PD CEN ISO/TS 14441:2013
Current
The latest, up-to-date edition.
Health informatics. Security and privacy requirements of EHR systems for use in conformity assessment
Hardcopy , PDF
English
02-28-2014
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 Security and privacy requirements
6 Best practice and guidance for establishing and
maintaining conformity assessment programs
Annex A (informative) - Conformity assessment
programs - Design considerations and
illustrative examples from member countries
as of 2010
Annex B (informative) - Comparison of jurisdictional
requirements
Bibliography
Describes security and privacy protections by providing a set of security and privacy requirements, along with guidelines and best practice for conformity assessment.
Committee |
IST/35
|
DevelopmentNote |
Reviewed and confirmed by BSI, June 2017. (05/2017)
|
DocumentType |
Standard
|
Pages |
124
|
PublisherName |
British Standards Institution
|
Status |
Current
|
This Technical Specification examines electronic patient record systems at the clinical point of care that are also interoperable with EHRs. Hardware and process controls are out of the scope. This Technical Specification addresses their security and privacy protections by providing a set of security and privacy requirements, along with guidelines and best practice for conformity assessment.
ISO/IEC 15408 (all parts) defines “targets of evaluation” for security evaluation of IT products. This Technical Specification includes a cross-mapping of 82 security and privacy requirements against the Common Criteria categories in ISO/IEC 15408 (all parts). The point-of-service (POS) clinical software is typically part of a larger system, for example, running on top of an operating system, so it must work in concert with other components to provide proper security and privacy. While a Protection Profile (PP) includes requirements for component security functions to support system security services, it does not specify protocols or standards for conformity assessment, and does not address privacy requirements.
This Technical Specification focuses on two main topics:
Security and privacy requirements (Clause 5). Clause 5 is technical and provides a comprehensive set of 82 requirements necessary to protect (information, patients) against the main categories of risks, addressing the broad scope of security and privacy concerns for point of care, interoperable clinical (electronic patient record) systems. These requirements are suitable for conformity assessment purposes.
Best practice and guidance for establishing and maintaining conformity assessment programs (Clause 6). Clause 6 provides an overview of conformity assessment concepts and processes that can be used by governments, local authorities, professional associations, software developers, health informatics societies, patients’ representatives and others, to improve conformity with health software security and privacy requirements. Annex A provides complementary information useful to countries in designing conformity assessment programs such as further material on conformity assessment business models, processes and other considerations, along with illustrative examples of conformity assessment activities in four countries.
Policies that apply to a local, regional or national implementation environment, and procedural, administrative or physical (including hardware) aspects of privacy and security management are outside the scope of this Technical Specification. Security management is included in the scope of ISO 27799.
Standards | Relationship |
CEN ISO/TS 14441:2013 | Identical |
ISO/TS 14441:2013 | Identical |
ISO/IEC 17065:2012 | Conformity assessment — Requirements for bodies certifying products, processes and services |
ISO/IEC 17000:2004 | Conformity assessment Vocabulary and general principles |
ISO/TS 25237:2008 | Health informatics Pseudonymization |
ISO/TS 22600-1:2006 | Health informatics Privilege management and access control Part 1: Overview and policy management |
ISO 18308:2011 | Health informatics — Requirements for an electronic health record architecture |
ISO/IEC 15408-2:2008 | Information technology — Security techniques — Evaluation criteria for IT security — Part 2: Security functional components |
ISO/TS 14265:2011 | Health Informatics - Classification of purposes for processing personal health information |
ISO/IEC 27001:2013 | Information technology — Security techniques — Information security management systems — Requirements |
ISO/IEC 17021:2011 | Conformity assessment Requirements for bodies providing audit and certification of management systems |
CFR 45(PTS1-199) : OCT 2017 | PUBLIC WELFARE - SUBTITLE A - DEPARTMENT OF HEALTH AND HUMAN SERVICES - GENERAL ADMINISTRATION - SUBTITLE B - REGULATIONS RELATING TO PUBLIC WELFARE |
ISO/IEC 15408-3:2008 | Information technology — Security techniques — Evaluation criteria for IT security — Part 3: Security assurance components |
ISO/IEC 27006:2015 | Information technology — Security techniques — Requirements for bodies providing audit and certification of information security management systems |
ISO/TS 21547:2010 | Health informatics Security requirements for archiving of electronic health records Principles |
ISO/IEC 27002:2013 | Information technology Security techniques Code of practice for information security controls |
ISO/IEC 27005:2011 | Information technology Security techniques Information security risk management |
ISO/TS 22600-2:2006 | Health informatics Privilege management and access control Part 2: Formal models |
ISO/TS 13606-4:2009 | Health informatics Electronic health record communication Part 4: Security |
ISO/TS 22600-3:2009 | Health informatics Privilege management and access control Part 3: Implementations |
ISO/IEC 15408-1:2009 | Information technology — Security techniques — Evaluation criteria for IT security — Part 1: Introduction and general model |
ISO/HL7 10781:2015 | Health Informatics — HL7 Electronic Health Records-System Functional Model, Release 2 (EHR FM) |
ISO/TR 21548:2010 | Health informatics Security requirements for archiving of electronic health records Guidelines |
ISO/IEC 27000:2016 | Information technology Security techniques Information security management systems Overview and vocabulary |
ISO/TS 21298:2008 | Health informatics Functional and structural roles |
ISO 27799:2016 | Health informatics Information security management in health using ISO/IEC 27002 |
Access your standards online with a subscription
Features
-
Simple online access to standards, technical information and regulations.
-
Critical updates of standards and customisable alerts and notifications.
-
Multi-user online standards collection: secure, flexible and cost effective.