ISO 17090-4:2020

INTERNATIONAL ISO
STANDARD 17090-4
Second edition
2020-10
Health informatics — Public key
infrastructure —
Part 4:
Digital signatures for healthcare
documents
Informatique de la santé — Infrastructure clé publique —
Partie 4: Signatures numériques pour les documents des soins
médicaux
Reference number
©
ISO 2020
© ISO 2020
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO 2020 – All rights reserved

Contents Page
Foreword .iv
Introduction .v
1 Scope . 1
2 Normative references . 1
3 Terms and definition . 1
4 Target of application . 2
4.1 Target system . 2
4.2 Generation process . 3
4.3 Verification process . 4
4.3.1 General. 4
4.3.2 Verification of ES . 4
4.3.3 Verification of ES-T . 6
4.3.4 Verification of ES-A . 7
4.4 CAdES specification .12
4.4.1 General.12
4.4.2 Long term signature profile .12
4.4.3 Representation of the required level .12
4.4.4 CAdES-T profile .13
4.4.5 CAdES-A profile .14
4.5 XAdES specification .15
4.5.1 General.15
4.5.2 Defined long-term signature profiles .15
4.5.3 Representation of the required level .16
4.5.4 Requirement for XAdES-T .16
4.5.5 Requirement for XAdES-A .18
4.6 PAdES Specification .19
4.6.1 General.19
4.6.2 Defined long term signature profiles .19
4.6.3 Representation of the required level .20
4.6.4 Requirement for PAdES-T .20
4.6.5 Requirement for PAdES-A .23
Annex A (informative) Use cases.24
Bibliography .27
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/ directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www .iso .org/ patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www .iso .org/
iso/ foreword .html.
This document was prepared by Technical Committee ISO/TC 215, Health informatics.
This second edition cancels and replaces the first edition (ISO 17090-4:2014), which has been
technically revised. The main changes compared to the previous edition are as follows:
— update of the reference standard and addition of PAdES definitions.
A list of all parts in the ISO 17090 series can be found on the ISO website.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www .iso .org/ members .html.
iv © ISO 2020 – All rights reserved

Introduction
The healthcare industry is faced with the challenge of reducing costs by moving from paper-based
processes to automated electronic processes. New models of healthcare delivery are emphasizing the
need for patient information to be shared among a growing number of specialist healthcare providers
and across traditional organizational boundaries.
Healthcare information concerning individual citizens is commonly interchanged by means of
electronic mail, remote database access, electronic data interchange, and other applications. The
Internet provides a highly cost-effective and accessible means of interchanging information but it
is also an insecure vehicle that demands additional measures be taken to maintain the privacy and
confidentiality of information. Threats to the security of health information through unauthorized
access (either inadvertent or deliberate) are increasing. It is essential that reliable information security
services that minimize the risk of unauthorized access be available to the healthcare system.
How does the healthcare industry provide appropriate protection for the data conveyed across the
Internet in a practical, cost-effective way? Public Key Infrastructure (PKI) and digital certificate
technology seeks to address this challenge.
The proper deployment of digital certificates requires a blend of technology, policy, and administrative
processes that enable the exchange of sensitive data in an unsecured environment by the use of public
key cryptography to protect information in transit and certificates to confirm the identity of a person
or entity. In healthcare environments, this technology uses authentication, encipherment and digital
signatures to facilitate confidential access to, and movement of, individual health records to meet
both clinical and administrative needs. The services offered by the deployment of digital certificates
(including encipherment, information integrity and digital signatures) are able to address many of
these security issues. This is especially the case if digital certificates are used in conjunction with
an accredited information security standard. Many individual organizations around the world have
started to use digital certificates for this purpose.
Interoperability of digital certificate technology and supporting policies, procedures, and practices
is of fundamental importance if information is to be exchanged between organizations and between
jurisdictions in support of healthcare applications (for example between a hospital and a community
physician working with the same patient).
Achieving interoperability between different digital certificate implementations requires the
establishment of a framework of trust, under which parties responsible for protecting an individual’s
information rights might rely on the policies and practices and, by extension, on the validity of digital
certificates issued by other established authorities.
Many countries are deploying digital certificates to support secure communications within their
national boundaries. Inconsistencies will arise in policies and procedures between the Certification
Authorities (CAs) and the Registration Authorities (RAs) of different countries if standards development
activity is restricted to within national boundaries.
Digital certificate technology is still evolving in certain aspects that are not specific to healthcare.
Important standardization efforts and, in some cases, supporting legislation are ongoing. On the
other hand, healthcare providers in many countries are already using or planning to use digital
certificates. This document seeks to address the need for guidance to support these rapid international
developments.
The Internet is increasingly used as the vehicle of choice to support the movement of healthcare data
between healthcare organizations and is the only realistic choice for cross-border communication in
this sector.
The ISO 17090 series, contributes to defining how digital certificates can be used to provide security
services in the healthcare industry, including authentication, confidentiality, data integrity, and the
technical capacity to support the quality of digital signature.
This document is in line with ISO/ETSI standards for long-term signature formats to improve and
guarantee interoperability in the healthcare field.
There is no limitation regarding the data format and the subject for which the signature is created.
vi © ISO 2020 – All rights reserved

INTERNATIONAL STANDARD ISO 17090-4:2020(E)
Health informatics — Public key infrastructure —
Part 4
...