1、BS EN ISO 21298:2017Health informatics Functional and structural roles(ISO 21298:2017)BSI Standards PublicationWB11885_BSI_StandardCovs_2013_AW.indd 1 15/05/2013 15:06BS EN ISO 21298:2017 BRITISH STANDARDNational forewordThis British Standard is the UK implementation of EN ISO21298:2017. BSI, as a m
2、ember of CEN, is obliged to publish EN ISO 21298:2017 as a British Standard. However, attention is drawn to the fact that during the development of the International Standard, the UK committee voted against its approval.The UK committee does not consider an international standardof this type to be a
3、pplicable to UK practice. For example, Table3 gives definitions for Personal healthcare professional andPrivileged healthcare professional which are not relevant in the UK.Additionally the term Supporting healthcare party could apply to a wide range of clinical and non-clinical staff, contractors an
4、d thirdparties.The UK committee also believe the codes used within Annex A need to be validated further, as some are no longer appropriate. For example (P25), the SNOMED CT code 159023002 is inactive and387619007 would have been more accurate.The UK participation in its preparation was entrusted to
5、TechnicalCommittee IST/35, Health informatics.A list of organizations represented on this committee can beobtained on request to its secretary.This publication does not purport to include all the necessaryprovisions of a contract. Users are responsible for its correctapplication. The British Standar
6、ds Institution 2017. Published by BSI Standards Limited 2017ISBN 978 0 580 83465 3ICS 35.240.80Compliance with a British Standard cannot confer immunity fromlegal obligations.This British Standard was published under the authority of theStandards Policy and Strategy Committee on 31 March 2017.Amendm
7、ents/corrigenda issued since publicationDate Text affectedEUROPEAN STANDARD NORME EUROPENNE EUROPISCHE NORM EN ISO 21298 February 2017 ICS 35.240.80 English Version Health informatics - Functional and structural roles (ISO 21298:2017) Informatique de sant - Rles fonctionnels et structurels (ISO 2129
8、8:2017) Medizinische Informatik - Funktionelle und strukturelle Rollen (ISO 21298:2017) This European Standard was approved by CEN on 20 January 2017. CEN members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Standard the status
9、 of a national standard without any alteration. Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to any CEN member. This European Standard exists in three official versions (English, French, Germ
10、an). A version in any other language made by translation under the responsibility of a CEN member into its own language and notified to the CEN-CENELEC Management Centre has the same status as the official versions. CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia
11、, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey
12、and United Kingdom. EUROPEAN COMMITTEE FOR STANDARDIZATION COMIT EUROPEN DE NORMALISATION EUROPISCHES KOMITEE FR NORMUNG CEN-CENELEC Management Centre: Avenue Marnix 17, B-1000 Brussels 2017 CEN All rights of exploitation in any form and by any means reserved worldwide for CEN national Members. Ref.
13、 No. EN ISO 21298:2017 EBS EN ISO 21298:2017EN ISO 21298:2017 (E) 3 European foreword This document (EN ISO ISO 21298:2017) has been prepared by Technical Committee ISO/TC 215 “Health informatics” in collaboration with Technical Committee CEN/TC 251 “Health informatics” the secretariat of which is h
14、eld by NEN. This European Standard shall be given the status of a national standard, either by publication of an identical text or by endorsement, at the latest by August 2017, and conflicting national standards shall be withdrawn at the latest by August 2017. Attention is drawn to the possibility t
15、hat some of the elements of this document may be the subject of patent rights. CEN and/or CENELEC shall not be held responsible for identifying any or all such patent rights. According to the CEN-CENELEC Internal Regulations, the national standards organizations of the following countries are bound
16、to implement this European Standard: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal,
17、Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the United Kingdom. Endorsement notice The text of ISO 21298:2017 has been approved by CEN as EN ISO 21298:2017 without any modification. BS EN ISO 21298:2017ISO 21298:2017(E)Foreword ivIntroduction v1 Scope . 12 Normative r
18、eferences 13 Terms and definitions . 14 Abbreviated terms 55 Modeling roles in an architectural context . 55.1 Roles within the Generic Component Model . 55.2 Roles and policy aspects . 85.3 Roles in privilege management 95.4 Relations of this standard to related privilege management specifications
19、95.5 Structural roles 105.5.1 General. 105.5.2 Structural roles of healthcare professions from the International Labour Organization for trans-jurisdiction mapping .105.5.3 Healthcare specialties 115.6 Functional roles . 126 Formally modelling roles 146.1 Roles within the Generic Component Model 146
20、.2 Developing the role model . 146.2.1 Relationships and transformation . 146.2.2 Assignment of structural roles 156.2.3 Generic role specification 166.3 Relationships between structural and functional roles 187 Use cases for the use of structural and functional roles in an interregional or internat
21、ional context 19Annex A (informative) ISCO-08 sample mapping .20Annex B (informative) Sample certificate profile for regulated healthcare professional .31Bibliography .33 ISO 2017 All rights reserved iiiContents PageBS EN ISO 21298:2017ISO 21298:2017(E)ForewordISO (the International Organization for
22、 Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the
23、right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.The procedu
24、res used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial
25、rules of the ISO/IEC Directives, Part 2 (see www .iso .org/ directives).Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent rights
26、identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www .iso .org/ patents).Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.For an expla
27、nation on the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISOs adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following URL: www .iso .org/ iso/ foreword .html.This first edi
28、tion of ISO 21298 cancels and replaces ISO/TS 21298:2008, which has been technically revised.The committee responsible for this document is ISO/TC 215, Health informatics.iv ISO 2017 All rights reservedBS EN ISO 21298:2017ISO 21298:2017(E)IntroductionThis document contains a specification for encodi
29、ng information related to roles for health professionals and consumers. At least five areas have been identified where a model for encoding role information is needed.a) Privilege management and access control: role-based access control is not possible without an effective means of recording role in
30、formation for healthcare actors.b) Directory services: structural roles are usefully recorded within directories of healthcare providers (see for example, ISO 21091).c) Audit trails: functional roles are usefully recorded within audit trails for health information applications.d) Public key infrastr
31、ucture (PKI): The ISO 17090 series allows for the encoding of healthcare roles in certificate extensions, but no structured vocabulary for such roles is specified. This document identifies such a coded vocabulary.e) Purpose of use: A role specification determines for what purposes healthcare informa
32、tion can be used. Purposes of use are tied to specific roles in many cases (see for example, ISO 21091).In addition to these security-related applications, there are several other possible applications of this standard, such as follows. Clinical care provision: finding and identifying the right prof
33、essional for a health service. Support of care: billing of healthcare services. Communication management: directing healthcare-related messages by means of a specific role. Health service management and quality assurance: defining the purpose of use for specific data.This document is complementary t
34、o other relevant standards that also describe and define roles for the purpose of access control. It extends the model through the separation of role and policy. This separation allows for a richer and more flexible capability to instantiate business rules across multiple domains and jurisdictions.
35、Backward compatibility with ANSI International Committee for Information Technology Standards (INCITS) and HL7 RBAC (Role-Based Access Control) is provided through simplification by combining policy and role into a single construct.The role concepts defined in this document are referenced and reused
36、 in many international standards created, for example, by ISO, CEN, HL7 International. Examples are ISO 22600, Reference 9, Reference 10 and Reference 11.The European Commission and the EU Parliament have established a Professional Qualifications Directive (2005/36/EC) defining medical specialties (
37、see http:/ eur -lex .europa .eu/ legal -content/ EN/ T X T/ HTML/ ?uri = CELEX: 02005L0036 -20140117 an authority trusted by one or more relying parties to create, assign and manage certificatesNote 1 to entry: Optionally, the certification authority can create the relying parties keys ISO 9594-8. T
38、he CA issues certificates by signing certificate data with its private signing key.Note 2 to entry: Authority in the CA term does not imply any government authorization, only that it is trusted. Certificate issuer can be a better term but CA is used very broadly.SOURCE: ISO 22600-1:2014, 3.83.6deleg
39、ationconveyance of privilege from one entity (3.8) that holds such privilege, to another entitySOURCE: ISO 22600-1:2014, 3.103.7delegation pathordered sequence of certificates which, together with authentication of a privilege asserters (3.19) identity, can be processed to verify the authenticity of
40、 a privilege asserters privilegeSOURCE: ISO 22600-2:2014, 3.153.8entityany concrete or abstract thing of interestNote 1 to entry: While in general, the word entity can be used to refer to anything, in the context of modelling it is reserved to refer to things in the universe of discourse being model
41、led.3.9functional rolerole (3.21) which is bound to an actNote 1 to entry: Functional roles can be assigned to be performed during an act.Note 2 to entry: Functional roles have been specified in this document.Note 3 to entry: Functional roles correspond to the ISO/HL7 21731 RIM participation.Note 4
42、to entry: See also structural role (3.26).2 ISO 2017 All rights reservedBS EN ISO 21298:2017ISO 21298:2017(E)3.10healthcare organizationofficially registered organization that has a main activity related to healthcare services or health promotionEXAMPLE Hospitals, Internet healthcare website provide
43、rs, and healthcare research institutions.Note 1 to entry: The organization is recognized to be legally liable for its activities but need not be registered for its specific role (3.21) in health.SOURCE: ISO 17090-1:2013, 3.1.43.11healthcare professionalhealthcare personnel having a healthcare profes
44、sional entitlement recognized in a given jurisdictionNote 1 to entry: The healthcare professional entitlement entitles a healthcare professional to provide healthcare independent of a role (3.21) in a healthcare organization (3.10).EXAMPLE GP, medical consultant, therapist, dentist, etc.3.12identifi
45、cationperformance of tests to enable a data processing system to recognize entities3.13non-regulated healthcare personnelperson employed by a healthcare organization (3.10), but who is not a regulated health professionalEXAMPLE Massage therapist, music therapist, etc.SOURCE: ISO 17090-1:2013, 3.1.5,
46、 modified3.14organization employeeperson employed by a healthcare organization (3.10) or a supporting organization (3.27)EXAMPLE Medical records transcriptionists, healthcare insurance claims adjudicators, and pharmaceutical order entry clerks.3.15policyset of legal, political, organizational, funct
47、ional and technical obligations for communication and cooperationSOURCE: ISO 22600-1:2014, 3.133.16policy agreementwritten agreement where all involved parties commit themselves to a specified set of policiesSOURCE: ISO 22600-1:2014, 3.143.17principalhuman users and objects that need to operate unde
48、r their own rightsSOURCE: OMG Security Services Specification: 2001 ISO 2017 All rights reserved 3BS EN ISO 21298:2017ISO 21298:2017(E)3.18privilegecapacity assigned to an entity (3.8) by an authority according to the entitys attributeNote 1 to entry: Per OASIS Extensible Access Control Markup Langu
49、age (XACML) V2.0, privilege, permissions, authorization, entitlement and rights are replaced by the term rule.SOURCE: ISO 22600-1:2014, 3.173.19privilege asserterprivilege holder using their attribute certificate (3.3) or public-key certificate to assert privilege (3.18)SOURCE: ISO 22600-2:2014, 3.273.20privilege verifierentity (3.8) verifying certificates against a privilege policySOURCE: ISO 22600-2:2014, 3.303.21roleset of competencies and/or performances that are associated with a taskSOURCE: ISO 22600-2:2014, 3
