《ISO-17090-1-2008.pdf》由会员分享,可在线阅读,更多相关《ISO-17090-1-2008.pdf(44页珍藏版)》请在三一文库上搜索。
1、 Reference number ISO 17090-1:2008(E) ISO 2008 INTERNATIONAL STANDARD ISO 17090-1 First edition 2008-02-15 Health informatics Public key infrastructure Part 1: Overview of digital certificate services Informatique de sant Infrastructure de cl publique Partie 1: Vue densemble des services de certific
2、at numrique Copyright International Organization for Standardization Provided by IHS under license with ISO Licensee=Boeing Co/5910770001 Not for Resale, 07/25/2008 03:27:16 MDTNo reproduction or networking permitted without license from IHS -,-,- ISO 17090-1:2008(E) PDF disclaimer This PDF file may
3、 contain embedded typefaces. In accordance with Adobes licensing policy, this file may be printed or viewed but shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In downloading this file, parties accept therein the respo
4、nsibility of not infringing Adobes licensing policy. The ISO Central Secretariat accepts no liability in this area. Adobe is a trademark of Adobe Systems Incorporated. Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creatio
5、n parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below. COPYRIGHT PROTECTED DOCUMENT ISO 2008
6、All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISOs member body in the countr
7、y of the requester. ISO copyright office Case postale 56 CH-1211 Geneva 20 Tel. + 41 22 749 01 11 Fax + 41 22 749 09 47 E-mail copyrightiso.org Web www.iso.org Published in Switzerland ii ISO 2008 All rights reserved Copyright International Organization for Standardization Provided by IHS under lice
8、nse with ISO Licensee=Boeing Co/5910770001 Not for Resale, 07/25/2008 03:27:16 MDTNo reproduction or networking permitted without license from IHS -,-,- ISO 17090-1:2008(E) ISO 2008 All rights reserved iii Contents Page Foreword iv Introduction v 1 Scope . 1 2 Normative references. 1 3 Terms and def
9、initions. 2 3.1 Healthcare context terms. 2 3.2 Security services terms . 3 3.3 Public key infrastructure related terms 6 4 Abbreviations 9 5 Healthcare context 10 5.1 Certificate holders and relying parties in healthcare 10 5.2 Examples of actors. 10 5.3 Applicability of digital certificates to hea
10、lthcare. 12 6 Requirements for security services in healthcare applications 12 6.1 Healthcare characteristics. 12 6.2 Digital certificate technical requirements in healthcare. 13 6.3 Separation of authentication from encipherment . 14 6.4 Health industry security management framework for digital cer
11、tificates. 15 6.5 Policy requirements for digital certificate issuance and use in healthcare . 15 7 Public key cryptography 15 7.1 Symmetric vs asymmetric cryptography . 15 7.2 Digital certificates. 16 7.3 Digital signatures 16 7.4 Protecting the private key 16 8 Deploying digital certificates. 17 8
12、.1 Necessary components . 17 8.2 Establishing identity using qualified certificates 18 8.3 Establishing speciality and roles using identity certificates . 19 8.4 Using attribute certificates for authorization and access control. 20 9 Interoperability requirements 20 9.1 Overview 20 9.2 Options for d
13、eploying healthcare digital certificates across jurisdictions 21 9.3 Option usage. 22 Annex A (informative) Scenarios for the use of digital certificates in healthcare. 23 Bibliography. 35 Copyright International Organization for Standardization Provided by IHS under license with ISO Licensee=Boeing
14、 Co/5910770001 Not for Resale, 07/25/2008 03:27:16 MDTNo reproduction or networking permitted without license from IHS -,-,- ISO 17090-1:2008(E) iv ISO 2008 All rights reserved Foreword ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (I
15、SO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, gov
16、ernmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization. International Standards are drafted in accordance with the rules given in the ISO/IEC
17、 Directives, Part 2. The main task of technical committees is to prepare International Standards. Draft International Standards adopted by the technical committees are circulated to the member bodies for voting. Publication as an International Standard requires approval by at least 75 % of the membe
18、r bodies casting a vote. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. ISO 17090-1 was prepared by Technical Committee ISO/TC 215, Health informati
19、cs. This first edition cancels and replaces the Technical Specification (ISO/TS 17090-1:2002), which has been revised and brought to the status of International Standard. ISO 17090 consists of the following parts, under the general title Health informatics Public key infrastructure: Part 1: Overview
20、 of digital certificate services Part 2: Certificate profile Part 3: Policy management of certification authority Copyright International Organization for Standardization Provided by IHS under license with ISO Licensee=Boeing Co/5910770001 Not for Resale, 07/25/2008 03:27:16 MDTNo reproduction or ne
21、tworking permitted without license from IHS -,-,- ISO 17090-1:2008(E) ISO 2008 All rights reserved v Introduction The healthcare industry is faced with the challenge of reducing costs by moving from paper-based processes to automated electronic processes. New models of healthcare delivery are emphas
22、izing the need for patient information to be shared among a growing number of specialist healthcare providers and across traditional organizational boundaries. Healthcare information concerning individual citizens is commonly interchanged by means of electronic mail, remote database access, electron
23、ic data interchange and other applications. The Internet provides a highly cost-effective and accessible means of interchanging information, but it is also an insecure vehicle that demands additional measures be taken to maintain the privacy and confidentiality of information. Threats to the securit
24、y of health information through unauthorized access (either inadvertent or deliberate) are increasing. It is essential to have available to the healthcare system, reliable information security services that minimize the risk of unauthorized access. How does the healthcare industry provide appropriat
25、e protection for the data conveyed across the Internet in a practical, cost-effective way? Public key infrastructure (PKI) and digital certificate technology seek to address this challenge. The proper deployment of digital certificates requires a blend of technology, policy and administrative proces
26、ses that enable the exchange of sensitive data in an unsecured environment by the use of “public key cryptography” to protect information in transit and “certificates” to confirm the identity of a person or entity. In healthcare environments, this technology uses authentication, encipherment and dig
27、ital signatures to facilitate confidential access to, and movement of, individual health records to meet both clinical and administrative needs. The services offered by the deployment of digital certificates (including encipherment, information integrity and digital signatures) are able to address m
28、any of these security issues. This is especially the case if digital certificates are used in conjunction with an accredited information security standard. Many individual organizations around the world have started to use digital certificates for this purpose. Interoperability of digital certificat
29、e technology and supporting policies, procedures and practices is of fundamental importance if information is to be exchanged between organizations and between jurisdictions in support of healthcare applications (for example between a hospital and a community physician working with the same patient)
30、. Achieving interoperability between different digital certificate implementations requires the establishment of a framework of trust, under which parties responsible for protecting an individuals information rights may rely on the policies and practices and, by extension, the validity of digital ce
31、rtificates issued by other established authorities. Many countries are deploying digital certificates to support secure communications within their national boundaries. Inconsistencies will arise in policies and procedures between the certification authorities (CAs) and the registration authorities
32、(RAs) of different countries if standards development activity is restricted to within national boundaries. Digital certificate technology is still evolving in certain aspects that are not specific to healthcare. Important standardization efforts and, in some cases, supporting legislation are ongoin
33、g. On the other hand, healthcare providers in many countries are already using or planning to use digital certificates. ISO 17090 seeks to address the need for guidance of these rapid international developments. Copyright International Organization for Standardization Provided by IHS under license w
34、ith ISO Licensee=Boeing Co/5910770001 Not for Resale, 07/25/2008 03:27:16 MDTNo reproduction or networking permitted without license from IHS -,-,- ISO 17090-1:2008(E) vi ISO 2008 All rights reserved ISO 17090 describes the common technical, operational and policy requirements that need to be addres
35、sed to enable digital certificates to be used in protecting the exchange of healthcare information within a single domain, between domains and across jurisdictional boundaries. Its purpose is to create a platform for global interoperability. It specifically supports digital certificate-enabled commu
36、nication across borders, but could also provide guidance for the national or regional deployment of digital certificates in healthcare. The Internet is increasingly used as the vehicle of choice to support the movement of healthcare data between healthcare organizations and is the only realistic cho
37、ice for cross-border communication in this sector. ISO 17090 should be approached as a whole, with the three parts all making a contribution to defining how digital certificates can be used to provide security services in the health industry, including authentication, confidentiality, data integrity
38、 and the technical capacity to support the quality of digital signature. This part of ISO 17090 defines the basic concepts underlying the use of digital certificates in healthcare and provides a scheme of interoperability requirements to establish digital certificate-enabled secure communication of
39、health information. ISO 17090-2 provides healthcare-specific profiles of digital certificates based on the international standard X.509 and the profile of this, specified in IETF/RFC 3280 for different types of certificates. ISO 17090-3 deals with management issues involved in implementing and using
40、 digital certificates in healthcare. It defines a structure and minimum requirements for certificate policies (CPs) and a structure for associated certification practice statements. ISO 17090-3 is based on the recommendations of the informational IETF/RFC 3647, and identifies the principles needed i
41、n a healthcare security policy for cross border communication. It also defines the minimum levels of security required, concentrating on the aspects unique to healthcare. Comments on the content of this document, as well as comments, suggestions and information on the application of these standards,
42、 may be forwarded to the ISO/TC 215 secretariat at adickersonhimss.org or WG4 convenor, Ross Fraser, and WG4 secretariat at w4consecmedis.or.jp. Copyright International Organization for Standardization Provided by IHS under license with ISO Licensee=Boeing Co/5910770001 Not for Resale, 07/25/2008 03
43、:27:16 MDTNo reproduction or networking permitted without license from IHS -,-,- INTERNATIONAL STANDARD ISO 17090-1:2008(E) ISO 2008 All rights reserved 1 Health informatics Public key infrastructure Part 1: Overview of digital certificate services 1 Scope This part of ISO 17090 defines the basic co
44、ncepts underlying use of digital certificates in healthcare and provides a scheme of interoperability requirements to establish a digital certificate-enabled secure communication of health information. It also identifies the major stakeholders who are communicating health- related information, as we
45、ll as the main security services required for health communication where digital certificates may be required. This part of ISO 17090 gives a brief introduction to public key cryptography and the basic components needed to deploy digital certificates in healthcare. It further introduces different ty
46、pes of digital certificate identity certificates and associated attribute certificates for relying parties, self-signed certification authority (CA) certificates, and CA hierarchies and bridging structures. 2 Normative references The following referenced documents are indispensable for the applicati
47、on of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. ISO 17090-2, Health informatics Public key infrastructure Part 2: Certificate profile ISO 17090-3:2008, Health informat
48、ics Public key infrastructure Part 3: Policy management of certification authority ISO/IEC 27002, Information technology Security techniques Code of practice for information security management IETF/RFC 3126, Electronic Signature Formats for long term electronic signatures IETF/RFC 3161, Internet X.509 Public Key Infrastructure Time-Stamp Protocol (TSP) IETF/RFC 3281, An Internet Attribute Certificate Profile for Authorization Copyright International Organization for Standardization Provided by IHS under license with ISO Licensee=Boeing Co/59107700