ISO 17090-3:2021 Health informatics — Public key infrastructure — Part 3: Policy management of certification authority

Standard overview

Health informatics — Public key infrastructure — Part 3: Policy management of certification authority was published by the International Organization for Standardization (ISO) on 2021-03-09 and applies internationally.


Document description

The document is a high-resolution, text-based PDF of Health informatics — Public key infrastructure — Part 3: Policy management of certification authority; its text is searchable and can be copied and pasted.

Excerpt from the standard

INTERNATIONAL STANDARD ISO 17090-3:2021

Health informatics — Public key infrastructure —

Part 3: Policy management of certification authority

1 Scope

This document gives guidelines for certificate management issues involved in deploying digital certificates in healthcare. It specifies a structure and minimum requirements for certificate policies, as well as a structure for associated certification practice statements.

This document also identifies the principles needed in a healthcare security policy for cross-border communication and defines the minimum levels of security required, concentrating on aspects unique to healthcare.

2 Normative references

The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO 17090-1:2021, Health informatics — Public key infrastructure — Part 1: Overview of digital certificate services

ISO 17090-2:2015, Health informatics — Public key infrastructure — Part 2: Certificate profile

ISO/IEC 27002, Information technology — Security techniques — Code of practice for information security controls

IETF/RFC 3647, Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework

IETF/RFC 4211, Internet X.509 Public Key Infrastructure Certificate Request Message Format (CRMF)

3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO 17090-1 apply.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:

— ISO Online browsing platform: available at https://www.iso.org/obp

— IEC Electropedia: available at http://www.electropedia.org/

4 Abbreviations

AA attribute authority

CA certification authority

CP certificate policy

CPS certification practice statement

CRL certificate revocation list

OID object identifier

PKC public key certificate

PKI public key infrastructure

RA registration authority

TTP trusted third party

5 Requirements for digital certificate policy management in a healthcare context

5.1 General

Deployment of digital certificates in healthcare shall meet the following objectives in order to be effective in securing the communication of personal health information:

— the reliable and secure binding of unique and distinguished names to individuals, organizations, applications and devices that participate in the electronic exchange of personal health information;

— the reliable and secure binding of professional roles in healthcare to individuals, organizations and applications that participate in the electronic exchange of personal health information, insofar as those roles may be used as the basis of role-based access control to such health information;

— (optionally) the reliable and secure binding of attributes to individuals, organizations, applications and devices that participate in the electronic exchange of personal health information, insofar as those attributes may further the secure communication of health information.

The above objectives shall be accomplished in a manner that maintains the trust of all who rely upon the integrity and confidentiality of personal health information that is securely communicated by use of digital certificates.

To do this, each CA issuing digital certificates for use in healthcare shall operate according to an explicit set of publicly stated policies that promote the above objectives.

5.2 Need for a high level of assurance

The security services that are required for health applications are specified in Clause 6 of ISO 17090-1:2021. For each of these security services (authentication, integrity, confidentiality, digital signature, authorization, access control), a high level of assurance is required.

5.3 Need for a high level of infrastructure availability

Emergency healthcare is a round-the-clock endeavour and the ability to obtain certificates, revoke certificates and check revocation status is in no way bound by the normal working hours of most businesses. Unlike e-commerce, healthcare imposes high availability requirements on any deployment of digital certificates that will be relied upon to secure the communication of personal health information.

5.4 Need for a high level of trust

Unlike electronic commerce (where a vendor and a customer are often the only parties to an electronic transaction and are reliant upon its security and integrity), healthcare applications that store or transmit personal health information may implicitly require the trust of the patients whose information
