BS EN ISO 22600-3-2014 Health informatics Privilege management and access control Implementations《健康信息学 权限管理和访问控制 安装启用》.pdf

上传人:outsidejudge265 文档编号:581785 上传时间:2018-12-15 格式:PDF 页数:80 大小:2.37MB
下载 相关 举报
BS EN ISO 22600-3-2014 Health informatics Privilege management and access control Implementations《健康信息学 权限管理和访问控制 安装启用》.pdf_第1页
第1页 / 共80页
BS EN ISO 22600-3-2014 Health informatics Privilege management and access control Implementations《健康信息学 权限管理和访问控制 安装启用》.pdf_第2页
第2页 / 共80页
BS EN ISO 22600-3-2014 Health informatics Privilege management and access control Implementations《健康信息学 权限管理和访问控制 安装启用》.pdf_第3页
第3页 / 共80页
BS EN ISO 22600-3-2014 Health informatics Privilege management and access control Implementations《健康信息学 权限管理和访问控制 安装启用》.pdf_第4页
第4页 / 共80页
BS EN ISO 22600-3-2014 Health informatics Privilege management and access control Implementations《健康信息学 权限管理和访问控制 安装启用》.pdf_第5页
第5页 / 共80页
亲,该文档总共80页,到这儿已超出免费预览范围,如果喜欢就下载吧!
资源描述

1、BSI Standards PublicationBS EN ISO 22600-3:2014Health informatics Privilegemanagement and accesscontrolPart 3: ImplementationsBS EN ISO 22600-3:2014 BRITISH STANDARDNational forewordThis British Standard is the UK implementation of EN ISO22600-3:2014. It supersedes DD ISO/TS 22600-3:2009 which iswit

2、hdrawn.The UK participation in its preparation was entrusted to TechnicalCommittee IST/35, Health informatics.A list of organizations represented on this committee can beobtained on request to its secretary.This publication does not purport to include all the necessaryprovisions of a contract. Users

3、 are responsible for its correctapplication. The British Standards Institution 2014. Published by BSI StandardsLimited 2014ISBN 978 0 580 80570 7ICS 35.240.80Compliance with a British Standard cannot confer immunity fromlegal obligations.This British Standard was published under the authority of the

4、Standards Policy and Strategy Committee on 31 October 2014.Amendments issued since publicationDate Text affectedEUROPEAN STANDARD NORME EUROPENNE EUROPISCHE NORM EN ISO 22600-3 October 2014 ICS 35.240.80 English Version Health informatics - Privilege management and access control - Part 3: Implement

5、ations (ISO 22600-3:2014) Informatique de sant - Gestion de privilges et contrle daccs - Partie 3: Mises en oeuvre (ISO 22600-3:2014) Medizinische Informatik - Privilegienmanagement und Zugriffssteuerung - Teil 3: Implementierungen (ISO 22600-3:2014) This European Standard was approved by CEN on 21

6、June 2014. CEN members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical references concerning such national standards may be ob

7、tained on application to the CEN-CENELEC Management Centre or to any CEN member. This European Standard exists in three official versions (English, French, German). A version in any other language made by translation under the responsibility of a CEN member into its own language and notified to the

8、CEN-CENELEC Management Centre has the same status as the official versions. CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Irela

9、nd, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom. EUROPEAN COMMITTEE FOR STANDARDIZATION COMIT EUROPEN DE NORMALISATION EUROPISCHES KOMITEE FR NORMUNG CEN-CENELEC Management Cent

10、re: Avenue Marnix 17, B-1000 Brussels 2014 CEN All rights of exploitation in any form and by any means reserved worldwide for CEN national Members. Ref. No. EN ISO 22600-3:2014 EBS EN ISO 22600-3:2014EN ISO 22600-3:2014 (E) 3 Foreword This document (EN ISO 22600-3:2014) has been prepared by Technica

11、l Committee ISO/TC 215 “Health informatics“ in collaboration with Technical Committee CEN/TC 251 “Health informatics” the secretariat of which is held by NEN. This European Standard shall be given the status of a national standard, either by publication of an identical text or by endorsement, at the

12、 latest by April 2015, and conflicting national standards shall be withdrawn at the latest by April 2015. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. CEN and/or CENELEC shall not be held responsible for identifying any or all

13、such patent rights. According to the CEN-CENELEC Internal Regulations, the national standards organizations of the following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Ma

14、cedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the United Kingdom. Endorsement notice The text of ISO 22600-3:2014 has been approved b

15、y CEN as EN ISO 22600-3:2014 without any modification. BS EN ISO 22600-3:2014ISO 22600-3:2014(E) ISO 2014 All rights reserved iiiContents PageForeword ivIntroduction v1 Scope . 12 Normative references 13 Terms and definitions . 14 Abbreviated terms .135 Structures and services for privilege manageme

16、nt and access control .156 Interpretation of ISO 22600-2 formal models in healthcare settings 187 Concept representation for health information systems 187.1 Overview . 187.2 Domain languages . 197.3 OCL constraint modelling . 207.4 Other constraint representations 208 Consent 228.1 Overview . 228.2

17、 Patient consent 228.3 Patient consent management 229 Emergency access .2210 Refinement of the control model 2311 Refinement of the delegation model .23Annex A (informative) Privilege management infrastructure 24Annex B (informative) Attribute certificate extensions.60Annex C (informative) Terminolo

18、gy comparison .62Annex D (informative) Examples for policy management and policy representation 63Bibliography .66BS EN ISO 22600-3:2014ISO 22600-3:2014(E)ForewordISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The

19、work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-gover

20、nmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.The procedures used to develop this document and those intended for its further maintenance are described in

21、the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives). Attention is drawn to the po

22、ssibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list

23、 of patent declarations received (see www.iso.org/patents). Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.For an explanation on the meaning of ISO specific terms and expressions related to conformity assessment, as well

24、as information about ISOs adherence to the WTO principles in the Technical Barriers to Trade (TBT) see the following URL: Foreword - Supplementary informationThe committee responsible for this document is ISO/TC 215, Health informatics.This first edition of ISO 22600-3 cancels and replaces ISO/TS 22

25、600-3:2009, which has been technically revised.ISO 22600 consists of the following parts, under the general title Health informatics Privilege management and access control: Part 1: Overview and policy management Part 2: Formal models Part 3: Implementationsiv ISO 2014 All rights reservedBS EN ISO 2

26、2600-3:2014ISO 22600-3:2014(E)IntroductionThe distributed architecture of shared care information systems supporting service-oriented architecture (SOA) is increasingly based on corporate networks and virtual private networks. For meeting the interoperability challenge, the use of standardized user

27、interfaces, tools, and protocols, which ensures platform independence, but also the number of really open information systems, is rapidly growing during the last couple of years.As a common situation today, hospitals are supported by several vendors providing different applications, which are not ab

28、le to communicate authentication and authorization since each has its own way of handling these functions. For achieving an integrated scenario, it takes a remarkable amount of money, time, and efforts to get users and changing organizational environments dynamically mapped before starting communica

29、tion and cooperation. Resources required for the development and maintenance of security functions grow exponentially with the number of applications, with the complexity of organizations towards a regional, national, or even international level, and with the flexibility of users playing multiple ro

30、les, sometimes even simultaneously.The situation becomes even more challenging when inter-organizational communications happens, thereby crossing security policy domain boundaries. Moving from one healthcare centre to another or from country to country, different rules for privileges and their manag

31、ement can apply to similar types of users, both for execution of particular functions and for access to information. The policy differences between these domains have to be bridged automatically or through policy agreements, defining sets of rules followed by the parties involved, for achieving inte

32、roperability.Another challenge to be met is how to improve the quality of care by using IT without infringing the privacy of the patient. To provide physicians with adequate information about the patient, a virtual electronic health care record is required which makes it possible to keep track of al

33、l the activities belonging to one patient regardless of where and by whom they have been performed and documented. In such an environment, a generic model or specific agreement between the parties for managing privileges and access control including the patient or its representative is needed.Beside

34、s a diversity of roles and responsibilities, typical for any type of large organization, also ethical and legal aspects in the healthcare scenario due to the sensitivity of person-related health information managed and its personal and social impact have to be considered.Advanced solutions for privi

35、lege management and access control are required today already, but this challenge will even grow over the next couple of years. The reason is the increase of information exchanged between systems in order to fulfil the demands of health service providers at different care levels for having access to

36、 more and more patient-related information to ensure the quality and efficiency of patients diagnosis and treatment, however combined with increased security and privacy risks.The implementation of this International Standard might be currently too advanced and therefore not feasible in certain orga

37、nizational and technical settings. For meeting the basic principle of best possible action, it is therefore very important that at least a policy agreement is written between the parties stating to progress towards this International Standard when any update/upgrade of the systems is intended. The l

38、evel of formalization and granularity of policies and the objects these policies are bound to defines the solution maturity on a pathway towards the presented specification.The policy agreement also has to contain defined differences in the security systems and agreed solutions on how to overcome th

39、e differences. For example, the authentication service and privileges of a requesting party at the responding site have to be managed according to the policy declared in the agreement. For that reason, information and service requester, as well as information and service provider on the one hand, an

40、d information and services requested and provided on the other hand, have to be grouped and classified in a limited number of concepts for enabling the specification of a limited number of solution categories. Based on that classification, claimant mechanisms, target sensitivity mechanisms, and poli

41、cy specification and management mechanisms can be implemented. Once all parties have signed the policy agreement, the communication and information exchange can start with the existing systems if the parties can accept the risks. If there are unacceptable risks which have to be eliminated before the

42、 information exchange starts, they also have to be recorded in the policy agreement ISO 2014 All rights reserved vBS EN ISO 22600-3:2014ISO 22600-3:2014(E)together with an action plan stating how these risks have to be removed. The policy agreement also has to contain a time plan for this work and a

43、n agreement on how it has to be financed.The documentation of the negotiation process is very important and provides the platform for the policy agreement.Privilege management and access control address security and privacy services required for communication and cooperation, i.e. distributed use of

44、 health information. It also implies safety aspects, professional standards, and legal and ethical issues. This International Standard introduces principles and specifies services needed for managing privileges and access control. Cryptographic protocols are out of the scope of this International St

45、andard.This three-part International Standard references existing architectural and security standards as well as specifications in the healthcare area such as ISO, CEN, ASTM, OMG, W3C, etc., and endorses existing appropriate standards or identifies enhancements or modifications or the need for new

46、standards. It comprises of: ISO 22600-1: describes the scenarios and the critical parameters in information exchange across policy domains. It also gives examples of necessary documentation methods as the basis for the policy agreement. ISO 22600-2: describes and explains, in a more detailed manner,

47、 the architectures and underlying models for privilege management and access control which are necessary for secure information sharing including the formal representation of policies. ISO 22600-3: describes examples of implementable specifications of application security services and infrastructura

48、l services using different specification languages.It accommodates policy bridging. It is based on a conceptual model where local authorization servers and cross-border directory and policy repository services can assist access control in various applications (software components). The policy reposi

49、tory provides information on rules for access to various application functions based on roles and other attributes. The directory service enables identification of the individual user. The granted access will be based on four aspects: the authenticated identification of principals (i.e. human users and objects that need to operate under their own rights) involved; the rules for access to a specific information object including purpose of use; the rules regarding authorization attributes linked to the principal provided by the authorization manager; th

展开阅读全文
相关资源
  • BS ISO IEC 29150-2011 Information technology Security techniques Signcryption《信息技术 安全技术 签密》.pdfBS ISO IEC 29150-2011 Information technology Security techniques Signcryption《信息技术 安全技术 签密》.pdf
  • BS ISO IEC 15408-1-2009 Information technology - Security techniques - Evaluation criteria for IT Security - Introduction and general model《信息技术 安全技术 IT安全评价准则 一.pdfBS ISO IEC 15408-1-2009 Information technology - Security techniques - Evaluation criteria for IT Security - Introduction and general model《信息技术 安全技术 IT安全评价准则 一.pdf
  • BS ISO 7295-1988+A1-2014 Tyre valves for aircraft Interchangeability dimensions《飞机轮胎汽门嘴 互换性尺寸》.pdfBS ISO 7295-1988+A1-2014 Tyre valves for aircraft Interchangeability dimensions《飞机轮胎汽门嘴 互换性尺寸》.pdf
  • BS ISO 15118-1-2013 Road vehicles Vehicle to grid communication interface General information and use-case definition《道路车辆 车辆到电力通讯接口 通用信息和使用案例定义》.pdfBS ISO 15118-1-2013 Road vehicles Vehicle to grid communication interface General information and use-case definition《道路车辆 车辆到电力通讯接口 通用信息和使用案例定义》.pdf
  • BS ISO 13765-2-2004 Refractory mortars - Determination of consistency using the reciprocating flow table method《耐熔灰浆 使用往复流动表法测定一致性》.pdfBS ISO 13765-2-2004 Refractory mortars - Determination of consistency using the reciprocating flow table method《耐熔灰浆 使用往复流动表法测定一致性》.pdf
  • BS ISO 10998-2008+A1-2014 Agricultural tractors Requirements for steering《农业拖拉机 操纵要求》.pdfBS ISO 10998-2008+A1-2014 Agricultural tractors Requirements for steering《农业拖拉机 操纵要求》.pdf
  • BS Z 9-1998 Space data and information transfer systems - Advanced orbiting systems - Networks and data links - Architectural specification《空间数据和信息传输系统 高级轨道系统 网络和数据链接 结构规范》.pdfBS Z 9-1998 Space data and information transfer systems - Advanced orbiting systems - Networks and data links - Architectural specification《空间数据和信息传输系统 高级轨道系统 网络和数据链接 结构规范》.pdf
  • BS Z 7-1998 Space data and information transfer systems - ASCII encoded English《空间数据和信息传输系统 ASCII 编码英语》.pdfBS Z 7-1998 Space data and information transfer systems - ASCII encoded English《空间数据和信息传输系统 ASCII 编码英语》.pdf
  • BS Z 5-1997 Space data and information transfer systems - Standard formatted data units - Control authority procedures《航天数据和信息发送系统 标准格式数据单元 控制授权程序》.pdfBS Z 5-1997 Space data and information transfer systems - Standard formatted data units - Control authority procedures《航天数据和信息发送系统 标准格式数据单元 控制授权程序》.pdf
  • BS Z 4-1997 Space data and information transfer systems - Standard formatted data units - Structure and construction rules《航天数据和信息传输系统 标准格式数据单元 结构和构造规则》.pdfBS Z 4-1997 Space data and information transfer systems - Standard formatted data units - Structure and construction rules《航天数据和信息传输系统 标准格式数据单元 结构和构造规则》.pdf
  • 猜你喜欢
    相关搜索

    当前位置:首页 > 标准规范 > 国际标准 > BS

    copyright@ 2008-2019 麦多课文库(www.mydoc123.com)网站版权所有
    备案/许可证编号:苏ICP备17064731号-1