ISO/TS TECHNICAL SPECIFICATION 14441 First edition 2013-12-15 Health informatics Security and privacy requirements of EHR systems for use in conformity assessment Informatique de santé - Sécurité et exigences d'intimité des systemes de EHR pour I'évaluation de la conformité Reference number ISO/TS 14441:2013(E) ISO @IS02013 Not for Resale IS0/TS 14441:2013(E) COPYRIGHT PROTECTED DOCUMENT @ISO2013 All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester. ISO copyright office Case postale 56 : CH-1211 Geneva 20 Tel. + 41 22 749 01 11 Fax + 41 22 749 09 47 E-mail [email protected] Web www.iso.org Published in Switzerland @ IS0 2013 - All rights reserved Not for Resale IS0/TS 14441:2013(E) Contents Page Foreword .iv Introduction. ..V 1 Scope. ..1 2 Normative references 3 Terms and definitions ..1 4 Abbreviations. ..9 5 Security and privacy requirements .9 5.1 General .9 5.2 Theoretical foundation .9 5.3 Privacy and security requirements .12 5.4 Common Criteria 28 6 Best practice and guidance for establishing and maintaining conformity assessment programs .30 6.1 Concepts. 31 6.2 Conformity assessment processes 33 Annex A (informative) Conformity assessment programs - Design considerations and illustrative examples from member countries as of 2oio .36 Annex B (informative) Comparison of jurisdictional requirements ..54 Bibliography .112 ii thout license from IHS Not for Resale IS0/TS 14441:2013(E) Foreword Iso (the International Organization for Standardization) is a worldwide federation of national standards bodies (IsO member bodies). The work of preparing International Standards is normally carried out through IsO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with IsO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization. International Standards are drafted in accordance with the rules given in the ISo/IEC Directives, Part 2. The main task of technical committees is to prepare International Standards. Draft International Standards adopted by the technical committees are circulated to the member bodies for voting. Publication as an International Standard requires approval by at least 75 % of the member bodies casting a vote. In other circumstances, particularly when there is an urgent market requirement for such documents, a an ISO Publicly Available Specification (ISO/PAS) represents an agreement between technical experts in an IsO working group and is accepted for publication if it is approved by more than 5o % of the members of the parent committee casting a vote; an ISso Technical Specification (Iso/Ts) represents an agreement between the members of a technical committee and is accepted for publication if it is approved by 2/3 of the members of the committee casting a vote. An ISO/PAS or ISO/TS is reviewed after three years in order to decide whether it will be confirmed for a further three years, revised to become an International Standard, or withdrawn. If the Iso/PAS or Iso/Ts is confirmed, it is reviewed again after a further three years, at which time it must either be transformed into an International Standard or be withdrawn. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. IsO shall not be held responsible for identifying any or all such patent rights. ISO/TS 14441 was prepared by Technical Committee ISO/TC 215, Health informatics. @ IS0 2013 - All rights reserved license from IHS Not for Resale IS0/TS 14441:2013(E) Introduction As local, regi