The following information is produced by the Medical Informatics Department of the University of Magdeburg and is based on several scope statements and documents copyrighted by CEN/TC 251. Most of the scopes, drafts, and documents mentioned below are available on the CEN/TC 251 WEB server at URL http://miginfo.rug.ac.be:8001

Most of the documents correspond to drafts of standards and pre-standards produced by CEN/TC 251 and others. The final documents, once they are officially adopted, can be obtained from the CEN Central Secretariat or from the National Standards Institutes of the participating countries.

Healthcare Security and Privacy, Quality and Safety:
The Scope of CEN/TC 251 WG 6

The quality of information systems used in patient care is one of the key issues in the Healthcare Informatics sector. Two important features of the overall quality of those systems are a) the safety and b) the security of the systems, and these elements will become more and more important because information systems are increasingly used in safety- and security-critical applications.

The European and national legislative bodies emphasise the importance of quality, safety, and security. They also provide the requisite statutory framework to ensure that information systems used in healthcare have the appropriate levels of quality, safety, and security. Major pan-European documents providing a basis for CEN/TC 251 WG 6 are the recommendations of the Council of Europe, which apply to all CEN nations, and the European Union Data Protection Directive, finally adopted on 1995-07-24.

In Healthcare Informatics, security of information systems is often defined as the prevention of breaches of confidentiality, integrity, and availability. In healthcare information systems, the main reason for the strong concern with confidentiality is the protection of the privacy of individuals. Privacy is included in this definition as one aspect of security, closely related to confidentiality. Patients have to trust healthcare establishments to take care of the very sensitive information they give them. The definition of "system" is to be understood in a wider sense, including the surrounding procedures.

The safety of systems can be defined as the expectation that systems do not, under defined conditions, enter a state that could cause human death or injury. In this definition, however, a "system" includes the software, the hardware, the users of the system, and the procedures and practices related to the working of the system. It is not sufficient to analyse a software system without considering how it is used and the environment it is used in. Software does not itself kill or injure people; it is the associated hardware or the actions of inaccurately informed staff that may cause harm.

Quality is defined as the totality of features and characteristics of a product, process or service that bear on its ability to satisfy its stated or intended needs. Safety and security are elements of the quality of a system, at least where they affect the ability of the system to satisfy its stated needs.

It is expected that future development of IT security will take place in the following arenas:

The term protection profile is used here to include the specification of various countermeasures to preserve security, even when these cannot be referenced from existing international standards.

The need to view quality, safety, and security issues in close relation should also be reflected in these arenas. This means that the scope of protection profiles as it is today should be broadened to encompass quality and safety objectives and requirements. It also means that evaluation and certification schemes for the three arenas should be harmonised, aiming at the possibility of performing a single evaluation and certification per product or system that covers quality, safety, and security requirements together.

Standardisation efforts have shifted gradually to the first of these arenas, i.e. the development of protection profiles. An active part in this should be played by the users in the healthcare sector, specifying the needs for quality, safety, and security in the various systems that can be distinguished. Of course, care should be taken to include ethical and legal considerations. It must be emphasised that standards for security, safety, and quality must be developed in parallel with the basic informatics standards for e.g. healthcare communication or electronic record systems. Without considering these important regulatory aspects, the technical possibilities for important efficiency improvements using health telematics cannot be fully exploited.

Although no clear framework exists for this, it could be said that WG 6 should 'audit' other work within the sphere of CEN/TC 251 to identify and handle all relevant quality (and thus security and safety) related issues. Most work until now has been done on security for healthcare information systems; a project team is now active there as well (PT6-012). Translated into the framework given above, the work items related mainly to security can be categorised as follows:

Working Group 6 so far has one project team, for a work item entitled Security Categorisation and Protection for Healthcare Information Systems. This item was based on an extensive risk analysis study of typical healthcare systems in different European countries. The project team has developed a proposed method for the categorisation of healthcare systems. For each category a protection profile is associated that describes an extensive list of appropriate security measures to be taken.

The Working Group has also done considerable work developing standards without project teams. The first one is called Secure User Identification for Healthcare; Identification and Authentication by Passwords - Management and Security. CEN/TC 251/WG 6 has also drafted an ENV called Algorithm for Digital Signature Services in Healthcare based on the already existing de facto standard, the RSA algorithm (Rivest, Shamir and Adleman).

The Working Group has also been able to produce draft technical reports such as A Framework for Security of Healthcare Communication and Security Requirements for Intermittently Connected Devices.

Although it should be recognised that, for both historical and practical reasons, the three aspects of quality, safety, and security are divided over different work items, we emphasise again the need to consider all these aspects together and to reconcile the different approaches.

Although many of these aspects will be relevant to other CEN/TC 251 Working Groups, special links can be noted to WG 1 (focusing on Security of Electronic Healthcare Record Systems), WG 3, WG 4, and WG 7.

Past Convenor: Cees LOUWERSE (The Netherlands) (1990-1994)

W.I.   ACRONYM      STATUS     TITLE
6.1    SAFETY                  Safety-Related Standards for Healthcare
6.2    COMPUSEC     PT6-012    Security Categorisation and Protection for Healthcare Information Systems
6.3    HELI         NON ACT    Medical Record Handling and Archiving: Harmonisation of Ethical/Legal Issues
6.4    SEC-ID                  Secure User Identification for Healthcare
6.5    SQA                     Software Quality Assurance for Healthcare
6.6    EPAS         --> WG 4   Evaluation of Physiological Analysis Systems
6.7    HLSPRF                  High Level Security Policy and Regulations Framework
6.8    UAAC         NON ACT    User Authentication and Access Control: Technology Impact for Medical Informatics
6.9    ACCOUNT                 Accountability Mechanisms for Healthcare Information Systems
6.10   SEC-COM                 Security for Healthcare Communication
6.11   SEC-ID/PSS   prENV      Secure User Identification for Healthcare; Identification and Authentication by Passwords - Management and Security
6.12   SR-ICD                  Security Requirements for Intermittently Connected Devices
6.13   ADSS                    Algorithm for Digital Signature Services in Healthcare

Legend (typographic markers of the original table are not reproduced): actual active work items; work items for which a Project Team is required.

Medical Informatics - Secure User Identification for Healthcare -
Management and Security of Authentication by Passwords -
Healthcare Oriented IT Security Functionality Class

Name: SEC-ID/PSS

Key-words: password, security management, identity, authentication.

This European pre-standard is designed to improve the authentication of individuals wishing to use healthcare IT systems by strengthening the automatic software procedures associated with the management of user identifiers and passwords, without resorting to additional hardware facilities.

The European pre-standard applies to all information systems (hereafter called systems) within the healthcare environment that handle or store sensitive person identifiable health information, using passwords as the only means of authenticating the entered user identifier, i.e., verifying the claimed identity of a user. Systems that fall within the scope of this European pre-standard include for example electronic patient record systems, patient administrative systems and laboratory systems, containing personal health information.

IT systems in the healthcare environment are being used in increasingly sensitive and critical circumstances. To facilitate secure access control to an IT system and within an IT system, it is necessary to uniquely establish the identity of all users seeking access. Further, to have confidence that a user really is who he or she claims to be, there is a need for a secure means of verifying the identity. The use of passwords, which are confidential to each user and constructed in a way that others cannot easily compromise this confidential authentication information, is the most common means of authentication in current computer systems, and will be so for some time to come.

Conventional passwords have several disadvantages. Some of these are:

Other technologies such as chip cards and biometrics, which provide more secure means of authentication, have been introduced and will eventually phase out the use of passwords. However, in the meantime it is necessary to facilitate the secure use of passwords in healthcare IT systems.
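The following is an added example, not text or code from the pre-standard, of the kind of "automatic software procedures" for identifier and password management that the scope refers to: the system stores only a salted, slow one-way hash of each password, compares in constant time, treats an unknown identifier exactly like a wrong password, locks the account after repeated failures, and reports an aged password as verified-but-expired so that a change can be forced. All policy values (iteration count, five attempts, 90-day age, eight-character minimum) and the sample credentials are assumptions of this illustration, not values taken from the pre-standard.

```python
import hashlib
import hmac
import os
import time

# Assumed policy parameters for this example; the pre-standard's own values
# are not reproduced here.
PBKDF2_ITERATIONS = 100_000
MAX_FAILED_ATTEMPTS = 5
MAX_PASSWORD_AGE_SECONDS = 90 * 24 * 3600
MIN_PASSWORD_LENGTH = 8


class PasswordStore:
    """Per-user records: salted hash, failure counter, lock flag, change time."""

    def __init__(self):
        self._users = {}

    @staticmethod
    def _derive(password, salt):
        # Slow, salted one-way function: a stolen record cannot be inverted
        # cheaply, and identical passwords yield different records.
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                   PBKDF2_ITERATIONS)

    def enrol(self, user_id, password, now=None):
        """Register a user; only the salted hash is stored, never the password."""
        if len(password) < MIN_PASSWORD_LENGTH:
            raise ValueError("password shorter than policy minimum")
        if password.lower() == user_id.lower():
            raise ValueError("password must differ from the user identifier")
        salt = os.urandom(16)
        self._users[user_id] = {
            "salt": salt,
            "hash": self._derive(password, salt),
            "failed": 0,
            "locked": False,
            "changed_at": time.time() if now is None else now,
        }

    def authenticate(self, user_id, password, now=None):
        """Verify the claimed identity; returns "ok", "expired", "denied" or "locked"."""
        now = time.time() if now is None else now
        rec = self._users.get(user_id)
        if rec is None:
            # Do the same amount of work for an unknown identifier so that
            # response time does not reveal which identifiers exist.
            self._derive(password, b"\x00" * 16)
            return "denied"
        if rec["locked"]:
            return "locked"
        candidate = self._derive(password, rec["salt"])
        if not hmac.compare_digest(candidate, rec["hash"]):
            rec["failed"] += 1
            if rec["failed"] >= MAX_FAILED_ATTEMPTS:
                rec["locked"] = True   # stays locked until an administrator unlocks
                return "locked"
            return "denied"
        rec["failed"] = 0
        if now - rec["changed_at"] > MAX_PASSWORD_AGE_SECONDS:
            return "expired"   # identity verified, but a password change must be forced
        return "ok"

    def unlock(self, user_id):
        """Administrative unlock after the user's identity has been re-established."""
        rec = self._users[user_id]
        rec["locked"] = False
        rec["failed"] = 0


if __name__ == "__main__":
    store = PasswordStore()
    store.enrol("nurse01", "Ward-7-Rounds")   # constructed sample credentials
    print(store.authenticate("nurse01", "Ward-7-Rounds"))   # ok
    print(store.authenticate("nurse01", "wrong-guess"))     # denied
```

The lockout counter is reset only by a successful authentication or an administrative unlock, and the "expired" result is returned only after the password has been verified, so an attacker cannot use password ageing to bypass the check.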

Examples of issues treated in this European pre-standard:

Current status: prENV (out for formal vote)

Security Categorisation and Protection for Healthcare Information Systems

Name: COMPUSEC (PT6-012)

Key-words: security, risk elements, security profiles, risk scenarios

Risk to healthcare data is ever present, from the point of creation to the point of use. Risk and errors are associated at data creation time, where irreducible error rates have been identified for some clinical processes. Such errors can compound with subsequent risk elements in the data-to-information chain to introduce overt risks to the patient or staff member. All staff have a duty to provide the best care for clinical data, but they can only act or defend within the limits of their knowledge; often they are unaware of what the real risks and threats are, and they have no personal model of the environment of risk within which they work. To enhance this understanding and thereby improve the quality of handling healthcare data, a coherent scheme is needed which indicates the possible consequences of relevant threats.

The objectives are:

  1. To develop a (small) library of real risk scenarios in Healthcare Information Systems, describing the impacts and consequences of possible security breaches.
  2. To develop a classification of Healthcare Information Systems dependent on their security and operational environments.
  3. To develop standardised security profiles for the various classes of Healthcare Information Systems.

So far, a number of risk scenarios have been defined together with a set of consequences of possible security breaches. These have been drawn from other relevant work in Europe as well as from studies by the Project Team members. A proposal has been developed for system classification which is currently being considered by a number of interested parties before producing a revised classification together with associated security profiles.

Current Status: expected date for final document: September, 1996


Algorithm for Digital Signature Services in Healthcare

Name : ADSS

Key-words : digital signature

The use of data processing and telecommunications in healthcare must be accompanied by appropriate security measures to ensure data confidentiality and integrity in compliance with the legal framework. These are aimed at protecting patient privacy as well as professional accountability.

Digital signature is defined in [ISO 7498-2]: data appended to, or a cryptographic transformation of, a data unit that allows a recipient of the data unit to prove the source and integrity of that unit and protect against forgery e.g. by the recipient.

Examples of uses are:

Additional derived security services that can be implemented with the digital signatures are:

No inter-sector standard exists that defines the precise algorithm to be used for digital signatures. In European healthcare, with the need for open secure communications between all parties involved, regionally and increasingly also across borders, it is essential that at least one standard algorithm can be used for all services depending on digital signature techniques.

This European pre-standard defines a digital signature algorithm for use in European healthcare should such an algorithm be required.

The algorithm defined in this standard is the well-known and widely used RSA algorithm, named after its inventors Rivest, Shamir and Adleman. The normative part is in fact identical to the text given as an informative example in the following international standard:

ISO/IEC 9796:1991 Information technology - Security techniques - Digital signature scheme giving message recovery.

The full functionality of the use of this core algorithm for various applications, requires additional specifications of protocol elements related to the application requirements. These may be user agreements and/or may be parts of future standards for e.g. security of healthcare communication or healthcare records.

Current Status: prENV (out for formal vote)

Framework for Security Protection of Health Care Communication

Name : SEC-COM

Key-words : security, health care communication, confidentiality, integrity, availability

This draft of a CEN report, covering the first step of the work item that will lead to an ENV on security for health care communication, was prepared following the discussions at a meeting of WG 6 and builds on previous contributions in the area.

The use of data processing and telecommunications in health care must be accompanied by appropriate security measures to ensure data confidentiality and integrity in compliance with the legal framework, protecting patients as well as professional accountability and organisational assets. In addition, availability aspects are important to consider in many systems. Health care information technology (IT) systems are today no longer isolated systems. Instead, data communication is used more and more for a variety of purposes within and between health care establishments. A variety of different security measures should be considered, targeted towards the requirements of the application area, mainly the nature of the data communicated and the type of data communication employed.

This CEN report aims at promoting a better understanding of the security issues in relation to health care IT communication and at pointing to already existing applicable International and European standards. The report shall define the detailed scope of the required further standardisation work in this area, to be followed up in this work item by the planned project team. As part of this, the report proposes a framework that can be used by the project team to prescribe security functionality in a variety of communication scenarios, and also to establish effectiveness assurances (in terms of e.g. suitability and binding analysis) as an integrated part of its standardisation work.

The question of why two parties should communicate, and particularly what data shall be transmitted, is a major factor in determining the security requirements for the three major aspects of security:

Confidentiality

Integrity

Availability

The communication for searching published information from a bibliographic database is different from remote control of a CT-scanner.

Some of the major aspects to consider are:

  1. Does the data concern identified individuals, patients or health care staff ?
  2. Is there a need for real time interaction ?
  3. Is the communication bi-directional ?
  4. If so, is this because of a need to get a response to a specific question in the near future, or is it just because the appropriate delivery of the message needs to be acknowledged ?
  5. What is the likelihood of somebody interfering with the communication ? Is there a possible gain to be made for somebody ? Or is there a substantial possibility of sabotage?
  6. What are the requirements for availability of the service ? What would be the consequences of the delay of the requested communication for a defined period of time ?

Work items under preparation (1996-04-01) in CEN/TC 251 Working Group 6

Convenor (1994-1996): Gunnar KLEIN (Sweden)

SEC-ID
Secure User Identification for Healthcare
Strong Authentication using Microprocessor Cards

SSQS
Safety and Security related Software Quality Standard for Healthcare

SR-ICD
Security Requirements for Intermittently Connected Devices

SAFE-ID
Safety Procedures for Identification of Patients and related Objects
or alternatively:
PROSIP
Procedure for Secure Identification of Patients and related Objects