate payments NOTE The reviews are performed by a three-party committee consisting of representatives of medical institute workers, medical ins
45、urers (e.g., health insurance companies), and academic experts. The medical institute submits a medical bill statement (receipt) and claims a payment for the treatment from the health insurance organization. An organization such as a social insurance medical fee payment fund reviews the receipt and
46、makes a payment to the medical institution submitting the invoice. 2.12 SSL protocol that encrypts and transfers data on the internet being able to encrypt current widely used data, such as World Wide Web (www) and File Transfer Protocol (FTP) data and securely transmit and receive privacy-related i
47、nformation and credit card numbers 2.13 security zone SZ area of a network in which limited data exchange with areas outside is allowed 2.14 virtual private network VPN service in which a public line can be used as if it is a dedicated line NOTE It is used for connecting different bases of a company
48、s internal network, instead of installing dedicated lines, in order to reduce cost. ISO/TR 11636:2009(E) ISO 2009 All rights reserved 32.15 wide area network WAN network in which computers in geographically different locations (e.g., at a headquarters building and multiple branches) are connected th
49、rough telephone lines or dedicated lines to transfer data 3 Abbreviated terms For the purposes of this document, the following abbreviations apply. AES Advanced Encryption Standard AH authentication header ASP application service provider ESP Encapsulating Security Payload FTP File Transfer Protocol HEASNET HEAlthcare information Secure NETwork consortium HMAC Hash Message Authentication Code IC integrated circuit IKE Internet key exchange IPsec Internet Protocol Security IP-VPN Internet-Protocol-based virtual private network ISAKMP Internet S
