SIST EN ISO 27789:2013

SLOVENSKI STANDARD
SIST EN ISO 27789:2013
01-maj-2013
Zdravstvena informatika - Revizijske sledi za elektronske zapise v zdravstvenem
varstvu (ISO 27789:2013)
Health informatics - Audit trails for electronic health records (ISO 27789:2013)
Medizinische Informatik - Audit Trails für elektronische Gesundheitsakten (ISO
27789:2013)
Informatique de santé - Historique d'expertise des dossiers de santé informatisés (ISO
27789:2013)
Ta slovenski standard je istoveten z: EN ISO 27789:2013
ICS:
35.240.80 Uporabniške rešitve IT v IT applications in health care
zdravstveni tehniki technology
SIST EN ISO 27789:2013 en
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

---------------------- Page: 1 ----------------------

SIST EN ISO 27789:2013

---------------------- Page: 2 ----------------------

SIST EN ISO 27789:2013


EUROPEAN STANDARD
EN ISO 27789

NORME EUROPÉENNE

EUROPÄISCHE NORM
March 2013
ICS 35.240.80
English Version
Health informatics - Audit trails for electronic health records (ISO
27789:2013)
Informatique de santé - Historique d'expertise des dossiers Medizinische Informatik - Audit-Trails für elektronische
de santé informatisés (ISO 27789:2013) Gesundheitsakten (ISO 27789:2013)
This European Standard was approved by CEN on 16 February 2013.

CEN members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European
Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical references concerning such national
standards may be obtained on application to the CEN-CENELEC Management Centre or to any CEN member.

This European Standard exists in three official versions (English, French, German). A version in any other language made by translation
under the responsibility of a CEN member into its own language and notified to the CEN-CENELEC Management Centre has the same
status as the official versions.

CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia,
Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania,
Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United
Kingdom.





EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION

EUROPÄISCHES KOMITEE FÜR NORMUNG

Management Centre: Avenue Marnix 17, B-1000 Brussels
© 2013 CEN All rights of exploitation in any form and by any means reserved Ref. No. EN ISO 27789:2013: E
worldwide for CEN national Members.

---------------------- Page: 3 ----------------------

SIST EN ISO 27789:2013
EN ISO 27789:2013 (E)
Contents Page
Foreword . 3

2

---------------------- Page: 4 ----------------------

SIST EN ISO 27789:2013
EN ISO 27789:2013 (E)
Foreword
This document (EN ISO 27789:2013) has been prepared by Technical Committee ISO/TC 215 "Health
informatics" in collaboration with Technical Committee CEN/TC 251 “Health informatics” the secretariat of
which is held by NEN.
This European Standard shall be given the status of a national standard, either by publication of an identical
text or by endorsement, at the latest by September 2013, and conflicting national standards shall be
withdrawn at the latest by September 2013.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. CEN [and/or CENELEC] shall not be held responsible for identifying any or all such patent rights.
According to the CEN-CENELEC Internal Regulations, the national standards organizations of the following
countries are bound to implement this European Standard: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech
Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece,
Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal,
Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the United Kingdom.
Endorsement notice
The text of ISO 27789:2013 has been approved by CEN as EN ISO 27789:2013 without any modification.

3

---------------------- Page: 5 ----------------------

SIST EN ISO 27789:2013

---------------------- Page: 6 ----------------------

SIST EN ISO 27789:2013
INTERNATIONAL ISO
STANDARD 27789
First edition
2013-03-01
Health informatics — Audit trails for
electronic health records
Informatique de santé — Historique d’expertise des dossiers de
santé informatisés
Reference number
ISO 27789:2013(E)
©
ISO 2013

---------------------- Page: 7 ----------------------

SIST EN ISO 27789:2013
ISO 27789:2013(E)

COPYRIGHT PROTECTED DOCUMENT
© ISO 2013
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO 2013 – All rights reserved

---------------------- Page: 8 ----------------------

SIST EN ISO 27789:2013
ISO 27789:2013(E)

Contents Page
Foreword .iv
Introduction .v
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Symbols and abbreviated terms . 4
5 Requirements and uses of audit data . 5
5.1 Ethical and formal requirements . 5
5.2 Uses of audit data . 6
6 Trigger events . 7
6.1 General . 7
6.2 Details of the event types and their contents . 7
7 Audit record details . 8
7.1 The general record format . 8
7.2 Trigger event identification . 9
7.3 User identification . .11
7.4 Access point identification .14
7.5 Audit source identification .15
7.6 Participant object identification .17
8 Audit records for individual events .23
8.1 Access events .23
8.2 Query events .24
9 Secure management of audit data .26
9.1 Security considerations .26
9.2 Securing the availability of the audit system .27
9.3 Retention requirements .27
9.4 Securing the confidentiality and integrity of audit trails .27
9.5 Access to audit data .27
Annex A (informative) Audit scenarios .28
Annex B (informative) Audit log services .35
Bibliography .44
© ISO 2013 – All rights reserved iii

---------------------- Page: 9 ----------------------

SIST EN ISO 27789:2013
ISO 27789:2013(E)

Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of technical committees is to prepare International Standards. Draft International
Standards adopted by the technical committees are circulated to the member bodies for voting.
Publication as an International Standard requires approval by at least 75 % of the member bodies
casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights.
ISO 27789 was prepared by Technical Committee ISO/TC 215, Health informatics.
iv © ISO 2013 – All rights reserved

---------------------- Page: 10 ----------------------

SIST EN ISO 27789:2013
ISO 27789:2013(E)

Introduction
0.1 General
Personal health information is regarded by many as among the most confidential of all types of personal
information and protecting its confidentiality is essential if the privacy of subjects of care is to be
maintained. In order to protect the consistency of health information, it is also important that its entire
life cycle be fully auditable. Health records should be created, processed and managed in ways that
guarantee the integrity and confidentiality of their contents and that support legitimate control by
subjects of care in how the records are created, used and maintained.
Trust in electronic health records requires physical and technical security elements along with data
integrity elements. Among the most important of all security requirements to protect personal health
information and the integrity of records are those relating to audit and logging. These help to ensure
accountability for subjects of care who entrust their information to electronic health record (EHR)
systems. They also help to protect record integrity, as they provide a strong incentive to users of such
systems to conform to organizational policies on the use of these systems.
Effective audit and logging can help to uncover misuse of EHR systems or EHR data and can help
organizations and subjects of care obtain redress against users abusing their access privileges. For
auditing to be effective, it is necessary that audit trails contain sufficient information to address a wide
variety of circumstances (see Annex A).
Audit logs are complementary to access controls. The audit logs provide a means to assess compliance
with organizational access policy and can contribute to improving and refining the policy itself. But as
such a policy has to anticipate the occurrence of unforeseen or emergency cases, analysis of the audit
logs becomes the primary means of ensuring access control for those cases.
This International Standard is strictly limited in scope to logging of events. Changes to data values in
fields of an EHR are presumed to be recorded in the EHR database system itself and not in the audit
log. It is presumed that the EHR system itself contains both the previous and updated values of every
field. This is consistent with contemporary point-in-time database architectures.The audit log itself is
presumed to contain no personal health information other than identifiers and links to the record.
Electronic health records on an individual person may reside in many different information systems
within and across organizational or even jurisdictional boundaries. To keep track of all actions that
involve records on a particular subject of care, a common framework is a prerequisite. This International
Standard provides such a framework. To support audit trails across distinct domains it is essential to
include references in this framework to the policies that specify the requirements within the domain,
such as access control rules and retention periods. Domain policies may be referenced implicitly by
identification of the audit log source.
0.2 Benefits of using this International Standard
Standardization of audit trails on access to electronic health records aims at two goals:
— ensuring that information captured in an audit log is sufficient to clearly reconstruct a detailed
chronology of the events that have shaped the content of an electronic health record, and
— ensuring that an audit trail of actions relating to a subject of care’s record can be reliably followed,
even across organizational domains.
This International Standard is intended for those responsible for overseeing health information security
or privacy and for healthcare organizations and other custodians of health information seeking guidance
on audit trails, together with their security advisors, consultants, auditors, vendors and third-party
service providers.
0.3 Comparision with related standards on electronic health record audit trails
© ISO 2013 – All rights reserved v

---------------------- Page: 11 ----------------------

SIST EN ISO 27789:2013
ISO 27789:2013(E)

This International Standard conforms to the requirements of ISO 27799:2008, insofar as they relate to
auditing and audit trails.
Some readers may be familiar with Internet Engineering Task Force (IETF) Request for Comment
[13]
(RFC) 3881. (Readers not already familiar with IETF RFC 3881 need not refer to that document, as
familiarity with it is not required to understand this International Standard.) Informational RFC 3881,
dated 2004-09 and no longer listed as active in the IETF database, was an early and useful attempt at
specifying the content of audit logs for healthcare. To the extent possible, this International Standard
builds upon, and is consistent with, the work begun in RFC 3881 with respect to access to the EHR.
0.4 A note on terminology
Several closely related terms are defined in Clause 3. An audit log is a chronological sequence of audit
records; each audit record contains evidence of directly pertaining to and resulting from the execution of a
process or system function. As EHR systems can be complex aggregations of systems and databases, there
may be more than one audit log containing information on system events that have altered a subject of
care’s EHR. Although the terms audit trail and audit log are often used interchangeably, in this International
Standard the term audit trail refers to the collection of all audit records from one or more audit logs that
refer to a specific subject of care or specific electronic health record or specific user. An audit system
provides all the information processing functions necessary to maintain one or more audit logs.
vi © ISO 2013 – All rights reserved

---------------------- Page: 12 ----------------------

SIST EN ISO 27789:2013
INTERNATIONAL STANDARD ISO 27789:2013(E)
Health informatics — Audit trails for electronic health
records
1 Scope
This International Standard specifies a common framework for audit trails for electronic health records
(EHR), in terms of audit trigger events and audit data, to keep the complete set of personal health
information auditable across information systems and domains.
It is applicable to systems processing personal health information which, complying with ISO 27799,
create a secure audit record each time a user accesses, creates, updates or archives personal health
information via the system.
NOTE Such audit records, at a minimum, uniquely identify the user, uniquely identify the subject of care,
identify the function performed by the user (record creation, access, update, etc.), and record the date and time at
which the function was performed.
This International Standard covers only actions performed on the EHR, which are governed by the
access policy for the domain where the electronic health record resides. It does not deal with any
personal health information from the electronic health record, other than identifiers, the audit record
only containing links to EHR segments as defined by the governing access policy.
It does not cover the specification and use of audit logs for system management and system security
purposes, such as the detection of performance problems, application flaw, or support for a reconstruction
[9]
of data, which are dealt with by general computer security standards such as ISO/IEC 15408-2.
Annex A gives examples of audit scenarios. Annex B gives an overview of audit log services.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
ISO 8601:2004, Data elements and interchange formats — Information interchange — Representation of
dates and times
ISO 27799:2008, Health informatics — Information security management in health using ISO/IEC 27002
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
3.1
access control
means to ensure that access to assets is authorized and restricted based on business and security
requirements
[ISO/IEC 27000:2012, definition 2.1]
3.2
access policy
definition of the obligations for authorizing access to a resource
© ISO 2013 – All rights reserved 1

---------------------- Page: 13 ----------------------

SIST EN ISO 27789:2013
ISO 27789:2013(E)

3.3
accountability
principle that individuals, organizations and the community are responsible for their actions and may
be required to explain them to others
[ISO 15489-1:2001, definition 3.2]
3.4
audit
systematic and independent examination of accesses, additions or alterations to electronic health
records to determine whether the activities were conducted, and the data were collected, used, retained
or disclosed according to organizational standard operating procedures, policies, good clinical practice,
and applicable regulatory requirement(s)
3.5
audit archive
archival collection of one or more audit logs
3.6
audit data
data obtained from one or more audit records
3.7
audit log
chronological sequence of audit records, each of which contains data about a specific event
3.8
audit record
record of a single specific event in the life cycle of an electronic health record
3.9
audit system
information processing system that maintains one or more audit logs
3.10
audit trail
collection of audit records from one or more audit logs relating to a specific subject of care or a specific
electronic health record
3.11
authentication
provision of assurance that a claimed characteristic of an entity is correct
[ISO/IEC 27000:2012, definition 2.8]
3.12
authorization
granting of privileges, which includes the granting of privileges to access data and functions
Note 1 to entry: Derived from ISO 7498-2: the granting of rights, which includes the granting of access based on
access rights.
3.13
authority
entity responsible for issuing certificates
3.14
availability
property of being accessible and useable upon demand by an authorized entity
[ISO/IEC 27000:2012, definition 2.10]
2 © ISO 2013 – All rights reserved

---------------------- Page: 14 ----------------------

SIST EN ISO 27789:2013
ISO 27789:2013(E)

3.15
confidentiality
property that information is not made available or disclosed to unauthorized individuals, entities or processes
[ISO/IEC 27000:2012, definition 2.13]
3.16
Coordinated Universal Time
UTC
time scale which forms the basis of a coordinated radio dissemination of standard frequencies and time
signals; it corresponds exactly in rate with international atomic time, but differs from it by an integral
number of seconds
[IEC 60050-713:1998]
3.17
data integrity
property that data have not been altered or destroyed in an unauthorized manner
[ISO 7498-2:1989, definition 3.3.21]
3.18
electronic health record
EHR
comprehensive, structured set of clinical, demographic, environmental, social and financial data in
electronic form, documenting the health care given to a single individual
[ASTM E1769:1995]
3.19
EHR segment
part of an EHR that constitutes a distinct resource for the access policy
3.20
identification
performance of tests to enable a data processing system to recognize entities
[ISO/IEC 2382-8:1998, definition 08.04.12 (as identitiy authentication, identity validation)]
3.21
identifier
piece of information used to claim an identity, before a potential corroboration by a corresponding
authenticator
3.22
information security
preservation of confidentiality, integrity and availability of information
[ISO/IEC 27000:2012, definition 2.30]
3.23
integrity
property of protecting the accuracy and completeness of assets
[ISO/IEC 27000:2012, definition 2.36]
© ISO 2013 – All rights reserved 3

---------------------- Page: 15 ----------------------

SIST EN ISO 27789:2013
ISO 27789:2013(E)

3.24
object identifier
OID
globally unique identifier for an information object
Note 1 to entry: The object identifiers used in this International Standard refer to code systems. These code
systems may be defined in a standard or locally defined per implementation. The object identifier is specified
using the Abstract Syntax Notation One (ASN.1) defined in ISO/IEC 8824-1 and ISO/IEC 8824-2.
3.25
policy
set of legal, political, organizational, functional and technical obligations for communication and cooperation
[ISO/TS 22600]
3.26
privilege
capacity assigned to an entity by an authority
3.27
records management
field of management responsible for the efficient and systematic control of the creation, receipt,
maintenance, use and disposition of records, including processes for capturing and maintaining evidence
of and information about business activities and transactions in the form of records
[ISO 15489-1, definition 3.16]
3.28
role
set of competences and/or performances associated with a task
3.29
sensitivity
measure of the potential or perceived potential to create harm to a data subject, or to be abused, or misused
3.30
security policy
plan or course of action adopted for providing computer security
[ISO/IEC 2382-8:1998, definition 08.01.06]
3.31
subject of care
person scheduled to receive, receiving or having received a health service
[ISO 18308:2011, definition 3.47]
3.32
user
person, device or program that uses an EHR system for data processing or health information exchange
4 Symbols and abbreviated terms
EHR Electronic Health Record
HL7 Health Level Seven International
OID Object Identifier
UTC Coordinated Universal Time
4 © ISO 2013 – All rights reserved

---------------------- Page: 16 ----------------------

SIST EN ISO 27789:2013
ISO 27789:2013(E)

5 Requirements and uses of audit data
5.1 Ethical and formal requirements
5.1.1 General
Healthcare providers have their professional ethical responsibilities to meet. Among these are protecting
the privacy of subjects of care and documenting the findings and activities of care. Restricting access to
health records and ensuring their appropriate use are both essential requirements in health care and in
many jurisdictions these requirements are set down in law.
Secure audit trails of access to electronic health records may support compliance with professional
ethics, organizational policies and legislation, but they are not sufficient in themselves to assess
completeness of an electronic health record.
5.1.2 Access policy
An organization responsible for maintaining an audit log shall identify the access policy governing all
accesses logged.
The access policy shall be in accordance with ISO 27799:2008, 7.8.1.2, Access control policy.
NOTE 1 The access policy is presumed to define an EHR segment structure.
NOTE 2 In the audit record the access policy is identified by the audit log source.
[6]
Guidance on specifying and implementing access policies can be found in ISO/TS 22600. A field
“Participant object Permission PolicySet” is defined in 7.6.6 to support referencing the actual policies in
the audit record.
5.1.3 Unambiguous identification of information system users
The audit trails shall provide sufficient data to unambiguously identify all authorized health information
system users. Users of the information system can be persons, but also other entities.
The audit trails shall provide sufficient data to determine which authorized users and external systems
have accessed or been sent health record data from the system.
5.1.4 User roles
The audit trail shall show the role of the user, while performing the recorded action on personal
health information.
Information systems processing personal health information should support role-based access control
capable of mapping each user to one or more roles, and each role to one or more system functions, as
recommended in ISO 27799:2008, 7.8.2.2, Privilege management.
[4]
Functional and structural roles are documented in ISO/TS 21298. Additional guidance on privilege
[6]
management in health is given by ISO/TS 22600, (all parts).
5.1.5 Secure audit records
Secure audit records shall be created each time personal health information is accessed, created,
updated or archived, in accordance with ISO 27799:2008, 7.7.10.2, Audit logging. The audit records shall
be maintained by secure records management.
© ISO 2013 – All rights reserved 5

---------------------- Page: 1
...

SLOVENSKI STANDARD
oSIST prEN ISO 27789:2011
01-marec-2011
Zdravstvena informatika - Revizijske sledi za elektronske zapise v zdravstvenem
varstvu (ISO/DIS 27789:2010)
Health informatics - Audit trails for electronic health records (ISO/DIS 27789:2010)
Medizinische Informatik - Audit Trails für elektronische Gesundheitsakten (ISO/DIS
27789:2010)
Informatique de santé - Historique d'expertise des dossiers de santé informatisés
(ISO/DIS 27789:2010)
Ta slovenski standard je istoveten z: prEN ISO 27789
ICS:
35.240.80 Uporabniške rešitve IT v IT applications in health care
zdravstveni tehniki technology
oSIST prEN ISO 27789:2011 en
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

---------------------- Page: 1 ----------------------
oSIST prEN ISO 27789:2011

---------------------- Page: 2 ----------------------
oSIST prEN ISO 27789:2011


EUROPEAN STANDARD
DRAFT
prEN ISO 27789
NORME EUROPÉENNE

EUROPÄISCHE NORM

December 2010
ICS 35.240.80
English Version
Health informatics - Audit trails for electronic health records
(ISO/DIS 27789:2010)
Informatique de santé - Historique d'expertise des dossiers Medizinische Informatik - Audit Trails für elektronische
de santé informatisés (ISO/DIS 27789:2010) Gesundheitsakten (ISO/DIS 27789:2010)
This draft European Standard is submitted to CEN members for parallel enquiry. It has been drawn up by the Technical Committee
CEN/TC 251.

If this draft becomes a European Standard, CEN members are bound to comply with the CEN/CENELEC Internal Regulations which
stipulate the conditions for giving this European Standard the status of a national standard without any alteration.

This draft European Standard was established by CEN in three official versions (English, French, German). A version in any other language
made by translation under the responsibility of a CEN member into its own language and notified to the CEN-CENELEC Management
Centre has the same status as the official versions.

CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia,
Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland,
Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland and United Kingdom.

Recipients of this draft are invited to submit, with their comments, notification of any relevant patent rights of which they are aware and to
provide supporting documentation.

Warning : This document is not a European Standard. It is distributed for review and comments. It is subject to change without notice and
shall not be referred to as a European Standard.


EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION

EUROPÄISCHES KOMITEE FÜR NORMUNG

Management Centre: Avenue Marnix 17, B-1000 Brussels
© 2010 CEN All rights of exploitation in any form and by any means reserved Ref. No. prEN ISO 27789:2010: E
worldwide for CEN national Members.

---------------------- Page: 3 ----------------------
oSIST prEN ISO 27789:2011
prEN ISO 27789:2010 (E)
Contents Page
Foreword .3

2

---------------------- Page: 4 ----------------------
oSIST prEN ISO 27789:2011
prEN ISO 27789:2010 (E)
Foreword
This document (prEN ISO 27789:2010) has been prepared by Technical Committee ISO/TC 215 "Health
informatics" in collaboration with Technical Committee CEN/TC 251 “Health informatics” the secretariat of
which is held by NEN.
This document is currently submitted to the parallel Enquiry.
Endorsement notice
The text of ISO/DIS 27789:2010 has been approved by CEN as a prEN ISO 27789:2010 without any
modification.

3

---------------------- Page: 5 ----------------------
oSIST prEN ISO 27789:2011

---------------------- Page: 6 ----------------------
oSIST prEN ISO 27789:2011
DRAFT INTERNATIONAL STANDARD ISO/DIS 27789
ISO/TC 215 Secretariat: ANSI
Voting begins on: Voting terminates on:
2010-12-09 2011-05-09
INTERNATIONAL ORGANIZATION FOR STANDARDIZATION • МЕЖДУНАРОДНАЯ ОРГАНИЗАЦИЯ ПО СТАНДАРТИЗАЦИИ • ORGANISATION INTERNATIONALE DE NORMALISATION
Health informatics — Audit trails for electronic health records
Informatique de la santé — Historique d'expertise des dossiers de santé informatisés
ICS 35.240.80

ISO/CEN PARALLEL PROCESSING
This draft has been developed within the International Organization for Standardization (ISO), and
processed under the ISO-lead mode of collaboration as defined in the Vienna Agreement.
This draft is hereby submitted to the ISO member bodies and to the CEN member bodies for a parallel
five-month enquiry.
Should this draft be accepted, a final draft, established on the basis of comments received, will be
submitted to a parallel two-month approval vote in ISO and formal vote in CEN.
In accordance with the provisions of Council Resolution 15/1993 this document is circulated in
the English language only.
Conformément aux dispositions de la Résolution du Conseil 15/1993, ce document est distribué
en version anglaise seulement.
To expedite distribution, this document is circulated as received from the committee secretariat.
ISO Central Secretariat work of editing and text composition will be undertaken at publication
stage.
Pour accélérer la distribution, le présent document est distribué tel qu'il est parvenu du
secrétariat du comité. Le travail de rédaction et de composition de texte sera effectué au
Secrétariat central de l'ISO au stade de publication.
THIS DOCUMENT IS A DRAFT CIRCULATED FOR COMMENT AND APPROVAL. IT IS THEREFORE SUBJECT TO CHANGE AND MAY NOT BE
REFERRED TO AS AN INTERNATIONAL STANDARD UNTIL PUBLISHED AS SUCH.
IN ADDITION TO THEIR EVALUATION AS BEING ACCEPTABLE FOR INDUSTRIAL, TECHNOLOGICAL, COMMERCIAL AND USER PURPOSES, DRAFT
INTERNATIONAL STANDARDS MAY ON OCCASION HAVE TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL TO BECOME STANDARDS TO
WHICH REFERENCE MAY BE MADE IN NATIONAL REGULATIONS.
RECIPIENTS OF THIS DRAFT ARE INVITED TO SUBMIT, WITH THEIR COMMENTS, NOTIFICATION OF ANY RELEVANT PATENT RIGHTS OF WHICH
THEY ARE AWARE AND TO PROVIDE SUPPORTING DOCUMENTATION.
©
International Organization for Standardization, 2010

---------------------- Page: 7 ----------------------
oSIST prEN ISO 27789:2011
ISO/DIS 27789
PDF disclaimer
This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but shall
not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In
downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat
accepts no liability in this area.
Adobe is a trademark of Adobe Systems Incorporated.
Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation
parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In the
unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below.
Copyright notice
This ISO document is a Draft International Standard and is copyright-protected by ISO. Except as permitted
under the applicable laws of the user's country, neither this ISO draft nor any extract from it may be
reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, photocopying,
recording or otherwise, without prior written permission being secured.
Requests for permission to reproduce should be addressed to either ISO at the address below or ISO's
member body in the country of the requester.
ISO copyright office
Case postale 56  CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Reproduction may be subject to royalty payments or a licensing agreement.
Violators may be prosecuted.
©
ii ISO 2010 – All rights reserved

---------------------- Page: 8 ----------------------
oSIST prEN ISO 27789:2011
ISO/DIS 27789
Contents Page
Foreword . v
Introduction . v
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Symbols and abbreviated terms . 5
5 Requirements and uses of audit data . 5
5.1 Ethical and formal requirements . 5
5.1.1 General . 5
5.1.2 Access policy . 5
5.1.3 Unambiguous identification of information system users . 6
5.1.4 User roles . 6
5.1.5 Secure audit records . 6
5.2 Uses of audit data . 6
5.2.1 Governance and supervision . 6
5.2.2 Subjects of care exercising their rights . 6
5.2.3 Healthcare provider's ethical or legal proof of action . 7
6 Trigger events . 7
6.1 General . 7
6.2 Details of the event types and their contents . 8
6.2.1 Access events to the personal health information . 8
6.2.2 Query events to the personal health information . 8
7 Audit record details . 8
7.1 The general record format . 8
7.2 Trigger event identification . 10
7.2.1 Event ID . 10
7.2.2 Event action code . 10
7.2.3 Event date and time . 11
7.2.4 Event type code . 11
7.3 User identification . 12
7.3.1 User ID . 12
7.3.2 Alternative user ID . 12
7.3.3 User name . 12
7.3.4 User is requestor . 12
7.3.5 Role ID code . 13
7.4 Access point identification . 14
7.4.1 Network access point type code . 14
7.4.2 Network access point ID . 14
7.5 Audit source identification . 15
7.5.1 Overview . 15
7.5.2 Audit enterprise site ID . 15
7.5.3 Audit source ID . 16
7.5.4 Audit source type code . 16
7.6 Participant object identification . 17
7.6.1 Overview . 17
7.6.2 Participant object type code. 17
7.6.3 Participant object type code role . 18
7.6.4 Participant object data life cycle . 19
© ISO 2010 – All rights reserved iii

---------------------- Page: 9 ----------------------
oSIST prEN ISO 27789:2011
ISO/DIS 27789
7.6.5 Participant object ID type code . 20
7.6.6 Participant object sensitivity . 21
7.6.7 Participant object ID . 21
7.6.8 Participant object name . 21
7.6.9 Participant object query . 21
7.6.10 Participant object detail . 22
8 Audit records for individual events . 22
8.1 Access events . 22
8.2 Query events . 24
9 Secure management of audit data . 25
9.1 Security considerations . 25
9.2 Securing the availability of the audit system . 26
9.3 Retention requirements . 26
9.4 Securing the confidentiality and integrity of audit trails . 26
9.5 Access to audit data . 26
Annex A (informative) Audit scenarios . 27
A.1 Overview . 27
A.2 Case of the disgruntled celebrity . 27
A.3 Case of the enforced legislative right to privacy (retrospective, not active) . 29
A.4 Case of a compromised server . 30
A.5 Case of a privileged user who abuses those privileges . 30
A.6 Case of misdirected test results . 30
A.7 Case of the wayward transactions . 31
A.8 Case of the disappearing audit records—Audit repository as target . 32
A.9 Case of a hacker creating fake audit records . 32
A.10 Case of a hacker sniffing audit records and uses them in a nefarious way . 32
A.11 Case of a strange (authorized/unauthorized) configuration change . 33
A.12 Case of a user trying to brute-force a password . 33
Annex B (informative) Audit log services . 34
B.1 Audit Logger Service . 35
B.2 Audit Record Generator Service . 35
B.3 Audit Event Catalog Service . 36
B.4 Audit Monitor Service . 37
B.5 Alert or Notification Service . 40
B.6 Audit Report Service . 41
B.7 Audit Analysis Service . 43
Bibliography . 44

iv © ISO 2010 – All rights reserved

---------------------- Page: 10 ----------------------
oSIST prEN ISO 27789:2011
ISO/DIS 27789
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies
(ISO member bodies). The work of preparing International Standards is normally carried out through ISO
technical committees. Each member body interested in a subject for which a technical committee has been
established has the right to be represented on that committee. International organizations, governmental and
non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the
International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of technical committees is to prepare International Standards. Draft International Standards
adopted by the technical committees are circulated to the member bodies for voting. Publication as an
International Standard requires approval by at least 75 % of the member bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO shall not be held responsible for identifying any or all such patent rights.
ISO 27789 was prepared by Technical Committee ISO/TC 215, Health informatics, Subcommittee SC , .
This second/third/. edition cancels and replaces the first/second/. edition (), [clause(s) / subclause(s) /
table(s) / figure(s) / annex(es)] of which [has / have] been technically revised.
© ISO 2010 – All rights reserved v

---------------------- Page: 11 ----------------------
oSIST prEN ISO 27789:2011
ISO/DIS 27789
Introduction
Personal health information is regarded by many as among the most confidential of all types of personal
information and protecting its confidentiality is essential if the privacy of subjects of care is to be maintained. In
order to protect the consistency of health information, it is also important that its entire life cycle be fully
auditable. Health records should be created, processed and managed in ways that guarantee the integrity and
confidentiality of their contents and that support legitimate control by subjects of care in how the records are
created, used and maintained.
Trust in electronic health records requires physical and technical security elements along with data integrity
elements. Among the most important of all security requirements to protect personal health information and
the integrity of records are those relating to audit and logging. These help to ensure accountability for subjects
of care who entrust their information to electronic health record (EHR) systems. They also help to protect
record integrity, as they provide a strong incentive to users of such systems to conform to organizational
policies on the use of these systems.
Effective audit and logging can help to uncover misuse of EHR systems or EHR data and can help
organisations and subjects of care obtain redress against users abusing their access privileges. For auditing
to be effective, audit trails must contain sufficient information to address a wide variety of circumstances (see
Annex A).
Audit logs are complementary to access controls. The audit logs provide a means to assess compliance with
organizational access policy and can contribute to improving and refining the policy itself. But as such a policy
must anticipate the occurrence of unforeseen or emergency cases, analysis of the audit logs will for those
cases become the primary means of ensuring access control.
This standard is strictly limited in scope to logging of events. Changes to data values in fields of an EHR are
presumed to be recorded in the EHR database system itself and not in the audit log. It is presumed that the
EHR system itself will contain both the previous and updated values of every field.This is consistent with
contemporary point-in-time database architectures.The audit log itself is presumed to contain no personal
health information other than identifiers and links to the record.
Electronic health records on an individual person may reside in many different information systems within and
across organisational or even jurisdictional boundaries. To keep track of all actions that involve records on a
particular subject of care, a common framework is a prerequisite. This standard provides such a framework.
To support audit trails across distinct domains it is essential to include references in this framework to the
policies that specify the requirements within the domain, such as access control rules and retention periods.
Domain policies may be referenced implicitly by identification of the audit log source.
Benefits of using this standard
Standardisation of audit trails on access to electronic health records will achieve two goals:
ensuring that information captured in an audit log is sufficient to clearly reconstruct a detailed chronology
of the events that have shaped the content of an electronic health record, and
ensuring that an audit trail of actions relating to a subject of care’s record can be reliably followed, even
across organizational domains.
vi © ISO 2010 – All rights reserved

---------------------- Page: 12 ----------------------
oSIST prEN ISO 27789:2011
ISO/DIS 27789
Who should read this standard?
This standard is intended for those responsible for overseeing health information security or privacy and for
healthcare organizations and other custodians of health information seeking guidance on audit trails, together
with their security advisors, consultants, auditors, vendors and third-party service providers.

Comparision with related standards on electronic health record audit trails
This standard conforms to the requirements of ISO 27799:2008, Health informatics — Security management
in health using ISO/IEC 27002, insofar as they relate to auditing and audit trails.
Some readers may be familiar with Internet Engineering Task Force (IETF) Request for Comment (RFC) 3881
Security Audit and Access Accountability Message XML Data Definitions for Healthcare Applications [1].
(Readers not already familiar with IETF RFC 3881 need not refer to that document, as familiarity with it is not
required to understand this ISO standard). Informational RFC 3881, dated 2004-09 and no longer listed as
active in the IETF database, was an early and useful attempt at specifying the content of audit logs for
healthcare.To the extent possible, this ISO standard builds upon, and is consistent with, the work begun in
RFC 3881 with respect to access to the EHR.

A Note on Terminology
Several closely related terms are defined in section 3 (Terms and definitions). An audit log is a chronological
sequence of audit records; each audit record contains evidence of directly pertaining to and resulting from the
execution of a process or system function. As EHR systems can be complex aggregations of systems and
databases, there may be more than one audit log containing information on system events that have altered a
subject of care’s EHR. Although the terms audit trail and audit log are often used interchangeably, in this
standard the term audit trail will refer to the collection of all audit records from one or more audit logs that refer
to a specific subject of care or specific electronic health record or specific user. An audit system provides all
the information processing functions necessary to maintain one or more audit logs.

© ISO 2010 – All rights reserved vii

---------------------- Page: 13 ----------------------
oSIST prEN ISO 27789:2011

---------------------- Page: 14 ----------------------
oSIST prEN ISO 27789:2011
DRAFT INTERNATIONAL STANDARD ISO/DIS 27789

Health informatics — Audit trails for electronic health records
1 Scope
Electronic health records for subjects of care may reside in many different information systems within and
across organisational or jurisdictional boundaries. To keep track of all actions that involve records on a
particular subject of care, a common framework is a prerequisite.
Audit trails for electronic health records that are distributed across different systems need a common
framework to keep the complete set of personal health information auditable. This document specifies this
common framework in terms of audit trigger events and audit data.
ISO 27799 requires information systems containing personal health information to create a secure audit
record each time a user accesses, creates, u
...