iTeh StandardsiTeh Standards
EURUSD
Your shopping cart is empty.
SIST

oSIST prEN 13608-2:2006

Health informatics - Security for healthcare communication - Part 2: Secure data objects

Health informatics - Security for healthcare communication - Part 2: Secure data objects

Medizinische Informatik - Sicherheit für die Kommunikation im Gesundheitswesen - Teil 2: Sicherheit für Datenobjekte

Informatique de santé - Sécurité des communications dans le domaine de la santé - Partie 2 : objets de données sécurisés

Zdravstvena informatika – Varnost komuniciranja v zdravstvenem varstvu – 2. del: Varni podatkovni objekti

General Information

Status
Not Published
ICS
35.030 - IT Security
35.240.80 - IT applications in health care technology
Technical Committee
ITC - Information technology
Current Stage
98 - Abandoned project (Adopted Project)
Start Date
18-Jul-2025
Due Date
23-Jul-2025
Ref Project
prEN 13608-2 - Health informatics - Security for healthcare communication - Part 2: Secure data objects

Relations

Revised
SIST ENV 13608-2:2003 - Health informatics - Security for healthcare communication - Part 2: Secure data objects
Effective Date
18-Jan-2023
Revised
SIST ENV 13608-2:2003 - Health informatics - Security for healthcare communication - Part 2: Secure data objects
Effective Date
22-Dec-2008

Buy Standard

prEN 13608-2:2006prEN 13608-2:2006
PreviousNext
Draft
prEN 13608-2:2006
English language
22 pages
sale 10% off
Preview
sale 10% off
Preview
e-Library read for
1 day

Standards Content (Sample)


SLOVENSKI STANDARD
01-februar-2006
Zdravstvena informatika – Varnost komuniciranja v zdravstvenem varstvu – 2. del:
Varni podatkovni objekti
Health informatics - Security for healthcare communication - Part 2: Secure data objects
Medizinische Informatik - Sicherheit für die Kommunikation im Gesundheitswesen - Teil
2: Sicherheit für Datenobjekte
Informatique de santé - Sécurité des communications dans le domaine de la santé -
Partie 2 : objets de données sécurisés
Ta slovenski standard je istoveten z: prEN 13608-2
ICS:
35.240.80 Uporabniške rešitve IT v IT applications in health care
zdravstveni tehniki technology
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

EUROPEAN STANDARD
DRAFT
NORME EUROPÉENNE
EUROPÄISCHE NORM
November 2005
ICS Will supersede ENV 13608-2:2000
English Version
Health informatics - Security for healthcare communication - Part
2: Secure data objects
Informatique de santé - Sécurité des communications dans
le domaine de la santé - Partie 2 : objets de données
sécurisés
This draft European Standard is submitted to CEN members for enquiry. It has been drawn up by the Technical Committee CEN/TC 251.
If this draft becomes a European Standard, CEN members are bound to comply with the CEN/CENELEC Internal Regulations which
stipulate the conditions for giving this European Standard the status of a national standard without any alteration.
This draft European Standard was established by CEN in three official versions (English, French, German). A version in any other language
made by translation under the responsibility of a CEN member into its own language and notified to the Management Centre has the same
status as the official versions.
CEN members are the national standards bodies of Austria, Belgium, Cyprus, Czech Republic, Denmark, Estonia, Finland, France,
Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Slovakia,
Slovenia, Spain, Sweden, Switzerland and United Kingdom.
Recipients of this draft are invited to submit, with their comments, notification of any relevant patent rights of which they are aware and to
provide supporting documentation.
: This document is not a European Standard. It is distributed for review and comments. It is subject to change without notice and
Warning
shall not be referred to as a European Standard.
EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION
EUROPÄISCHES KOMITEE FÜR NORMUNG
Management Centre: rue de Stassart, 36  B-1050 Brussels
© 2005 CEN All rights of exploitation in any form and by any means reserved Ref. No. prEN 13608-2:2005: E
worldwide for CEN national Members.

Contents Page
Foreword.3
Introduction .4
1 Scope .5
2 Normative references .5
3 Terms and definitions .5
4 Symbols and abbreviations .10
5 Requirements for Secure data objects.11
5.1 Overview.11
5.2 Security functions offered .11
5.3 Securing data .12
5.4 Unsecuring data.13
5.5 Approach to providing security functionality.13
5.6 SMTP .13
5.7 X.400.14
5.8 Other e-mail systems .14
6 Cryptographic algorithms for use with S/MIME CMS.14
6.1 DigestAlgorithmIdentifier.14
6.2 SignatureAlgorithmIdentifier .14
6.3 KeyEncryptionAlgorithmIdentifier .14
6.4 Attribute SignerInfo Type.15
6.5 ISO object identifiers.15
6.6 Content encryption algorithms .15
6.7 Digest algorithms.15
6.8 Asymmetric encryption algorithms .15
6.9 Signature algorithms.15
Annex A (informative) Plaintext recovery .16
A.1 Background.16
A.2 Technical description.16
A.3 Key recovery within CMS.17
Annex B (informative) X.400 <<><<>>> SMTP gatewaying .18
B.1 Introduction.18
B.2 Overview.18
B.3 Sequence of gateway transformations.19
Annex C (informative) Security wrapping overview.20
C.1 Overview.20
Annex D (informative) What can be secured ? .21
Bibliography .22

Foreword
This document (prEN 13608-2:2005) has been prepared by Technical Committee CEN/TC 251 “Health
informatics”, the secretariat of which is held by NEN.
This document is currently submitted to the CEN Enquiry.
This document will supersede ENV 13608-2:2000.
EN 13608 consists of the following parts, under the general title Health informatics — Security for Healthcare
Communication (SEC-COM):
 Part 1: Concepts and Terminology
 Part 2: Secure Data Objects
 Part 3: Secure Data Channels
This standard is designed to meet the demands of the Technical Report CEN/TC251/N98-110 Health
Informatics — Framework for security protection of health care communication.
This standard is drafted using the conventions of the ISO/IEC Directive Part 3.
Introduction
The use of data processing and telecommunications in health care must be accompanied by appropriate
security measures to ensure data confidentiality and integrity in compliance with the legal framework,
protecting patients as well as professional accountability and organizational assets. In addition, availability
aspects are important to consider in many systems.
In that sense, the multipart standard prEN 13608 has the intention of explaining and detailing to the healthcare
end user the different alternatives they have to cope with in terms of security measures that might be
implemented to fulfil their security needs and obligations. Incorporated within this is the standardization of
some elements related to the information communication process where they fall within the security domain.
In the continuity of the Framework for security protection of health care communication (CEN/TC251/N98-110),
hereafter denoted the Framework, whose CEN Report aimed at promoting a better understanding of the
security issues in relations to the healthcare IT-communication, this European standard shall aid in producing
systems to enable healthcare professionals and applications to communicate and interact securely and
therefore safely, legitimately, lawfully and precisely.
The multipart standard prEN 13608 is key communication security standard that can be generically applied to
a wide range of communication protocols and information system applications relevant to healthcare, though
they are neither complete nor exhaustive in that respect. This standard must be defined within the context and
scenarios defined by TC251 Work programme, in which the messaging paradigm for information system
interaction is one of the essentials, as was reflected by the Framework.
This Part 2 of the European standard on Security for Healthcare Communication describes how to secure
arbitrary octet strings that may be used in European healthcare. An arbitrary octet string might for example be
an EDIFACT message, a patient record, etc. Securing within the concepts contained within this European
standard include the preservation of data integrity, the preservation of confidentiality and accountability in
terms of authentication of both communicating parties.
This standard does not specify methods related to availability, storage or transportation of data, key
certificates or other infra-structural issues, nor does it cover application security aspects such as user
authentication.
NOTE This standard defines a methodology to secure the octet string to allow it to be transported securely over
insecure networks, independent of the underlying transportation system, e.g. e-mail or EDI system. The standard
encompasses mechanisms for encryption and digital signature, and will allow that these mechanisms are used
independently.
1 Scope
This European standard defines a standard way of securing healthcare objects. The objects are secured in
such a way that they can be transported over open, unsecured networks, or stored in open unsecured
repositories. An application is able to decide whether to apply any combination of encryption and digital
signature to an object.
In general this European standard does not consider the contents of the objects, but can be applied to any
octet string.
This European standard is based on existing security standards.
This European standard does not consider how the actual security is applied to the objects. A security
infrastructure is assumed, which is used for performing the actual security operations.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
ISO 8824, Information technology — Open Systems Interconnection — Specification of Abstract Syntax
Notation One (ASN.1) (Version 2 1991-04-24).
IETF RFC 3852, Internet Engineering Task Force: Cryptographic Message Syntax (CMS).
IETF RFC 3851, Internet Engineering Task Force: S/MIME version 3.1 Message Specification.
ISO 8824-1:1995, Information Technology — Open Systems Interconnection — Specification of Abstract
Syntax Notation One (ASN.1) — Part 1: Specification of the base notation.
PKCS#7, Cryptographic Message Syntax Version 1.5, RFC 2315.
MIXER-BPT, Mapping between CCIT X.400 and RFC-822/MIME Message Bodies, RFC-2157.
CCIT X.400, ITU Data Communication Networks: Message Handling Systems X.400.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
3.1
accountability
the property that ensures that the actions of an entity may be traced uniquely to the entity
[ISO 7498-2]
3.2
asymmetric cryptographic algorithm
an algorithm for performing encipherment or the corresponding decipherment in which the keys used for
encipherment and decipherment differ
[ISO 10181-1]
3.3
authentication
process of reliably identifying security subjects by securely associating an identifier and its authentica
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.

This May Also Interest You

SIST
SIST EN ISO 13606-4:2019(Main)
Health informatics - Electronic health record communication - Part 4: Security (ISO 13606-4:2019)
EN ISO 13606-4:2019

This document describes a methodology for specifying the privileges necessary to access EHR data. This methodology forms part of the overall EHR communications architecture defined in ISO 13606-1.
This document seeks to address those requirements uniquely pertaining to EHR communications and to represent and communicate EHR-specific information that will inform an access decision. It also refers to general security requirements that apply to EHR communications and points at technical solutions and standards that specify details on services meeting these security needs.
NOTE       Security requirements for EHR systems not related to the communication of EHRs are outside the scope of this document.

  • Standard
    40 pages
    English language
    sale 10% off
    e-Library read for
    1 day
  • Standard
    40 pages
    English language
    sale 10% off
    e-Library read for
    1 day
SIST
SIST EN ISO 27799:2017(Main)
Health informatics - Information security management in health using ISO/IEC 27002 (ISO 27799:2016)
EN ISO 27799:2016

ISO 27799:2016 gives guidelines for organizational information security standards and information security management practices including the selection, implementation and management of controls taking into consideration the organization's information security risk environment(s).
It defines guidelines to support the interpretation and implementation in health informatics of ISO/IEC 27002 and is a companion to that International Standard.
ISO 27799:2016 provides implementation guidance for the controls described in ISO/IEC 27002 and supplements them where necessary, so that they can be effectively used for managing health information security. By implementing ISO 27799:2016, healthcare organizations and other custodians of health information will be able to ensure a minimum requisite level of security that is appropriate to their organization's circumstances and that will maintain the confidentiality, integrity and availability of personal health information in their care.
It applies to health information in all its aspects, whatever form the information takes (words and numbers, sound recordings, drawings, video, and medical images), whatever means are used to store it (printing or writing on paper or storage electronically), and whatever means are used to transmit it (by hand, through fax, over computer networks, or by post), as the information is always be appropriately protected.
ISO 27799:2016 and ISO/IEC 27002 taken together define what is required in terms of information security in healthcare, they do not define how these requirements are to be met. That is to say, to the fullest extent possible, ISO 27799:2016 is technology-neutral. Neutrality with respect to implementing technologies is an important feature. Security technology is still undergoing rapid development and the pace of that change is now measured in months rather than years. By contrast, while subject to periodic review, International Standards are expected on the whole to remain valid for years. Just as importantly, technological neutrality leaves vendors and service providers free to suggest new or developing technologies that meet the necessary requirements that ISO 27799:2016 describes.
As noted in the introduction, familiarity with ISO/IEC 27002 is indispensable to an understanding of ISO 27799:2016.
The following areas of information security are outside the scope of ISO 27799:2016:
a)   methodologies and statistical tests for effective anonymization of personal health information;
b)   methodologies for pseudonymization of personal health information (see Bibliography for a brief description of a Technical Specification that deals specifically with this topic);
c)   network quality of service and methods for measuring availability of networks used for health informatics;
d)   data quality (as distinct from data integrity).

  • Standard
    114 pages
    English language
    sale 10% off
    e-Library read for
    1 day
SIST
SIST-TS CEN ISO/TS 14441:2014(Main)
Health informatics - Security and privacy requirements of EHR systems for use in conformity assessment (ISO/TS 14441:2013)
CEN ISO/TS 14441:2013

ISO/TS 14441:2013 examines electronic patient record systems at the clinical point of care that are also interoperable with EHRs. ISO/TS 14441:2013 addresses their security and privacy protections by providing a set of security and privacy requirements, along with guidelines and best practice for conformity assessment.
ISO/TS 14441:2013 includes a cross-mapping of 82 security and privacy requirements against the Common Criteria categories in ISO/IEC 15408 (all parts).

  • Technical specification
    122 pages
    English language
    sale 10% off
    e-Library read for
    1 day
SIST
SIST-TP CEN/TR 15300:2006(Main)
Health informatics - Framework for formal modelling of healthcare security policies
CEN/TR 15300:2006

This CEN report specifies the starting point for working on some formalising tools that could be used by the healthcare actors to express, compare and validate local and/or network security policies.
Defining and validating a correct security policy encompass different activities such as expressing correctly
(i.e. without any ambiguity), formulating correctly (i.e. without any misinterpretation) and proving the correctness (i.e. without known failures or major lack) of the [to be formally modelled] security policy.
This CEN report does NOT intend at all to specify a UNIQUE or UNIVERSAL formal model that need to be used by the European healthcare community: it only indicates, as a first working step, some ways that could be followed to help that healthcare community to correctly and fruitfully manipulate the security policy concept(s) and the formal modelling techniques.
This CEN report does NOT intend to indicate an EXHAUSTIVE spectrum of all the published formal security policy models: it only gives a readable and understandable flavour of the most well-known formal models and also of the [maybe] most interesting ones from the healthcare activity and needs point of view. This CEN report is, in this very first version, divided in five parts:
o   Part #1 - Introduction to formal modelling: this clause summarises and justifies the following needs:
i.   need for policies, in general and for any context;
ii.   need for security policies, in any data processing context;
iii.   need for models (or modelling facilities) of security policies, in some generic system environments;
iv.   need for formal models (or formal modelling facilities) of security policies, in some sensitive areas;
v.   need for healthcare-oriented formal models of security policies, specialized to healthcare specificities.
o   Part #2 - Historical security policies and models: this clause explains and introduces the main objectives and concepts of the security policy modelling activity that seems to be of

  • Technical report
    33 pages
    English language
    sale 10% off
    e-Library read for
    1 day
SIST
SIST EN 12251:2005(Main)
Health informatics - Secure User Identification for Health Care - Management and Security of Authentication by Passwords
EN 12251:2004

This document is designed to improve the authentication of individual users of health care IT systems, by strengthening the automatic software procedures associated with the management of user identifiers and passwords, without resorting to additional hardware facilities.
This document applies to all information systems (hereafter called systems) within the health care environment that handle or store sensitive person identifiable health information, using passwords as the only means of authenticating the entered user identifier, i.e., verifying the claimed identity of a user. Systems that fall within the scope of this document include for example electronic patient record systems, patient administrative systems and laboratory systems, containing personal health information.
This document does not apply to systems outside the health care environment. Neither does it apply to systems within the health care environment that use other means of identification and authentication, such as smart cards, biometric methods or other technical facilities.

  • Standard
    13 pages
    English language
    sale 10% off
    e-Library read for
    1 day
SIST
SIST EN 14484:2004(Main)
Health informatics - International transfer of personal health data covered by the EU data protection directive - High level security policy
EN 14484:2003

This item will provide guidance on the data protection policy which should be implemented by organisations which are participants in international applications which involve transfer of person identifiable data across national borders and which require compliance with the EU Data Protection Directive.

  • Standard
    55 pages
    English language
    sale 10% off
    e-Library read for
    1 day
SIST
oSIST prEN 13608-3:2006
Health informatics - Security for healthcare communication - Part 3: Secure data channels
prEN 13608-3
  • Draft
    23 pages
    English language
    sale 10% off
    e-Library read for
    1 day
SIST
oSIST prEN ISO 27799:2025(Main)
Health informatics - Information security management in health using ISO/IEC 27002 (ISO/DIS 27799:2025)
prEN ISO 27799

ISO 27799:2016 gives guidelines for organizational information security standards and information security management practices including the selection, implementation and management of controls taking into consideration the organization's information security risk environment(s).
It defines guidelines to support the interpretation and implementation in health informatics of ISO/IEC 27002 and is a companion to that International Standard.
ISO 27799:2016 provides implementation guidance for the controls described in ISO/IEC 27002 and supplements them where necessary, so that they can be effectively used for managing health information security. By implementing ISO 27799:2016, healthcare organizations and other custodians of health information will be able to ensure a minimum requisite level of security that is appropriate to their organization's circumstances and that will maintain the confidentiality, integrity and availability of personal health information in their care.
It applies to health information in all its aspects, whatever form the information takes (words and numbers, sound recordings, drawings, video, and medical images), whatever means are used to store it (printing or writing on paper or storage electronically), and whatever means are used to transmit it (by hand, through fax, over computer networks, or by post), as the information is always be appropriately protected.
ISO 27799:2016 and ISO/IEC 27002 taken together define what is required in terms of information security in healthcare, they do not define how these requirements are to be met. That is to say, to the fullest extent possible, ISO 27799:2016 is technology-neutral. Neutrality with respect to implementing technologies is an important feature. Security technology is still undergoing rapid development and the pace of that change is now measured in months rather than years. By contrast, while subject to periodic review, International Standards are expected on the whole to remain valid for years. Just as importantly, technological neutrality leaves vendors and service providers free to suggest new or developing technologies that meet the necessary requirements that ISO 27799:2016 describes.
As noted in the introduction, familiarity with ISO/IEC 27002 is indispensable to an understanding of ISO 27799:2016.
The following areas of information security are outside the scope of ISO 27799:2016:
a) methodologies and statistical tests for effective anonymization of personal health information;
b) methodologies for pseudonymization of personal health information (see Bibliography for a brief description of a Technical Specification that deals specifically with this topic);
c) network quality of service and methods for measuring availability of networks used for health informatics;
d) data quality (as distinct from data integrity).

  • Draft
    82 pages
    English language
    sale 10% off
    e-Library read for
    1 day
SIST
oSIST prEN 13608-1:2006
Health informatics - Security for healthcare communication - Part 1: Concepts and terminology
prEN 13608-1
  • Draft
    85 pages
    English language
    sale 10% off
    e-Library read for
    1 day
SIST
SIST EN IEC 81001-5-1:2022(Main)
Health software and health IT systems safety, effectiveness and security - Part 5-1: Security - Activities in the product life cycle (IEC 81001-5-1:2021)
EN IEC 81001-5-1:2022

This document defines the LIFE CYCLE requirements for development and maintenance of HEALTH SOFTWARE needed to support conformance to IEC 62443-4-1[11] – taking the specific needs for HEALTH SOFTWARE into account. The set of PROCESSES, ACTIVITIES, and TASKS described in this document establishes a common framework for secure HEALTH SOFTWARE LIFE CYCLE PROCESSES. An informal overview of activities for HEALTH SOFTWARE is shown in Figure 2.
[Figure 2]
[derived from IEC 62304:2006[8], Figure 2]
Figure 2 - HEALTH SOFTWARE LIFE CYCLE PROCESSES
The purpose is to increase the CYBERSECURITY of HEALTH SOFTWARE by establishing certain ACTIVITIES and TASKS in the HEALTH SOFTWARE LIFE CYCLE PROCESSES and also by increasing the SECURITY of SOFTWARE LIFE CYCLE PROCESSES themselves.
It is important to maintain an appropriate balance of the key properties SAFETY, effectiveness and SECURITY as discussed in ISO 81001-1[17].
This document excludes specification of ACCOMPANYING DOCUMENTATION contents.

  • Standard
    59 pages
    English language
    sale 10% off
    e-Library read for
    1 day