raising standards worldwide

NO COPYING WITHOUT BSI PERMISSION EXCEPT AS PERMITTED BY COPYRIGHT LAW

BSI Standards Publication

BS EN ISO 27789:2013
Health informatics - Audit trails for electronic health records (ISO 27789:2013)

National foreword

This British Standard is the UK implementation of EN ISO 27789:2013.

The UK participation in its preparation was entrusted to Technical Committee IST/35, Health informatics.

A list of organizations represented on this committee can be obtained on request to its secretary.

This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application.

© The British Standards Institution 2013. Published by BSI Standards Limited 2013.

ISBN 978 0 580 57559 4
ICS 35.240.80

Compliance with a British Standard cannot confer immunity from legal obligations.

This British Standard was published under the authority of the Standards Policy and Strategy Committee on 30 April 2013.

Amendments issued since publication
Date   Text affected

EUROPEAN STANDARD / NORME EUROPÉENNE / EUROPÄISCHE NORM
EN ISO 27789
March 2013
ICS 35.240.80

English Version

Health informatics - Audit trails for electronic health records (ISO 27789:2013)
(French title: Informatique de santé - Historique d'expertise des dossiers de santé informatisés (ISO 27789:2013); German title: Medizinische Informatik - Audit-Trails für elektronische Gesundheitsakten (ISO 27789:2013))

This European Standard was approved by CEN on 16 February 2013.

CEN members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to any CEN member.

This European Standard exists in three official versions (English, French, German). A version in any other language made by translation under the responsibility of a CEN member into its own language and notified to the CEN-CENELEC Management Centre has the same status as the official versions.

CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom.

EUROPEAN COMMITTEE FOR STANDARDIZATION / COMITÉ EUROPÉEN DE NORMALISATION / EUROPÄISCHES KOMITEE FÜR NORMUNG
Management Centre: Avenue Marnix 17, B-1000 Brussels

© 2013 CEN
All rights of exploitation in any form and by any means reserved worldwide for CEN national Members.

Ref. No. EN ISO 27789:2013: E

Foreword

This document (EN ISO 27789:2013) has been prepared by Technical Committee ISO/TC 215 "Health informatics" in collaboration with Technical Committee CEN/TC 251 "Health informatics", the secretariat of which is held by NEN.

This European Standard shall be given the status of a national standard, either by publication of an identical text or by endorsement, at the latest by September 2013, and conflicting national standards shall be withdrawn at the latest by September 2013.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. CEN and/or CENELEC shall not be held responsible for identifying any or all such patent rights.

According to the CEN-CENELEC Internal Regulations, the national standards organizations of the following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the United Kingdom.

Endorsement notice

The text of ISO 27789:2013 has been approved by CEN as EN ISO 27789:2013 without any modification.

ISO 27789:2013(E)
© ISO 2013 - All rights reserved

Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Symbols and abbreviated terms
5 Requirements and uses of audit data
5.1 Ethical and formal requirements
5.2 Uses of audit data
6 Trigger events
6.1 General
6.2 Details of the event types and their contents
7 Audit record details
7.1 The general record format
7.2 Trigger event identification
7.3 User identification
7.4 Access point identification
7.5 Audit source identification
7.6 Participant object identification
8 Audit records for individual events
8.1 Access events
8.2 Query events
9 Secure management of audit data
9.1 Security considerations
9.2 Securing the availability of the audit system
9.3 Retention requirements
9.4 Securing the confidentiality and integrity of audit trails
9.5 Access to audit data
Annex A (informative) Audit scenarios
Annex B (informative) Audit log services
Bibliography

Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.

International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.

The main task of technical committees is to prepare International Standards. Draft International Standards adopted by the technical committees are circulated to the member bodies for voting. Publication as an International Standard requires approval by at least 75 % of the member bodies casting a vote.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights.

ISO 27789 was prepared by Technical Committee ISO/TC 215, Health informatics.

Introduction

0.1 General

Personal health information is regarded by many as among the most confidential of all types of personal information, and protecting its confidentiality is essential if the privacy of subjects of care is to be maintained. In order to protect the consistency of health information, it is also important that its entire life cycle be fully auditable. Health records should be created, processed and managed in ways that guarantee the integrity and confidentiality of their contents and that support legitimate control by subjects of care over how the records are created, used and maintained.

Trust in electronic health records requires physical and technical security elements along with data integrity elements. Among the most important of all security requirements to protect personal health information and the integrity of records are those relating to audit and logging. These help to ensure accountability to subjects of care who entrust their information to electronic health record (EHR) systems. They also help to protect record integrity, as they provide a strong incentive to users of such systems to conform to organizational policies on the use of these systems.

Effective audit and logging can help to uncover misuse of EHR systems or EHR data and can help organizations and subjects of care obtain redress against users abusing their access privileges. For auditing to be effective, it is necessary that audit trails contain sufficient information to address a wide variety of circumstances (see Annex A).

Audit logs are complementary to access controls. The audit logs provide a means to assess compliance with organizational access policy and can contribute to improving and refining the policy itself. But as such a policy has to anticipate the occurrence of unforeseen or emergency cases, analysis of the audit logs becomes the primary means of ensuring access control for those cases.

This International Standard is strictly limited in scope to the logging of events. Changes to data values in fields of an EHR are presumed to be recorded in the EHR database system itself and not in the audit log. It is presumed that the EHR system itself contains both the previous and updated values of every field. This is consistent with contemporary point-in-time database architectures. The audit log itself is presumed to contain no personal health information other than identifiers and links to the record.

Electronic health records on an individual person may reside in many different information systems within and across organizational or even jurisdictional boundaries. To keep track of all actions that involve records on a particular subject of care, a common framework is a prerequisite. This International Standard provides such a framework. To support audit trails across distinct domains it is essential to include references in this framework to the policies that specify the requirements within the domain, such as access control rules and retention periods. Domain policies may be referenced implicitly by identification of the audit log source.

0.2 Benefits of using this International Standard

Standardization of audit trails on access to electronic health records aims at two goals: ensuring that the information captured in an audit log is sufficient to clearly reconstruct a detailed chronology of the events that have shaped the content of an electronic health record, and ensuring that an audit trail of actions relating to a subject of care's record can be reliably followed, even across organizational domains.

This International Standard is intended for those responsible for overseeing health information security or privacy and for healthcare organizations and other custodians of health information seeking guidance on audit trails, together with their security advisors, consultants, auditors, vendors and third-party service providers.

0.3 Comparison with related standards on electronic health record audit trails

This International Standard conforms to the requirements of ISO 27799:2008, insofar as they relate to auditing and audit trails.

Some readers may be familiar with Internet Engineering Task Force (IETF) Request for Comments (RFC) 3881 [13]. (Readers not already familiar with IETF RFC 3881 need not refer to that document, as familiarity with it is not required to understand this International Standard.) Informational RFC 3881, dated 2004-09 and no longer listed as active in the IETF database, was an early and useful attempt at specifying the content of audit logs for healthcare. To the extent possible, this International Standard builds upon, and is consistent with, the work begun in RFC 3881 with respect to access to the EHR.

0.4 A note on terminology

Several closely related terms are defined in Clause 3. An audit log is a chronological sequence of audit records; each audit record contains evidence directly pertaining to and resulting from the execution of a process or system function. As EHR systems can be complex aggregations of systems and databases, there may be more than one audit log containing information on system events that have altered a subject of care's EHR. Although the terms audit trail and audit log are often used interchangeably, in this International Standard the term audit trail refers to the collection of all audit records, from one or more audit logs, that refer to a specific subject of care, a specific electronic health record or a specific user. An audit system provides all the information processing functions necessary to maintain one or more audit logs.

INTERNATIONAL STANDARD ISO 27789:2013(E)

Health informatics - Audit trails for electronic health records

1 Scope

This International Standard specifies a common framework for audit trails for electronic health records (EHR), in terms of audit trigger events and audit data, to keep the complete set of personal health information auditable across information systems and domains.

It is applicable to systems processing personal health information which, complying with ISO 27799, create a secure audit record each time a user accesses, creates, updates or archives personal health information via the system.

NOTE Such audit records, at a minimum, uniquely identify the user, uniquely identify the subject of care, identify the function performed by the user (record creation, access, update, etc.), and record the date and time at which the function was performed.

This International Standard covers only actions performed on the EHR, which are governed by the access policy for the domain where the electronic health record resides. It does not deal with any personal health information from the electronic health record, other than identifiers; the audit record contains only links to EHR segments as defined by the governing access policy.

It does not cover the specification and use of audit logs for system management and system security purposes, such as the detection of performance problems or application flaws, or support for the reconstruction of data, which are dealt with by general computer security standards such as ISO/IEC 15408-2 [9].

Annex A gives examples of audit scenarios. Annex B gives an overview of audit log services.

2 Normative references

The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO 8601:2004, Data elements and interchange formats - Information interchange - Representation of dates and times

ISO 27799:2008, Health informatics - Information security management in health using ISO/IEC 27002

3 Terms and definitions

For the purposes of this document, the following terms and definitions apply.

3.1
access control
means to ensure that access to assets is authorized and restricted based on business and security requirements
[ISO/IEC 27000:2012, definition 2.1]

3.2
access policy
definition of the obligations for authorizing access to a resource

3.3
accountability
principle that individuals, organizations and the community
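The Scope NOTE lists the minimum content of an audit record (user, subject of care, function performed, date and time), 0.1 requires that the log hold no personal health information beyond identifiers and links, and 0.4 distinguishes an audit log (one system's chronological record sequence) from an audit trail (every record about one subject of care or user, gathered across logs). The Python below is an added illustration of those three points; it is not text or code from ISO 27789 or from any EHR product, and its field names (`audit_source_id`, `record_link`), identifiers and sample records are this example's own constructions. Timestamps are parsed as ISO 8601 (the normative reference) and normalized to UTC so that records from systems in different time zones sort correctly.

```python
"""Added example (not ISO 27789 text): a toy model of audit logs versus an
audit trail, using the minimum record content listed in the Scope NOTE.
All field names, identifiers and sample records are constructed here."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Iterable


class Function(Enum):
    """Function performed by the user (Scope NOTE: creation, access, update, etc.)."""
    CREATE = "create"
    ACCESS = "access"
    UPDATE = "update"
    ARCHIVE = "archive"


# The only keys an audit record may carry in this model: identifiers and links,
# never the personal health information itself (Introduction, 0.1).
ALLOWED_KEYS = {"timestamp", "user_id", "subject_of_care_id",
                "function", "audit_source_id", "record_link"}


@dataclass(frozen=True)
class AuditRecord:
    timestamp: datetime       # ISO 8601 on the wire, timezone-aware once parsed
    user_id: str              # uniquely identifies the user
    subject_of_care_id: str   # uniquely identifies the subject of care
    function: Function        # what the user did to the record
    audit_source_id: str      # hypothetical name: the system/domain whose log this is
    record_link: str          # hypothetical name: link to the EHR segment, not its content


def parse_iso8601(text: str) -> datetime:
    """Parse an ISO 8601 timestamp, require an explicit UTC offset, normalize to UTC."""
    ts = datetime.fromisoformat(text.replace("Z", "+00:00"))
    if ts.tzinfo is None:
        raise ValueError(f"timestamp without UTC offset: {text!r}")
    return ts.astimezone(timezone.utc)


def validate_record(raw: dict) -> AuditRecord:
    """Build an AuditRecord from a raw dict, rejecting any key beyond identifiers/links."""
    extra = set(raw) - ALLOWED_KEYS
    if extra:
        raise ValueError(f"fields not permitted in an audit record: {sorted(extra)}")
    missing = ALLOWED_KEYS - set(raw)
    if missing:
        raise ValueError(f"missing required fields: {sorted(missing)}")
    return AuditRecord(
        timestamp=parse_iso8601(raw["timestamp"]),
        user_id=raw["user_id"],
        subject_of_care_id=raw["subject_of_care_id"],
        function=Function(raw["function"]),
        audit_source_id=raw["audit_source_id"],
        record_link=raw["record_link"],
    )


def audit_trail(logs: Iterable[Iterable[AuditRecord]], *,
                subject_of_care_id: str | None = None,
                user_id: str | None = None) -> list[AuditRecord]:
    """Collect, from one or more audit logs, the records that refer to a given
    subject of care and/or user, in chronological order (0.4: an audit trail)."""
    selected = [
        r for log in logs for r in log
        if (subject_of_care_id is None or r.subject_of_care_id == subject_of_care_id)
        and (user_id is None or r.user_id == user_id)
    ]
    return sorted(selected, key=lambda r: r.timestamp)


# Constructed sample logs from two systems in different domains (not real data).
HOSPITAL_LOG = [validate_record(r) for r in [
    {"timestamp": "2013-03-01T09:00:00Z", "user_id": "dr-001",
     "subject_of_care_id": "soc-123", "function": "create",
     "audit_source_id": "hospital-ehr", "record_link": "ehr/soc-123/encounter/1"},
    {"timestamp": "2013-03-01T09:20:00+00:00", "user_id": "nurse-007",
     "subject_of_care_id": "soc-123", "function": "access",
     "audit_source_id": "hospital-ehr", "record_link": "ehr/soc-123/encounter/1"},
    {"timestamp": "2013-03-01T10:00:00Z", "user_id": "dr-001",
     "subject_of_care_id": "soc-456", "function": "access",
     "audit_source_id": "hospital-ehr", "record_link": "ehr/soc-456/summary"},
]]
LAB_LOG = [validate_record(r) for r in [
    {"timestamp": "2013-03-01T10:10:00+01:00", "user_id": "lab-042",  # 09:10Z
     "subject_of_care_id": "soc-123", "function": "update",
     "audit_source_id": "lab-lims", "record_link": "lims/soc-123/result/77"},
]]

if __name__ == "__main__":
    for rec in audit_trail([HOSPITAL_LOG, LAB_LOG], subject_of_care_id="soc-123"):
        print(rec.timestamp.isoformat(), rec.audit_source_id, rec.user_id, rec.function.value)
```

The trail for subject of care soc-123 interleaves the laboratory record (local time 10:10+01:00, i.e. 09:10Z) between the two hospital records, which is the cross-domain ordering the Introduction asks for; a raw record that carries any key outside the identifier-and-link set, or a timestamp with no UTC offset, is refused before it reaches the log.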