ISO 17090-1:2008

INTERNATIONAL ISO
STANDARD 17090-1
First edition
2008-02-15
Health informatics — Public key
infrastructure —
Part 1:
Overview of digital certificate services
Informatique de santé — Infrastructure de clé publique —
Partie 1: Vue d'ensemble des services de certificat numérique

Reference number
©
ISO 2008
PDF disclaimer
This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but
shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In
downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat
accepts no liability in this area.
Adobe is a trademark of Adobe Systems Incorporated.
Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation
parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In
the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below.

©  ISO 2008
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO 2008 – All rights reserved

Contents Page
Foreword. iv
Introduction . v
1 Scope . 1
2 Normative references . 1
3 Terms and definitions. 2
3.1 Healthcare context terms. 2
3.2 Security services terms . 3
3.3 Public key infrastructure related terms. 6
4 Abbreviations . 9
5 Healthcare context. 10
5.1 Certificate holders and relying parties in healthcare. 10
5.2 Examples of actors. 10
5.3 Applicability of digital certificates to healthcare.12
6 Requirements for security services in healthcare applications . 12
6.1 Healthcare characteristics . 12
6.2 Digital certificate technical requirements in healthcare . 13
6.3 Separation of authentication from encipherment . 14
6.4 Health industry security management framework for digital certificates. 15
6.5 Policy requirements for digital certificate issuance and use in healthcare . 15
7 Public key cryptography . 15
7.1 Symmetric vs asymmetric cryptography . 15
7.2 Digital certificates. 16
7.3 Digital signatures. 16
7.4 Protecting the private key. 16
8 Deploying digital certificates. 17
8.1 Necessary components . 17
8.2 Establishing identity using qualified certificates . 18
8.3 Establishing speciality and roles using identity certificates . 19
8.4 Using attribute certificates for authorization and access control . 20
9 Interoperability requirements . 20
9.1 Overview . 20
9.2 Options for deploying healthcare digital certificates across jurisdictions . 21
9.3 Option usage . 22
Annex A (informative) Scenarios for the use of digital certificates in healthcare. 23
Bibliography . 35

Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies
(ISO member bodies). The work of preparing International Standards is normally carried out through ISO
technical committees. Each member body interested in a subject for which a technical committee has been
established has the right to be represented on that committee. International organizations, governmental and
non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the
International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of technical committees is to prepare International Standards. Draft International Standards
adopted by the technical committees are circulated to the member bodies for voting. Publication as an
International Standard requires approval by at least 75 % of the member bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO shall not be held responsible for identifying any or all such patent rights.
ISO 17090-1 was prepared by Technical Committee ISO/TC 215, Health informatics.
This first edition cancels and replaces the Technical Specification (ISO/TS 17090-1:2002), which has been
revised and brought to the status of International Standard.
ISO 17090 consists of the following parts, under the general title Health informatics — Public key
infrastructure:
⎯ Part 1: Overview of digital certificate services
⎯ Part 2: Certificate profile
⎯ Part 3: Policy management of certification authority
iv © ISO 2008 – All rights reserved

Introduction
The healthcare industry is faced with the challenge of reducing costs by moving from paper-based processes
to automated electronic processes. New models of healthcare delivery are emphasizing the need for patient
information to be shared among a growing number of specialist healthcare providers and across traditional
organizational boundaries.
Healthcare information concerning individual citizens is commonly interchanged by means of electronic mail,
remote database access, electronic data interchange and other applications. The Internet provides a highly
cost-effective and accessible means of interchanging information, but it is also an insecure vehicle that
demands additional measures be taken to maintain the privacy and confidentiality of information. Threats to
the security of health information through unauthorized access (either inadvertent or deliberate) are increasing.
It is essential to have available to the healthcare system, reliable information security services that minimize
the risk of unauthorized access.
How does the healthcare industry provide appropriate protection for the data conveyed across the Internet in a
practical, cost-effective way? Public key infrastructure (PKI) and digital certificate technology seek to address
this challenge.
The proper deployment of digital certificates requires a blend of technology, policy and administrative
processes that enable the exchange of sensitive data in an unsecured environment by the use of “public key
cryptography” to protect information in transit and “certificates” to confirm the identity of a person or entity. In
healthcare environments, this technology uses authentication, encipherment and digital signatures to facilitate
confidential access to, and movement of, individual health records to meet both clinical and administrative
needs. The services offered by the deployment of digital certificates (including encipherment, information
integrity and digital signatures) are able to address many of these security issues. This is especially the case if
digital certificates are used in conjunction with an accredited information security standard. Many individual
organizations around the world have started to use digital certificates for this purpose.
Interoperability of digital certificate technology and supporting policies, procedures and practices is of
fundamental importance if information is to be exchanged between organizations and between jurisdictions in
support of healthcare applications (for example between a hospital and a community physician working with
the same patient).
Achieving interoperability between different digital certificate implementations requires the establishment of a
framework of trust, under which parties responsible for protecting an individual’s information rights may rely on
the policies and practices and, by extension, the validity of digital certificates issued by other established
authorities.
Many countries are deploying digital certificates to support secure communications within their national
boundaries. Inconsistencies will arise in policies and procedures between the certification authorities (CAs)
and the registration authorities (RAs) of different countries if standards development activity is restricted to
within national boundaries.
Digital certificate technology is still evolving in certain aspects that are not specific to healthcare. Important
standardization efforts and, in some cases, supporting legislation are ongoing. On the other hand, healthcare
providers in many countries are already using or planning to use digital certificates. ISO 17090 seeks to
address the need for guidance of these rapid international developments.
ISO 17090 describes the common technical, operational and policy requirements that need to be addressed to
enable digital certificates to be used in protecting the exchange of healthcare information within a single
domain, between domains and across jurisdictional boundaries. Its purpose is to create a platform for global
interoperability. It specifically supports digital certificate-enabled communication across borders, but could
also provide guidance for the national or regional deployment of digital certificates in healthcare. The Internet
is increasingly used as the vehicle of choice to support the movement of healthcare data between healthcare
organizations and is the only realistic choice for cross-border communication in this sector.
ISO 17090 should be approached as a whole, with the three parts all making a contribution to defining how
digital certificates can be used to provide security services in the health industry, including authentication,
confidentiality, data integrity and the technical capacity to support the quality of digital signature.
This part of ISO 17090 defines the basic concepts underlying the use of digital certificates in healthcare and
provides a scheme of interoperability requirements to establish digital certificate-enabled secure
communication of health information.
ISO 17090-2 provides healthcare-specific profiles of digital certificates based on the international standard
X.509 and the profile of this, specified in IETF/RFC 3280 for different types of certificates.
ISO 17090-3 deals with management issues involved in implementing and using digital certificates in
healthcare. It defines a structure and minimum requirements for certificate policies (CPs) and a structure for
associated certification practice statements. ISO 17090-3 is based on the recommendations of the
informational IETF/RFC 3647, and identifies the principles needed in a healthcare security policy for cross
border communication. It also defines the minimum levels of security required, concentrating on the aspects
unique to healthcare.
Comments on the content of this document, as well as comments, suggestions and information on the
application of these standards, may be forwarded to the ISO/TC 215 secretariat at adickerson@himss.org or
WG4 convenor, Ross Fraser, and WG4 secretariat at w4consec@medis.or.jp.

vi © ISO 2008 – All rights reserved

INTERNATIONAL STANDARD ISO 17090-1:2008(E)

Health informatics — Public key infrastructure —
Part 1:
Overview of digital certificate services
1 Scope
This part of ISO 17090 defines the basic concepts underlying use of digital certificates in healthcare and
provides a scheme of interoperability requirements to establish a digital certificate-enabled secure
communication of health information. It also identifies the major stakeholders who are communicating health-
related information, as well as the main security services required for health communication where digital
certificates may be required.
This part of ISO 17090 gives a brief introduction to public key cryptography and the basic components needed
to deploy digital certificates in healthcare. It further introduces different types of digital certificate — identity
certificates and associated attribute certificates for relying parties, self-signed certification authority (CA)
certificates, and CA hierarchies and bridging structures.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
ISO 17090-2, Health informatics — Public key infrastructure — Part 2: Certificate profile
ISO 17090-3:2008, Health informatics — Public key infrastructure — Part 3: Policy management of
certification authority
ISO/IEC 27002, Information technology — Security techniques — Code of practice for information security
management
IETF/RFC 3126, Electronic Signature Formats for long term electronic signatures
IETF/RFC 3161, Internet X.509 Public Key Infrastructure Time-Stamp Protocol (TSP)
IETF/RFC 3281, An Internet Attribute Certificate Profile for Authorization
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
3.1 Healthcare context terms
3.1.1
application
identifiable computer running software process that is the holder of a private encipherment key
NOTE 1 Application, in this context, can be any software process used in healthcare information systems including
those without any direct role in treatment or diagnosis.
NOTE 2 In some jurisdictions, including software, processes can be regulated medical devices.
3.1.2
device
identifiable computer-controlled apparatus or instrument that is the holder of a private key
NOTE 1 This includes the class of regulated medical devices that meet the above definition.
NOTE 2 Device, in this context, is any device used in healthcare information systems, including those without any
direct role in treatment or diagnosis.
3.1.3
healthcare actor
regulated health professional, non-regulated health professional, sponsored healthcare provider, supporting
organization employee, patient/consumer, healthcare organization, device or application that acts in a health-
related communication and requires a certificate for a digital certificate-enabled security service
3.1.4
healthcare organization
officially registered organization that has a main activity related to healthcare services or health promotion
EXAMPLES Hospitals, Internet healthcare web site providers and healthcare research institutions.
NOTE 1 The organization is recognized to be legally liable for its activities but need not be registered for its specific
role in health.
NOTE 2 An internal part of an organization is called here an organizational unit, as in X.501.
3.1.5
non-regulated health professional
person employed by a healthcare organization, but who is not a regulated health professional
EXAMPLES Medical receptionist who organizes appointments or nurses' aid who assists with patient care.
NOTE The fact that the employee is not authorized by a body independent of the employer in his professional
capacity does not, of course, imply that the employee is not professional in conducting his services.
3.1.6
patient
consumer
person who is the receiver of health-related services and who is an actor in a health information system
3.1.7
privacy
freedom from intrusion into the private life or affairs of an individual when that intrusion results from undue or
illegal gathering and use of data about that individual
[ISO/IEC 2382-8:1998, definition 08.01.23]
2 © ISO 2008 – All rights reserved

3.1.8
regulated health professional
person who is authorized by a nationally recognized body to be qualified to perform certain health services
EXAMPLES Physicians, registered nurses and pharmacists.
NOTE 1 The types of registering or accrediting bodies differ in different countries and for different professions.
Nationally recognized bodies include local or regional governmental agencies, independent professional associations and
other formally and nationally recognized organizations. They may be exclusive or non-exclusive in their territory.
NOTE 2 A nationally recognized body in this definition does not imply one nationally controlled system of professional
registration but, in order to facilitate international communication, it would be preferable for one nationwide directory of
recognized health professional registration bodies to exist.
3.1.9
sponsored healthcare provider
health services provider who is not a regulated health professional in the jurisdiction of his/her practice, but
who is active in his/her healthcare community and sponsored by a regulated healthcare organization
EXAMPLES A drug and alcohol education officer who is working with a particular ethnic group, or a healthcare aid
worker in a developing country.
3.1.10
supporting organization
officially registered organization that is providing services to a healthcare organization, but which is not
providing healthcare services
EXAMPLES Healthcare financing bodies such as insurance institutions, suppliers of pharmaceuticals and other goods.
3.1.11
supporting organization employee
person employed by a healthcare organization or a supporting organization
EXAMPLES Medical records transcriptionists, healthcare insurance claims adjudicators and pharmaceutical order
entry clerks.
3.2 Security services terms
3.2.1
access control
means of ensuring that the resources of a data processing system can be accessed only by authorized
entities in authorized ways
[ISO/IEC 2382-8:1998, definition 08.04.01]
3.2.2
accountability
property that ensures that the actions of an entity may be traced uniquely to the entity
[ISO 7498-2:1989, definition 3.3.3]
3.2.3
asymmetric cryptographic algorithm
algorithm for performing encipherment or the corresponding decipherment in which the keys used for
encipherment and decipherment differ
[ISO/IEC 10181-1:1996, definition 3.3.1]
3.2.4
authentication
process of reliably identifying security subjects by securely associating an identifier and its authenticator
NOTE See also data origin authentication.
3.2.5
authorization
granting of rights, which includes the granting of access based on access rights
[ISO 7498-2:1989, definition 3.3.10]
3.2.6
availability
property of being accessible and useable upon demand by an authorized entity
[ISO 7498-2:1989, definition 3.3.11]
3.2.7
ciphertext
data produced through the use of encipherment, the semantic content of which is not available
NOTE Adapted from ISO 7498-2:1989.
3.2.8
confidentiality
property that information is not made available or disclosed to unauthorized individuals, entities or processes
[ISO 7498-2:1989, definition 3.3.16]
3.2.9
cryptography
discipline that embodies principles, means and methods for the transformation of data in order to hide its
information content, prevent its undetected modification and/or prevent its unauthorized use
[ISO 7498-2:1989, definition 3.3.20]
3.2.10
cryptographic algorithm
cipher
method for the transformation of data in order to hide its information content, prevent its undetected
modification and/or prevent its unauthorized use
3.2.11
data integrity
property that data have not been altered or destroyed in an unauthorized manner
[ISO 7498-2:1989, definition 3.3.21]
3.2.12
data origin authentication
corroboration that the source of data received is as claimed
[ISO 7498-2:1989, definition 3.3.22]
4 © ISO 2008 – All rights reserved

3.2.13
decipherment
decryption
process of obtaining, from a ciphertext, the original corresponding data
[ISO/IEC 2382-8:1998, definition 08.03.04]
NOTE A ciphertext can be enciphered a second time, in which case a single decipherment does not produce the
original plain text.
3.2.14
digital signature
data appended to, or cryptographic transformation of, a data unit that allows a recipient of the data unit to
prove the source and integrity of the data unit and protect against forgery, e.g. by the recipient
[ISO 7498-2:1989, definition 3.3.26]
NOTE See cryptography.
3.2.15
encipherment
encryption
cryptographic transformation of data to produce ciphertext
[ISO 7498-2:1989, definition 3.3.27]
NOTE See cryptography.
3.2.16
identification
performance of tests to enable a data processing system to recognize entities
[ISO/IEC 2382-8:1998, definition 08.04.12]
3.2.17
identifier
piece of information used to claim an identity, before a potential corroboration by a corresponding
authenticator
[ENV 13608-1]
3.2.18
integrity
proof that the message content has not been altered, deliberately or accidentally, in any way during
transmission
NOTE Adapted from ISO 7498-2:1989.
3.2.19
key
sequence of symbols that controls the operations of encipherment and decipherment
[ISO 7498-2:1989, definition 3.3.32]
3.2.20
key management
generation, storage, distribution, deletion, archiving and application of keys in accordance with a security
policy
[ISO 7498-2:1989, definition 3.3.33]
3.2.21
non-repudiation
service providing proof of the integrity and origin of data (both in an unforgeable relationship), which can be
verified by any party
3.2.22
private key
key that is used with an asymmetric cryptographic algorithm and whose possession is restricted (usually to
only one entity)
[ISO/IEC 10181-1:1996, definition 3.3.10]
3.2.23
public key
key that is used with an asymmetric cryptographic algorithm and that can be made publicly available
[ISO/IEC 10181-1:1996, definition 3.3.11]
3.2.24
role
set of behaviours that is associated with a task
3.2.25
security
combination of availability, confidentiality, integrity and accountability
[ENV 13608-1]
3.2.26
security policy
plan or course of action adopted for providing computer security
[ISO/IEC 2382-8:1998, definition 08.01.06]
3.2.27
security service
service, provided by a layer of communicating open systems, which ensures adequate security of the systems
or of data transfers
[ISO 7498-2:1989, definiton 3.3.51]
3.3 Public key infrastructure related terms
3.3.1
attribute authority
AA
authority that assigns privileges by issuing attribute certificates
3.3.2
attribute certificate
data structure, digitally signed by an attribute authority, that binds some attribute values with identification
about its holder
6 © ISO 2008 – All rights reserved

3.3.3
authority certificate
certificate issued to a certification authority or to an attribute authority
3.3.4
certificate
public key certificate
3.3.5
certificate distribution
act of publishing certificates and transferring certificates to security subjects
3.3.6
certificate extension
extension fields (known as extensions) in X.509 certificates which provide methods for associating additional
attributes with users or public keys and for managing the certification hierarchy
NOTE Certificate extensions can be either critical (i.e. a certificate-using system has to reject the certificate if it
encounters a critical extension it does not recognise) or non-critical (i.e. it can be ignored if the extension is not
recognised).
3.3.7
certificate generation
act of creating certificates
3.3.8
certificate management
procedures relating to certificates, i.e. certificate generation, certificate distribution, certificate archiving and
revocation
3.3.9
certificate profile
specification of the structure and permissible content of a certificate type
3.3.10
certificate revocation
act of removing any reliable link between a certificate and its related owner (or security subject owner)
because the certificate is not trusted any more, even though it is unexpired
3.3.11
certificate holder
entity that is named as the subject of a valid certificate
3.3.12
certificate verification
act of verifying that a certificate is authentic
3.3.13
certification
procedure by which a third party gives assurance that all or part of a data processing system conforms to
security requirements
[ISO/IEC 2382-8:1998, definition 08.01.18]
3.3.14
certification authority
CA
certificate issuer
authority trusted by one or more relying parties to create and assign certificates and which may, optionally,
create the relying parties' keys
NOTE 1 Adapted from ISO/IEC 9594-8:2001.
NOTE 2 Authority in the CA term does not imply any government authorization, but only denotes that it is trusted.
NOTE 3 Certificate issuer may be a better term, but CA is very widely used.
3.3.15
certificate policy
CP
named set of rules which indicates the applicability of a certificate to a particular community and/or class of
application with common security requirements
[IETF/RFC 3647]
3.3.16
certification practice statement
CPS
statement of the practices that a certification authority employs in issuing certificates
[IETF/RFC 3647]
3.3.17
public key certificate
PKC
X.509 public key certificates (PKCs) that bind an identity and a public key
NOTE 1 The identity can be used to support identity-based access control decisions after the client proves that they
have access to the private key that corresponds to the public key contained in the PKC.
NOTE 2 Adapted from IETF/RFC 3280.
3.3.18
public key infrastructure
PKI
infrastructure used in the relation between a key holder and a relying party, which allows a relying party to use
a certificate relating to the key holder for at least one application using a public-key-dependent security
service and which includes a certification authority, a certificate data structure, means for the relying party to
obtain current information on the revocation status of the certificate, a certification policy and methods to
validate the certification practice
3.3.19
qualified certificate
certificate whose primary purpose is identifying a person with a high level of assurance in public non-
repudiation services
NOTE The actual mechanisms that will decide whether a certificate should or should not be considered to be a
“qualified certificate” in regard to any legislation are outside the scope of this part of ISO 17090.
8 © ISO 2008 – All rights reserved

3.3.20
registration authority
RA
entity that is responsible for identification and authentication of certificate subjects, but that does not sign or
issue certificates (i.e. an RA is delegated certain tasks on behalf of a CA)
[IETF/RFC 3647]
3.3.21
relying party
recipient of a certificate who acts in reliance on that certificate and/or digital signature verified using that
certificate
[IETF/RFC 3647]
3.3.22
third party
party, other than data originator or data recipient, required to perform a security function as part of a
communication protocol
3.3.23
trusted third party
TTP
third party that is considered trusted for purposes of a security protocol
[ENV 13608-1]
NOTE This term is used in many ISO/IEC International Standards and other documents describing mainly the
services of a CA. The concept is, however, broader and includes services such as time-stamping and possibly escrowing.
4 Abbreviations
AA attribute authority
CA certification authority
CP certificate policy
CPS certification practice statement
CRL certificate revocation list
ECG electrocardiogram
EHR electronic health record
PKC public key certificate
PKI public key infrastructure
RA registration authority
TTP trusted third party
5 Healthcare context
5.1 Certificate holders and relying parties in healthcare
For the purposes of facilitating the discussion on digital certificate requirements, the following classes of
actors are introduced. This does not imply that other classes and definitions are not more appropriate in other
contexts.
The focus here is on actors who are directly involved in a health-related communication and may require a
certificate for a PKI-enabled security service. The following actors are defined in 3.1.
Persons: regulated health professional;
non-regulated health professional;
patient/consumer;
sponsored healthcare provider;
supporting organization employee.
Organizations: healthcare organization;
supporting organization.
Other entities: devices;
regulated medical devices;
applications.
In addition to these actors, the wide-scale deployment of digital certificates requires CAs and RAs to be part of
the total system and these organizations become important certificate holders in their own right.
Some healthcare workers are associated with multiple healthcare organizations. There is a primary need in
healthcare to avoid duplicate or redundant registration with its inherent costs and multiplicity of certificates.
Within the healthcare context, the role of RAs is to identify the actor as either a valid health professional
performing a given role, or to identify a consumer as the person with rights to his or her own information.
There also needs to be a way of registering support staff for physicians in private practice (medical
receptionists, billing clerks, file clerks, etc.). Such individuals are not associated with institutions such as
hospitals that are covered by national, state or provincial health authorities.
5.2 Examples of actors
5.2.1 Regulated health professional
Examples of regulated health professionals are physicians, dentists, registered nurses and pharmacists.
There are many different classifications of officially regulated/accredited professions in healthcare in different
countries. It is an important task for future ISO standardization to create a global mapping for this, but, for the
purposes of this part of ISO 17090, it is assumed that only very broad classes can be recognised
internationally. In ISO 17090-2, a data structure is presented that allows a broad international classification to
be used in parallel with a more detailed defined classification that may be national or follow other jurisdictions,
since regulated health professionals are regulated in provinces or states in some countries.
10 © ISO 2008 – All rights reserved

5.2.2 Non-regulated health professional
Non-regulated health professionals are persons who are employed by a healthcare organization, but who are
not regulated health professionals, and include medical secretaries and record assistants, transcription clerks
(i.e. those who type from a dictated voice recording), billing clerks and assistant nurses. For the purpose of
this part of ISO 17090, it is important to include the relationship between the employing healthcare
organization and the employee in a certificate for security services. For the healthcare professionals, it is
important to include the relationship with the professional registration body in the structure of the digital
certificate but a possible employment or other affiliation of, for example, a physician may also be important.
There are many different types of role or occupation of healthcare employees and this part of ISO 17090
makes no attempt to provide a classification scheme.
NOTE The fact that the employee is not registered by a body independent of the employer in his professional
capacity does, of course, not imply that the employee is not professional in conducting his services.
5.2.3 Patient/consumer
The person who receives health-related services is, in most cases, called the patient but, in some situations, it
is more appropriate, in the case of a healthy person and when considering the contractual relations with the
healthcare providers, to call such a person a consumer of health services. Only the patient/consumer who is
also a direct user of a health information system is considered in this context.
5.2.4 Sponsored healthcare provider
There are some types of person who are providers of health services and who are not regulated in the
jurisdiction but who are active in a community and where their professional role may be certified and
sponsored by a registered healthcare organization. Examples are, in some countries, midwives (who may be
sponsored by obstetricians or other physicians), physiotherapists of different types, various persons active in
community care for the disabled and elderly (who may be sponsored by a general practitioner or a hospital).
5.2.5 Supporting organization employee
A supporting organization employee is a person who is working for a supporting organization and who is not a
regulated or non-regulated health professional.
5.2.6 Healthcare organization
Examples of officially registered organizations that have a main activity related to healthcare services or
health promotion are healthcare providers, healthcare financing bodies (insurance companies or
administrators of governmental public health financing) and healthcare research institutions.
5.2.7 Supporting organization
Supporting organizations perform services for healthcare organizations but do not perform direct healthcare
services.
5.2.8 Devices
Devices are equipment such as ECG machines, laboratory automation equipment and different portable
diagnostic aids that measure various physiological parameters of a patient; also included are computer
devices such as electronic mail servers, web servers and application servers.
5.2.9 Applications
Applications are computer software programs running on individual machines and/or networks. Within the
healthcare context, applications relying upon digital certificates could include integrated clinical management
systems, EHR applications, emergency department information systems, imaging systems, prescribing, drug
profiling and medication management systems.
5.3 Applicability of digital certificates to healthcare
This part of ISO 17090 applies to the healthcare industry, both within and between jurisdictional boundaries. It
is intended to cover public (government) health authorities, private and public healthcare providers across the
entire range of settings including hospitals, community health, and general practice. It also applies to health
insurance organizations, healthcare educational institutions and health-related activities (such as home care).
While the primary aim is to develop a framework where health professionals, healthcare organizations and
insurers can securely exchange health information, this part of ISO 17090 is also intended to provide
consumers with the ability to securely access their own healthcare information. Transactions can take place
with CAs and RAs acting as trusted third parties to enable providers, insurers and consumers to exchange
information, safe in the knowledge that it is secure, protected and that, if integrity is breached, it will quickly
become known.
Suitable applications of digital certificates within healthcare are:
a) secure electronic mail;
b) access requests by applications used by community-based health professionals for patient information in
hospital-based information systems;
c) access requests by applications used within hospital-based information systems (systems would include
patient administration, clinical management, pathology, radiology, dietary and other related information
systems);
d) billing applications, which require non-repudiation, message integrity, confidentiality and authentication of
patients, health service providers and health insurers, as well as (in some jurisdictions) fraud prevention;
e) tele-imaging applications, which require a reliable binding between an image and a patient identity,
together with authentication of the health professional;
f) remote access control applications, which have a particular need to verify authenticity, confidentiality and
integrity;
g) electronic prescription applications, which require all the security services that digital certificates can offer,
to check that the prescription is verified as having originated from a particular health professional (origin
authentication) and is being filled for the correct patient;
h) digitally signed patient consent documents;
i) transcription services across national or jurisdictional boundaries;
j) other systems in accordance with local policies.
Local policies may exclude one or more of the above applications from relying upon, or otherwise making use
of, digital certificates.
A set of scenarios where digital certificates could be applied is detailed in Annex A.
6 Requirements for security services in healthcare applications
6.1 Healthcare characteristics
The healthcare industry has particular security needs that require special interpretation, which is the reason
why this part of ISO 17090 has been developed. Particular characteristics of healthcare are as follows.
a) Health information is re-usable and can exist for as long as (and longer than) the person to whom it refers.
This creates a special need for long-term preservation of digital signatures, and a valuable role for the
time-stamp technology that can support this.
12 © ISO 2008 – All rights reserved

b) There are significant health consumer and health service provider concerns to ensure that health
information collected is used for health purposes and not for something else, unless the patient has given
his/her explicit consent to use such information (e.g. anonymous patient data may be used for training
and planning purposes).
c) There is a need to improve the health consumers' confidence in the ability of the health system to
manage their information.
d) There is a need for health professionals and organizations to meet security obligations in the context of
health strategies.
e) The need exists to ensure that health professionals, trading partners and relying parties making use of
digital certifcates have confidence in measures to ensure privacy and security of patient information.
The security issue in healthcare becomes more visible as personal health information is being increasingly
stored using electronic information systems instead of paper files. The first concern of the healthcare industry
is to protect the privacy and safety of the patient. In particular, this concern extends to the need to comply with
relevant privacy legislation in respect of trans-border health information flows. If an information system is
going to be used by both healthcare professionals and consumers/patients, it shall be trusted. For this reason,
meeting the need for privacy and security is critical for healthcare information systems.
6.2 Digital certificate technical requirements in healthcare
6.2.1 General
Major security threats that need to be addressed in healthcare information and communication systems are
unauthorized access gained through stealing the private key of a legitimate certificate holder and then
masquerading as that certificate holder. Such unauthorized access can lead to the healthcare information
itself being altered, lost or replicated. Digital certificates used in combination with a security standard, such as
ISO/IEC 27002, can significantly reduce the risk of unauthorized access.
Digital certificates provide the only combination of policy, procedures and technology that offers all the
services of authentication, integrity, confidentiality and digital signature. Within the healthcare context, the use
of digital certificates enables healthcare providers and consumers, who may not know each other, to
communicate securely and with confidence, by electronic means, through a chain of trust.
Digital certificates can offer security services for which the health industry has a particular need. These
services and their application to healthcare are described in more detail in 6.2.2 to 6
...