ISO/TR 21548:2010

TECHNICAL ISO/TR
REPORT 21548
First edition
2010-02-01
Health informatics — Security
requirements for archiving of electronic
health records — Guidelines
Informatique de santé — Exigences de sécurité pour l'archivage
des dossiers de santé électroniques — Lignes directrices

Reference number
©
ISO 2010
PDF disclaimer
This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but
shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In
downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat
accepts no liability in this area.
Adobe is a trademark of Adobe Systems Incorporated.
Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation
parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In
the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below.

©  ISO 2010
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO 2010 – All rights reserved

Contents Page
Foreword .iv
Introduction.v
1 Scope.1
2 Terms and definitions .1
3 Abbreviated terms .1
4 eArchive and eArchiving process .2
4.1 eArchive.2
4.2 eArchiving process .2
4.3 Backup and recovery .4
5 Environment of the eArchive .4
6 Responsibilities and policies .5
6.1 General .5
6.2 Responsibilities .5
6.3 Policies .7
7 Design and implementation of secure eArchiving process for EHRs .9
7.1 General discussion .9
7.2 Analysis of the business model.10
7.3 Identification of impact of ethical and legal requirements.11
7.4 Risk analysis of existing systems and the developed system.11
8 Implementation of security requirements.12
9 Security and privacy protection controls and instruments for archiving of EHRs .14
9.1 Tasks of the eArchive .14
9.2 Tasks of EHR system.15
9.3 Selection of security instruments.16
9.4 Privacy protection instruments .17
9.5 Audit-log.17
9.6 Security instruments.17
9.7 Administrative instruments.22
9.8 Metadata .22
9.9 Registration service .25
9.10 Destroying of records .25
9.11 Managing the security of EHRs with dynamic content .25
10 Education and training.25
Annex A (informative) Summary of additional guidelines .26
Bibliography.30

Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies
(ISO member bodies). The work of preparing International Standards is normally carried out through ISO
technical committees. Each member body interested in a subject for which a technical committee has been
established has the right to be represented on that committee. International organizations, governmental and
non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the
International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of technical committees is to prepare International Standards. Draft International Standards
adopted by the technical committees are circulated to the member bodies for voting. Publication as an
International Standard requires approval by at least 75 % of the member bodies casting a vote.
In exceptional circumstances, when a technical committee has collected data of a different kind from that
which is normally published as an International Standard (“state of the art”, for example), it may decide by a
simple majority vote of its participating members to publish a Technical Report. A Technical Report is entirely
informative in nature and does not have to be reviewed until the data it provides are considered to be no
longer valid or useful.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO shall not be held responsible for identifying any or all such patent rights.
ISO/TR 21548 was prepared by Technical Committee ISO/TC 215, Health informatics.
iv © ISO 2010 – All rights reserved

Introduction
This Technical Report is an informative report that provides additional guidance for implementation of
requirements set by ISO/TS 21547. This Technical Report provides a guideline and method to select (from the
requirements defined by ISO/TS 21547) a platform or domain-specific set of requirements fulfilling regulatory
and normative requirements. The platform can be local, regional, national or cross-border. This Technical
Report is planned to be used together with ISO/TS 21547.
This Technical Report provides guidelines that are intended as a supplement to ISO/TS 21547. The summary
of additional guidelines is shown in the Annex A. This Technical Report defines a practical method and
describes practical tools which can be used both in the development and management of eArchives fulfilling
security requirements set by ISO/TS 21547. Most of those tools are not healthcare specific, but the selection
and the implementation of security services and tools should always meet general and healthcare domain-
specific requirements set by national legislation, norms and ethical codes.

TECHNICAL REPORT ISO/TR 21548:2010(E)

Health informatics — Security requirements for archiving
of electronic health records — Guidelines
1 Scope
This Technical Report is an implementation guide for ISO/TS 21547. This Technical Report will provide a
methodology that will facilitate the implementation of ISO/TS 21547 in all organizations that have the
responsibility to securely archive electronic health records for the long term. This Technical Report gives an
overview of processes and factors to consider in organizations wishing to fulfil requirements set by
ISO/TS 21547.
2 Terms and definitions
For purposes of this document, the terms and definitions listed in ISO/TS 21547 apply.
3 Abbreviated terms
⎯ CDA Clinical documentation architecture
⎯ EHR Electronic health record
⎯ GP General practitioner
⎯ HIS Hospital information system
⎯ HL7 Health level 7
⎯ ISMS Information security management system
⎯ PKI Public Key Infrastructure
⎯ LAN Local area network
⎯ PACS Picture Archiving and Communication System
⎯ TTP Trusted Third Party
⎯ XML Extensible Mark-up Language
⎯ VPN Virtual Private Network
4 eArchive and eArchiving process
4.1 eArchive
In healthcare an archive is defined as being an organization that intends to preserve health records for access
and use for an identified group of consumers for a regulated period of time. An electronic archive (eArchive)
preserves information in digital format. An eArchive has the responsibility of making information available in a
correct and independently understandable form over a long period of time. To make this possible, the
eArchive stores not only the data but also meta-information (e.g. representation, description, content and
context information of the data, links between components and required preservation information).
Typically, an eArchive receives and stores fixed content of data (e.g. EHRs or parts of them) with associated
metadata and policies. An alternative is to use the weeding method – the EHR system moves selected EHRs
to a secondary storage area of the EHR system and stores the needed meta-information (including security
rules) in a separate repository.
A typical method of storing fixed content of data is to preserve documents with associated metadata such as
HL7, CDA or XML documents.
Digital archiving has a strong dependence on software. New file formats, software and platforms succeed
each other rapidly and digital material requires constant maintenance in order to retain accuracy.
An eArchive can be a centralized organization or it can be federated (ISO/TS 21547:—, 6.2). In healthcare,
the narrative patient record and images are typically archived separately (for example X-ray pictures are
preserved by dedicated PACS-systems or by a RIS, ECGs and other bio-signals by their own dedicated
systems).
The eArchive can serve only one dedicated user (e.g. one hospital or GP) in such a way that only health
records created by this organization are preserved. On the other hand, one technical eArchive can store
health records on behalf of many EHR systems. The federated eArchive can store records having the same
security and preservation policy or it can preserve records having different security policies. In the latter case,
the eArchive can be seen technically as one archive, but from a security point of view it includes many logical
EHR-archives.
In practice, an eArchive can be a separate archive (“a secondary storage”) or an EHR system can manage all
archiving functions without a separate technical eArchive. In the latter case the EHR system should meet
security requirements set by national legislation and principles and requirements defined in ISO/TS 21547.
4.2 eArchiving process
ISO/TS 21547 has already defined that eArchiving is a holistic and long-term process. During this process,
health records are moved between the EHR systems and the eArchive (the eArchive itself can be an external
repository or a place in the EHR system where fixed records are stored). Figure 1 shows one practical model,
where information is extracted from the local EHR-system database and transferred (in the form of
documents) to the eArchive. The eArchive can also disclose preserved documents, which can be either
viewed by end users or restored to the local database.

2 © ISO 2010 – All rights reserved
...