Security Standardization at ISO and CEN

1. Security Standardization at ISO and CEN Bernd Blobel Deputy Head of Delegation to ISO and CEN HL7 Security TC Sessions at Group Meeting in Cologne 2007

2. Work Plan for Working Group 4 Meetings in Montreal • Voting Results and Previous Work Arising from Last Meeting In Geneva • ISO DTS 25238 Health informatics — Classification of safety risks from health software (CLARISK)Sent to ISO for publication • ISO DTR 27809 Health informatics Measures for ensuring patient safety of health softwareDTR approved for publication Next steps to be discussed in the Risk Task Group meeting • CEN 13606 part 4 Health informatics — Electronic health record communication — Part 4: Security requirements and distribution rulesStill awaiting distribution for voting as a new work item proposal (form 4) targeting a technical specification • ISO/DTS 21298  "Health informatics – Functional and structural roles"Still awaiting vote at a draft technical specification HL7 Security TC Sessions at Group Meeting in Cologne 2007

3. Previous Standards of the Working Group Now Needing Review • 22857 Health informatics -- Guidelines on data protection to facilitate trans-border flows of personal health information Due for 3 year review • Approved Work Items to Be Pursued in Task Group Meetings • ISO DTS 21547 Health Informatics — Security Requirements for Archiving of Electronic Health Records Part 1: Principles and requirementsand ISO DTR 21547 Health Informatics — Security Requirements for Archiving of Electronic Health Records Part 2: GuidelinesApproved work items. HL7 Security TC Sessions at Group Meeting in Cologne 2007

4. ISO/DIS 27799 "Health informatics – security management in health using ISO/IEC 17799’ DIS ballot successful. Final draft to be approved by working group and then submitted for vote as an FDIS • ISO DTS 25237 Health Informatics – Pseudonymisationdraft approved prepare to be sent to ISO for publication • ISO CD 27789 Health informatics - Audit trails for electronic health recordsapproved work item • ISO DTS 22600 Health informatics – Privilege management and access control (PMAC)Part 3: Implementations HL7 Security TC Sessions at Group Meeting in Cologne 2007

5. Approved New Work Items • ISO/NWIP/DTS #29321 Health Informatics: Application of Risk Mangement to the Manufacture of Health Softwareapproved as a new work item (NWI) with the following experts: • To be discussed during risk task force meeting Wednesday morning (9:00) • ISO/NWIP/DTR #29322 Health Informatics: Guidance on Risk Evaluation and Management in the Deployment and Use of Health Softwareapproved as NWI • To be discussed during risk task force meeting Wednesday morning (9:00) • For both these items, CEN central secretariat agree to have Vienna Agreement with CEN lead for both work items. Doing so, both the TR and TS can be published within CEN and ISO. •  Need resolution for VA on 29321 and 29322 HL7 Security TC Sessions at Group Meeting in Cologne 2007

6. Proposed New Work Items • NWIP for a TR: Health informatics — Dynamic on-demand virtual private network for health information infrastructure • NWIP for TR: Health informatics - The information security management guide for remote maintenance services for medical devices and health information systems • Joint Work With Working Group 5 • Health professional cardsWorking group 4 to assist to our colleagues in working group 5 on the security aspects of this new work. • Joint Work With Working Group 1 • Identity management: health provider identity HL7 Security TC Sessions at Group Meeting in Cologne 2007

7. Contact Bernd Blobel Ph.D., Associate Professor Head, eHealth Competence Center University of Regensburg Medical Center Franz-Josef-Strauss-Allee 11 D-93042 Regensburg Germany Email: bernd.blobel@klinik.uni-regensburg.de Email: bernd.blobel@ehealth-cc.de Phone: +49-941-944 6769 Fax: +49-941-944 6766 http://www.ehealth-cc.de HL7 Security TC Sessions at Group Meeting in Cologne 2007