ISO 27789:2013 pdf download.Health informatics – – Audit trails for electronic health records.
ISO 27789 specifies a common framework for audit trails for electronic health records (EHR), in terms of audit trigger events and audit data, to keep the complete set of personal health information auditable across information systems and domains.
It is applicable to systems processing personal health information which, complying with 150 27799, create a secure audit record each time a user accesses, creates, updates or archives personal health information via the system.
NOTE Such audit records, at a minimum, uniquely identify the user, uniquely identify the subject of care, identify the function performed by the user (record creation, access, update, etc.), and record the date and time at which the function was performed.
ISO 27789 covers only actions performed on the EHR, which are governed by the access policy for the domain where the electronic health record resides. It does not deal with any personal health information from the electronic health record, other than identifiers, the audit record only containing links to EHR segments as defined by the governing access policy.
It does not cover the specification and use of audit logs for system management and system security purposes, such as the detection of performance problems, application flaw, or support for a reconstruction of data, which are dealt with by general computer security standards such as ISO/IEC 15408-2.L9i
Annex A gives examples of audit scenarios. Annex B gives an overview of audit log services.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
ISO 8601:2004, Data elements and interchange formats — Information interchange — Representation of dates and times
ISO 27799:2008, Health informatics — Information security management in health using JSO/IEC 27002
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
3.1
access control
means to ensure that access to assets is authorized and restricted based on business and security requirements
[ISO/IEC 27000:2012, definition 2.1]
3.2
access policy
definition of the obligations for authorizing access to a resource
3.3
accountability
principle that individuals, organizations and the community are responsible for their actions and may be required to explain them to others
[ISO 15489-1:2001, definition 3.2]
3.4
audit
systematic and independent examination of accesses, additions or alterations to electronic health records to determine whether the activities were conducted, and the data were collected, used, retained or disclosed according to organizational standard operating procedures, policies, good clinical practice, and applicable regulatory requirement(s)
3.5
audit archive
archival collection of one or more audit logs
3.6
audit data
data obtained from one or more audit records
3.7
audit log
chronological sequence of audit records, each of which contains data about a specific event
3.8
audit record
record of a single specific event in the life cycle of an electronic health record
3.9
audit system
information processing system that maintains one or more audit logs.ISO 27789 pdf download.