INTERNATIONAL STANDARD ISO 22600-1
First edition 2014-10-01

Health informatics - Privilege management and access control - Part 1: Overview and policy management

Informatique de santé - Gestion de privilèges et contrôle d'accès - Partie 1: Vue d'ensemble et gestion des politiques

Reference number ISO 22600-1:2014(E)

Copyright International Organization for Standardization. No reproduction or networking permitted without license from IHS. Not for Resale.

COPYRIGHT PROTECTED DOCUMENT

© ISO 2014

All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.

ISO copyright office
Case postale 56, CH-1211 Geneva 20
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
E-mail [email protected]
Web www.iso.org

Published in Switzerland

Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviated terms
5 Goal and structure of privilege management and access control
  5.1 Goal of privilege management and access control
  5.2 Structure of privilege management and access control
6 Policy agreement
  6.1 Overview
  6.2 Identification
  6.3 Patient consent
  6.4 Patient privacy
  6.5 Information identification
  6.6 Information location
  6.7 Information integrity
  6.8 Security
  6.9 Authorization
  6.10 Role structures
  6.11 Assignment and attestation authorities
  6.12 Delegation rights
  6.13 Validity time
  6.14 Authentication of users/roles
  6.15 Access
  6.16 Policy agreement validity period
  6.17 Ethics
  6.18 Secure audit trail
  6.19 Audit check
  6.20 Risk analysis
  6.21 Continuity and disaster management
  6.22 Future system developments
7 Documentation
Annex A (informative) Example of a documentation template
Annex B (informative) Example of an information exchange policy agreement
Bibliography
ISO 22600-1:2014 Health informatics — Privilege management and access control — Part 1: Overview and policy management