Update on Security, Privacy and Safety Standards

Transcription

1 , January 7-12, 2007, San Diego, CA Update on Security, Privacy and Safety Standards HL7 Germany

2 Aspects of Protection and Security after C. Laske Security of personal data (data protection) Protection of privacy Protection of the user Security and Protection Protection of the data subject Patient safety...

3

4

5 ISO TC 215 is undertaking a leadership role in the harmonization of globally based health informatics standards. This important effort is in response to a call for such action by government and industry leaders, and reflects the evolving business model of ISO TC 215 which includes a greater global focus on orchestration of standards.

6 Agreement Principles Continue to accommodate member bodies needs and processes individual SDO mandates and external influences, Be business requirements driven, Be customer focused through strengthened connection with governments, vendors and providers, Undertake joint strategic and operational planning, Coordinate standards at the beginning of standards development processes, Jointly determine which standards to harmonize and include in respective work programs, Be topic and project focused in undertaking collaboration, coordination and cooperation, Support, facilitate and effectively use collective resource capacity and expertise in the development of health information standards, and Provide common communications to our various external stakeholders and communities of interest.

7 These principles will be applied to the processes of choosing, launching, communicating, resourcing, marketing and supporting standards that need to be developed or are being developed. They recognize the commitment of ISO/TC to serve as a coordinating mechanism and focal point for the collective work of the SDOs.

8 Standards Classification (1/2) Architecture standards - HL7 versions 2.x/3, CORBA, MDA, HISA Modelling standards - UML, CEN 15300: CEN Report: Framework for formal modelling of healthcare security policies Communication standards - CEN 13608: Security for healthcare communication, CEN 13606: Electronic healthcare record communication EN EHRcom Infrastructure standards - ISO 17090: Public key infrastructure, ETSI TS : Electronic Signature Formats

9 Standards Classification (2/2) Privacy standards - ASTM E : Standard guide for individual rights regarding health information, CEN 13729: Secure user identification - Strong authentication using microprocessor cards Safety standards - CEN 13694: CEN Report: Safety and security related software quality standards for healthcare ; ISO/DTS "Health Informatics - Classification of safety risks from health informatics products" Terminology and ontology standards - UMLS, SNOMED Identifier and identification schemes - LOINC, ASTM E : Standard guide for properties of a Universal Healthcare Identifier

10 Based on the Electronic signature directive Legal coherence with European rules Legal coherence with national rules, i.e. legal interoperability Common TTP policy Based on the EESSI electronic signature standard Technical coherence with European (international) standards Technical coherence with standards, i.e. technical interoperability

11

12

13

14 Additional Challenge for Network and Information Security in the Information Society (after Andrea Servida) TECHNICAL dimension SOCIAL dimension TRUSTWORTHY, SECURE & RELIABLE ICT ECONOMIC dimension LEGAL dimension

15 CEN TC 251 pren 13606, Health informatics Electronic healthcare record communication pren Health Informatics Security of healthcare communication

16 Card-related standards: CEN CEN ENV published in 1999 (CEN TC 251 WG III) Revision of CEN ENV towards CEN EN rev. Revision of an ENV or a prenv after a period of three years (acceptance, revision, cancellation) Extension of card usage to a global scope (Asia, USA, Australia) a task for ISO TC 215 WG 4 and WG 5 German HPC specification v1 (1997) not valid anymore, other countries (Belgium, Slovenia, France, Italy, etc.) with similar specifications Extended functionality, especially towards C2C (CVC) Report with specifications from respective countries Revision of standard as a second step

17 ISO TC 215 ISO/TS Health informatics - Public key infrastructure - First accepted and published ISO TC 215 standard - ISO/TS :2002 Part 1: Framework and overview - ISO/TS :2002 Part 2: Certificate profile - ISO/TS :2002 Part 3: Policy management of certification authority ISO/IEC PDTS 25237Health Informatics: Pseudonymisation Practices for the Protection of Personal Health Information and Health Related Services ISO/TS Health Informatics. Directory Services for Security, Communications, and Identification of Professionals and Patients ISO/TR 16056:2004 Health informatics - Interoperability of telehealth systems and networks

18 Pseudonymisation Data Source Person Identification Service Ps eudonym isation Service Data Target request data request acknolwledge reques t ID s ervice receipt acknowledge transfer IDAT to PID request pseudonymisation service receipt acknowledge transfer PID to PSN delivery acknowledge submit de-identified data delivery acknowledge Bernd delivery Blobelacknowledge

19 Security Standards of ETSI ETSI TS V1.3.2 ( ) XML Advanced Electronic Signatures (XAdES) ETSI TS V1.4.1 ( ) Electronic Signatures and Infrastructures (ESI) - Policy requirements for certification authorities issuing qualified certificates ETSI TS V1.3.1 ( ) Time stamping profile ETSI TR V1.3.1 ( ) Electronic Signatures and Infrastructures (ESI) - International Harmonization of Policy Requirements for CAs issuing Certificates ETSI TS V1.3.1 ( ) Electronic Signature Formats

20 ISO TC 215 ISO/TS Functional and Structure Roles ISO TS Privilege Management and Access Control ISO/NP 21547: "Health Informatics - Archiving of Electronic Health Records" - Part 1: Principles and Requirements - Part 2: Guidelines ISO/IEC PDTS 25237Health Informatics: Pseudonymisation Practices for the Protection of Personal Health Information and Health Related Services ISO/DTS Classification of Safety Risks CEN TC 251 CEN/TS Health informatics - Categorisation of risks from health informatics products CEN/TR Health informatics - Safety procedures for identification of patients and related objects

21 Questions? Contact: Ph.D., Associate Professor Head, Franz-Josef-Strauss-Allee Regensburg Tel.: Fax :