SIST EN ISO 27789:2021
Health informatics -- Audit trails for electronic health records (ISO 27789:2021)
This document specifies a common framework for audit trails for electronic health records (EHR), in terms of audit trigger events and audit data, to keep the complete set of personal health information auditable across information systems and domains.
It is applicable to systems processing personal health information that create a secure audit record each time a user reads, creates, updates, or archives personal health information via the system.
NOTE Such audit records at a minimum uniquely identify the user, uniquely identify the subject of care, identify the function performed by the user (record creation, read, update, etc.), and record the date and time at which the function was performed.
This document covers only actions performed on the EHR, which are governed by the access policy for the domain where the electronic health record resides. It does not deal with any personal health information from the electronic health record, other than identifiers, the audit record only containing links to EHR segments as defined by the governing access policy.
It does not cover the specification and use of audit logs for system management and system security purposes, such as the detection of performance problems, application flaws, or support for a reconstruction of data, which are dealt with by general computer security standards such as ISO/IEC 15408 (all parts) [9].
Annex A gives examples of audit scenarios. Annex B gives an overview of audit log services.
Medizinische Informatik - Audit-Trails für elektronische Gesundheitsakten (ISO 27789:2021)
Informatique de santé -- Historique d'expertise des dossiers de santé informatisés (ISO 27789:2021)
Zdravstvena informatika - Revizijske sledi za elektronske zdravstvene zapise (ISO 27789:2021)
Standards Content (Sample)
SLOVENIAN STANDARD
1 December 2021
Supersedes:
SIST EN ISO 27789:2013
Zdravstvena informatika - Revizijske sledi za elektronske zdravstvene zapise (ISO 27789:2021)
Health informatics -- Audit trails for electronic health records (ISO 27789:2021)
Medizinische Informatik - Audit-Trails für elektronische Gesundheitsakten (ISO 27789:2021)
Informatique de santé -- Historique d'expertise des dossiers de santé informatisés (ISO 27789:2021)
This Slovenian standard is identical to: EN ISO 27789:2021
ICS: 35.240.80 IT applications in health care technology
2003-01. Slovenian Institute for Standardization. Reproduction of this standard in whole or in part is not permitted.
EN ISO 27789
EUROPEAN STANDARD
NORME EUROPÉENNE
EUROPÄISCHE NORM
October 2021
ICS 35.240.80 Supersedes EN ISO 27789:2013
English Version
Health informatics - Audit trails for electronic health records (ISO 27789:2021)
Informatique de santé - Historique d'expertise des dossiers de santé informatisés (ISO 27789:2021)
Medizinische Informatik - Audit-Trails für elektronische Gesundheitsakten (ISO 27789:2021)
This European Standard was approved by CEN on 15 August 2021.
CEN members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this
European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical references
concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to any CEN
member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by
translation under the responsibility of a CEN member into its own language and notified to the CEN-CENELEC Management
Centre has the same status as the official versions.
CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia,
Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway,
Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and
United Kingdom.
EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION
EUROPÄISCHES KOMITEE FÜR NORMUNG
CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels
© 2021 CEN All rights of exploitation in any form and by any means reserved worldwide for CEN national Members.
Ref. No. EN ISO 27789:2021 E
Contents ... Page
European foreword ... 3
European foreword
This document (EN ISO 27789:2021) has been prepared by Technical Committee ISO/TC 215 “Health
informatics” in collaboration with Technical Committee CEN/TC 251 “Health informatics”, the
secretariat of which is held by NEN.
This European Standard shall be given the status of a national standard, either by publication of an
identical text or by endorsement, at the latest by April 2022, and conflicting national standards shall be
withdrawn at the latest by April 2022.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CEN shall not be held responsible for identifying any or all such patent rights.
This document supersedes EN ISO 27789:2013.
Any feedback and questions on this document should be directed to the users’ national standards
body/national committee. A complete listing of these bodies can be found on the CEN website.
According to the CEN-CENELEC Internal Regulations, the national standards organizations of the
following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria,
Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland,
Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of
North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the
United Kingdom.
Endorsement notice
The text of ISO 27789:2021 has been approved by CEN as EN ISO 27789:2021 without any modification.
INTERNATIONAL STANDARD ISO 27789
Second edition
2021-10
Health informatics — Audit trails for electronic health records
Informatique de santé — Historique d'expertise des dossiers de santé informatisés
Reference number
ISO 27789:2021(E)
© ISO 2021
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Contents ... Page
Foreword ... v
Introduction ... vi
1 Scope ... 1
2 Normative references ... 1
3 Terms and definitions ... 1
4 Abbreviated terms ... 5
5 Requirements and uses of audit data ... 5
5.1 Ethical and formal requirements ... 5
5.1.1 General ... 5
5.1.2 Access policy ... 5
5.1.3 Unambiguous identification of information system users ... 6
5.1.4 User roles ... 6
5.1.5 Secure audit records ... 6
5.2 Uses of audit data ... 6
5.2.1 Governance and supervision ... 6
5.2.2 Subjects of care exercising their rights ... 7
5.2.3 Evidence and retention requirements ... 7
6 Trigger events ... 7
6.1 General ... 7
6.2 Details of the event types and their contents ... 8
6.2.1 Access events to the personal health information ... 8
6.2.2 Query events to the personal health information ... 8
7 Audit record details ... 8
7.1 The general record format ... 8
7.2 Trigger event identification ... 10
7.2.1 Event ID ... 10
7.2.2 Event action code ... 11
7.2.3 Event date and time ... 11
7.2.4 Event outcome indicator ... 12
7.2.5 Event type code ... 12
7.3 User identification ... 12
7.3.1 User ID ... 12
7.3.2 Alternative user ID ... 13
7.3.3 User name ... 13
7.3.4 User is requestor ... 13
7.3.5 Role ID code ... 13
7.3.6 Purpose of use ... 14
7.4 Access point identification ... 15
7.4.1 Network access point type code ... 15
7.4.2 Network access point ID ... 16
7.5 Audit source identification ... 16
7.5.1 Overview ... 16
7.5.2 Audit enterprise site ID ... 17
7.5.3 Audit source ID ... 17
7.5.4 Audit source type code ... 17
7.6 Participant object identification ... 18
7.6.1 Overview ... 18
7.6.2 Participant object type code ... 19
7.6.3 Participant object type code role ... 19
7.6.4 Participant object data life cycle and record entry lifecycle events ... 20
7.6.5 Participant object ID type code ... 22
7.6.6 Participant object Permission PolicySet ... 23
7.6.7 Participant object sensitivity ... 23
7.6.8 Participant object ID ... 24
7.6.9 Participant object name ... 24
7.6.10 Participant object query ... 24
7.6.11 Participant object detail, Participant object description ... 24
8 Audit records for individual events ... 25
8.1 Access events ... 25
8.2 Query events ... 26
9 Secure management of audit data ... 28
9.1 Security considerations ... 28
9.2 Securing the availability of the audit system ... 28
9.3 Retention requirements ... 29
9.4 Securing the confidentiality and integrity of audit trails ... 29
9.5 Access to audit data ... 29
Annex A (informative) Audit scenarios ... 30
Annex B (informative) Audit log services ... 36
Bibliography ... 45
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to
the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see
www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/TC 215, Health informatics, in collaboration
with the European Committee for Standardization (CEN) Technical Committee CEN/TC 251, Health
informatics, in accordance with the Agreement on technical cooperation between ISO and CEN (Vienna
Agreement).
This second edition cancels and replaces the first edition (ISO 27789:2013), which has been technically
revised.
The main changes are as follows:
— harmonization between audit record format and DICOM format;
— review of the content in Annex A;
— review of the chart in Annex B;
— bibliography update.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html.
Introduction
0.1 General
Personal health information is regarded by many as among the most confidential of all types of personal
information and protecting its confidentiality is essential to maintain the privacy of subjects of care. In
order to protect the consistency of health information, it is also important that its entire life cycle be
fully auditable. Health records should be created, processed and managed in ways that guarantee the
integrity and confidentiality of their contents and that support legitimate control by subjects of care in
how the records are created, used and maintained.
Trust in electronic health records requires physical and technical security elements along with data
integrity elements. Among the most important of all security requirements to protect personal health
information and the integrity of records are those relating to audit and logging. These help to ensure
accountability for subjects of care who entrust their information to electronic health record (EHR)
systems. They also help to protect record integrity, as they provide a strong incentive to users of such
systems to conform to organizational policies on the use of these systems.
Effective audit and logging can help to uncover misuse of EHR systems or EHR data and can help
organisations and subjects of care obtain redress against users abusing their access privileges. For
auditing to be effective, it is necessary that audit trails contain sufficient information to address a wide
variety of circumstances (see Annex A).
Audit logs are complementary to access controls. The audit logs provide a means to assess conformity
with organizational access policy and can contribute to improving and refining the policy itself. But as
such a policy needs to anticipate the occurrence of unforeseen or emergency cases, analysis of the audit
logs becomes the primary means of ensuring access control for those cases.
This document is strictly limited in scope to logging of events. Changes to data values in fields of
an EHR are presumed to be recorded in the EHR database system itself and not in the audit log. It is
presumed that the EHR system itself contains both the previous and updated values of every field. This
is consistent with contemporary point-in-time database architectures. The audit log itself is presumed
to contain no personal health information other than identifiers and links to the record.
Electronic health records on an individual person can reside in many different information systems
within and across organisational or even jurisdictional boundaries. To keep track of all actions that
involve records on a particular subject of care, a common framework is a prerequisite. This document
provides such a framework. To support audit trails across distinct domains, it is essential to include
references in this framework to the policies that specify the requirements within the domain,
such as access control rules and retention periods. Domain policies may be referenced implicitly by
identification of the audit log source.
0.2 Benefits of using this document
Standardization of audit trails on access to electronic health records aims at two goals:
— ensuring that information captured in an audit log is sufficient to clearly reconstruct a detailed
chronology of the events that have shaped the content of an electronic health record;
— ensuring that an audit trail of actions relating to a subject of care’s record can be reliably followed,
even across organizational domains.
This document is intended for those responsible for overseeing health information security or privacy
and for healthcare organizations and other custodians of health information seeking guidance on audit
trails, together with their security advisors, consultants, auditors, vendors and third-party service
providers.
0.3 Related standards on electronic health record audit trails
This document builds upon, and is consistent with, the work begun in RFC 3881 with respect to access
to the EHR. This document also builds upon and is consistent with the content in ISO/TS 21089:2018.
INTERNATIONAL STANDARD ISO 27789:2021(E)
Health informatics — Audit trails for electronic health
records
1 Scope
This document specifies a common framework for audit trails for electronic health records (EHR), in
terms of audit trigger events and audit data, to keep the complete set of personal health information
auditable across information systems and domains.
It is applicable to systems processing personal health information that create a secure audit record
each time a user reads, creates, updates, or archives personal health information via the system.
NOTE Such audit records at a minimum uniquely identify the user, uniquely identify the subject of care,
identify the function performed by the user (record creation, read, update, etc.), and record the date and time at
which the function was performed.
This document covers only actions performed on the EHR, which are governed by the access policy
for the domain where the electronic health record resides. It does not deal with any personal health
information from the electronic health record, other than identifiers, the audit record only containing
links to EHR segments as defined by the governing access policy.
It does not cover the specification and use of audit logs for system management and system
security purposes, such as the detection of performance problems, application flaws, or support for
a reconstruction of data, which are dealt with by general computer security standards such as
ISO/IEC 15408 (all parts) [9].
Annex A gives examples of audit scenarios. Annex B gives an overview of audit log services.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO 27799:2016, Health informatics — Information security management in health using ISO/IEC 27002
ISO 8601-1, Date and time — Representations for information interchange — Part 1: Basic rules
ISO/TS 21089:2018, Health informatics — Trusted end-to-end information flows
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/TS 21089:2018 and the
following terms and definitions apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1
access control
means to ensure that access to assets is authorized and restricted based on business and security
requirements
[SOURCE: ISO/IEC 27000:2018, 3.1]
3.2
access policy
definition of the obligations for authorizing access to a resource
3.3
accountability
obligation of an individual or organization to account for its activities, for completion of a deliverable
or task, accept responsibility for those activities, deliverables or tasks, and to disclose the results in a
transparent manner
[SOURCE: ISO/TS 21089:2018, 3.3.1]
3.4
agent
entity that takes programmed actions, such as software or a device
[SOURCE: ISO/TS 21089:2018, 3.6.4]
3.5
alert
what is sent when the monitor service notices that a series of events matches a pattern
3.6
audit
independent review and examination of records and activities to assess the adequacy of system
controls, to ensure compliance with established policies and operational procedures, and to recommend
necessary changes in controls, policies or procedures
[SOURCE: ISO/TS 21089:2018, 3.20]
3.7
audit archive
archival collection of one or more audit logs
3.8
audit data
data obtained from one or more audit records
3.9
audit log
chronological sequence of audit records, each of which contains data about a specific event
3.10
audit record
record of a single specific event in the life cycle of an electronic health record
3.11
audit system
information processing system that maintains one or more audit logs
3.12
audit trail
chronological record of system activities that is sufficient to enable the reconstruction, reviewing and
examination of the sequence of environments and activities surrounding or leading to an operation, a
procedure, or an event in a transaction from its inception to final results
[SOURCE: GCST]
3.13
authentication
provision of assurance that a claimed characteristic of an entity is correct
[SOURCE: ISO/IEC 27000:2018, 3.5]
3.14
authorization
granting of rights, which includes the granting of access based on access rights
[SOURCE: ISO/IEC 2382:2015, 2126256, modified — Notes to entry deleted.]
3.15
availability
property of being accessible and useable upon demand by an authorized entity
[SOURCE: ISO/IEC 27000:2018, 3.7]
3.16
confidentiality
property that information is not made available or disclosed to unauthorized individuals, entities, or
processes
[SOURCE: ISO/IEC 27000:2018, 3.10]
3.17
coordinated universal time
UTC
time scale which forms the basis of a coordinated radio dissemination of standard frequencies and time
signals
Note 1 to entry: UTC corresponds exactly in rate with international atomic time, but differs from it by an integral
number of seconds.
[SOURCE: IEC 60050-713:1998, 05-20]
3.18
data integrity
property of data whose accuracy and consistency are preserved regardless of changes made
[SOURCE: ISO 2382:2015, 2126247, modified — Notes to entry deleted.]
3.19
electronic health record
EHR
repository of (organized sets of) information regarding the health status of a subject of care, in
computer processable form
[SOURCE: ISO/TR 20514:2005, 2.11, modified — Text in parenthesis added.]
3.20
electronic health record segment
EHR segment
part of an electronic health record that constitutes a distinct resource for the access policy
3.21
identification
process of recognizing the attributes that identify the object
[SOURCE: ISO 16678:2014, 2.1.7]
3.22
identifier
one or more characters used to identify or name a data element and possibly to indicate certain
properties of that data element
[SOURCE: ISO/IEC 2382:2015, 2121623]
3.23
information security
preservation of confidentiality, integrity and availability of information
[SOURCE: ISO/IEC 27000:2018, 3.28]
3.24
integrity
property of accuracy and completeness
[SOURCE: ISO/IEC 27000:2018, 3.36]
3.25
object identifier
OID
globally unique identifier for an information object
Note 1 to entry: The object identifiers used in this document refer to code systems. These code systems can be
defined in a standard or locally defined per implementation. The object identifier is specified using the Abstract
Syntax Notation One (ASN.1) defined in ISO/IEC 8824-1 and ISO/IEC 8824-2.
3.26
policy
set of rules related to a particular purpose
Note 1 to entry: A rule can be expressed as an obligation, an authorization, a permission or a prohibition.
[SOURCE: ISO 19101-2:2018, modified — Note 1 to entry added]
3.27
privilege
capacity assigned to an entity by an authority
3.28
records management
field of management responsible for control of creation, receipt, maintenance, use and disposition of
records, including processes for capturing and maintaining evidence of and information about business
activities and transactions in the form of records
[SOURCE: ISO 15489-1:2016, 3.15, modified]
3.29
role
set of competences and/or performances associated with a task
3.30
security policy
plan or course of action adopted for providing computer security
[SOURCE: ISO/IEC 2382:2015, 2126246, modified — Notes to entry deleted.]
3.31
sensitivity
measure of the potential or perceived potential to abuse or misuse data about subjects or to harm them
3.32
subject of care
person or defined groups of persons receiving or registered as eligible to receive healthcare services or
having received healthcare services
Note 1 to entry: For example, a patient, client, customer, or health plan member.
[SOURCE: ISO/TS 17975:2015, modified — Note to entry added.]
3.33
user
person or other entity authorized by a provider to use some or all of the services provided by the
provider
Note 1 to entry: Also, human being using the system to issue requests to objects in order to get them to perform
functions in the system on his/her behalf.
[SOURCE: COACH; OMG]
4 Abbreviated terms
HL7 ® Health Level Seven
EV Enumerated Value
5 Requirements and uses of audit data
5.1 Ethical and formal requirements
5.1.1 General
Healthcare providers have their professional ethical responsibilities to meet. Among these are protecting
the privacy of subjects of care and documenting the findings and activities of care. Restricting access to
health records and ensuring their appropriate use are both essential requirements in healthcare and in
many jurisdictions, these requirements are set down in law.
Secure audit trails of access to electronic health records can support conformity with professional
ethics, organizational policies and legislation, but they are not sufficient in themselves to assess
completeness of an electronic health record.
5.1.2 Access policy
Access to the audit trail shall be governed by an access policy. This policy should be determined by the
organization responsible for maintaining the audit log.
The access policy shall be in accordance with ISO 27799:2016, 9.1.1.
NOTE 1 The access policy is presumed to define an EHR segment structure.
NOTE 2 In the audit record the access policy is identified by the audit log source.
Guidance on specifying and implementing access policies can be found in ISO 22600 (all parts) [6]. A field
“Participant object Permission PolicySet” is defined in 7.6.6 to support referencing the actual policies in
the audit record.
5.1.3 Unambiguous identification of information system users
The audit trails shall provide sufficient data to unambiguously identify all authorized health information
system users. Users of the information system can be persons, but also other entities.
The audit trails shall provide sufficient data to determine which authorized users and external systems
have accessed or been sent health record data from the system.
5.1.4 User roles
The audit trail shall show the role of the user while performing the recorded action on personal health
information.
Information systems processing personal health information should support role-based access control
capable of mapping each user to one or more roles, and each role to one or more system functions, as
recommended in ISO 27799:2016, 9.2.3.
Functional and structural roles are documented in ISO 21298 [4]. Additional guidance on privilege
management in health is given by ISO 22600 (all parts) [6].
5.1.5 Secure audit records
Secure audit records, in accordance with ISO 27799:2016, 12.4.1, shall be created each time personal
health information is read, created, updated, or archived. The audit records shall be maintained by
secure records management.
5.2 Uses of audit data
5.2.1 Governance and supervision
The audit trails shall provide data to enable responsible authorities to assess conformity with the
organization’s policy and to evaluate its effectiveness.
This implies:
— detecting unauthorized access to health records,
— evaluating emergency access, and
— detecting abuse of privileges,
and support for:
— documenting access across domains, and
— evaluation of access policies.
NOTE Full assessment of conformity with the organization’s policy can require additional data that is not
contained in the audit record, such as user information, permission tables or records on physical entry to secured
rooms. See Annex B for audit log services.
The audit trails shall provide sufficient data to determine all access within a defined time period to the
records of subjects of care, by a specified user.
The audit trails shall provide sufficient data to determine all access within a defined time period to the
records of subjects of care that are marked to be at elevated risk of privacy breaches.
5.2.2 Subjects of care exercising their rights
The audit trails shall provide sufficient data to subjects of care to enable
— assessing which authorized user(s) have accessed his/her health record and when,
— assessing accountability for the content of the record,
— determination of conformity with the subject of care's consent directives on access to or disclosure
of the subject of care's data, and
— determination of emergency access (if any) granted by a user to the subject of care's record, including
the identification of the user, time of access and location where accessed from.
5.2.3 Evidence and retention requirements
The audit trails shall hold data (that care providers can use as documentary evidence) to determine
which actions were taken (create, look-up, read, correct, update, extract, output, archive, etc.) in relation
to the information, as well as when and by whom.
Audit records shall be retained in accordance with the retention policy as specified in 9.3.
The following documents provide guidance and further information:
— ISO/TS 21089;
— ISO/HL7 10781 [20].
6 Trigger events
6.1 General
The audit events (trigger events) that cause the audit system to generate audit records are defined
according to each health information system’s scale, purpose, and the contents of privacy and security
policies. As the scope of this document is limited to personal health information, only trigger events
relating to access and query of such information are specified here.
In order to generate the audit records that satisfy the requirements derived from Clause 5 (i.e. “when”,
“who”, “whose”), audit records shall be generated for the following two events:
— Access events to personal health information;
— Query events about personal health information.
Examples of out-of-scope events are:
a) Start and stop events of the application program;
b) Authentication events involving authentication of users;
c) Input and output events from/to the external environment;
d) Access events to information other than personal health information;
e) Security alert events related to the application programs;
f) Access events to the audit log preserved in the application programs;
g) Events generated by the operating system, middleware and so on;
h) Access events generated by using system utilities;
i) Physical connection/disconnection events of equipment to the network;
j) Start/stop events of the protection systems such as anti-virus protection systems;
k) Software update events involving software modification or patch programs.
6.2 Details of the event types and their contents
6.2.1 Access events to the personal health information
In this document, access to the personal health information is regarded as an audit event. Here
“access” means the creation, reading, update or deletion of data. The contents of the audit log provide
the information about the access: “when”, “who” and “access to whose” data to be protected. Table 1
describes the contents of access events.
Table 1 — Access events
Event | Contents
Access events to the personal health information | When, Who, Access to whose
6.2.2 Query events to the personal health information
Querying an EHR database in order to obtain personal health information is regarded as an auditable
event. The query event is the query action itself; the reference to the personal health information
resulting from the query is regarded as the access event. The contents of the audit record provide the
information about the query: “when”, “who” and “what condition for querying”. Table 2 describes the
contents of query events.
Table 2 — Query events
Event | Contents
Query events to the personal health information | When, Who, What condition for querying
7 Audit record details
7.1 The general record format
Table 3 describes the general format of the audit records. Regarding the record contents of each
event, see Clause 8. The record format is defined after RFC 3881 [13] and ISO 12052 (DICOM PS3.15) [1],
with addition of the optional fields PurposeOfUse and ParticipantObjectPolicySet.
Table 3 — General format of the audit records
Type | Field name | Option | Description | Additional info.
Event related (1) | EventID | M | ID for the audited event | See 7.2
 | EventActionCode | M | Type of action performed during the audited event |
 | EventDateTime | M | Date/time of the audited event occurrence |
 | EventOutcomeIndicator | U | Success or failure of the event |
 | EventTypeCode | U | The category of the event |
User related (1.2) | UserID | M | ID for the person or process | See 7.3
 | AlternateUserID | U | Alternative ID for user or process |
 | UserName | U | Name of user or process |
 | UserIsRequestor | U | Indicator that the user is or is not the requestor |
 | RoleIDCode | U | Specification of the role the user plays when performing the event |
 | PurposeOfUse | U | Code for the purpose of use of the data accessed |
 | NetworkAccessPointTypeCode | U | Type of network access point | See 7.4
 | NetworkAccessPointID | U | ID for network access point |
Audit system related (1) | AuditEnterpriseSiteID | U | Site ID of audit enterprise | See 7.5
 | AuditSourceID | M | Unique ID of audit source |
 | AuditSourceTypeCode | U | Type code of audit source |
Participant object related (0.N) | ParticipantObjectTypeCode | M | Code for the participant object type |
Multiplicity:
(1) :Only 1 exists,
(0.1) :0 or 1 exists,
(1.2) :1 or 2 exist(s)
(0.N) :0 to N exist(s)
Optionality:
M :Mandatory
MC :Conditional Mandatory
U :Optional
M/U :Mandatory or Optional related to events
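As an added example (not code from ISO 27789 or from any implementation it cites), the following Python models the record layout of Table 3 with its field names, checks the mandatory fields and the (1.2)/(0.N) multiplicities, and answers the two supervision questions of 5.2.1 over a constructed log. The action code "E" for query events, the type code 1 for a person, and every identifier in the sample log are assumptions of this example.

```python
"""Added example; not code from ISO 27789 or any implementation it cites.
Models the audit record format of Table 3, checks M/U optionality and the
(1.2)/(0.N) multiplicities, and runs the 5.2.1 supervision queries."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set, Tuple

# "Access" in 6.2.1 means creation, reading, update or deletion -> C/R/U/D.
# "E" (execute) for query events (6.2.2) is an assumption of this example.
ACTION_CODES = {"C", "R", "U", "D", "E"}
PERSON = 1  # ParticipantObjectTypeCode for a subject of care (assumed value)


@dataclass
class ActiveParticipant:
    """'User related' rows of Table 3; the group occurs 1 or 2 times (1.2)."""
    UserID: str                                  # M
    UserIsRequestor: bool = True                 # U
    UserName: Optional[str] = None               # U
    RoleIDCode: Optional[str] = None             # U, see 5.1.4
    NetworkAccessPointID: Optional[str] = None   # U, see 7.4


@dataclass
class ParticipantObject:
    """'Participant object related' rows; 0 to N per record. Identifiers and
    links only, never clinical content (Clause 1)."""
    ParticipantObjectTypeCode: int               # M
    ParticipantObjectID: str                     # subject of care or EHR segment


@dataclass
class AuditRecord:
    """One event in the life cycle of an EHR (3.10), laid out as in Table 3."""
    EventID: str                                 # M
    EventActionCode: str                         # M
    EventDateTime: datetime                      # M, UTC (3.17), ISO 8601-1
    AuditSourceID: str                           # M, identifies the domain policy
    users: List[ActiveParticipant]               # (1.2)
    objects: List[ParticipantObject] = field(default_factory=list)  # (0.N)


def validate(rec: AuditRecord) -> List[str]:
    """Return every Table 3 constraint the record violates (empty list = ok)."""
    problems = []
    for name in ("EventID", "EventActionCode", "AuditSourceID"):
        if not getattr(rec, name):
            problems.append(f"{name} is mandatory")
    if rec.EventActionCode and rec.EventActionCode not in ACTION_CODES:
        problems.append(f"EventActionCode {rec.EventActionCode!r} unknown")
    if rec.EventDateTime.tzinfo is None:
        problems.append("EventDateTime must carry a UTC offset")
    if not 1 <= len(rec.users) <= 2:
        problems.append("user related group must occur 1 or 2 times")
    problems += ["UserID is mandatory" for u in rec.users if not u.UserID]
    return problems


def _subjects(rec: AuditRecord) -> Set[str]:
    """IDs of the subjects of care whose records this event touched."""
    return {o.ParticipantObjectID for o in rec.objects
            if o.ParticipantObjectTypeCode == PERSON}


def accesses_by_user(log, user_id: str, start: datetime, end: datetime):
    """5.2.1: all access within a period to records of subjects of care by a user."""
    return [r.EventID for r in log if start <= r.EventDateTime <= end
            and any(u.UserID == user_id for u in r.users) and _subjects(r)]


def accesses_to_flagged(log, flagged: Set[str], start: datetime, end: datetime):
    """5.2.1: all access within a period to records of subjects of care marked at
    elevated risk; the marking lives outside the record, so it is passed in."""
    return [r.EventID for r in log if start <= r.EventDateTime <= end
            and _subjects(r) & flagged]


T0 = datetime(2021, 10, 1, 8, 0, tzinfo=timezone.utc)   # constructed epoch


def window(hours: int) -> Tuple[datetime, datetime]:
    """The period [T0, T0 + hours] handed to the queries."""
    return T0, T0 + timedelta(hours=hours)


def _rec(eid, action, minutes, user, subject, role="nurse") -> AuditRecord:
    return AuditRecord(EventID=eid, EventActionCode=action,
                       EventDateTime=T0 + timedelta(minutes=minutes),
                       AuditSourceID="urn:example:ehr-ward-3",  # constructed
                       users=[ActiveParticipant(UserID=user, RoleIDCode=role)],
                       objects=[ParticipantObject(PERSON, subject)])


# Constructed sample log: identifiers only, as Clause 1 requires of audit records.
SAMPLE_LOG = [
    _rec("ev-1", "R", 0, "nurse-17", "pat-0001"),
    _rec("ev-2", "U", 30, "doc-04", "pat-0002", role="physician"),
    _rec("ev-3", "R", 90, "nurse-17", "pat-0002"),
    _rec("ev-4", "R", 600, "nurse-17", "pat-0003"),
]


def bad_record() -> AuditRecord:
    """A record breaking four Table 3 constraints, for validate() to report."""
    return AuditRecord("ev-9", "X", datetime(2021, 10, 1, 8, 0), "", [])
```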
...