Health informatics - Security and privacy requirements of EHR systems for use in conformity assessment (ISO/TS 14441:2013)

ISO/TS 14441 examines electronic patient record systems at the clinical point of care that are also interoperable with EHRs. Hardware and process controls are out of the scope. This Technical Specification addresses their security and privacy protections by providing a set of security and privacy requirements, along with guidelines and best practice for conformity assessment.

ISO/IEC 15408 (all parts) defines “targets of evaluation” for security evaluation of IT products. This Technical Specification includes a cross-mapping of 82 security and privacy requirements against the Common Criteria categories in ISO/IEC 15408 (all parts). The point-of-service (POS) clinical software is typically part of a larger system, for example, running on top of an operating system, so it must work in concert with other components to provide proper security and privacy. While a Protection Profile (PP) includes requirements for component security functions to support system security services, it does not specify protocols or standards for conformity assessment, and does not address privacy requirements.

This Technical Specification focuses on two main topics:

a) Security and privacy requirements (Clause 5). Clause 5 is technical and provides a comprehensive set of 82 requirements necessary to protect (information, patients) against the main categories of risks, addressing the broad scope of security and privacy concerns for point of care, interoperable clinical (electronic patient record) systems. These requirements are suitable for conformity assessment purposes.

b) Best practice and guidance for establishing and maintaining conformity assessment programs (Clause 6). Clause 6 provides an overview of conformity assessment concepts and processes that can be used by governments, local authorities, professional associations, software developers, health informatics societies, patients’ representatives and others, to improve conformity with health software security and privacy requirements. Annex A provides complementary information useful to countries in designing conformity assessment programs such as further material on conformity assessment business models, processes and other considerations, along with illustrative examples of conformity assessment activities in four countries.

Policies that apply to a local, regional or national implementation environment, and procedural, administrative or physical (including hardware) aspects of privacy and security management are outside the scope of this Technical Specification. Security management is included in the scope of ISO 27799.

Health informatics - Security and privacy requirements for the conformity assessment of EHR systems (ISO/TS 14441:2013)

This Technical Specification examines electronic patient record systems at clinical points of care that are also interoperable with EHRs (electronic health records). Hardware and process controls are outside the scope. This Technical Specification ensures their security and privacy by specifying security and privacy requirements and provides guidelines and best practice for conformity assessment.
ISO/IEC 15408 (all parts) defines “targets of evaluation” for evaluating the security of IT products. This Technical Specification contains a cross-mapping of the 82 core security and privacy requirements against the Common Criteria categories of ISO/IEC 15408 (all parts). The clinical software of point-of-service (POS) systems is normally part of a larger system and runs, for example, on top of an operating system. It must therefore work together with other components so that security and privacy can be ensured. While a Protection Profile (PP) covers requirements for component security functions that support system security services, it specifies neither protocols or standards for conformity assessment nor privacy requirements.
This Technical Specification focuses on two main topics:
a) Security and privacy requirements (Clause 5). Clause 5 is technical in orientation and provides a comprehensive set of 19 requirements necessary to protect information (patients) against the main categories of risks; in doing so, the broad scope of security and privacy aspects for points of care and interoperable clinical (electronic patient record) systems is taken into account. These core requirements are then elaborated in the form of requirement groups/profiles that are suitable for conformity assessment purposes.
b) Best practice and guidance for establishing and maintaining conformity assessment programs (Clause 6). Clause 6 gives an overview of conformity assessment concepts and processes that can be used by governments, local authorities, professional associations, software developers, health informatics societies, patients’ representatives and others to achieve greater conformity with security and privacy requirements for health software. Annex A contains complementary information useful to countries developing conformity assessment programs, e.g. further material on conformity assessment business models, conformity assessment processes and other considerations, as well as illustrative examples of conformity assessment activities in four countries.
Policies that apply in a local, regional or national implementation environment, as well as procedural, administrative and physical (including hardware) aspects of security and privacy management, are outside the scope of this Technical Specification. Security management is covered by ISO 27799.

Informatique de santé - Sécurité et exigences d'intimité des systèmes de EHR pour l'évaluation de la conformité (ISO/TS 14441:2013)

Zdravstvena informatika - Zahteve za varnost in zasebnost sistemov EHR (elektronski zdravstveni zapis) pri ocenjevanju skladnosti (ISO/TS 14441:2013)

General Information

Status: Published
Publication Date: 16-Feb-2014
Technical Committee:
Current Stage: 6060 - National Implementation/Publication (Adopted Project)
Start Date: 06-Jan-2014
Due Date: 13-Mar-2014
Completion Date: 17-Feb-2014

Buy Standard

Technical specification TS CEN ISO/TS 14441:2014, English language, 122 pages

Standards Content (Sample)

SLOVENIAN STANDARD
SIST-TS CEN ISO/TS 14441:2014
01-March-2014
Zdravstvena informatika - Zahteve za varnost in zasebnost sistemov EHR (elektronski zdravstveni zapis) pri ocenjevanju skladnosti (ISO/TS 14441:2013)
Health informatics - Security and privacy requirements of EHR systems for use in conformity assessment (ISO/TS 14441:2013)
Informatique de santé - Sécurité et exigences d'intimité des systèmes de EHR pour l'évaluation de la conformité (ISO/TS 14441:2013)
This Slovenian standard is identical to: CEN ISO/TS 14441:2013
ICS:
35.240.80 IT applications in health care technology (Uporabniške rešitve IT v zdravstveni tehniki)
SIST-TS CEN ISO/TS 14441:2014 en,fr,de
2003-01. Slovenian Institute for Standardization. Reproduction of this standard, in whole or in part, is not permitted.

TECHNICAL SPECIFICATION
CEN ISO/TS 14441

SPÉCIFICATION TECHNIQUE

TECHNISCHE SPEZIFIKATION
December 2013
ICS 35.240.80
English Version
Health informatics - Security and privacy requirements of EHR
systems for use in conformity assessment (ISO/TS 14441:2013)
Informatique de santé - Sécurité et exigences d'intimité des systèmes de EHR pour l'évaluation de la conformité (ISO/TS 14441:2013)
Medizinische Informatik - Sicherheits- und Datenschutzanforderungen für die Konformitätsprüfung von EGA-Systemen (ISO/TS 14441:2013)
This Technical Specification (CEN/TS) was approved by CEN on 7 April 2013 for provisional application.

The period of validity of this CEN/TS is limited initially to three years. After two years the members of CEN will be requested to submit their
comments, particularly on the question whether the CEN/TS can be converted into a European Standard.

CEN members are required to announce the existence of this CEN/TS in the same way as for an EN and to make the CEN/TS available
promptly at national level in an appropriate form. It is permissible to keep conflicting national standards in force (in parallel to the CEN/TS)
until the final decision about the possible conversion of the CEN/TS into an EN is reached.

CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia,
Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania,
Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United
Kingdom.

EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION

EUROPÄISCHES KOMITEE FÜR NORMUNG

CEN-CENELEC Management Centre: Avenue Marnix 17, B-1000 Brussels
© 2013 CEN All rights of exploitation in any form and by any means reserved worldwide for CEN national Members.
Ref. No. CEN ISO/TS 14441:2013 E

CEN ISO/TS 14441:2013 (E)
Contents (page)
Foreword ........ 3

Foreword
This document (CEN ISO/TS 14441:2013) has been prepared by Technical Committee ISO/TC 215 “Health
informatics” in collaboration with Technical Committee CEN/TC 251 “Health informatics” the secretariat of
which is held by NEN.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. CEN [and/or CENELEC] shall not be held responsible for identifying any or all such patent rights.
According to the CEN-CENELEC Internal Regulations, the national standards organizations of the following
countries are bound to announce this Technical Specification: Austria, Belgium, Bulgaria, Croatia, Cyprus,
Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany,
Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland,
Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the United Kingdom.
Endorsement notice
The text of ISO/TS 14441:2013 has been approved by CEN as CEN ISO/TS 14441:2013 without any
modification.

TECHNICAL SPECIFICATION
ISO/TS 14441
First edition
2013-12-15
Health informatics — Security and
privacy requirements of EHR systems
for use in conformity assessment
Informatique de santé — Sécurité et exigences d’intimité des systèmes
de EHR pour l’évaluation de la conformité
Reference number ISO/TS 14441:2013(E)
© ISO 2013


COPYRIGHT PROTECTED DOCUMENT
© ISO 2013
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO 2013 – All rights reserved


Contents (page)
Foreword ........ iv
Introduction ........ v
1 Scope ........ 1
2 Normative references ........ 1
3 Terms and definitions ........ 1
4 Abbreviations ........ 9
5 Security and privacy requirements ........ 9
5.1 General ........ 9
5.2 Theoretical foundation ........ 9
5.3 Privacy and security requirements ........ 12
5.4 Common Criteria ........ 28
6 Best practice and guidance for establishing and maintaining conformity assessment programs ........ 30
6.1 Concepts ........ 31
6.2 Conformity assessment processes ........ 33
Annex A (informative) Conformity assessment programs — Design considerations and illustrative examples from member countries as of 2010 ........ 36
Annex B (informative) Comparison of jurisdictional requirements ........ 54
Bibliography ........ 112

Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of technical committees is to prepare International Standards. Draft International
Standards adopted by the technical committees are circulated to the member bodies for voting.
Publication as an International Standard requires approval by at least 75 % of the member bodies
casting a vote.
In other circumstances, particularly when there is an urgent market requirement for such documents, a
technical committee may decide to publish other types of document:
— an ISO Publicly Available Specification (ISO/PAS) represents an agreement between technical
experts in an ISO working group and is accepted for publication if it is approved by more than 50 %
of the members of the parent committee casting a vote;
— an ISO Technical Specification (ISO/TS) represents an agreement between the members of a
technical committee and is accepted for publication if it is approved by 2/3 of the members of the
committee casting a vote.
An ISO/PAS or ISO/TS is reviewed after three years in order to decide whether it will be confirmed for
a further three years, revised to become an International Standard, or withdrawn. If the ISO/PAS or
ISO/TS is confirmed, it is reviewed again after a further three years, at which time it must either be
transformed into an International Standard or be withdrawn.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights.
ISO/TS 14441 was prepared by Technical Committee ISO/TC 215, Health informatics.

Introduction
As local, regional and national EHR infostructures develop, electronic patient record systems are
being implemented at the many points of care where patients are seen [point-of-service (POS) clinical
systems]. In addition to institutional settings like hospitals, where the systems in various departments
(e.g. nursing units) are typically integrated into a single patient record, smaller single purpose systems
such as electronic medical records (EMRs) are also being implemented in physician offices and other
non-institutional settings such as public health where the sophistication of the systems and the local
IT support infrastructure is much less. As countries begin to connect these POS clinical systems to
EHR infostructures (or directly exchange clinical information with other POS clinical systems through
system-to-system communications), the security and privacy of these systems becomes much more
critical and complex than when the systems operated in a disconnected or ‘stand-alone’ state. To
ensure the required standards are implemented correctly into these systems, so that they will securely
interact with EHR infostructures and maintain the privacy of patient information, many countries
are implementing certification and conformance testing programs to provide objective evidence of
conformity with these requirements.
This Technical Specification identifies the security and privacy requirements, harvested from the above
mentioned standards and international experiences, which should be in place for conformance testing
for interoperable POS clinical (electronic patient record) systems interfacing with EHRs.
The POS clinical systems profiled receive, store, process, display and communicate clinical data and
administrative actions, as well as information related to system users (demographics, personal).
The systems are always accessed by authorized and authenticated users. These users are:
— health professionals that input, access and use patient data, clinical procedures, and statistics;
— administrative users that input and read patient’s personal and demographics data, administrative
and statistical information;
— administrators that control user privileges, perform backups and provide system configuration, including
security configuration;
— auditors that read audit trails;
— other EHR systems that input and receive data;
— subjects of care and their substitute decision makers, who may have restricted access to input and
retrieve authorized data.
Key assumptions that apply for compliant POS clinical systems are as follows:
— the Target of Evaluation (TOE) comprises commercial off the shelf (COTS), governmental, proprietary
and free and open source software;
— authenticated users recognize the need for a secure IT environment;
— authenticated users can be trusted to comply with the organization’s security policy;
— business security processes are implemented with due regard for what can (and cannot) be
reasonably accomplished in a clinical setting;
— competent security administration is carried out in relation to the system’s installation and ongoing
operations.
This Technical Specification draws from international standards, which have been developed by
ISO/TC 215 for EHRs, as well as other ISO standards such as ISO/IEC 27001 and the ISO/IEC 17000
series of standards developed by the ISO Committee on conformity assessment (CASCO). This Technical
Specification also reflects the experience that various countries have had to date in implementing
certification and conformance testing programs in addressing privacy and security requirements in the
context where electronic patient record (clinical) systems at the point of care are interoperable with
regional and national EHRs.
This Technical Specification includes:
— security and privacy requirements that should be met to ensure that information is protected as
well as the main categories of attack;
— discussion of the theoretical foundations underpinning the requirements;
— guidance on best practice for establishing and maintaining conformity assessment programs;
— description of the conformity assessment process, including the key concepts and processes.
Annex A provides more detailed information on conformity assessment models and processes, plus
examples of conformity assessment programs in four example countries at a point in time (2010).
Annex B provides a detailed examination of the privacy and security requirements in place in five
jurisdictions at the time that this Technical Specification was written. This analysis was used to derive
the security and privacy requirements in Clause 5.
This Technical Specification is to be used by agencies which accredit or operate programs for certifying
health software products through conformity assessment against privacy and security standards,
software suppliers demonstrating their compliance with those requirements, and purchasers of those
systems who want assurance that the requirements have been met.
Health informatics — Security and privacy requirements of
EHR systems for use in conformity assessment
1 Scope
This Technical Specification examines electronic patient record systems at the clinical point of care that
are also interoperable with EHRs. Hardware and process controls are out of the scope. This Technical
Specification addresses their security and privacy protections by providing a set of security and privacy
requirements, along with guidelines and best practice for conformity assessment.
ISO/IEC 15408 (all parts) defines “targets of evaluation” for security evaluation of IT products. This
Technical Specification includes a cross-mapping of 82 security and privacy requirements against the
Common Criteria categories in ISO/IEC 15408 (all parts). The point-of-service (POS) clinical software is
typically part of a larger system, for example, running on top of an operating system, so it must work in
concert with other components to provide proper security and privacy. While a Protection Profile (PP)
includes requirements for component security functions to support system security services, it does not
specify protocols or standards for conformity assessment, and does not address privacy requirements.
This Technical Specification focuses on two main topics:
a) Security and privacy requirements (Clause 5). Clause 5 is technical and provides a comprehensive
set of 82 requirements necessary to protect (information, patients) against the main categories of
risks, addressing the broad scope of security and privacy concerns for point of care, interoperable
clinical (electronic patient record) systems. These requirements are suitable for conformity
assessment purposes.
b) Best practice and guidance for establishing and maintaining conformity assessment programs
(Clause 6). Clause 6 provides an overview of conformity assessment concepts and processes that can
be used by governments, local authorities, professional associations, software developers, health
informatics societies, patients’ representatives and others, to improve conformity with health
software security and privacy requirements. Annex A provides complementary information useful
to countries in designing conformity assessment programs such as further material on conformity
assessment business models, processes and other considerations, along with illustrative examples
of conformity assessment activities in four countries.
Policies that apply to a local, regional or national implementation environment, and procedural,
administrative or physical (including hardware) aspects of privacy and security management are outside
the scope of this Technical Specification. Security management is included in the scope of ISO 27799.
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and are
indispensable for its application. For dated references, only the edition cited applies. For undated
references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 17000, Conformity assessment — Vocabulary and general principles
ISO 27799:2008, Health informatics — Information security management in health using ISO/IEC 27002
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.

3.1
accountability
principle that individuals, organizations, and the community are responsible for their actions and may
be required to explain them to others
[SOURCE: ISO 15489-1:2001, definition 3.2]
Note 1 to entry: This requires that all users of PHI be traceable.
3.2
access control
a means of ensuring that the resources of a data processing system can be accessed only by authorized
entities in authorized ways
[SOURCE: ISO/IEC 2382-8:1998, definition 08.04.01]
3.3
accreditation body
authoritative body that performs accreditation
Note 1 to entry: The authority of an accreditation body is generally derived from government.
[SOURCE: ISO/IEC 17000:2004, definition 2.6]
3.4
anonymization
process that removes the association between the identifying data set and the data subject
[SOURCE: ISO/TS 25237:2008, definition 3.2]
3.5
asset
anything that has value to the organization
Note 1 to entry: In the context of health information security, information assets include health information, IT
services, hardware, software, communications facilities, media, IT facilities, and medical devices that record or
report data.
Note 2 to entry: Adapted from ISO/IEC 27000:2012, definition 2.4.
3.6
assurance
result of a set of compliance processes through which an organization achieves confidence in the status
of its information security management
3.7
attestation
issue of a statement, based on a decision following review, that fulfilment of specified requirements has
been demonstrated
Note 1 to entry: The resulting statement, referred to in this Technical Specification as a “statement of conformity”,
conveys the assurance that the specified requirements have been fulfilled. Such an assurance does not, of itself,
afford contractual or other legal guarantees.
Note 2 to entry: See also scope of attestation.
Note 3 to entry: Adapted from ISO/IEC 17000:2004, definition 5.2.

3.8
audit
systematic, independent, documented process for obtaining records, statements of fact or other relevant
information and assessing them objectively to determine the extent to which specified requirements
are fulfilled
Note 1 to entry: While “audit” applies to management systems, “assessment” applies to conformity assessment
bodies as well as more generally.
[SOURCE: ISO/IEC 17000:2004, definition 4.4]
3.9
availability
property of being accessible and usable upon demand by an authorized entity
[SOURCE: ISO/IEC 27000:2012, definition 2.10]
3.10
certification
third-party attestation related to products, processes, systems or persons
Note 1 to entry: Adapted from ISO/IEC 17000:2004, definition 5.5.
3.11
compliance
the action of doing what is necessary to meet a specified requirement
3.12
confidentiality
property that information is not made available or disclosed to unauthorized individuals, entities, or
processes
[SOURCE: ISO 7498-2:1989, definition 3.3.16]
3.13
conformity assessment
demonstration that specified requirements relating to a product, process, system, person or organization
are fulfilled
Note 1 to entry: Adapted from ISO/IEC 17000:2004, definition 2.1.
3.14
conformity assessment system
rules, procedures and management for carrying out conformity assessment
Note 1 to entry: Conformity assessment systems may be operated at international, regional, national or sub-
national level.
[SOURCE: ISO/IEC 17000:2004, definition 2.7]
3.15
data subject
person to whom data refer
Note 1 to entry: In this Technical Specification, a data subject refers to a single person (versus persons).
3.16
entity
natural or legal person, public authority or agency or any other body
Note 1 to entry: In the context outside the scope of this Technical Specification, an entity may refer to a natural
person, animal, organization, active or passive object, device or group of such items that has an identity.

3.17
first-party conformity assessment activity
conformity assessment activity that is performed by the person or organization that provides the object
Note 1 to entry: See also second-party conformity assessment activity, and third-party conformity assessment
activity.
Note 2 to entry: Adapted from ISO/IEC 17000:2004, definition 2.2.
3.18
health information system
repository of information regarding the health of a subject of care in computer-processable form, stored
and transmitted securely, and accessible by multiple authorized users
[SOURCE: ISO 27799:2008, definition 3.1.2]
Note 1 to entry: It has a commonly agreed logical information model which is independent of EHR (electronic
health record) systems.
Note 2 to entry: Its primary purpose is the support of continuing, efficient and quality integrated healthcare and
it contains information which is retrospective, concurrent and prospective.
3.19
healthcare
any type of services provided by professionals or paraprofessionals with an impact on health status
[SOURCE: European Parliament, 1998, as cited by WHO]
3.20
health organization
organization involved in the direct provision of health activities
Note 1 to entry: Adapted from ISO/TR 20514:2005, definition 2.21.
3.21
health professional
person who is authorized by a recognised body to be qualified to perform certain health duties
Note 1 to entry: Adapted from ISO 17090-1:2008, definition 3.1.8.
Note 2 to entry: The defined term is often “healthcare professional”. A convention has been adopted in this
Technical Specification whereby the term “healthcare” is abbreviated to “health” when used in an adjectival form.
When used in a noun form, the word “care” is retained but as a separate word (e.g. delivery of healthcare).
3.22
identity
set of attributes which make it possible to recognize, contact or locate the subject of care
3.23
identifiable person
one who can be identified, directly or indirectly, in particular by reference to an identification number
or one or more factors specific to his physical, physiological, mental, economic, cultural or social identity
[SOURCE: Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the
protection of individuals with regard to the processing of personal data and on the free movement of
such data]
3.24
identification
recognition of a person in a particular domain by a set of his or her attributes

3.25
information governance
processes by which an organization obtains assurance that the risks to its information, and thereby the
operational capabilities and integrity of the organization, are effectively identified and managed
3.26
information privacy
rights and obligations of individuals and organizations with respect to the collection, use, retention,
disclosure and disposal of personal information
[SOURCE: Adapted from the definition of privacy in the Generally Accepted Privacy Principles of the
American Institute of Certified Public Accountants and the Chartered Accountants of Canada]
3.27
information security
preservation of confidentiality, integrity and availability of information
Note 1 to entry: In addition, other properties, such as authenticity, accountability, non-repudiation, and reliability
can also be involved.
[SOURCE: ISO/IEC 27000:2012, definition 2.30]
3.28
inspection
examination of a product design, product, process or installation and determination of its conformity
with specific requirements or, on the basis of professional judgment, with general requirements
Note 1 to entry: Inspection of a process may include inspection of persons, facilities, technology and methodology.
[SOURCE: ISO/IEC 17000:2004, definition 4.3]
3.29
personal health information
PHI
information about an identifiable person that relates to the physical or mental health of the individual,
or to provision of health services to the individual
Note 1 to entry: Such information may include a) information about the registration of the individual for the
provision of health services, b) information about payments or eligibility for health care in respect to the individual,
c) a number, symbol or particular assigned to an individual to uniquely identify the individual for health purposes,
d) any information about the individual that is collected in the course of the provision of health services to the
individual, e) information derived from the testing or examination of a body part or bodily substance, and f)
identification of a person (e.g. a health professional) as provider of healthcare to the individual.
Note 2 to entry: Personal health information does not include information that, either by itself or when combined
with other information available
...
