The distributed architecture of shared care information systems is increasingly based on networks. For meeting the interoperability challenge, the use of standardised user interfaces, tools and protocols, which ensures platform independence, is growing and consequently the number of really open information systems based on corporate networks and virtual private networks has also been rapidly growing during the last couple of years.
This multi part International Standard defines privilege management and access control services required for communication and use of distributed health information across policy domain boundaries.
The document introduces principles and specifies services needed for managing privileges and access control. It specifies the necessary component based concepts and is intended to support their technical implementation. It will not specify the use of these concepts in particular clinical process pathways.
This International Standard is strongly related to other ISO/TC 215 work such as ISO 17090 “Public Key Infrastructure”, ISO 22857 “Health Informatics – Guidelines on data protection to facilitate transborder flows of personal health information” and ISO 21091 ”Health informatics - Directory services for security, communications and identification of professional and patient”. It is also related to the work in progress on ISO/TS 21298 “Health informatics – Functional and structural roles”.
This International Standard is intended to support the needs of healthcare information sharing across unaffiliated providers of healthcare, healthcare organisations, health insurance companies, their patients, staff members and trading partners.
This International Standard is intended to support inquiries from both individuals and application systems.
This multi part International Standard Specification defines methods for managing authorisation and access control to data and/or functions. It accommodates policy bridging. It is based on a conceptual model where local authorisation servers and cross border directory and policy repository services can assist access control in various applications (software components). The policy repository provides information on rules for access to various application functions based on roles and other attributes.
The directory service enables identification of the individual user. The granted access will be based on four aspects:
The authenticated identification of the user
The rules for access to a specific information object including purpose of use
The rules regarding authorisation attributes linked to the user provided by the authorisation manager
The functions of the specific application
This International Standard should be used in a perspective ranging from a local situation to a regional or national. One of the key points in these perspectives is to have organisational criteria combined with authorisation profiles agreed upon from both the requesting and delivering side in a written Policy Agreement.
The International Standard supports collaboration between several authorisation managers that may operate over organisational and policy borders. The collaboration is defined in a Policy Agreement, signed by all involved organisations, and constitutes the set of rules for the operation.
In Part1, a documentation format is proposed, as a template for representing the Policy Agreement, which makes it possible to obtain comparable documentation from all parties involved in the information exchange.
This International Standard excludes platform-specific and implementation details. It does not specify technical communication services and protocols which have been established in other standards. It also excludes authentication techniques.