iTeh Standards logo
EURUSD
Your shopping cart is empty.
SIST

SIST EN 12251:2005

(Main)

Health informatics - Secure User Identification for Health Care - Management and Security of Authentication by Passwords

Health informatics - Secure User Identification for Health Care - Management and Security of Authentication by Passwords

This document is designed to improve the authentication of individual users of health care IT systems, by strengthening the automatic software procedures associated with the management of user identifiers and passwords, without resorting to additional hardware facilities.
This document applies to all information systems (hereafter called systems) within the health care environment that handle or store sensitive person identifiable health information, using passwords as the only means of authenticating the entered user identifier, i.e., verifying the claimed identity of a user. Systems that fall within the scope of this document include for example electronic patient record systems, patient administrative systems and laboratory systems, containing personal health information.
This document does not apply to systems outside the health care environment. Neither does it apply to systems within the health care environment that use other means of identification and authentication, such as smart cards, biometric methods or other technical facilities.

Medizinische Informatik - Sichere Nutzeridentifikation im Gesundheitswesen - Management und Sicherheit für die Authentifizierung durch Passwörter

Informatique de santé - Sécurité de l'identification de l'utilisateur des soins de santé - Gestion et sécurité de l'authentification des mots de passe

Zdravstvena informatika – Varna identifikacija uporabnikov v zdravstvenem varstvu – Upravljanje in varnost avtentikacije z gesli

General Information

Status
Published
Publication Date
31-Dec-2004
ICS
35.030 - IT Security
35.240.80 - IT applications in health care technology
Technical Committee
ITC - Information technology
Current Stage
6060 - National Implementation/Publication (Adopted Project)
Start Date
01-Jan-2005
Due Date
01-Jan-2005
Completion Date
01-Jan-2005
Ref Project
EN 12251:2004 - Health informatics - Secure User Identification for Health Care - Management and Security of Authentication by Passwords

Relations

Replaces
SIST ENV 12251:2003 - Health informatics - Secure user identification for health care - Management and security of authentication by passwords
Effective Date
22-Dec-2008

Overview

EN 12251:2004 - published by CEN - is a European health informatics standard titled Health informatics - Secure User Identification for Health Care - Management and Security of Authentication by Passwords. It defines software-based requirements and procedures to strengthen user identification and password authentication in healthcare IT systems that rely on passwords as the sole authentication mechanism. The standard targets systems that handle sensitive, personally identifiable health information (for example electronic patient record systems, patient administration and laboratory systems) and excludes systems that use hardware tokens, smart cards or biometrics.

Key topics and technical requirements

EN 12251:2004 specifies practical controls for secure password management and authentication. Key technical topics include:

  • Unique identification and authentication: use of unique user identifiers and passwords to verify claimed identities.
  • Authentication before access: identification/authentication must precede any other interaction with the system.
  • User attribute association: ability to link site-defined attributes (name, affiliation) to each user identifier.
  • Log‑on messaging: site‑specifiable warning message about unauthorized use displayed during log-on.
  • Failure handling and lockout: site-specifiable limit on unsuccessful log-on trials (recommended: three) with alarms and temporary lockout actions.
  • Silent error reporting: log-on error feedback must not reveal which part (identifier or password) was incorrect.
  • Log‑on statistics: display last successful access time and number of failed attempts since then.
  • Password sharing controls: no explicit facilitation of password sharing; systems may permit reuse but must not disclose association.
  • Secure password storage: passwords stored in one‑way encrypted form; unencrypted passwords not retained.
  • No password logging: actual or attempted passwords or invalid identifiers should not be logged by default.
  • Password handling and lifecycle: suppression of password echo, user-changeable passwords with re-authentication, mandatory change of default passwords, initialised and temporary password mechanisms with enforced expiration.
  • Expiration and notification: site-specifiable expiration by time or uses (recommended: two months or 100 uses) with advance notification.
  • Guidance annexes: informative annexes cover complexity requirements, user responsibilities and secure password communication.

Applications

EN 12251:2004 is intended for implementation in healthcare software where passwords are the only authentication method. Typical applications:

  • Electronic health records (EHR/EMR) systems
  • Patient administration systems (PAS)
  • Laboratory Information Management Systems (LIMS)
  • Clinical order-entry and results-reporting systems

Adopting EN 12251 improves password security, reduces risk of unauthorized access to patient data and supports compliance and risk management in healthcare IT deployments.

Who should use this standard

  • Healthcare IT vendors and software developers
  • Hospital and clinic IT/security administrators
  • System integrators and implementers of EHR/LIMS/PAS
  • Procurement, compliance and privacy officers evaluating password-based authentication

Related standards

  • Normative reference: ISO 7498-2 (security architecture).
  • EN 12251 is a CEN/TC 251 health informatics standard and supersedes ENV 12251:2000.

Keywords: EN 12251:2004, health informatics, secure user identification, password management, authentication, healthcare IT systems, electronic patient record, password security.

SIST EN 12251:2005SIST EN 12251:2005
PreviousNext
Standard
SIST EN 12251:2005
English language
13 pages
sale 10% off
Preview
sale 10% off
Preview
e-Library read for
1 day

Standards Content (Sample)


2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.Zdravstvena informatika – Varna identifikacija uporabnikov v zdravstvenem varstvu – Upravljanje in varnost avtentikacije z gesliMedizinische Informatik - Sichere Nutzeridentifikation im Gesundheitswesen - Management und Sicherheit für die Authentifizierung durch PasswörterInformatique de santé - Sécurité de l'identification de l'utilisateur des soins de santé - Gestion et sécurité de l'authentification des mots de passeHealth informatics - Secure User Identification for Health Care - Management and Security of Authentication by Passwords35.240.80Uporabniške rešitve IT v zdravstveni tehnikiIT applications in health care technologyICS:Ta slovenski standard je istoveten z:EN 12251:2004SIST EN 12251:2005en01-januar-2005SIST EN 12251:2005SLOVENSKI
STANDARDSIST ENV 12251:20031DGRPHãþD

EUROPEAN STANDARDNORME EUROPÉENNEEUROPÄISCHE NORMEN 12251August 2004ICS 35.240.80 English versionHealth informatics - Secure User Identification for Health Care -Management and Security of Authentication by PasswordsInformatique de santé - Sécurité de l'identification del'utilisateur des soins de santé - Gestion et sécurité del'authentification des mots de passeMedizinische Informatik - Sichere Nutzeridentifikation imGesundheitswesen - Management und Sicherheit für dieAuthentifizierung durch PasswörterThis European Standard was approved by CEN on 21 June 2004.CEN members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this EuropeanStandard the status of a national standard without any alteration. Up-to-date lists and bibliographical references concerning such nationalstandards may be obtained on application to the Central Secretariat or to any CEN member.This European Standard exists in three official versions (English, French, German). A version in any other language made by translationunder the responsibility of a CEN member into its own language and notified to the Central Secretariat has the same status as the officialversions.CEN members are the national standards bodies of Austria, Belgium, Cyprus, Czech Republic, Denmark, Estonia, Finland, France,Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Slovakia,Slovenia, Spain, Sweden, Switzerland and United Kingdom.EUROPEAN COMMITTEE FOR STANDARDIZATIONCOMITÉ EUROPÉEN DE NORMALISATIONEUROPÄISCHES KOMITEE FÜR NORMUNGManagement Centre: rue de Stassart, 36
B-1050 Brussels© 2004 CENAll rights of exploitation in any form and by any means reservedworldwide for CEN national Members.Ref. No. EN 12251:2004: ESIST EN 12251:2005

Potential password complexity requirements.10 Annex B (informative)
User responsibilities.11 Annex C (informative)
Password communication.12 Bibliography.13
1 Scope This document is designed to improve the authentication of individual users of health care IT systems, by strengthening the automatic software procedures associated with the management of user identifiers and passwords, without resorting to additional hardware facilities. This document applies to all information systems (hereafter called systems) within the health care environment that handle or store sensitive person identifiable health information, using passwords as the only means of authenticating the entered user identifier, i.e., verifying the claimed identity of a user. Systems that fall within the scope of this document include for example electronic patient record systems, patient administrative systems and laboratory systems, containing personal health information. This document does not apply to systems outside the health care environment. Neither does it apply to systems within the health care environment that use other means of identification and authentication, such as smart cards, biometric methods or other technical facilities. 2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
ISO 7498-2, Information processing systems – Open systems interconnection – Basic reference model – Part 2: Security architecture 3 Terms and definitions For the purposes of this document, the following terms and definitions apply. 3.1
access control prevention of unauthorised use of a resource, including the prevention of use of a resource in an unauthorised manner 3.2 authentication process of verifying a claimed user identity, in this document on the basis of an entered user identifier and password 3.3 authentication information information used to establish the validity of a claimed identity [ISO 7498-2] 3.4
authorised user person who is given access rights to the system, i.e., person who is given a unique user identifier and an initial password, and by this is given
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.

Loading comments...

Frequently Asked Questions

SIST EN 12251:2005 is a standard published by the Slovenian Institute for Standardization (SIST). Its full title is "Health informatics - Secure User Identification for Health Care - Management and Security of Authentication by Passwords". This standard covers: This document is designed to improve the authentication of individual users of health care IT systems, by strengthening the automatic software procedures associated with the management of user identifiers and passwords, without resorting to additional hardware facilities. This document applies to all information systems (hereafter called systems) within the health care environment that handle or store sensitive person identifiable health information, using passwords as the only means of authenticating the entered user identifier, i.e., verifying the claimed identity of a user. Systems that fall within the scope of this document include for example electronic patient record systems, patient administrative systems and laboratory systems, containing personal health information. This document does not apply to systems outside the health care environment. Neither does it apply to systems within the health care environment that use other means of identification and authentication, such as smart cards, biometric methods or other technical facilities.

This document is designed to improve the authentication of individual users of health care IT systems, by strengthening the automatic software procedures associated with the management of user identifiers and passwords, without resorting to additional hardware facilities. This document applies to all information systems (hereafter called systems) within the health care environment that handle or store sensitive person identifiable health information, using passwords as the only means of authenticating the entered user identifier, i.e., verifying the claimed identity of a user. Systems that fall within the scope of this document include for example electronic patient record systems, patient administrative systems and laboratory systems, containing personal health information. This document does not apply to systems outside the health care environment. Neither does it apply to systems within the health care environment that use other means of identification and authentication, such as smart cards, biometric methods or other technical facilities.

SIST EN 12251:2005 is classified under the following ICS (International Classification for Standards) categories: 35.030 - IT Security; 35.240.80 - IT applications in health care technology. The ICS classification helps identify the subject area and facilitates finding related standards.

SIST EN 12251:2005 has the following relationships with other standards: It is inter standard links to SIST ENV 12251:2003. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.

You can purchase SIST EN 12251:2005 directly from iTeh Standards. The document is available in PDF format and is delivered instantly after payment. Add the standard to your cart and complete the secure checkout process. iTeh Standards is an authorized distributor of SIST standards.

This May Also Interest You

SIST
SIST EN ISO 13606-4:2019(Main)
Health informatics - Electronic health record communication - Part 4: Security (ISO 13606-4:2019)
EN ISO 13606-4:2019

This document describes a methodology for specifying the privileges necessary to access EHR data. This methodology forms part of the overall EHR communications architecture defined in ISO 13606-1.
This document seeks to address those requirements uniquely pertaining to EHR communications and to represent and communicate EHR-specific information that will inform an access decision. It also refers to general security requirements that apply to EHR communications and points at technical solutions and standards that specify details on services meeting these security needs.
NOTE       Security requirements for EHR systems not related to the communication of EHRs are outside the scope of this document.

  • Standard
    40 pages
    English language
    sale 10% off
    e-Library read for
    1 day
  • Standard
    40 pages
    English language
    sale 10% off
    e-Library read for
    1 day
SIST
SIST EN ISO 27799:2017(Main)
Health informatics - Information security management in health using ISO/IEC 27002 (ISO 27799:2016)
EN ISO 27799:2016

ISO 27799:2016 gives guidelines for organizational information security standards and information security management practices including the selection, implementation and management of controls taking into consideration the organization's information security risk environment(s).
It defines guidelines to support the interpretation and implementation in health informatics of ISO/IEC 27002 and is a companion to that International Standard.
ISO 27799:2016 provides implementation guidance for the controls described in ISO/IEC 27002 and supplements them where necessary, so that they can be effectively used for managing health information security. By implementing ISO 27799:2016, healthcare organizations and other custodians of health information will be able to ensure a minimum requisite level of security that is appropriate to their organization's circumstances and that will maintain the confidentiality, integrity and availability of personal health information in their care.
It applies to health information in all its aspects, whatever form the information takes (words and numbers, sound recordings, drawings, video, and medical images), whatever means are used to store it (printing or writing on paper or storage electronically), and whatever means are used to transmit it (by hand, through fax, over computer networks, or by post), as the information is always be appropriately protected.
ISO 27799:2016 and ISO/IEC 27002 taken together define what is required in terms of information security in healthcare, they do not define how these requirements are to be met. That is to say, to the fullest extent possible, ISO 27799:2016 is technology-neutral. Neutrality with respect to implementing technologies is an important feature. Security technology is still undergoing rapid development and the pace of that change is now measured in months rather than years. By contrast, while subject to periodic review, International Standards are expected on the whole to remain valid for years. Just as importantly, technological neutrality leaves vendors and service providers free to suggest new or developing technologies that meet the necessary requirements that ISO 27799:2016 describes.
As noted in the introduction, familiarity with ISO/IEC 27002 is indispensable to an understanding of ISO 27799:2016.
The following areas of information security are outside the scope of ISO 27799:2016:
a)   methodologies and statistical tests for effective anonymization of personal health information;
b)   methodologies for pseudonymization of personal health information (see Bibliography for a brief description of a Technical Specification that deals specifically with this topic);
c)   network quality of service and methods for measuring availability of networks used for health informatics;
d)   data quality (as distinct from data integrity).

  • Standard
    114 pages
    English language
    sale 10% off
    e-Library read for
    1 day
SIST
SIST-TS CEN ISO/TS 14441:2014(Main)
Health informatics - Security and privacy requirements of EHR systems for use in conformity assessment (ISO/TS 14441:2013)
CEN ISO/TS 14441:2013

ISO/TS 14441:2013 examines electronic patient record systems at the clinical point of care that are also interoperable with EHRs. ISO/TS 14441:2013 addresses their security and privacy protections by providing a set of security and privacy requirements, along with guidelines and best practice for conformity assessment.
ISO/TS 14441:2013 includes a cross-mapping of 82 security and privacy requirements against the Common Criteria categories in ISO/IEC 15408 (all parts).

  • Technical specification
    122 pages
    English language
    sale 10% off
    e-Library read for
    1 day
SIST
SIST-TP CEN/TR 15300:2006(Main)
Health informatics - Framework for formal modelling of healthcare security policies
CEN/TR 15300:2006

This CEN report specifies the starting point for working on some formalising tools that could be used by the healthcare actors to express, compare and validate local and/or network security policies.
Defining and validating a correct security policy encompass different activities such as expressing correctly
(i.e. without any ambiguity), formulating correctly (i.e. without any misinterpretation) and proving the correctness (i.e. without known failures or major lack) of the [to be formally modelled] security policy.
This CEN report does NOT intend at all to specify a UNIQUE or UNIVERSAL formal model that need to be used by the European healthcare community: it only indicates, as a first working step, some ways that could be followed to help that healthcare community to correctly and fruitfully manipulate the security policy concept(s) and the formal modelling techniques.
This CEN report does NOT intend to indicate an EXHAUSTIVE spectrum of all the published formal security policy models: it only gives a readable and understandable flavour of the most well-known formal models and also of the [maybe] most interesting ones from the healthcare activity and needs point of view. This CEN report is, in this very first version, divided in five parts:
o   Part #1 - Introduction to formal modelling: this clause summarises and justifies the following needs:
i.   need for policies, in general and for any context;
ii.   need for security policies, in any data processing context;
iii.   need for models (or modelling facilities) of security policies, in some generic system environments;
iv.   need for formal models (or formal modelling facilities) of security policies, in some sensitive areas;
v.   need for healthcare-oriented formal models of security policies, specialized to healthcare specificities.
o   Part #2 - Historical security policies and models: this clause explains and introduces the main objectives and concepts of the security policy modelling activity that seems to be of

  • Technical report
    33 pages
    English language
    sale 10% off
    e-Library read for
    1 day
SIST
SIST EN 14484:2004(Main)
Health informatics - International transfer of personal health data covered by the EU data protection directive - High level security policy
EN 14484:2003

This item will provide guidance on the data protection policy which should be implemented by organisations which are participants in international applications which involve transfer of person identifiable data across national borders and which require compliance with the EU Data Protection Directive.

  • Standard
    55 pages
    English language
    sale 10% off
    e-Library read for
    1 day
SIST
oSIST prEN 13608-3:2006
Health informatics - Security for healthcare communication - Part 3: Secure data channels
prEN 13608-3
  • Draft
    23 pages
    English language
    sale 10% off
    e-Library read for
    1 day
SIST
oSIST prEN 13608-1:2006
Health informatics - Security for healthcare communication - Part 1: Concepts and terminology
prEN 13608-1
  • Draft
    85 pages
    English language
    sale 10% off
    e-Library read for
    1 day
SIST
kSIST FprEN ISO 27799:2025(Main)
Health informatics - Information security controls in health based on ISO/IEC 27002 (ISO/FDIS 27799:2025)
FprEN ISO 27799

This document provides information security controls, including implementation guidance, for health organizations. It is based on ISO/IEC 27002:2022
In addition to generic ICT equipment and software used in many other environments, the scope of this document includes software and systems specifically for healthcare, such as electronic health record systems and medical devices incorporating health software. Such medical devices can be programmed or programmable and can contain software, firmware or both.
Other digital equipment (such as that for environmental and infection control, building management, and physical security), which can be used in premises where healthcare is provided, is also in scope.
This document applies to information in all its aspects, whatever form the information takes (including text and numbers, sound recordings, drawings, images and video), by whatever means it has been acquired or captured, whatever means are used to store it (such as printing or writing on paper or storage electronically), and whatever means are used to transfer or exchange it (orally, by hand, by post, movement of storage media, direct links or networking).
This document is for organizations of all types and sizes that provide healthcare or are custodians of personal health information for other reasons. The information that they are responsible for can be stored and processed in many possible ways and locations, including on premises or in the cloud, but remains in scope.
This document applies to all physical settings where healthcare is intended to be delivered, such as hospitals, clinics and other locations or facilities designated for healthcare purposes such as ambulances and mobile imaging or diagnostic units. It also applies to care provided elsewhere, such as in residential premises. In addition to the range of settings, this document applies to all methods of service provision including remote or virtual healthcare.

  • Draft
    82 pages
    English language
    sale 10% off
    e-Library read for
    1 day
SIST
oSIST prEN 13608-2:2006
Health informatics - Security for healthcare communication - Part 2: Secure data objects
prEN 13608-2
  • Draft
    22 pages
    English language
    sale 10% off
    e-Library read for
    1 day
SIST
SIST EN IEC 81001-5-1:2022(Main)
Health software and health IT systems safety, effectiveness and security - Part 5-1: Security - Activities in the product life cycle (IEC 81001-5-1:2021)
EN IEC 81001-5-1:2022

This document defines the LIFE CYCLE requirements for development and maintenance of HEALTH SOFTWARE needed to support conformance to IEC 62443-4-1[11] – taking the specific needs for HEALTH SOFTWARE into account. The set of PROCESSES, ACTIVITIES, and TASKS described in this document establishes a common framework for secure HEALTH SOFTWARE LIFE CYCLE PROCESSES. An informal overview of activities for HEALTH SOFTWARE is shown in Figure 2.
[Figure 2]
[derived from IEC 62304:2006[8], Figure 2]
Figure 2 - HEALTH SOFTWARE LIFE CYCLE PROCESSES
The purpose is to increase the CYBERSECURITY of HEALTH SOFTWARE by establishing certain ACTIVITIES and TASKS in the HEALTH SOFTWARE LIFE CYCLE PROCESSES and also by increasing the SECURITY of SOFTWARE LIFE CYCLE PROCESSES themselves.
It is important to maintain an appropriate balance of the key properties SAFETY, effectiveness and SECURITY as discussed in ISO 81001-1[17].
This document excludes specification of ACCOMPANYING DOCUMENTATION contents.

  • Standard
    59 pages
    English language
    sale 10% off
    e-Library read for
    1 day