EN ISO 27789:2021
Health informatics - Audit trails for electronic health records (ISO 27789:2021)
This document specifies a common framework for audit trails for electronic health records (EHR), in terms of audit trigger events and audit data, to keep the complete set of personal health information auditable across information systems and domains.
It is applicable to systems processing personal health information that create a secure audit record each time a user reads, creates, updates, or archives personal health information via the system.
NOTE Such audit records at a minimum uniquely identify the user, uniquely identify the subject of care, identify the function performed by the user (record creation, read, update, etc.), and record the date and time at which the function was performed.
This document covers only actions performed on the EHR, which are governed by the access policy of the domain where the electronic health record resides. It does not deal with any personal health information from the electronic health record other than identifiers; the audit record contains only links to EHR segments as defined by the governing access policy.
It does not cover the specification and use of audit logs for system management and system security purposes, such as the detection of performance problems or application flaws, or support for the reconstruction of data; these are dealt with by general computer security standards such as ISO/IEC 15408 (all parts) [9].
Annex A gives examples of audit scenarios. Annex B gives an overview of audit log services.
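The following is an added example, not text or code from ISO 27789 and not from any product, showing what a record that carries only the minimum content named above (user, subject of care, function performed, date and time) looks like in code, with identifiers and links to EHR segments but no clinical content, and one way to make such records "secure" in the sense of tamper-evident: each record is hash-chained to its predecessor, so an after-the-fact edit of stored audit data is detectable. It also shows the query a subject of care exercising their rights would ask for (who accessed my record, when, doing what). The field names follow the clause 7 headings in the contents listing further down this page; the C/R/U/D/E action letters, the 0 = success outcome encoding, the hash chain itself and all sample identifiers are this example's assumptions.

```python
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass, replace
from datetime import datetime

# Event action codes; the letters C/R/U/D/E (create, read, update, delete, execute)
# are this example's assumption, not taken from the standard text on this page.
ACTION_CODES = {"C", "R", "U", "D", "E"}
# The four elements the abstract names as the minimum content of every audit record.
MINIMUM_FIELDS = ("user_id", "subject_of_care_id", "event_action_code", "event_datetime")


@dataclass(frozen=True)
class AuditRecord:
    """One audit record: identifiers and links only, no clinical content."""
    event_id: str                 # 7.2.1 what kind of event this is
    event_action_code: str        # 7.2.2 one of ACTION_CODES
    event_datetime: str           # 7.2.3 ISO 8601 with UTC offset
    event_outcome: int            # 7.2.4 0 = success, non-zero = failure (assumed encoding)
    user_id: str                  # 7.3.1 uniquely identifies the user
    role_id_code: str             # 7.3.5
    purpose_of_use: str           # 7.3.6
    network_access_point_id: str  # 7.4.2 where the request came from
    audit_source_id: str          # 7.5.3 which system wrote the record
    subject_of_care_id: str       # 7.6 participant object: the patient, by identifier only
    ehr_segment_ref: str          # link to the EHR segment touched, never its content
    prev_hash: str                # hash of the preceding record (chain link)
    record_hash: str              # SHA-256 over prev_hash and all fields above


def _digest(prev_hash: str, fields: dict) -> str:
    """Canonical JSON of the record fields, chained to the previous record's hash."""
    body = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


class AuditLog:
    """Append-only in-memory log; a deployment would back this with WORM storage."""

    def __init__(self) -> None:
        self.records: list[AuditRecord] = []

    def append(self, **fields) -> AuditRecord:
        missing = [f for f in MINIMUM_FIELDS if not fields.get(f)]
        if missing:
            raise ValueError(f"audit record lacks minimum content: {missing}")
        if fields["event_action_code"] not in ACTION_CODES:
            raise ValueError(f"unknown event action code {fields['event_action_code']!r}")
        # Records are compared across systems and domains, so the timestamp must carry its offset.
        if datetime.fromisoformat(fields["event_datetime"]).utcoffset() is None:
            raise ValueError("event_datetime must include a UTC offset")
        prev = self.records[-1].record_hash if self.records else ""
        rec = AuditRecord(**fields, prev_hash=prev, record_hash=_digest(prev, fields))
        self.records.append(rec)
        return rec

    def first_broken_link(self) -> int:
        """Index of the first record whose chain link or hash no longer verifies; -1 if intact."""
        prev = ""
        for i, rec in enumerate(self.records):
            fields = {k: v for k, v in asdict(rec).items() if k not in ("prev_hash", "record_hash")}
            if rec.prev_hash != prev or rec.record_hash != _digest(prev, fields):
                return i
            prev = rec.record_hash
        return -1

    def accesses_to(self, subject_of_care_id: str) -> list[tuple[str, str, str]]:
        """(when, who, action) for one patient: what a subject of care asking about access gets."""
        return [(r.event_datetime, r.user_id, r.event_action_code)
                for r in self.records if r.subject_of_care_id == subject_of_care_id]


def tamper(log: AuditLog, index: int, **changes) -> None:
    """Simulate an after-the-fact edit of stored audit data that does not recompute the hash."""
    log.records[index] = replace(log.records[index], **changes)


def build_sample_log() -> AuditLog:
    """Constructed sample events (not real data): a physician reads then updates one patient's
    record, then a clerk reads another patient's record from a different workstation."""
    log = AuditLog()
    shared = dict(event_id="ehr-record-access", audit_source_id="ehr-app-01", event_outcome=0)
    log.append(event_action_code="R", event_datetime="2021-10-05T08:15:00+00:00",
               user_id="dr.smith", role_id_code="physician", purpose_of_use="treatment",
               network_access_point_id="ws-icu-03", subject_of_care_id="pat-0001",
               ehr_segment_ref="ehr://pat-0001/encounters/2021-10-05", **shared)
    log.append(event_action_code="U", event_datetime="2021-10-05T08:22:10+00:00",
               user_id="dr.smith", role_id_code="physician", purpose_of_use="treatment",
               network_access_point_id="ws-icu-03", subject_of_care_id="pat-0001",
               ehr_segment_ref="ehr://pat-0001/encounters/2021-10-05/notes", **shared)
    log.append(event_action_code="R", event_datetime="2021-10-05T09:01:45+00:00",
               user_id="clerk.jones", role_id_code="admissions-clerk", purpose_of_use="billing",
               network_access_point_id="ws-front-desk-01", subject_of_care_id="pat-0002",
               ehr_segment_ref="ehr://pat-0002/demographics", **shared)
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.first_broken_link() == -1)
    print("accesses to pat-0001:", log.accesses_to("pat-0001"))
    tamper(log, 1, user_id="someone.else")
    print("first broken record after tampering:", log.first_broken_link())
```

The chain only detects modification; it does not by itself prevent deletion of the tail of the log or replacement of the whole chain, which is why the stored hashes (or periodic anchors of the latest hash) need to live somewhere the EHR system's own administrators cannot rewrite.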
German title: Medizinische Informatik - Audit-Trails für elektronische Gesundheitsakten (ISO 27789:2021)
French title: Informatique de santé - Historique d'expertise des dossiers de santé informatisés (ISO 27789:2021)
Slovenian title: Zdravstvena informatika - Revizijske sledi za elektronske zdravstvene zapise (ISO 27789:2021)
Standards Content (Sample)
SLOVENIAN STANDARD
1 December 2021
Supersedes: SIST EN ISO 27789:2013
Health informatics - Audit trails for electronic health records (ISO 27789:2021)
Slovenian title: Zdravstvena informatika - Revizijske sledi za elektronske zdravstvene zapise (ISO 27789:2021)
German title: Medizinische Informatik - Audit-Trails für elektronische Gesundheitsakten (ISO 27789:2021)
French title: Informatique de santé - Historique d'expertise des dossiers de santé informatisés (ISO 27789:2021)
This Slovenian standard is identical to: EN ISO 27789:2021
ICS: 35.240.80 IT applications in health care technology
2003-01. Slovenian Institute for Standardization. Reproduction of the whole or parts of this standard is not permitted.
EN ISO 27789
EUROPEAN STANDARD
NORME EUROPÉENNE
October 2021
EUROPÄISCHE NORM
ICS 35.240.80 Supersedes EN ISO 27789:2013
English Version
Health informatics - Audit trails for electronic health records (ISO 27789:2021)
French title: Informatique de santé - Historique d'expertise des dossiers de santé informatisés (ISO 27789:2021)
German title: Medizinische Informatik - Audit-Trails für elektronische Gesundheitsakten (ISO 27789:2021)
This European Standard was approved by CEN on 15 August 2021.
CEN members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to any CEN member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by translation under the responsibility of a CEN member into its own language and notified to the CEN-CENELEC Management Centre has the same status as the official versions.
CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom.
EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION
EUROPÄISCHES KOMITEE FÜR NORMUNG
CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels
© 2021 CEN. All rights of exploitation in any form and by any means reserved worldwide for CEN national Members.
Ref. No. EN ISO 27789:2021 E
Contents
European foreword
European foreword
This document (EN ISO 27789:2021) has been prepared by Technical Committee ISO/TC 215 "Health informatics" in collaboration with Technical Committee CEN/TC 251 "Health informatics", the secretariat of which is held by NEN.
This European Standard shall be given the status of a national standard, either by publication of an identical text or by endorsement, at the latest by April 2022, and conflicting national standards shall be withdrawn at the latest by April 2022.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. CEN shall not be held responsible for identifying any or all such patent rights.
This document supersedes EN ISO 27789:2013.
Any feedback and questions on this document should be directed to the users' national standards body/national committee. A complete listing of these bodies can be found on the CEN website.
According to the CEN-CENELEC Internal Regulations, the national standards organizations of the following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the United Kingdom.
Endorsement notice
The text of ISO 27789:2021 has been approved by CEN as EN ISO 27789:2021 without any modification.
INTERNATIONAL STANDARD ISO 27789
Second edition
2021-10
Health informatics — Audit trails for electronic health records
French title: Informatique de santé — Historique d'expertise des dossiers de santé informatisés
Reference number
ISO 27789:2021(E)
© ISO 2021
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviated terms
5 Requirements and uses of audit data
5.1 Ethical and formal requirements
5.1.1 General
5.1.2 Access policy
5.1.3 Unambiguous identification of information system users
5.1.4 User roles
5.1.5 Secure audit records
5.2 Uses of audit data
5.2.1 Governance and supervision
5.2.2 Subjects of care exercising their rights
5.2.3 Evidence and retention requirements
6 Trigger events
6.1 General
6.2 Details of the event types and their contents
6.2.1 Access events to the personal health information
6.2.2 Query events to the personal health information
7 Audit record details
7.1 The general record format
7.2 Trigger event identification
7.2.1 Event ID
7.2.2 Event action code
7.2.3 Event date and time
7.2.4 Event outcome indicator
7.2.5 Event type code
7.3 User identification
7.3.1 User ID
7.3.2 Alternative user ID
7.3.3 User name
7.3.4 User is requestor
7.3.5 Role ID code
7.3.6 Purpose of use
7.4 Access point identification
7.4.1 Network access point type code
7.4.2 Network access point ID
7.5 Audit source identification
7.5.1 Overview
7.5.2 Audit enterprise site ID
7.5.3 Audit source ID
7.5.4 Audit source type code
7.6 Participant object identification
7.6.1 Overview
7.6.2 Participant object type code
...