NF EN ISO 27789
Health informatics - Audit trails for electronic health records
ISO 27789:2013 specifies a common framework for audit trails for electronic health records (EHR), in terms of audit trigger events and audit data, to keep the complete set of personal health information auditable across information systems and domains. It is applicable to systems processing personal health information which, complying with ISO 27799, create a secure audit record each time a user accesses, creates, updates or archives personal health information via the system. ISO 27789:2013 covers only actions performed on the EHR, which are governed by the access policy for the domain where the electronic health record resides. It does not deal with any personal health information from the electronic health record, other than identifiers, the audit record only containing links to EHR segments as defined by the governing access policy. It does not cover the specification and use of audit logs for system management and system security purposes, such as the detection of performance problems, application flaw, or support for a reconstruction of data, which are dealt with by general computer security standards such as ISO/IEC 15408-2.
ISO 27789:2013 specifies a common framework for audit trails for electronic health records (EHR), in terms of audit trigger events and audit data, to keep the complete set of personal health information auditable across information systems and domains.
It is applicable to systems processing personal health information which, complying with ISO 27799, create a secure audit record each time a user accesses, creates, updates or archives personal health information via the system.
ISO 27789:2013 covers only actions performed on the EHR, which are governed by the access policy for the domain where the electronic health record resides. It does not deal with any personal health information from the electronic health record, other than identifiers, the audit record only containing links to EHR segments as defined by the governing access policy.
It does not cover the specification and use of audit logs for system management and system security purposes, such as the detection of performance problems, application flaw, or support for a reconstruction of data, which are dealt with by general computer security standards such as ISO/IEC 15408-2.
<p>This document specifies a common framework for audit trails for electronic health records (EHR), in terms of audit trigger events and audit data, to keep the complete set of personal health information auditable across information systems and domains.</p> <p>It is applicable to systems processing personal health information that create a secure audit record each time a user reads, creates, updates, or archives personal health information via the system.</p> <p>NOTE Such audit records at a minimum uniquely identify the user, uniquely identify the subject of care, identify the function performed by the user (record creation, read, update, etc.), and record the date and time at which the function was performed.</p> <p>This document covers only actions performed on the EHR, which are governed by the access policy for the domain where the electronic health record resides. It does not deal with any personal health information from the electronic health record, other than identifiers, the audit record only containing links to EHR segments as defined by the governing access policy.</p> <p>It does not cover the specification and use of audit logs for system management and system security purposes, such as the detection of performance problems, application flaw, or support for a reconstruction of data, which are dealt with by general computer security standards such as ISO/IEC 15408 (all parts)<sup>[9]</sup>.</p> <p>Annex A gives examples of audit scenarios. Annex B gives an overview of audit log services.</p>
- Avant-proposiv
-
0 Introductionv
-
1 Domaine d'application1
-
2 Références normatives1
-
3 Termes et définitions1
-
4 Symboles et abréviations5
-
5 Exigences et usages des données d'expertise5
-
5.1 Exigences éthiques et formelles5
-
5.2 Usages des données d'expertise6
-
6 Événements déclencheurs7
-
6.1 Généralités7
-
6.2 Détails des types d'événements et de leur contenu7
-
7 Détails des enregistrements d'expertise8
-
7.1 Format d'enregistrement général8
-
7.2 Identification de l'événement déclencheur9
-
7.3 Identification de l'utilisateur12
-
7.4 Identification de point d'accès15
-
7.5 Identification de la source d'expertise16
-
7.6 Identification de l'objet participant18
-
8 Enregistrements d'expertise des événements individuels24
-
8.1 Événements d'accès24
-
8.2 Événements de requêtes25
-
9 Gestion sécurisée des données d'expertise27
-
9.1 Considérations de sécurité27
-
9.2 Sécuriser la disponibilité du système d'expertise27
-
9.3 Exigences de conservation27
-
9.4 Sécuriser la confidentialité et l'intégrité des historiques d'expertise27
-
9.5 Accès aux données d'expertise28
- Annexe A (informative) Scénarios d'expertise29
- Annexe B (informative) Services de rapport d'expertise36
- Bibliographie46
COBAZ is the simple and effective solution to meet the normative needs related to your activity, in France and abroad.
Available by subscription, CObaz is THE modular solution to compose according to your needs today and tomorrow. Quickly discover CObaz!
Request your free, no-obligation live demo
I discover COBAZ