iTeh StandardsiTeh Standards
EURUSD
Your shopping cart is empty.
SIST

SIST EN 12251:2005

(Main)

Health informatics - Secure User Identification for Health Care - Management and Security of Authentication by Passwords

Health informatics - Secure User Identification for Health Care - Management and Security of Authentication by Passwords

This document is designed to improve the authentication of individual users of health care IT systems, by strengthening the automatic software procedures associated with the management of user identifiers and passwords, without resorting to additional hardware facilities.
This document applies to all information systems (hereafter called systems) within the health care environment that handle or store sensitive person identifiable health information, using passwords as the only means of authenticating the entered user identifier, i.e., verifying the claimed identity of a user. Systems that fall within the scope of this document include for example electronic patient record systems, patient administrative systems and laboratory systems, containing personal health information.
This document does not apply to systems outside the health care environment. Neither does it apply to systems within the health care environment that use other means of identification and authentication, such as smart cards, biometric methods or other technical facilities.

Medizinische Informatik - Sichere Nutzeridentifikation im Gesundheitswesen - Management und Sicherheit für die Authentifizierung durch Passwörter

Informatique de santé - Sécurité de l'identification de l'utilisateur des soins de santé - Gestion et sécurité de l'authentification des mots de passe

Zdravstvena informatika – Varna identifikacija uporabnikov v zdravstvenem varstvu – Upravljanje in varnost avtentikacije z gesli

General Information

Status
Published
Publication Date
31-Dec-2004
ICS
35.030 - IT Security
35.240.80 - IT applications in health care technology
Technical Committee
ITC - Information technology
Current Stage
6060 - National Implementation/Publication (Adopted Project)
Start Date
01-Jan-2005
Due Date
01-Jan-2005
Completion Date
01-Jan-2005
Ref Project
EN 12251:2004 - Health informatics - Secure User Identification for Health Care - Management and Security of Authentication by Passwords

Relations

Replaces
SIST ENV 12251:2003 - Health informatics - Secure user identification for health care - Management and security of authentication by passwords
Effective Date
22-Dec-2008

Buy Standard

EN 12251:2005EN 12251:2005
PreviousNext
Standard
EN 12251:2005
English language
13 pages
sale 10% off
Preview
sale 10% off
Preview
e-Library read for
1 day

Standards Content (Sample)

2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.Zdravstvena informatika – Varna identifikacija uporabnikov v zdravstvenem varstvu – Upravljanje in varnost avtentikacije z gesliMedizinische Informatik - Sichere Nutzeridentifikation im Gesundheitswesen - Management und Sicherheit für die Authentifizierung durch PasswörterInformatique de santé - Sécurité de l'identification de l'utilisateur des soins de santé - Gestion et sécurité de l'authentification des mots de passeHealth informatics - Secure User Identification for Health Care - Management and Security of Authentication by Passwords35.240.80Uporabniške rešitve IT v zdravstveni tehnikiIT applications in health care technologyICS:Ta slovenski standard je istoveten z:EN 12251:2004SIST EN 12251:2005en01-januar-2005SIST EN 12251:2005SLOVENSKI
STANDARDSIST ENV 12251:20031DGRPHãþD



SIST EN 12251:2005



EUROPEAN STANDARDNORME EUROPÉENNEEUROPÄISCHE NORMEN 12251August 2004ICS 35.240.80 English versionHealth informatics - Secure User Identification for Health Care -Management and Security of Authentication by PasswordsInformatique de santé - Sécurité de l'identification del'utilisateur des soins de santé - Gestion et sécurité del'authentification des mots de passeMedizinische Informatik - Sichere Nutzeridentifikation imGesundheitswesen - Management und Sicherheit für dieAuthentifizierung durch PasswörterThis European Standard was approved by CEN on 21 June 2004.CEN members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this EuropeanStandard the status of a national standard without any alteration. Up-to-date lists and bibliographical references concerning such nationalstandards may be obtained on application to the Central Secretariat or to any CEN member.This European Standard exists in three official versions (English, French, German). A version in any other language made by translationunder the responsibility of a CEN member into its own language and notified to the Central Secretariat has the same status as the officialversions.CEN members are the national standards bodies of Austria, Belgium, Cyprus, Czech Republic, Denmark, Estonia, Finland, France,Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Slovakia,Slovenia, Spain, Sweden, Switzerland and United Kingdom.EUROPEAN COMMITTEE FOR STANDARDIZATIONCOMITÉ EUROPÉEN DE NORMALISATIONEUROPÄISCHES KOMITEE FÜR NORMUNGManagement Centre: rue de Stassart, 36
B-1050 Brussels© 2004 CENAll rights of exploitation in any form and by any means reservedworldwide for CEN national Members.Ref. No. EN 12251:2004: ESIST EN 12251:2005



EN 12251:2004 (E) 2 Contents page Foreword.3 Introduction.4 1 Scope.5 2 Normative references.5 3 Terms and definitions.5 4 Requirements.6 4.1 Unique identification and authentication.6 4.2 Identification and authentication prior to all other interactions.6 4.3 Associating unique identity with users.6 4.4 Maintaining the identity of active users.6 4.5 Log-on message.7 4.6 Number of log-on trials.7 4.7 Incorrectly performed log-on procedure.7 4.8 Display of log-on statistics.7 4.9 Password sharing.7 4.10 Password storage.7 4.11 Logging of passwords.8 4.12 Password display suppression.8 4.13 User-changeability of passwords.8 4.14 Default passwords.8 4.15 Initialised passwords.8 4.16 Temporary passwords.8 4.17 Password expiration.8 4.18 Password expiration notification.8 4.19 Password reuse.9 4.20 Password complexity.9 Annex A (informative)
Potential password complexity requirements.10 Annex B (informative)
User responsibilities.11 Annex C (informative)
Password communication.12 Bibliography.13
SIST EN 12251:2005



EN 12251:2004 (E) 3 Foreword This document (EN 12251:2004) has been prepared by Technical Committee CEN/TC 251 “Health informatics”, the secretariat of which is held by SIS. This European Standard shall be given the status of a national standard, either by publication of an identical text or by endorsement, at the latest by February 2005, and conflicting national standards shall be withdrawn at the latest by February 2005. This document supersedes ENV 12251:2000. This document is designed to improve the authentication of individual users of health care IT system, by strengthening the automatic software procedures associated with the management of user identifiers and passwords, without resorting to additional hardware facilities. Although the use of passwords, and the need for improved security in this respect, is by no means specific for the Health Care field, it is felt strongly that the way in which systems are being used in this field, often in direct support of patient care and handling very sensitive information, urgently call for a good solution in this area. However, the methods specified in this document can possibly be applied in other sectors as well at the discretion of users. According to the CEN/CENELEC Internal Regulations, the national standards organizations of the following countries are bound to implement this European Standard: Austria, Belgium, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Slovakia, Slovenia, Spain, Sweden, Switzerland and United Kingdom. SIST EN 12251:2005



EN 12251:2004 (E) 4 Introduction Information Technology (IT) systems in the health care environment are being used in increasingly sensitive and critical circumstances. To facilitate secure access control to an IT system and within an IT system, it is essential to uniquely establish the identity of all users seeking access. Further, to have confidence that a user really is who he or she claims to be, there is a need for secure means of verifying the claimed identity. The use of passwords, being confidential to each user, and constructed in such a way that others cannot compromise this confidential authentication information easily, is the most common means of authentication in current computer systems, and will be so for some time to come. This document can facilitate the wider process of Security Management. Conventional passwords have several disadvantages. Some of these are:  They can easily be shared among several users  The use of unprotected network technology makes them easy targets for eavesdropping  They can be hard to remember if chosen as to be secure Other technologies such as chip cards and biometrics, which provide more secure means of authentication, have been introduced and will eventually phase out the use of passwords. However, in the meantime it is important to facilitate the most secure use of passwords in health care IT systems. This is the main objective of this document. SIST EN 12251:2005



EN 12251:2004 (E) 5
1 Scope This document is designed to improve the authentication of individual users of health care IT systems, by strengthening the automatic software procedures associated with the management of user identifiers and passwords, without resorting to additional hardware facilities. This document applies to all information systems (hereafter called systems) within the health care environment that handle or store sensitive person identifiable health information, using passwords as the only means of authenticating the entered user identifier, i.e., verifying the claimed identity of a user. Systems that fall within the scope of this document include for example electronic patient record systems, patient administrative systems and laboratory systems, containing personal health information. This document does not apply to systems outside the health care environment. Neither does it apply to systems within the health care environment that use other means of identification and authentication, such as smart cards, biometric methods or other technical facilities. 2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
ISO 7498-2, Information processing systems – Open systems interconnection – Basic reference model – Part 2: Security architecture 3 Terms and definitions For the purposes of this document, the following terms and definitions apply. 3.1
access control prevention of unauthorised use of a resource, including the prevention of use of a resource in an unauthorised manner 3.2 authentication process of verifying a claimed user identity, in this document on the basis of an entered user identifier and password 3.3 authentication information information used to establish the validity of a claimed identity [ISO 7498-2] 3.4
authorised user person who is given access rights to the system, i.e., person who is given a unique user identifier and an initial password, and by this is given
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.

This May Also Interest You

SIST
SIST EN ISO 13606-4:2019(Main)
Health informatics - Electronic health record communication - Part 4: Security (ISO 13606-4:2019)
EN ISO 13606-4:2019

This part of this multipart standard on Electronic Health Record Communication describes a methodology for specifying the privileges necessary to access EHR data. This methodology forms part of the overall EHR communications architecture defined in Part 1 of this standard. This standard seeks to address those requirements uniquely pertaining to EHR communications and to represent and communicate EHR-specific information that will inform an access decision. It also refers to general security requirements that apply to EHR communications and points at technical solutions and standards that specify details on services meeting these security needs.

  • Standard
    40 pages
    English language
    sale 10% off
    e-Library read for
    1 day
  • Standard
    40 pages
    English language
    sale 10% off
    e-Library read for
    1 day
SIST
SIST EN ISO 27799:2017(Main)
Health informatics - Information security management in health using ISO/IEC 27002 (ISO 27799:2016)
EN ISO 27799:2016

This International Standard gives guidelines for organizational information security standards and
information security management practices including the selection, implementation and management
of controls taking into consideration the organization’s information security risk environment(s).
This International Standard defines guidelines to support the interpretation and implementation in
health informatics of ISO/IEC 27002 and is a companion to that International Standard.4)
This International Standard provides implementation guidance for the controls described in
ISO/IEC 27002 and supplements them where necessary, so that they can be effectively used for
managing health information security. By implementing this International Standard, healthcare
organizations and other custodians of health information will be able to ensure a minimum requisite
level of security that is appropriate to their organization’s circumstances and that will maintain the
confidentiality, integrity and availability of personal health information in their care.
This International Standard applies to health information in all its aspects, whatever form the
information takes (words and numbers, sound recordings, drawings, video, and medical images),
whatever means are used to store it (printing or writing on paper or storage electronically), and
whatever means are used to transmit it (by hand, through fax, over computer networks, or by post), as
the information is always be appropriately protected.
This International Standard and ISO/IEC 27002 taken together define what is required in terms of
information security in healthcare, they do not define how these requirements are to be met. That is
to say, to the fullest extent possible, this International Standard is technology-neutral. Neutrality with
respect to implementing technologies is an important feature. Security technology is still undergoing
rapid development and the pace of that change is now measured in months rather than years. By
contrast, while subject to periodic review, International Standards are expected on the whole to remain
valid for years. Just as importantly, technological neutrality leaves vendors and service providers free
to suggest new or developing technologies that meet the necessary requirements that this International
Standard describes.
As noted in the introduction, familiarity with ISO/IEC 27002 is indispensable to an understanding of
this International Standard.
The following areas of information security are outside the scope of this International Standard:
a) methodologies and statistical tests for effective anonymization of personal health information;
b) methodologies for pseudonymization of personal health information (see Bibliography for a brief
description of a Technical Specification that deals specifically with this topic);
c) network quality of service and methods for measuring availability of networks used for health
informatics;
d) data quality (as distinct from data integrity).

  • Standard
    114 pages
    English language
    sale 10% off
    e-Library read for
    1 day
  • Draft
    126 pages
    English language
    sale 10% off
    e-Library read for
    1 day
SIST
SIST-TS CEN ISO/TS 14441:2014(Main)
Health informatics - Security and privacy requirements of EHR systems for use in conformity assessment (ISO/TS 14441:2013)
CEN ISO/TS 14441:2013

ISO/TS 14441 examines electronic patient record systems at the clinical point of care that are also interoperable with EHRs. Hardware and process controls are out of the scope. This Technical Specification addresses their security and privacy protections by providing a set of security and privacy requirements, along with guidelines and best practice for conformity assessment. ISO/IEC 15408 (all parts) defines ?targets of evaluation? for security evaluation of IT products. This Technical Specification includes a cross-mapping of 82 security and privacy requirements against the Common Criteria categories in ISO/IEC 15408 (all parts). The point-of-service (POS) clinical software is typically part of a larger system, for example, running on top of an operating system, so it must work in concert with other components to provide proper security and privacy. While a Protection Profile (PP) includes requirements for component security functions to support system security services, it does not specify protocols or standards for conformity assessment, and does not address privacy requirements. This Technical Specification focuses on two main topics: a) Security and privacy requirements (Clause 5). Clause 5 is technical and provides a comprehensive set of 82 requirements necessary to protect (information, patients) against the main categories of risks, addressing the broad scope of security and privacy concerns for point of care, interoperable clinical (electronic patient record) systems. These requirements are suitable for conformity assessment purposes. b) Best practice and guidance for establishing and maintaining conformity assessment programs (Clause 6). Clause 6 provides an overview of conformity assessment concepts and processes that can be used by governments, local authorities, professional associations, software developers, health informatics societies, patients? representatives and others, to improve conformity with health software security and privacy requirements. Annex A provides complementary information useful to countries in designing conformity assessment programs such as further material on conformity assessment business models, processes and other considerations, along with illustrative examples of conformity assessment activities in four countries. Policies that apply to a local, regional or national implementation environment, and procedural, administrative or physical (including hardware) aspects of privacy and security management are outside the scope of this Technical Specification. Security management is included in the scope of ISO 27799.

  • Technical specification
    122 pages
    English language
    sale 10% off
    e-Library read for
    1 day
SIST
SIST-TP CEN/TR 15300:2006(Main)
Health informatics - Framework for formal modelling of healthcare security policies
CEN/TR 15300:2006

This CEN report specifies the starting point for working on some formalising tools that could be used by the healthcare actors to express, compare and validate local and/or network security policies.
Defining and validating a correct security policy encompass different activities such as expressing correctly
(i.e. without any ambiguity), formulating correctly (i.e. without any misinterpretation) and proving the correctness (i.e. without known failures or major lack) of the [to be formally modelled] security policy.
This CEN report does NOT intend at all to specify a UNIQUE or UNIVERSAL formal model that need to be used by the European healthcare community: it only indicates, as a first working step, some ways that could be followed to help that healthcare community to correctly and fruitfully manipulate the security policy concept(s) and the formal modelling techniques.
This CEN report does NOT intend to indicate an EXHAUSTIVE spectrum of all the published formal security policy models: it only gives a readable and understandable flavour of the most well-known formal models and also of the [maybe] most interesting ones from the healthcare activity and needs point of view. This CEN report is, in this very first version, divided in five parts:
o   Part #1 - Introduction to formal modelling: this clause summarises and justifies the following needs:
i.   need for policies, in general and for any context;
ii.   need for security policies, in any data processing context;
iii.   need for models (or modelling facilities) of security policies, in some generic system environments;
iv.   need for formal models (or formal modelling facilities) of security policies, in some sensitive areas;
v.   need for healthcare-oriented formal models of security policies, specialized to healthcare specificities.
o   Part #2 - Historical security policies and models: this clause explains and introduces the main objectives and concepts of the security policy modelling activity that seems to be of

  • Technical report
    33 pages
    English language
    sale 10% off
    e-Library read for
    1 day
SIST
SIST EN 14484:2004(Main)
Health informatics - International transfer of personal health data covered by the EU data protection directive - High level security policy
EN 14484:2003

This item will provide guidance on the data protection policy which should be implemented by organisations which are participants in international applications which involve transfer of person identifiable data across national borders and which require compliance with the EU Data Protection Directive.

  • Standard
    55 pages
    English language
    sale 10% off
    e-Library read for
    1 day
SIST
oSIST prEN 13608-1:2006
Health informatics - Security for healthcare communication - Part 1: Concepts and terminology
prEN 13608-1
  • Draft
    85 pages
    English language
    sale 10% off
    e-Library read for
    1 day
SIST
oSIST prEN 13608-2:2006
Health informatics - Security for healthcare communication - Part 2: Secure data objects
prEN 13608-2
  • Draft
    22 pages
    English language
    sale 10% off
    e-Library read for
    1 day
SIST
oSIST prEN 13608-3:2006
Health informatics - Security for healthcare communication - Part 3: Secure data channels
prEN 13608-3
  • Draft
    23 pages
    English language
    sale 10% off
    e-Library read for
    1 day
SIST
SIST EN IEC 81001-5-1:2022(Main)
Health software and health IT systems safety, effectiveness and security - Part 5-1: Security - Activities in the product life cycle (IEC 81001-5-1:2021)
EN IEC 81001-5-1:2022

1.1 Purpose
This document defines the LIFE CYCLE requirements for development and maintenance of HEALTH SOFTWARE needed to support conformity to IEC 62443-4-1 - taking the specific needs for HEALTH SOFTWARE into account. The set of PROCESSES, ACTIVITIES, and TASKS described in this document establishes a common framework for secure HEALTH SOFTWARE LIFE CYCLE PROCESSES.
[Fig. 1]
The purpose is to increase the information SECURITY of HEALTH SOFTWARE by establishing certain ACTIVITIES and TASKS in the HEALTH SOFTWARE LIFE CYCLE PROCESSES and also by increasing the SECURITY of SOFTWARE LIFE CYCLE PROCESSES themselves.
It is important to maintain an appropriate balance of the key properties SAFETY, effectiveness and SECURITY as discussed in IEC 81001-1.
This document excludes specification of ACCOMPANYING DOCUMENTATION contents.
1.2 Field of application
This document applies to the development and maintenance of HEALTH SOFTWARE by a MANUFACTURER, but recognizes the critical importance of bi-lateral communication with organizations (e.g. HDOs) who have SECURITY responsibilities for the HEALTH SOFTWARE and the systems it is incorporated into, once the software has been developed and released. The IEC/ISO 81001-5 series of standards (for which this is part 1, is therefore being designed to include future parts addressing SECURITY that apply to the implementation, operations and use phases of the LIFE CYCLE for organizations such as HDOs.
Medical device software is a subset of HEALTH SOFTWARE. Therefore, this document applies to:
− Software as part of a medical device;
− Software as part of hardware specifically intended for health use;
− Software as a medical device (SaMD); and
− Software-only PRODUCT for other health use.
Note: In this document, the scope of software considered part of the LIFE CYCLE ACTIVITIES for secure HEALTH SOFTWARE is larger and includes more software (drivers, platforms, operating systems) than for SAFETY, because for SECURITY the focus will be on any use including foreseeable unauthorized access rather than just the INTENDED USE.
[Fig. 2]
1.3 Conformance
HEALTH SOFTWARE conformance with this document is defined as implementing all of the PROCESSES, ACTIVITIES, and TASKS identified in the normative parts of this document - with the exception of Annex F.
Conformance of TRANSITIONAL HEALTH SOFTWARE with Annex F of this document is defined as only implementing the PROCESSES, ACTIVITIES, and TASKS identified in Annex F of this document.
Conformance is determined by inspection and establishing traceability of the PROCESSES, ACTIVITIES and TASKS required.
The quality management system may be implemented according to ISO 13485 or other equivalent quality management system standards.
IEC 62304 specifies ACTIVITIES, based on the software SAFETY classification. The required ACTIVITIES are indicated in the normative text of IEC 62304 as "[Class A, B, C]", "[Class B, C]" or "[Class C]", indicating that they are required selectively depending on the classification of the software to which they apply. The requirements in this document have a special focus on information SECURITY and therefore do not follow the concept of SAFETY classes. For conformity to this document the selection of ACTIVITIES is independent of SAFETY classes.
Implementing the PROCESSES, ACTIVITIES and TASKS specified in this document is sufficient to implement the PROCESS requirements of IEC 62443-4-1. MANUFACTURERS may implement the specifications for Annex E in order to achieve full conformity to IEC 62443-4-1.
This document requires establishing one or more PROCESSES that comprise of identified ACTIVITIES. The LIFE CYCLE PROCESSES shall implement these ACTIVITIES. None of the requirements in this document requires to implement these ACTIVITIES as one single PROCESS or as separate PROCESSES. The ACTIVITIES specified in this document will typically be part of an existing LIFE CYCLE PROCESS.

  • Standard
    59 pages
    English language
    sale 10% off
    e-Library read for
    1 day
SIST
SIST EN ISO 13606-4:2019(Main)
Health informatics - Electronic health record communication - Part 4: Security (ISO 13606-4:2019)
EN ISO 13606-4:2019

This part of this multipart standard on Electronic Health Record Communication describes a methodology for specifying the privileges necessary to access EHR data. This methodology forms part of the overall EHR communications architecture defined in Part 1 of this standard. This standard seeks to address those requirements uniquely pertaining to EHR communications and to represent and communicate EHR-specific information that will inform an access decision. It also refers to general security requirements that apply to EHR communications and points at technical solutions and standards that specify details on services meeting these security needs.

  • Standard
    40 pages
    English language
    sale 10% off
    e-Library read for
    1 day
  • Standard
    40 pages
    English language
    sale 10% off
    e-Library read for
    1 day