ISO/TS 17090-1:2002

TECHNICAL ISO/TS
SPECIFICATION 17090-1
First edition
2002-10-15
Health informatics — Public key
infrastructure —
Part 1:
Framework and overview
Informatique de santé — Infrastructure de clé publique —
Partie 1: Cadre et vue d'ensemble

Reference number
©
ISO 2002
PDF disclaimer
This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but shall not
be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In downloading this
file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat accepts no liability in this
area.
Adobe is a trademark of Adobe Systems Incorporated.
Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation parameters
were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In the unlikely event
that a problem relating to it is found, please inform the Central Secretariat at the address given below.

All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic
or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISO's member body
in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.ch
Web www.iso.ch
Printed in Switzerland
ii © ISO 2002 – All rights reserved

Contents Page
Foreword . iv
Introduction. v
1 Scope. 1
2 Normative references. 1
3 Terms and definitions. 2
3.1 Healthcare context terms . 2
3.2 Security services terms. 3
3.3 Public key infrastructure related terms . 6
4 Abbreviations . 9
5 Healthcare context . 9
5.1 Health PKI classes of actors . 9
5.2 Examples of actors . 10
5.3 Applicability of PKI to healthcare . 11
6 Requirements for security services in healthcare applications. 12
6.1 Healthcare characteristics. 12
6.2 Healthcare PKI technical requirements . 13
6.3 Separation of authentication from encipherment. 14
6.4 Health industry PKI security management framework. 14
6.5 Policy requirements for a healthcare PKI. 15
7 Public key cryptography. 15
7.1 Symmetric vs. asymmetric cryptography. 15
7.2 Digital certificates . 15
7.3 Digital signatures . 16
7.4 Protecting the private key . 16
8 PKI. 17
8.1 Components of a PKI. 17
8.2 Establishing identity using qualified certificates . 18
8.3 Establishing speciality and roles using identity certificates. 18
8.4 Using attribute certificates for authorization and access control . 19
9 Interoperability requirements . 20
9.1 Overview . 20
9.2 Options for setting up a healthcare PKI across jurisdictions . 20
9.3 Option usage . 22
Annex A (informative) Scenarios for the use of PKI in healthcare . 23
Bibliography. 32

Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO
member bodies). The work of preparing International Standards is normally carried out through ISO technical
committees. Each member body interested in a subject for which a technical committee has been established has
the right to be represented on that committee. International organizations, governmental and non-governmental, in
liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical
Commission (IEC) on all matters of electrotechnical standardization.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 3.
The main task of technical committees is to prepare International Standards. Draft International Standards adopted
by the technical committees are circulated to the member bodies for voting. Publication as an International
Standard requires approval by at least 75 % of the member bodies casting a vote.
In other circumstances, particularly when there is an urgent market requirement for such documents, a technical
committee may decide to publish other types of normative document:
— an ISO Publicly Available Specification (ISO/PAS) represents an agreement between technical experts in an
ISO working group and is accepted for publication if it is approved by more than 50 % of the members of the
parent committee casting a vote;
— an ISO Technical Specification (ISO/TS) represents an agreement between the members of a technical
committee and is accepted for publication if it is approved by 2/3 of the members of the committee casting a
vote.
An ISO/PAS or ISO/TS is reviewed after three years with a view to deciding whether it should be confirmed for a
further three years, revised to become an International Standard, or withdrawn. In the case of a confirmed ISO/PAS
or ISO/TS, it is reviewed again after six years at which time it has to be either transposed into an International
Standard or withdrawn.
Attention is drawn to the possibility that some of the elements of this part of ISO/TS 17090 may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights.
ISO/TS 17090-1 was prepared by Technical Committee ISO/TC 215, Health informatics.
ISO/TS 17090 consists of the following parts, under the general title Health informatics — Public key infrastructure:
 Part 1: Framework and overview
 Part 2: Certificate profile
 Part 3: Policy management of certification authority
Annex A of this part of ISO/TS 17090 is for information only.
iv © ISO 2002 – All rights reserved

Introduction
The healthcare industry is faced with the challenge of reducing costs by moving from paper-based processes to
automated electronic processes. New models of healthcare delivery are emphasizing the need for patient
information to be shared among a growing number of specialist healthcare providers and across traditional
organizational boundaries.
Healthcare information concerning individual citizens is commonly interchanged by means of electronic mail,
remote database access, electronic data interchange and other applications. The Internet provides a highly cost-
effective and accessible means of interchanging information, but it is also an insecure vehicle that demands
additional measures be taken to maintain the privacy and confidentiality of information. Threats to the security of
health information through unauthorized access (either inadvertent or deliberate) are increasing. It is essential to
have available to the healthcare system reliable information security services that minimize the risk of unauthorized
access.
How does the healthcare industry provide appropriate protection for the data conveyed across the Internet in a
practical, cost-effective way? Public key infrastructure (PKI) technology seeks to address this challenge.
PKI is a blend of technology, policy and administrative processes that enable the exchange of sensitive data in an
unsecured environment by the use of “public key cryptography” to protect information in transit and “certificates” to
confirm the identity of a person or entity. In healthcare environments, PKI uses authentication, encipherment and
digital signatures to facilitate confidential access to, and movement of, individual health records to meet both
clinical and administrative needs. The services offered by a PKI (including encipherment, information integrity and
digital signatures) are able to address many of these security issues. This is especially the case if PKI is used in
conjunction with an accredited information security standard. Many individual organizations around the world have
started to apply PKI for this purpose.
Interoperability of PKI technology and supporting policies, procedures and practices is of fundamental importance if
information is to be exchanged between organizations and between jurisdictions in support of healthcare
applications (for example between a hospital and a community physician working with the same patient).
Achieving interoperability between different PKI schemes requires the establishment of a framework of trust, under
which parties responsible for protecting an individual’s information rights may rely on the policies and practices
and, by extension, the validity of digital certificates issued by other established authorities.
Many countries are adopting PKIs to support secure communications within their national boundaries.
Inconsistencies will arise in policies and procedures between the certification authorities (CAs) and the registration
authorities (RAs) of different countries if PKI standards development activity is restricted to within national
boundaries.
PKI technology is still rapidly evolving in certain aspects that are not specific to healthcare. Important
standardization efforts and, in some cases, supporting legislation are ongoing. On the other hand, healthcare
providers in many countries are already using or planning to use PKI. This Technical Specification seeks to
address the need for guidance of these rapid international developments.
This three-part document is being issued in the Technical Specification series of publications (according to the
ISO/IEC Directives, Part 1, 3.1.1.1) as a prospective standard for the use of PKI in the field of healthcare because
there is an urgent need for guidance on how standards in this field should be used to meet an identified need. This
document is not to be regarded as an International Standard. It is proposed for provisional application so that
information and experience of its use in practice may be gathered. ISO/TC 215 intends to revise it into a full
International Standard after a three-year period.
This Technical Specification describes the common technical, operational and policy requirements that need to be
addressed to enable PKI to be used in protecting the exchange of healthcare information within a single domain,
between domains and across jurisdictional boundaries. Its purpose is to create a platform for global interoperability.
It specifically supports PKI enabled communication across borders, but could also provide guidance for the
establishment of healthcare PKIs nationally or regionally. The Internet is increasingly used as the vehicle of choice
to support the movement of healthcare data between healthcare organizations and is the only realistic choice for
cross-border communication in this sector.
This Technical Specification should be approached as a whole, with the three parts all making a contribution to
defining how PKIs can be used to provide security services in the health industry, including authentication,
confidentiality, data integrity and the technical capacity to support the quality of digital signature.
ISO/TS 17090-1 defines the basic concepts of a healthcare public key infrastructure (PKI) and provides a scheme
of interoperability requirements to establish a PKI enabled secure communication of health information.
ISO/TS 17090-2 provides healthcare specific profiles of digital certificates based on the International Standard
X.509 and the profile of this specified in IETF/RFC 2459 for different types of certificates.
ISO/TS 17090-3 deals with management issues involved in implementing and operating a healthcare PKI. It
defines a structure and minimum requirements for certificate policies (CPs) and a structure for associated
certification practice statements. This part is based on the recommendations of the IETF/RFC 2527, Internet X.509
Public Key Infrastructure Certificate Policy and Certification Practices Framework and identifies the principles
needed in a healthcare security policy for cross border communication. It also defines the minimum levels of
security required, concentrating on the aspects unique to healthcare.
Comments on the content of this document, as well as comments, suggestions and information on the application
of these technical specifications may be forwarded to the ISO/TC 215 secretariat: tsandler@astm.org and the WG4
secretariat w4sec215@medis.or.jp.
vi © ISO 2002 – All rights reserved

TECHNICAL SPECIFICATION ISO/TS 17090-1:2002(E)

Health informatics — Public key infrastructure —
Part 1:
Framework and overview
1 Scope
This part of ISO/TS 17090 defines the basic concepts of a healthcare public key infrastructure (PKI) and provides a
scheme of interoperability requirements to establish a PKI enabled secure communication of health information. It
also identifies the major stakeholders who are communicating in health, as well as the main security services
required for health communication where PKI may be required.
This part of ISO/TS 17090 gives a brief introduction to public key cryptography and the basic components of a
healthcare PKI. It further introduces different types of certificates, public key identity certificates and associated
attribute certificates, for relying parties, self-signed certification authority (CA) certificates, and CA hierarchies and
bridging structures.
2 Normative references
The following normative documents contain provisions which, through reference in this text, constitute provisions of
this part of ISO/TS 17090. For dated references, subsequent amendments to, or revisions of, any of these
publications do not apply. However, parties to agreements based on this part of ISO/TS 17090 are encouraged to
investigate the possibility of applying the most recent editions of the normative documents indicated below. For
undated references, the latest edition of the normative document referred to applies. Members of ISO and IEC
maintain registers of currently valid International Standards.
ISO 7498-2:1989, Information processing systems — Open Systems Interconnection — Basic Reference Model —
Part 2: Security Architecture
ISO/IEC 9594-8:2001, Information technology — Open Systems Interconnection — The Directory: Public-key and
attribute certificate frameworks — Part 8
ISO/TS 17090-2:2002, Health informatics — Public key infrastructure — Part 2: Certificate profile
ISO/TS 17090-3:2002, Health informatics — Public key infrastructure — Part 3: Policy management of certification
authority
ISO/IEC 17799:2000, Information technology — Code of practice for information security management
INTERNET-DRAFT October 1999 4.1, X.509 Attribute Certificate
3 Terms and definitions
For the purposes of this part of ISO/TS 17090, the following terms and definitions apply.
3.1 Healthcare context terms
3.1.1
application
identifiable computer running software process that is the holder of a private encipherment key
NOTE 1 Application, in this context, can be any software process used in healthcare information systems including those
without any direct role in treatment or diagnosis.
NOTE 2 In some jurisdictions, including software processes can be regulated medical devices.
3.1.2
device
identifiable computer controlled apparatus or instrument that is the holder of a private encipherment key
NOTE 1 This includes the class of regulated medical devices that meet the above definition.
NOTE 2 Device, in this context, is any device used in healthcare information systems, including those without any direct role
in treatment or diagnosis.
3.1.3
healthcare actor
regulated health professional, non-regulated health professional, sponsored healthcare provider, supporting
organization employee, patient/consumer, healthcare organization, device or application that acts in a health
related communication and requires a certificate for a PKI enabled security service
3.1.4
healthcare organization
officially registered organization that has a main activity related to healthcare services or health promotion
EXAMPLES Hospitals, Internet healthcare web site providers and healthcare research institutions.
NOTE 1 The organization is recognized to be legally liable for its activities but need not be registered for its specific role in
health.
NOTE 2 An internal part of an organization is called here an organizational unit, as in X.501.
3.1.5
non-regulated health professional
person employed by a healthcare organization who is not a health professional
EXAMPLES Receptionist or secretary who organizes appointments, or a business manager who is responsible for
validating patient health insurance.
NOTE The fact that the employee is not authorized by a body independent of the employer in his professional capacity
does, of course, not imply that the employee is not professional in conducting his services.
3.1.6
patient
consumer
person who is the receiver of health related services and who is an actor in a health information system
3.1.7
privacy
freedom from intrusion into the private life or affairs of an individual when that intrusion results from undue or illegal
gathering and use of data about that individual
[ISO/IEC 2382-8:1998]
2 © ISO 2002 – All rights reserved

3.1.8
regulated health professional
person who is authorized by a nationally recognized body to be qualified to perform certain health services
EXAMPLES Physicians, registered nurses and pharmacists.
NOTE 1 The types of registering or accrediting bodies differ in different countries and for different professions. Nationally
recognized bodies include local or regional governmental agencies, independent professional associations and other formally
and nationally recognized organizations. They may be exclusive or non-exclusive in their territory.
NOTE 2 A nationally recognized body in this definition does not imply one nationally controlled system of professional
registration but, in order to facilitate international communication, it would be preferable for one nationwide directory of
recognized health professional registration bodies to exist.
3.1.9
sponsored healthcare provider
health services provider who is not a regulated professional in the jurisdiction of his/her practice, but who is active
in his/her healthcare community and sponsored by a regulated healthcare organization
EXAMPLES A drug and alcohol education officer who is working with a particular ethnic group, or a healthcare aid worker in
a developing country.
3.1.10
supporting organization
officially registered organization which is providing services to a healthcare organization, but which is not providing
healthcare services
EXAMPLES Healthcare financing bodies such as insurance institutions, suppliers of pharmaceuticals and other goods.
3.1.11
supporting organization employee
person employed by a supporting organization
EXAMPLES Medical records transcriptionists, healthcare insurance claims adjudicators and pharmaceutical order entry
clerks.
3.2 Security services terms
3.2.1
access control
means of ensuring that the resources of a data processing system can be accessed only by authorized entities in
authorized ways
[ISO/IEC 2382-8:1998]
3.2.2
accountability
property that ensures that the actions of an entity may be traced uniquely to the entity
[ISO 7498-2:1989]
3.2.3
asymmetric cryptographic algorithm
algorithm for performing encipherment or the corresponding decipherment in which the keys used for encipherment
and decipherment differ
[ISO 10181-1:1996]
3.2.4
authentication
process of reliably identifying security subjects by securely associating an identifier and its authenticator
[ISO 7498-2:1989]
NOTE See also data origin authentication and peer entity authentication.
3.2.5
authorization
granting of rights, which includes the granting of access based on access rights
[ISO 7498-2:1989]
3.2.6
availability
property of being accessible and useable upon demand by an authorized entity
[ISO 7498-2:1989]
3.2.7
ciphertext
data produced through the use of encipherment, the semantic content of which is not available
NOTE Adapted from ISO 7498-2:1989.
3.2.8
confidentiality
property that information is not made available or disclosed to unauthorized individuals, entities, or processes
[ISO 7498-2:1989]
3.2.9
cryptography
discipline which embodies principles, means and methods for the transformation of data in order to hide its
information content, prevent its undetected modification and/or prevent its unauthorized use
[ISO 7498-2:1989]
3.2.10
cryptographic algorithm
cipher
method for the transformation of data in order to hide its information content, prevent its undetected modification
and/or prevent its unauthorized use
[ISO 7498-2:1989]
3.2.11
data integrity
property that data has not been altered or destroyed in an unauthorized manner
[ISO 7498-2:1989]
3.2.12
data origin authentication
corroboration that the source of data received is as claimed
[ISO 7498-2:1989]
4 © ISO 2002 – All rights reserved

3.2.13
decipherment
decryption
process of obtaining, from a ciphertext, the original corresponding data
[ISO/IEC 2382-8:1989]
NOTE A ciphertext may be enciphered a second time, in which case a single decipherment does not produce the original
plaintext.
3.2.14
digital signature
data appended to, or a cryptographic transformation of a data unit that allows a recipient of the data unit to prove
the source and integrity of the data unit and protect against forgery, e.g. by the recipient
[ISO 7498-2:1989]
NOTE See cryptography.
3.2.15
encipherment
encryption
cryptographic transformation of data to produce ciphertext
[ISO 7498-2:1989]
NOTE See cryptography.
3.2.16
identification
performance of tests to enable a data processing system to recognize entities
[ISO/IEC 2382-8:1998]
3.2.17
identifier
piece of information used to claim an identity, before a potential corroboration by a corresponding authenticator
[ENV 13608-1]
3.2.18
integrity
proof that the message content has not been altered, deliberately or accidentally, in any way during transmission
NOTE Adapted from ISO 7498-2:1989.
3.2.19
key
sequence of symbols that controls the operations of encipherment and decipherment
[ISO 7498-2:1989]
3.2.20
key management
generation, storage, distribution, deletion, archiving and application of keys in accordance with a security policy
[ISO 7498-2:1989]
3.2.21
non-repudiation
service providing proof of the integrity and origin of data (both in an unforgeable relationship), which can be verified
by any party
NOTE Adapted from ASTM [13].
3.2.22
private key
key that is used with an asymmetric cryptographic algorithm and whose possession is restricted (usually to only
one entity)
[ISO 10181-1:1996]
3.2.23
public key
key that is used with an asymmetric cryptographic algorithm and that can be made publicly available
[ISO 10181-1:1996]
3.2.24
role
set of behaviours that is associated with a task
3.2.25
security
combination of availability, confidentiality, integrity and accountability
[ENV 13608-1]
3.2.26
security policy
plan or course of action adopted for providing computer security
[ISO/IEC 2382-8:1998]
3.2.27
security service
service, provided by a layer of communicating open systems, which ensures adequate security of the systems or of
data transfers
[ISO 7498-2:1989]
3.3 Public key infrastructure related terms
3.3.1
attribute authority
AA
authority which assigns privileges by issuing attribute certificates
[X.509]
3.3.2
attribute certificate
data structure, digitally signed by an attribute authority, that binds some attribute values with identification about its
holder
[X.509]
6 © ISO 2002 – All rights reserved

3.3.3
authority certificate
certificate issued to a certification authority or to an attribute authority
NOTE Adapted from X.509.
3.3.4
certificate
public key certificate
3.3.5
certificate distribution
act of publishing certificates and transferring certificates to security subjects
3.3.6
certificate extension
extension fields (known as extensions) in X.509 certificates that provide methods for associating additional
attributes with users or public keys and for managing the certification hierarchy
NOTE Certificate extensions may be either critical (i.e. a certificate-using system has to reject the certificate if it encounters
a critical extension it does not recognize) or non-critical (i.e. it may be ignored if the extension is not recognized).
3.3.7
certificate generation
act of creating certificates
3.3.8
certificate management
procedures relating to certificates, i.e. certificate generation, certificate distribution, certificate archiving and
revocation
3.3.9
certificate profile
specification of the structure and permissible content of a certificate type
3.3.10
certificate revocation
act of removing any reliable link between a certificate and its related owner (or security subject owner) because the
certificate is not trusted any more, even though it is unexpired
3.3.11
certificate holder
entity that is named as the subject of a valid certificate
3.3.12
certificate verification
verifying that a certificate is authentic
3.3.13
certification
procedure by which a third party gives assurance that all or part of a data processing system conforms to security
requirements
[ISO/IEC 2382-8:1998]
3.3.14
certification authority
CA
certificate issuer
authority trusted by one or more relying parties to create and assign certificates and which may, optionally, create
the relying parties' keys
NOTE 1 Adapted from ISO 9594-8:2001.
NOTE 2 Authority in the CA term does not imply any government authorization, but only denotes that it is trusted.
NOTE 3 Certificate issuer may be a better term, but CA is very widely used.
3.3.15
certificate policy
CP
named set of rules that indicates the applicability of a certificate to a particular community and/or class of
application with common security requirements
[IETF 2527]
3.3.16
certification practices statement
CPS
statement of the practices which a certification authority employs in issuing certificates
[IETF/RFC 2527]
3.3.17
public key certificate
PKC
X.509 public key certificates (PKCs) which bind an identity and a public key; the identity may be used to support
identity-based access control decisions after the client proves that it has access to the private key that corresponds
to the public key contained in the PKC
NOTE Adapted from IETF/RFC 2459.
3.3.18
public key infrastructure
PKI
infrastructure used in the relation between a key holder and a relying party that allows a relying party to use a
certificate relating to the key holder for at least one application using a public key dependent security service and
that includes a certification authority, a certificate data structure, means for the relying party to obtain current
information on the revocation status of the certificate, a certification policy and methods to validate the certification
practice
3.3.19
qualified certificate
certificate whose primary purpose is identifying a person with a high level of assurance in public non-repudiation
services
NOTE The actual mechanisms that will decide whether a certificate should or should not be considered to be a “qualified
certificate” in regard to any legislation are outside the scope of this Technical Specification.
3.3.20
registration authority
RA
entity that is responsible for identification and authentication of certificate subjects, but that does not sign or issue
certificates (i.e. an RA is delegated certain tasks on behalf of a CA)
[IETF/RFC 2527]
8 © ISO 2002 – All rights reserved

3.3.21
relying party
recipient of a certificate who acts in reliance on that certificate and/or digital signature verified using that certificate
[IETF/RFC 2527]
3.3.22
third party
party, other than data originator or data recipient, required to perform a security function as part of a
communication protocol
3.3.23
trusted third party
TTP
third party which is considered trusted for purposes of a security protocol
[ENV 13608-1]
NOTE This term is used in many ISO/IEC International Standards and other documents describing mainly the services of a
CA. The concept is, however, broader and includes services such as time-stamping and possibly escrowing.
4 Abbreviations
AA attribute authority
CA certification authority
CP certificate policy
CPS certification practice statement
CRL certificate revocation list
ECG electrocardiogram
EHR electronic health record
PKC public key certificate
PKI public key infrastructure
RA registration authority
TTP trusted third party
5 Healthcare context
5.1 Health PKI classes of actors
For the purposes of facilitating the discussion on PKI requirements, the following classes of actors are introduced.
This does not imply that other classes and definitions are not more appropriate in other contexts.
The focus here is on actors who are directly involved in a health related communication and may require a
certificate for a PKI enabled security service. The following actors are defined in 3.1.
Persons: regulated health professional;
non-regulated health professional;
patient/consumer;
sponsored healthcare provider;
supporting organization employee.
Organizations: healthcare organization;
supporting organization.
Other entities: devices;
regulated medical devices;
applications.
In addition to these actors, the PKI requires CAs and RAs to be part of the total system and these organizations are
important certificate holders in this infrastructure.
Some healthcare workers are associated with multiple healthcare organizations. There is a primary need in
healthcare to avoid duplicate or redundant registration with its inherent costs and multiplicity of certificates.
Within the healthcare context, the role of RAs is to identify the actor as either a valid health professional performing
a given role, or to identify a consumer as the person with rights to his or her own information. There also needs to
be a way of registering support staff for physicians in private practice (medical receptionists, billing clerks, file
clerks, etc.). Such individuals are not associated with institutions such as hospitals that are covered by national,
state or provincial health authorities.
5.2 Examples of actors
5.2.1 Regulated health professional
Examples of regulated health professionals are: physicians, dentists, registered nurses and pharmacists. There are
many different classifications of officially regulated/accredited professions in healthcare in different countries. It is
an important task for future ISO standardization to create a global mapping for this but, for the purposes of this
Technical Specification, it is assumed that only very broad classes can be recognized internationally. In
ISO/TS 17090-2:2002, a data structure is presented that allows a broad international classification to be used in
parallel with a more detailed defined classification that may be national or follow other jurisdictions, since regulated
health professionals are regulated in provinces or states in some countries.
5.2.2 Non-regulated health professional
Non-regulated health professionals are persons who are employed by a healthcare organization but who are not
regulated health professionals, and include medical secretaries and record assistants, transcription clerks (i.e.
those who type from a dictated voice recording), billing clerks and assistant nurses. For the purpose of this part of
ISO/TS 17090, it is important to include the relationship between the employing healthcare organization and the
employee in a certificate for security services. For the healthcare professionals, it is important to include the
relationship with the professional registration body in the PKI structure but a possible employment or other
affiliation of, for example, a physician may also be important.
10 © ISO 2002 – All rights reserved

There are many different types of roles or occupations of healthcare employees and this part of ISO/TS 17090
makes no attempt to provide a classification scheme.
NOTE The fact that the employee is not registered by a body independent of the employer in his professional capacity
does, of course, not imply that the employee is not professional in conducting his services.
5.2.3 Patient/consumer
The person who receives health related services is, in most cases, called the patient but, in some situations, it is
more appropriate, in the case of a healthy person and when considering the contractual relations with the
healthcare providers, to call such a person a consumer of health services. Only the patient/consumer who is also a
direct user of a health information system is considered in this context.
5.2.4 Sponsored healthcare provider
There are some types of persons who are providers of health services that are not regulated in the jurisdiction but
who are active in a community and where their professional role may be certified and sponsored by a registered
healthcare organization. Examples are, in some countries, midwives (who may be sponsored by obstetricians or
other physicians), physiotherapists of different types, various persons active in community care for disabled and
elderly (who may be sponsored by a general practitioner or a hospital).
5.2.5 Supporting organization employee
A supporting organization employee is a person who is working for a supporting organization and who is not a
regulated or non-regulated health professional.
5.2.6 Healthcare organization
Examples of officially registered organizations that have a main activity related to healthcare services or health
promotion are healthcare providers, healthcare financing bodies (insurance companies or administrators of
governmental public health financing) and healthcare research institutions.
5.2.7 Supporting organization
Supporting organizations perform services for healthcare organizations but do not perform direct healthcare
services.
5.2.8 Devices
Devices are equipment such as ECG machines, laboratory automation equipment and different portable diagnostic
aids that measure various physiological parameters of a patient; included also are computer devices such as
electronic mail servers, web servers and application servers.
5.2.9 Applications
Applications are computer software programs running on individual machines and/or networks. Within the
healthcare context, applications which may be part of a PKI could include integrated clinical management systems,
EHR applications, emergency department information system, imaging system, prescribing, drug profiling and
medication management systems.
5.3 Applicability of PKI to healthcare
This Technical Specification applies to the healthcare industry, both within and between national boundaries. It is
intended to cover public (government) health authorities, private healthcare providers across the entire range of
settings including hospitals, community health and general practice. It also applies to health insurance
organizations, healthcare educational institutions and health related activities (such as home care).
While the primary aim is to develop a framework where health professionals, healthcare organizations and insurers
can securely exchange health information, this Technical Specification is also intended to provide consumers with
the ability to securely access their own healthcare information. Transactions can take place with CAs and RAs
acting as trusted third parties to enable providers, insurers and consumers to exchange information, safe in the
knowledge that it is secure, protected and that, if integrity is breached, it will quickly become known.
Suitable applications within the healthcare PKI are:
a) secure electronic mail;
b) access requests by applications used by community based health professionals for patient information in
hospital based information systems;
c) access requests by applications used within hospital based information systems. Systems would include
patient administration, clinical management, pathology, radiology, dietary and other related information
systems;
d) billing applications, which require non-repudiation, message integrity, confidentiality and authentication of
patients, health service providers and health insurers, as well as (in some jurisdictions) fraud prevention;
e) tele-imaging applications, which require a reliable binding between an image and a patient identity, together
with authentication of the health professional;
f) remote access control applications, which have a particular need to verify authenticity, confidentiality and
integrity;
g) electronic prescription applications, which require all the security services of a PKI authenticity to check that
the prescription is verified as having originated from a particular health professional and is being filled for the
correct patient. Ensuring there are no errors in transmission requires the integrity service and auditability
requires the service of non-repudiation;
h) digitally signed patient consent documents;
i) transcription services across national boundaries;
j) other systems in accordance with local policies.
Local policies may exclude one or more of the above applications from participation in a PKI.
A set of scenarios where PKI could be applied is detailed in annex B.
6 Requirements for security services in healthcare applications
6.1 Healthcare characteristics
The healthcare industry has particular security needs that require special interpretation, which is the reason why
this Technical Specification has been developed. Particular characteristics of healthcare are as follows.
a) Health information is reusable and can exist for as long as (and longer than) the person it whom it refers.
b) There are significant health consumer and health service provider concerns to ensure health information
collected is used for health purposes and not for something else, unless the patient has given his/her explicit
consent to use such information (e.g. anonymous patient data may be used for training and planning
purposes).
c) There is a need to improve the health consumers' confidence in the ability of the health system to manage
their information.
12 © ISO 2002 – All rights reserved

d) There is a need for health professionals and organizations to meet security obligations in the context of health
strategies.
e) The need exists to ensure that health professionals, trading partners and relying parties in a healthcare PKI
have confidence in measures to ensure privacy and security of patient information.
The security issue in healthcare becomes more visible as personal health information is being increasingly stored
using electronic information systems instead of paper files. The first concern of the healthcare industry is to protect
the privacy and safety of the patient. In particular, this concern extends to the need to comply with relevant privacy
le
...