BRITISH STANDARD
BS EN 12251:2004

Health informatics
Secure user identification for health care
Management and security of authentication by passwords

The European Standard EN 12251:2004 has the status of a British Standard

ICS 35.240.80

This British Standard was published under the authority of the Standards Policy and Strategy Committee on 3 September 2004

© BSI 3 September 2004
ISBN 0 580 44406 6

National foreword

This British Standard is the official English language version of EN 12251:2004. It supersedes DD ENV 12251:2001 which is withdrawn.

The UK participation in its preparation was entrusted to Technical Committee IST/35, Health informatics, which has the responsibility to:
- aid enquirers to understand the text;
- present to the responsible international/European committee any enquiries on the interpretation, or proposals for change, and keep the UK interests informed;
- monitor related international and European developments and promulgate them in the UK.

A list of organizations represented on this committee can be obtained on request to its secretary.

Cross-references

The British Standards which implement international or European publications referred to in this document may be found in the BSI Catalogue under the section entitled “International Standards Correspondence Index”, or by using the “Search” facility of the BSI Electronic Catalogue or of British Standards Online.

This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application.

Compliance with a British Standard does not of itself confer immunity from legal obligations.

Summary of pages

This document comprises a front cover, an inside front cover, the EN title page, pages 2 to 13 and a back cover. The BSI copyright notice displayed in this document indicates when the document was last issued.

Amendments issued since publication
Amd. No.   Date   Comments

EUROPEAN STANDARD
NORME EUROPÉENNE
EUROPÄISCHE NORM

EN 12251
August 2004
ICS 35.240.80

English version

Health informatics - Secure User Identification for Health Care - Management and Security of Authentication by Passwords

Informatique de santé - Sécurité de l'identification de l'utilisateur des soins de santé - Gestion et sécurité de l'authentification des mots de passe

Medizinische Informatik - Sichere Nutzeridentifikation im Gesundheitswesen - Management und Sicherheit für die Authentifizierung durch Passwörter

This European Standard was approved by CEN on 21 June 2004.

CEN members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the Central Secretariat or to any CEN member.

This European Standard exists in three official versions (English, French, German). A version in any other language made by translation under the responsibility of a CEN member into its own language and notified to the Central Secretariat has the same status as the official versions.

CEN members are the national standards bodies of Austria, Belgium, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Slovakia, Slovenia, Spain, Sweden, Switzerland and United Kingdom.

EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION
EUROPÄISCHES KOMITEE FÜR NORMUNG

Management Centre: rue de Stassart, 36 B-1050 Brussels

© 2004 CEN All rights of exploitation in any form and by any means reserved worldwide for CEN national Members.
Ref. No. EN 12251:2004: E

EN 12251:2004 (E)

Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Requirements
4.1 Unique identification and authentication
4.2 Identification and authentication prior to all other interactions
4.3 Associating unique identity with users
4.4 Maintaining the identity of active users
4.5 Log-on message
4.6 Number of log-on trials
4.7 Incorrectly performed log-on procedure
4.8 Display of log-on statistics
4.9 Password sharing
4.10 Password storage
4.11 Logging of passwords
4.12 Password display suppression
4.13 User-changeability of passwords
4.14 Default passwords
4.15 Initialised passwords
4.16 Temporary passwords
4.17 Password expiration
4.18 Password expiration notification
4.19 Password reuse
4.20 Password complexity
Annex A (informative) Potential password complexity requirements
Annex B (informative) User responsibilities
Annex C (informative) Password communication
Bibliography

Foreword

This document (EN 12251:2004) has been prepared by Technical Committee CEN/TC 251 “Health informatics”, the secretariat of which is held by SIS.

This European Standard shall be given the status of a national standard, either by publication of an identical text or by endorsement, at the latest by February 2005, and conflicting national standards shall be withdrawn at the latest by February 2005.

This document supersedes ENV 12251:2000.

This document is designed to improve the authentication of individual users of health care
IT system, by strengthening the automatic software procedures associated with the management of user identifiers and passwords, without resorting to additional hardware facilities.

Although the use of passwords, and the need for improved security in this respect, is by no means specific for the Health Care field, it is felt strongly that the way in which systems are being used in this field, often in direct support of patient care and handling very sensitive information, urgently call for a good solution in this area. However, the methods specified in this document can possibly be applied in other sectors as well at the discretion of users.

According to the CEN/CENELEC Internal Regulations, the national standards organizations of the following countries are bound to implement this European Standard: Austria, Belgium, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Slovakia, Slovenia, Spain, Sweden, Switzerland and United Kingdom.

Introduction

Information Technology (IT) systems in the health care environment are being used in
increasingly sensitive and critical circumstances. To facilitate secure access control to an IT system and within an IT system, it is essential to uniquely establish the identity of all users seeking access. Further, to have confidence that a user really is who he or she claims to be, there is a need for secure means of verifying the claimed identity. The use of passwords, being confidential to each user, and constructed in such a way that others cannot compromise this confidential authentication information easily, is the most common means of authentication in current computer systems, and will be so for some time to come.

This document can facilitate the wider process of Security Management.

Conventional passwords have several disadvantages. Some of these are:
- They can easily be shared among several users
- The use of unprotected network technology makes them easy targets for eavesdropping
- They can be hard to remember if chosen as to be secure

Other technologies such as chip cards and biometrics, which provide more secure means of authentication, have been introduced and will eventually phase out the use of passwords. However, in the meantime it is important to facilitate the most
secure use of passwords in health care IT systems. This is the main objective of this document.

1 Scope

This document is designed to improve the authentication of individual users of health care IT systems, by strengthening the automatic software procedures associated with the management of user identifiers and passwords, without resorting to additional hardware facilities.

This document applies to all information systems (hereafter called systems) within the health care environment that handle or store sensitive person identifiable health information, using passwords as the only means of authenticating the entered user identifier, i.e., verifying the claimed identity of a user. Systems that fall within the scope of this document include for example electronic patient record systems, patient administrative systems and laboratory systems, containing personal health information.

This document does not apply to systems outside the health care environment. Neither does it apply to systems within the health care environment that use other means of identification and authentication, such as smart cards, biometric methods or other technical facilities.

2 Normative references

The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO 7498-2, Information processing systems - Open systems interconnection - Basic reference model - Part 2: Security architecture

3 Terms and definitions

For the purposes of this document, the following terms and definitions apply.

3.1 access control
prevention of unauthorised use of a resource, including the prevention of use of a resource in an unauthorised manner

3.2 authentication
process of verifying a claimed user identity, in this document on the basis of an entered user identifier and password

3.3 authentication information
information used to establish the validity of a claimed identity
[ISO 7498-2]

3.4 authorised user
person who is
given access rights to the system, i.e., person who is given a unique user identifier and an initial password, and by this is given the right to log-on to the system, in order to perform the functions or access to the data the user is entitled to

3.5 default password
initial password, provided by the system on installation, to enable initial use

3.6 identification
process that enables recognition of an authorised user described to the system, by the use of a unique user identifier

3.7 password
confidential authentication information composed of a string of characters
[ISO 7498-2]

3.8 security administration
act of controlling and administering all relevant security issues in the system. It can be performed by one or more specially authorised users through the assignment of security relevant access rights
NOTE These users are called security administrators.

3.9 site-specifiable
site-modifiable
specifiable (or modifiable) by the local security administrators after purchase of the system

3.10 system
combination of computer hardware and software, used in this document as the system as it is perceived by the user

3.11 user identifier
information, composed of a string
of characters, uniquely identifying an authorised user of the information system

4 Requirements

4.1 Unique identification and authentication

The system shall use user identifiers to uniquely identify and authenticate users.

4.2 Identification and authentication prior to all other interactions

Identification and authentication shall take place prior to all other interactions between the system and the user, apart from the system provided log-on message (see 4.5). Other interactions shall only be possible after successful identification and authentication, i.e., identification and authentication leading to system access, of an authorised user.

4.3 Associating unique identity with users

The system shall provide a mechanism which allows site-defined attributes, e.g. name and affiliation, to be associated with each user identifier, for the purpose of uniquely identifying the person.

4.4 Maintaining the identity of active users

The system shall maintain the identity of all users currently logged on.

4.5 Log-on message

Prior to initiating the log-on procedure, the system shall provide a message regarding unauthorised use and the possible consequences of failure to meet
those requirements. This message shall be site-specifiable by the security administrators, and shall be visible to the user during the log-on procedure.

NOTE This message should point out the need to comply with confidentiality requirements, and indicate possible legal action after misuse.

4.6 Number of log-on trials

The log-on procedure shall exit if the user authentication procedure is unsuccessfully performed, i.e., not leading to system access, a site-specifiable number of times within a log-on session.

NOTE The recommended number of times is three times.

When the site-specifiable number
is exceeded, the system shall generate an alarm to the security administrators within the shortest possible time, and actions designed to limit possible misuse shall be initiated.

When the site-specifiable number is exceeded, a site-specifiable period of time shall elapse before the log-on process can be restarted on that input device, provided it can be securely identified (It shall be possible to specify this period of time to be zero for specific input devices, e.g., for input devices in intensive care or emergency units). An alternative is to reject log-on from the user identifier for a site-specified time.

4.7 Incorrectly performed log-on procedure

The system shall appear to perform the entire user authentication, irrespective of errors detected in any of the data entered during the log-on procedure. Error feedback shall not contain any information regarding which part of the authentication information was incorrect, or in what respect the information was incorrect.

4.8 Display of log-on statistics

Upon successful access to the system, the system shall display:
a) The date and time of the user's last successful access.
b) The number of unsuccessful attempts to access the system
by that user identifier since the last successful system access.

4.9 Password sharing

The system shall not provide any means to facilitate explicit sharing of passwords by multiple users. The system shall allow a user to choose a password that is already associated with another user. The system shall not provide any indication that a password is already associated with another user.

4.10 Password storage

The system shall store passwords in a one-way encrypted form. No users shall be able to have, or give themselves, read access to files containing encrypted passwords.

NOTE If the system permits, this should include security administrators.

Unencrypted passwords shall not be stored in the password management system in any way, other than to the extent that is strictly necessary for the system to perform the p