DIN EN ISO 25237:2017-05
May 2017, English price group 26
ICS 35.240.80

No part of this translation may be reproduced without prior permission of DIN Deutsches Institut für Normung e. V., Berlin. Beuth Verlag GmbH, 10772 Berlin, Germany, has the exclusive right of sale for German Standards (DIN-Normen).
www.din.de

Health informatics - Pseudonymization (ISO 25237:2017); English version EN ISO 25237:2017, English translation of DIN EN ISO 25237:2017-05
German title: Medizinische Informatik - Pseudonymisierung (ISO 25237:2017); Englische Fassung EN ISO 25237:2017, Englische Übersetzung von DIN EN ISO 25237:2017-05
French title: Informatique de santé - Pseudonymisation (ISO 25237:2017); Version anglaise EN ISO 25237:2017, Traduction anglaise de DIN EN ISO 25237:2017-05
www.beuth.de
Document comprises 69 pages
Translation by DIN-Sprachendienst. In case of doubt, the German-language original shall be considered authoritative.

A comma is used as the decimal marker.

National foreword

This document (EN ISO 25237:2017) has been prepared by Technical Committee ISO/TC 215 "Health informatics" (Secretariat: ANSI, USA) with the active participation of German experts in collaboration with Technical Committee CEN/TC 251 "Health informatics" (Secretariat: NEN, Netherlands). The responsible German body involved in its preparation was DIN-Normenausschuss Medizin (DIN Standards Committee Medicine), Working Committee NA 063-07-04 AA "Security". The DIN Standards corresponding to the International Standards referred
to in this document

method for the transformation of data (3.14) in order to hide its information content, prevent its undetected modification and/or prevent its unauthorized use

3.13
cryptographic key management
key management
generation, storage, distribution, deletion, archiving and application of keys (3.31) in accordance with a security policy (3.46)
SOURCE: ISO 7498-2:1989, 3.3.33

3.14
data
reinterpretable representation of information (3.29) in a formalized manner suitable for communication, interpretation or processing
Note 1 to entry: Data can be processed by humans or by automatic means.
SOURCE: ISO/IEC 2382:2015, 2121272

3.15
data integrity
property that data (3.14) has not been altered or destroyed in an unauthorized manner
SOURCE: ISO 7498-2:1989, 3.3.21

3.16
data linking
matching and combining data (3.14) from multiple databases

3.17
data protection
technical and social regimen for negotiating, managing and ensuring informational privacy (3.39), and security

3.18
data subject
person to whom data (3.14) refer

3.19
decryption
process of converting encrypted data (3.14) back into its original form so it can be understood

3.20
de-identification
general term for any process of reducing the association between a set of identifying data (3.14) and the data subject (3.18)

3.21
directly identifying data
data (3.14) that directly identifies a single individual
Note 1 to entry: Direct identifiers are those data that can be used to identify a person without additional information or with cross-linking through other information that is in the public domain.

3.22
disclosure
divulging of, or provision of access to, data (3.14)
Note 1 to entry: Whether the recipient actually looks at the data, takes them into knowledge or retains them, is irrelevant to whether disclosure has occurred.

3.23
encryption
process of converting information (3.29) or data (3.14) into a cipher or code

3.24
healthcare identifier
subject of care identifier
identifier (3.27) of a person for primary use by a healthcare system

3.25
identifiable person
one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity
SOURCE: Directive 95/46/EC

3.26
identification
process of using claimed or observed attributes of an entity to single out the entity among other entities in a set of identities
Note 1 to entry: The identification of an entity within a certain context enables another entity to distinguish between the entities with which it interacts.

3.27
identifier
information (3.29) used to claim an identity, before a potential corroboration by a corresponding authenticator
SOURCE: ENV 13608-1:2000, 3.44

3.28
indirectly identifying data
data (3.14) that can identify a single person only when used together with other indirectly identifying data
Note 1 to entry: Indirect identifiers can reduce the population to which the person belongs, possibly down to one if used in combination.
EXAMPLE Postcode, sex, age, date of birth.

3.29
information
knowledge concerning objects that within a certain context has a particular meaning
SOURCE: ISO/IEC 2382:2015, 2121271, modified.

3.30
irreversibility
situation when, for any passage from identifiable to pseudonymous, it is computationally unfeasible to trace back to the original identifier (3.27) from the pseudonym (3.43)

3.31
key
sequence of symbols which controls the operations of encryption (3.23) and decryption (3.19)
SOURCE: ISO 7498-2:1989, 3.3.32

3.32
linkage of information objects
process allowing a logical association to be established between different information objects

3.33
longitudinal or lifetime personal health record
permanent, coordinated record of significant information, in chronological sequence
Note 1 to entry: It may include all historical data collected or be retrieved as a user designated synopsis of significant demographic, genetic, clinical and environmental facts and events maintained within an automated system.
SOURCE: ISO/TR 21089:2004, 3.61, modified

3.34
natural person
real human being as opposed to a legal person which may be
a private or public organization

3.35
person identification
process for establishing an association between an information object and a physical person

3.36
personal identifier
information with the purpose of uniquely identifying a person within a given context

3.37
personal data
information relating to an identified or identifiable natural person (3.34) ("data subject")
SOURCE: Directive 95/46/EC

3.38
primary use of personal data
uses and disclosures (3.22) that are intended for the data (3.14) collected

3.39
privacy
freedom from intrusion into the private life or affairs of an individual when that intrusion results from undue or illegal gathering and use of data (3.14) about that individual
SOURCE: ISO/IEC 2382:2015, 2126263

3.40
processing of personal data
operation or set of operations that is performed upon personal data (3.37), whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction
SOURCE: Directive 95/46/EC

3.41
processor
natural or legal person, public authority, agency or any other body that processes personal data (3.37) on behalf of the controller (3.10)
Note 1 to entry: See Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

3.42
pseudonymization
particular type of de-identification (3.20) that both removes the association with a data subject (3.18) and adds an association between a particular set of characteristics relating to the data subject and one or more pseudonyms (3.43)

3.43
pseudonym
personal identifier (3.36) that is different from the normally used personal identifier and is used with pseudonymized data to provide dataset coherence linking all the information about a subject, without disclosing the real world person identity
Note 1 to entry: This may be either derived from the normally used personal identifier in a reversible or irreversible way or be totally unrelated.
Note 2 to entry: Pseudonym is usually restricted to mean an identifier that does not allow the direct derivation of the normal personal identifier. Such pseudonymous information is thus functionally anonymous. A trusted third party may be able to obtain the normal personal identifier from the pseudonym.

3.44
recipient
natural or legal person, public authority, agency or any other body to whom data (3.14) are disclosed

3.45
secondary use of personal data
uses and disclosures (3.22) that
are different than the initial intended use for the data (3.14) collected

3.46
security policy
plan or course of action adopted for providing computer security
SOURCE: ISO/IEC 2382:2015, 2126246

3.47
trusted third party
security authority, or its agent, trusted by other entities with respect to security-related activities
SOURCE: ISO/IEC 18014-1:2008, 3.20

4 Abbreviated terms

DICOM Digital Imaging and Communication in Medicine
HIPAA Health Insurance Portability and Accountability Act
HIS Health Information System
HIV Human Immunodeficiency Virus
IP Internet Protocol
VoV Victim of Violence use

5 Requirements for privacy protection of identities in healthcare

5.1 Objectives of privacy protection

The objective of privacy protection as part of the confidentiality objective of security is to prevent the unauthorized or unwanted disclosure of information about a person which may further influence legal, organizational and financial risk factors. Privacy protection is a subdomain of generic privacy protection that, by definition, includes other privacy sensitive entities such as organizations. As privacy is the best regulated and pervasive one, this conceptual model focuses on privacy. Protective solutions designed for privacy can also be transposed for the privacy protection of other entities. This may be useful in countries where the privacy of entities or organizations is regulated by law.

There are two objectives in the protection of personal data: one is the protection of personal data in interaction with on-line applications (e.g. web browsing), and the other is the protection of collected personal data in databases. This document will restrict itself to the latter objective.

Data can be extracted from databases. The objective is to
reduce the risk that the identities of the data subjects are disclosed. Researchers work with "cases", longitudinal histories of patients collected in time and/or from different sources. For the aggregation of various data elements into the cases, it is, however, necessary to use a technique that enables aggregations without endangering the privacy of the data subjects whose data are being aggregated. This can be achieved by pseudonymization of the data.

De-identification is used to reduce privacy risks in a wide variety of situations.

Extreme de-identification is used for educational materials that will be made widely public, yet should convey enough detail to be useful for medical education purposes (there is an IHE profile for automation assistance for performing this kind of de-identification; much of the process is customized to the individual patient and educational purpose).

Public health uses de-identified databases to track and understand diseases.

Clinical trials use de-identification both to protect privacy and to avoid subconscious bias by removing other information such as whether the patient received a placebo or an experimental drug.

Slight de-identification is used in many clinical reviews, where the reviewers are kept ignorant of the treating physician, hospital, patient, etc. both to reduce privacy risks and to remove subconscious biases. This kind of de-identification only prevents incidental disclosure to reviewers. An intentional effort will easily discover the patient identity, etc.

When undertaking production of workload statistics or workload analysis within hospitals or of treatments provided against contracts with commissioners or purchasers of health care services, it is necessary to be able to separate individual patients without the need to know who the individual patients are. This is an example of the use of de-identification within a business setting.

The process of risk stratification (of re-hospitalization, for example) can be undertaken by using records from primary and secondary care services for patients. The records are de-identified
for the analysis, but patients that are indicated as being of high risk can be re-identified by an appropriate clinician to enable follow-up interventions. For details on healthcare pseudonymization, see Annex A.

5.2 General

De-identification is the general term for any process of reducing the association between a set of identifying data and the data subject with one or more intended uses of the resulting data-set. Pseudonymization is a subcategory of de-identification. The pseudonym is the means by which pseudonymized data are linked to the same person or information systems without revealing the identity of the person. De-identification inherently can limit the utility of the resulting data. Pseudonymization can be performed with or without the possibility of re-identifying the subject of the data (reversible or irreversible pseudonymization). There are several use case scenarios in healthcare for pseudonymization with particular applicability in increasing electronic processing of patient data, together with increasing patient expectations for privacy protection. Several examples of these are provided in Annex A.

It is important to note that as long as there are any pseudonymized data, there is some risk of unauthorized re-identification. This is not unlike encryption, in that brute force can crack encryption, but the objective is to make it so difficult that the cost is prohibitive. There is less experience with de-identification than encryption, so the risks are not as well understood.

5.3 De-identification as a process to reduce risk

5.3.1 General

The de-identification process should consider the security and privacy controls that will manage the resulting data-set. It is rare to lower the risk so much that the data-set needs no ongoing security controls.

[Figure 1: Visualization of the de-identification process]

Figure 1 is an informative diagram of a visualization of this de-identification process. This shows that the topmost concept is de-identification, as a process. This process utilizes sub-processes: pseudonymization and/or anonymization. These sub-processes use various too
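The following is an added worked example, not part of ISO 25237 and not code from DIN or ISO, illustrating the definitions of pseudonym (3.43), irreversibility (3.30), trusted third party (3.47) and indirectly identifying data (3.28) together with the reversible/irreversible distinction and the residual re-identification risk described in 5.2. Everything in it is an assumption made for the example: the record layout, the sample records (constructed), the class and function names, and the choice of HMAC-SHA256 under a secret key as the keyed one-way derivation. The trusted third party keeps the key; in reversible mode it also keeps a pseudonym-to-identifier table, in irreversible mode it keeps no mapping at all. The last function checks the pseudonymized output for quasi-identifier combinations that belong to a single subject, which is the "down to one" situation Note 1 to 3.28 warns about.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample records (not taken from the standard). Each carries a
# healthcare identifier (3.24) as its directly identifying datum (3.21), the
# indirect identifiers named in the EXAMPLE to 3.28, and one clinical code.
# Records 1 and 4 describe the same subject as seen by two different sources.
SAMPLE_RECORDS = [
    {"healthcare_id": "HC-0001", "postcode": "10115", "sex": "F", "dob": "1980-03-02", "dx": "I10"},
    {"healthcare_id": "HC-0002", "postcode": "10115", "sex": "F", "dob": "1980-03-02", "dx": "E11"},
    {"healthcare_id": "HC-0003", "postcode": "80331", "sex": "M", "dob": "1975-11-20", "dx": "J45"},
    {"healthcare_id": "HC-0001", "postcode": "10115", "sex": "F", "dob": "1980-03-02", "dx": "K21"},
]

DIRECT_IDENTIFIERS = ("healthcare_id",)
INDIRECT_IDENTIFIERS = ("postcode", "sex", "dob")


class PseudonymizationService:
    """Hypothetical trusted third party (3.47) that issues pseudonyms (3.43).

    The pseudonym is derived from the healthcare identifier with HMAC-SHA256
    under a secret key (an assumption of this example). The same identifier
    always yields the same pseudonym, which gives the pseudonymized data-set its
    coherence across sources, while anyone without the key can neither derive a
    subject's pseudonym from the identifier nor trace the pseudonym back to it.
    """

    def __init__(self, reversible: bool, key: Optional[bytes] = None) -> None:
        self.reversible = reversible
        self._key = key if key is not None else secrets.token_bytes(32)
        # Reversible mode retains a pseudonym -> identifier table under the third
        # party's control; irreversible mode retains nothing (3.30).
        self._lookup: Dict[str, str] = {}

    def pseudonym_for(self, identifier: str) -> str:
        tag = hmac.new(self._key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()
        pseudonym = "PSN-" + tag[:16]  # truncated only for readability in this demo
        if self.reversible:
            self._lookup[pseudonym] = identifier
        return pseudonym

    def re_identify(self, pseudonym: str) -> str:
        """Only the trusted third party, and only in reversible mode, may go back."""
        if not self.reversible:
            raise PermissionError("irreversible pseudonymization: no mapping is retained")
        return self._lookup[pseudonym]

    def pseudonymize(self, records: List[dict]) -> List[dict]:
        """Strip the direct identifiers and attach the pseudonym to each record."""
        released = []
        for rec in records:
            new = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
            new["pseudonym"] = self.pseudonym_for(rec["healthcare_id"])
            released.append(new)
        return released


def singled_out_combinations(pseudonymized: List[dict],
                             fields: Tuple[str, ...] = INDIRECT_IDENTIFIERS) -> List[tuple]:
    """Quasi-identifier combinations that occur for exactly one pseudonym.

    Pseudonymization removes the direct identifier but leaves the indirect
    identifiers in place. A combination held by a single subject reduces the
    population "down to one" (Note 1 to 3.28); that is the residual
    re-identification risk 5.2 says never fully disappears, and the data-set
    owner should know about it before deciding on further generalization or
    ongoing access controls (5.3.1).
    """
    subjects = defaultdict(set)
    for rec in pseudonymized:
        subjects[tuple(rec[f] for f in fields)].add(rec["pseudonym"])
    return sorted(combo for combo, pseudonyms in subjects.items() if len(pseudonyms) == 1)


if __name__ == "__main__":
    third_party = PseudonymizationService(reversible=True)
    released = third_party.pseudonymize(SAMPLE_RECORDS)
    for rec in released:
        print(rec)
    print("singled-out combinations:", singled_out_combinations(released))
```

Run as a script, the output shows records 1 and 4 sharing one pseudonym (dataset coherence) while the healthcare identifier is gone, and reports the one postcode/sex/date-of-birth combination held by a single subject. With reversible=False the service still produces the same pseudonyms for the same key, but re_identify raises, matching the definition of irreversibility in 3.30; re-identification is possible only through the trusted third party, as Note 2 to 3.43 describes.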