BS EN ISO 21091-2013 Health informatics Directory services for healthcare providers subjects of care and other entities.pdf

Uploaded by: wealthynice100 Document ID: 581669 Upload date: 2018-12-15 Format: PDF Pages: 60 Size: 1.54 MB

raising standards worldwide

NO COPYING WITHOUT BSI PERMISSION EXCEPT AS PERMITTED BY COPYRIGHT LAW

BSI Standards Publication

BS EN ISO 21091:2013

Health informatics - Directory services for healthcare providers, subjects of care and other entities

BRITISH STANDARD

National foreword

This British Standard is the UK implementation of EN ISO 21091:2013.

The UK participation in its preparation was entrusted to Technical Committee IST/35, Health informatics.

A list of organizations represented on this committee can be obtained on request to its secretary.

This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application.

© The British Standards Institution 2013. Published by BSI Standards Limited 2013

ISBN 978 0 580 65602 6

ICS 35.240.80

Compliance with a British Standard cannot confer immunity from legal obligations.

This British Standard was published under the authority of the Standards Policy and Strategy Committee on 31 March 2013.

Amendments issued since publication

Date    Text affected

EUROPEAN STANDARD
NORME EUROPÉENNE
EUROPÄISCHE NORM

EN ISO 21091

February 2013

ICS 35.240.80

English Version

Health informatics - Directory services for healthcare providers, subjects of care and other entities (ISO 21091:2013)

Informatique de santé - Services d'annuaires pour les fournisseurs de soins de santé, les sujets de soins et autres entités (ISO 21091:2013)

Medizinische Informatik - Verzeichnisdienste für Anbieter, zu Behandelnde und andere Entitäten im Gesundheitswesen (ISO 21091:2013)

This European Standard was approved by CEN on 2 February 2013.

CEN members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to any CEN member.

This European Standard exists in three official versions (English, French, German). A version in any other language made by translation under the responsibility of a CEN member into its own language and notified to the CEN-CENELEC Management Centre has the same status as the official versions.

CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom.

EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION
EUROPÄISCHES KOMITEE FÜR NORMUNG

Management Centre: Avenue Marnix 17, B-1000 Brussels

© 2013 CEN All rights of exploitation in any form and by any means reserved worldwide for CEN national Members.

Ref. No. EN ISO 21091:2013: E

Foreword

This document (EN ISO 21091:2013) has been prepared by Technical Committee ISO/TC 215 “Health informatics” in collaboration with Technical Committee CEN/TC 251 “Health informatics” the secretariat of which is held by NEN.

This European Standard shall be given the status of a national standard, either by publication of an identical text or by endorsement, at the latest by August 2013, and conflicting national standards shall be withdrawn at the latest by August 2013.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. CEN and/or CENELEC shall not be held responsible for identifying any or all such patent rights.

According to the CEN-CENELEC Internal Regulations, the national standards organizations of the following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the United Kingdom.

Endorsement notice

The text of ISO 21091:2013 has been approved by CEN as EN ISO 21091:2013 without any modification.

ISO 21091:2013(E)

© ISO 2013 All rights reserved

Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Symbols (and abbreviated terms)
5 Healthcare context
5.1 General
5.2 Healthcare persons
5.3 Multiple affiliations
5.4 Healthcare organizations
5.5 Hardware/software
5.6 Healthcare security services
6 Directory security management framework
7 Interoperability
7.1 Requirements
7.2 Name space/tree structure
8 Healthcare schema
8.1 Healthcare persons
8.2 Organization identities
8.3 Roles, Job Function and Group
9 Distinguished Name
9.1 General
9.2 Relative Distinguished Name
Annex A (informative) Healthcare directory scenarios
Annex B (informative) Referenced object classes
Bibliography

Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.

International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.

The main task of technical committees is to prepare International Standards. Draft International Standards adopted by the technical committees are circulated to the member bodies for voting. Publication as an International Standard requires approval by at least 75 % of the member bodies casting a vote.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights.

ISO 21091 was prepared by Technical Committee ISO/TC 215, Health informatics.

This first edition cancels and replaces ISO/TS 21091:2005, which has been technically revised.

Introduction

Health informatics directory services for healthcare providers, subjects of care and other entities are intended to support the communication and security requirements of healthcare professionals in the conduct of clinical and administrative functions. Healthcare requires extensive encipherment and access control requirements for the disclosure and transport of all confidential health information. In support of the healthcare public key infrastructure, healthcare will make available a registry of certificates including business and professional information necessary to conduct healthcare transactions. This information necessarily includes identification of individual roles within the healthcare system as can only be identified by the respective healthcare organizations. As such, the registration and management functions are to be extensible, and potentially distributed throughout the healthcare community. Support for these additional healthcare requirements for security is also to be offered through the directory service.

The directory is becoming an increasingly popular method of providing a means for single sign-on capabilities to support authentication. This goal has resulted in the inclusion of authentication and identity attributes to authenticate the identity of a healthcare person or entity.

The directory also supports the communication of additional attributes that can be used to support authorization decisions. This goal has driven directory schema extensions to include organization employee management information, healthcare-specific contact information, and healthcare identifiers. This International Standard addresses the healthcare-specific requirements of the directory, and defines, as appropriate, standard specifications for inclusion of this information in the healthcare directory.

Besides technical security measures that are discussed in other ISO standards, communication of healthcare data requires a reliable accountable “chain of trust.” In order to maintain this chain of trust within a public key infrastructure, users (relying parties) need to be able to obtain current correct certificates and certificate status information through secure directory management.

The healthcare directory will support standard lightweight directory access protocol (LDAP) client searches, interface engines for message transformation, and service oriented architecture (SOA) implementations to enable the service in any environment. Specific implementation guidance, search criteria and support are outside the scope of this International Standard.

While specific security measures and access control specifications are out of scope of this International Standard, due to the sensitive nature of health related and privacy information that may be supported through the directory services, significant controls need to be enabled at branch, object classes, and attribute levels. Processes and procedures should be in place to ensure information integrity represented within the health directory, and responsibility for the content of the directory should be clearly allocated through policy and process. It is anticipated that appropriate access controls managing who can read, write or modify all items in the healthcare directory will be applied. This may be accomplished by assigning individuals within the directory to the HCOrganizationalRole and assigning appropriate privileges (e.g. read, modify, delete) to that role in directory management configuration.

INTERNATIONAL STANDARD ISO 21091:2013(E)

Health informatics - Directory services for healthcare providers, subjects of care and other entities

1 Scope

This International Standard defines minimal specifications for directory services for healthcare. It can be used to enable communications between organizations, devices, servers, application components, systems, technical actors, and devices.

This International Standard provides the common directory information and services needed to support the secure exchange of healthcare information over public networks where directory information and services are used for these purposes. It addresses the health directory from a community perspective in anticipation of supporting inter-enterprise, inter-jurisdiction, and international healthcare communications. While several options are supported by this International Standard, a given service will not need to include all of the options.

In addition to the support of security services, such as access control and confidentiality, this International Standard provides specification for other aspects of communication, such as addresses and protocols of communication entities.

This International Standard also supports directory services aiming to support identification of health professionals and organizations and the subjects of care.

2 Normative references

The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/HL7 27931:2009, Data Exchange Standards - Health Level Seven Version 2.5 - An application protocol for electronic data exchange in healthcare environments

3 Terms and definitions

For the purposes of this document, the following terms and definitions apply.

3.1
access control
means of ensuring that the resources of a data processing system can be accessed only by authorized entities in authorized ways
ISO/IEC 2382-8

3.2
attribute authority
AA
authority which assigns privileges by issuing attribute certificates
X.509

3.3
attribute certificate
data structure, digitally signed by an attribute authority, that binds some attribute values with identification about its holder
X.509

3.4
authentication
process of reliably identifying security subjects by securely associating an identifier and its authenticator
ISO 7498-2

3.5
authorization
granting of rights, which includes the granting of access based on access rights
ISO 7498-2

3.6
availability
property of being accessible and useable upon demand by an authorized entity
ISO 7498-2

3.7
certificate
public key certificate

3.8
certificate distribution
act of publishing certificates and transferring certificates to security subjects

3.9
certificate issuer
authority trusted by one or more relying parties to create and assign certificates
Note 1 to entry: Optionally the certification authority may create the relying parties keys.
ISO/IEC 9594-8

3.10
certificate management
procedures relating to certificates, i.e. certificate generation, certificate distribution, certificate archiving and revocation

3.11
certificate revocation
act of removing any reliable link between a certificate and its related owner (or security subject owner) because the certificate is not trusted any more, even though it is unexpired

3.12
certificate revocation list
CRL
published list of the suspended and revoked certificates (digitally signed by the CA)

3.13
certificate verification
verifying that a certificate (3.7) is authentic

3.14
certification authority
CA
authority trusted by one or more relying parties to create and assign certificates and which may, optionally, create the relying parties keys
Note 1 to entry: Adapted from ISO/IEC 9594-8.
Note 2 to entry: Authority in the CA term does not imply any government authorization, but only denotes that it is trusted.
Note 3 to entry: “Certificate issuer” may be a better term, but CA is very widely used.

3.15
confidentiality
property that information is not made available or disclosed to unauthorized individuals, entities, or processes
ISO 7498-2

3.16
data integrity
property that data has not been altered or destroyed in an unauthorized manner
ISO 7498-2

3.17
digital signature
data appended to, or a cryptographic transformation of, a data unit that allows a recipient of the data unit to prove the source and integrity of the data unit and protect against forgery e.g. by the recipient
ISO 7498-2

3.18
identification
performance of tests to enable a data processing system to recognize entities
ISO/IEC 238
