The Interoperability Standards Advisory (ISA) includes a structure for capturing the security patterns needed to support interoperability. In response to public comments requesting a distinct security standards section, the list below provides a number of sources that stakeholders can consult to find the latest applicable security standards. Note that this list is not meant to be exhaustive, and while every effort is made to keep links current, links may become outdated as organizations change their websites.
- Security Pattern Catalog
- HIPAA Security regulations that are specific to healthcare
- HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework
- ASTM
- ASTM E1384-07 (2013) Standard Practice for Content and Structure of the Electronic Health Record (EHR)
- ASTM E1714-07 (2013) Standard Guide for Properties of a Universal Healthcare Identifier (UHID)
- ASTM E1762-95 (2013) Standard Guide for Electronic Authentication of Health Care
- ASTM E1985-98 (2013) Standard Guide for User Authentication and Authorization
- ASTM E1986-09 (2013) Standard Guide for Information Access Privileges to Health
- ASTM E2017-99 (2010) Standard Guide for Amendments to Health Information
- ASTM E2147-01 (2013) Standard Specification for Audit and Disclosure Logs for Use in Health Information Systems
- ASTM E2212-02a (2010) Standard Practice for Healthcare Certificate Policy
- ASTM E2595-07 (2013) Standard Guide for Privilege Management Infrastructure
- International Organization for Standardization (ISO) Information Security Standards
- ISO/TS 14265:2011 Health Informatics - Classification of purposes for processing personal health information (https://www.iso.org/standard/83447.html)
- ISO IT Security techniques - Evaluation criteria for IT security, ISO/IEC 15408 series
- ISO 17090-1:2013 Health Informatics - Public key infrastructure - Part 1: Overview of digital certificate services
- ISO 17090-2:2015 Health Informatics - Public key infrastructure - Part 2: Certificate profile
- ISO 17090-3:2008 Health Informatics - Public key infrastructure - Part 3: Policy management of certification authority
- ISO/IS 17090-4 Health Informatics - Public key infrastructure - Part 4: Digital signatures for healthcare documents
- ISO/TS 17975:2015 Health Informatics - Principles and data requirements for consent in the collection, use or disclosure of personal health information
- ISO/TR 21089:2004(en) Health Informatics - Trusted end-to-end information flows
- ISO 21091:2013 Health Informatics - Directory services for healthcare providers, subjects of care and other entities
- ISO/TS 21298:2008 Health Informatics - Functional and structural roles
- National Institute of Standards and Technology (NIST) Special Publications 800 Series
- NIST’s Federal Information Processing Standards (FIPS)
- NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, Revision 4, April 2013
- NIST Privacy Risk Management for Federal Information Systems, NISTIR 8062 Draft, May 2015
- NIST Special Publication 800-63-2, Electronic Authentication Guideline, August 2013
- NIST Digital Authentication Guideline, Special Publication 800-63-3, Public Draft, Q4 2016
- NIST FIPS PUB 202, SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions, August 2015
- NIST SP 1800-1 (a-e), Securing Electronic Health Records on Mobile Devices, July 2015, https://csrc.nist.gov/publications/detail/sp/1800-1/final
- NIST Guide for Conducting Risk Assessments, Special Publication 800-30 Revision 1
- NIST Framework for Improving Critical Infrastructure Cybersecurity, V1, February 2014
- NIST Framework for Improving Critical Infrastructure Cybersecurity, V1.1, April 2018
- NIST 800-53 Rev 4: Security & Privacy controls
- NIST SP 800-183: Network of 'Things'
- NIST SP 800-160: Systems Security Engineering
- NIST SP 500-291: Cloud Computing
- NIST SP 1500-1: Big Data Interoperability
- OpenID Connect 1.0
- OAuth 2.0
- OAuth 2.0 Dynamic Client Registration
- User-Managed Access (UMA) Profile of OAuth 2.0
- Integrating the Healthcare Enterprise (IHE)
- Cybersecurity Standards
- Consistent Time
- Enterprise User Authentication
- Cross-Enterprise User Assertion (XUA)
- Document Digital Signature
- Basic Patient Privacy Consents
- Advanced Patient Privacy Consents (APPC)
- Document Encryption
- Access Control
- Audit Trail and Node Authentication (ATNA)
- Template for XDS Affinity Domain Deployment Planning
- Mobile Care Services Discovery (mCSD)
- Internet User Authorization (IUA)
- Secure Retrieve (SeR)
- Enabling Document Sharing Health Information Exchange Using IHE Profiles Whitepaper
- HL7 CDA® R2 Implementation Guide: Patient-Friendly Language for Consumer User-Interfaces, Release 1
- HL7 Implementation Guide: Data Segmentation for Privacy (DS4P), Release 1
- HL7 Healthcare Privacy and Security Classification System (HCS), Release 1
- HL7 Implementation Guide for CDA®, Release 2: Privacy Consent Directives, Release 2
- HL7 FHIR Security
- HL7 Version 3 Standard: Security and Privacy Ontology, Release 1 (Category: Privacy and Consent)
- HL7 Version 3 Standard: Healthcare (Security and Privacy) Access Control Catalog, Release 3
- HL7 Version 3 Standard: Privacy, Access and Security Services (PASS) Access Control Services Conceptual Model, Release 1
- HL7 Version 3 Standard: Privacy, Access and Security Services; Security Labeling Service, Release 1 (SLS)
- Structured Threat Information Expression (STIX)
- Trusted Automated Exchange of Indicator Information (TAXII)
- SMART App Launch Framework
- Unified Data Access Profiles (UDAP)
- JWT-Based Client Authentication
- Tiered OAuth for User Authentication
- Dynamic Client Registration
- Mutual TLS Client Authentication
- Client Certifications and Endorsements
- Client Authorization Grants using JWTs
- UDAP Implementation Guide for Registration and Authorization of Consumer Facing Health Apps
- UDAP Implementation Guide for Registration and Authorization of Business-To-Business Health Apps
Comment
Submitted by John Moehrke on
Missing IHE specifications
The following IHE specifications on the Privacy and Security topic are missing:
- The IHE IT Infrastructure technical white paper, Template for XDS Affinity Domain Deployment Planning outlines some of the issues that should be evaluated for inclusion in the local Policy creation and Risk Management decisions.
- The APPC Profile adds to the BPPC functionality the ability to include deviations from the base policy in a structured and coded format. Where BPPC is limited to agreement or not to a pre-defined policy, APPC allows for more fluid patient privacy consent function.
- organization directory (mCSD),
- user authentication/authorization (IUA)
- Consistent Time (CT).
- Secure Retrieve https://wiki.ihe.net/index.php/Secure_Retrieve
See the following section in the IHE HIE whitepaper
https://profiles.ihe.net/ITI/HIE-Whitepaper/index.html#7-security-and-privacy
Submitted by John Moehrke on
IHE - Cybersecurity Standards
The link under the text "IHE Cybersecurity Standards" does not reference an IHE specification.
For IHE, the following link would be the most comprehensive: https://wiki.ihe.net/index.php/Category:Security
Submitted by jeffcoughlin on
ISA Security Standards Recommendation
Given the current climate of increased cybersecurity threats, HIMSS recommends that ONC take steps to increase the visibility of the ISA security standards. With the security standards placed in the appendices due to the breadth of the material, it may be helpful to supply ISA users with a brief summary of the standards in the body of ISA that point to the greater detail in the appendices and serve as a visual roadmap for the resource. We believe this will help users grasp the importance of looking to ISA for cybersecurity standards as well as where to apply the standards.
HIMSS also emphasizes that we want to continue to be a resource to ONC moving forward on identifying the most widely-used cybersecurity standards by all stakeholders, including industry and academia. The need for a definitive resource on cybersecurity standards is not going to subside, and HIMSS wants to be helpful to ONC and the community-at-large in identifying the standards for consideration.
Submitted by juliemaas on
HL7 FHIR Security
The HL7 FHIR specification includes security considerations in the FHIR Security section. We propose that this be added as a Source in this sub-section.
Julie Maas, CEO, EMR Direct
Submitted by John Moehrke on
End-to-End security
IHE provides two solutions for End-to-End Security, where End-to-End security enables an ultimate consuming system to confirm the security of data regardless of the pathway the data took.
SOAP end-to-end security -- In this model the communications of the medically sensitive data are protected for confidentiality, integrity, and availability using WS-Security or AS4 security. This model is well suited when intermediaries are needed to support cross-border policies. The AS4 configuration is mandated in the EU for cross-border flows.
Document Encryption (DEN) and Document Digital Signatures (DSG) -- In this model the document may be protected from the source to the ultimate destination using Document Encryption and Document Digital Signatures. This model does not require a single transport type, such as XDS or XCA end-to-end.
Importantly, DEN and DSG can be used together or independently. Where only a Digital Signature is needed, one would use only DSG.