ISO/TS 6268-2:2025
Health informatics — Cybersecurity framework for telehealth environments — Part 2: Cybersecurity reference model of telehealth
This document provides a telehealth cybersecurity reference model of the overall security framework for systems and services applied to telehealth. This document contains a general description of: — factors of telehealth cybersecurity threats; — relationships between security risks and safety risks in telehealth services; — methodologies for defining security levels in telehealth services; — a cybersecurity reference model of telehealth services. Defining the specific type of telehealth services is not covered in this document.
Informatique de santé — Cadre en matière de cybersécurité pour les environnements de télésanté — Partie 2: Modèle de référence de cybersécurité pour la télésanté
Technical Specification ISO/TS 6268-2, First edition, 2025-05
Health informatics — Cybersecurity framework for telehealth environments — Part 2: Cybersecurity reference model of telehealth
Informatique de santé — Cadre en matière de cybersécurité pour les environnements de télésanté — Partie 2: Modèle de référence de cybersécurité pour la télésanté
© ISO 2025
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms, definitions and abbreviated terms
3.1 Terms and definitions
3.2 Abbreviated terms
4 Cybersecurity reference model of telehealth service
4.1 General
4.2 Components of the cybersecurity reference model of telehealth service
5 Telehealth service activities and threats
5.1 General
5.2 Encounter
5.2.1 Description
5.2.2 Threats
5.3 Observation
5.3.1 Description
5.3.2 Threats
5.4 Intervention
5.4.1 Description
5.4.2 Threats
6 Security level of telehealth service
6.1 Cybersecurity, safety and remote communication
6.2 The scheme of cybersecurity level in telehealth services
6.3 Methodology of defining security level in telehealth services
Annex A (informative) Use cases based on real-world telehealth in ISO 13131
Bibliography
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out through
ISO technical committees. Each member body interested in a subject for which a technical committee
has been established has the right to be represented on that committee. International organizations,
governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely
with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are described
in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types
of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the
ISO/IEC Directives, Part 2 (see www.iso.org/directives).
ISO draws attention to the possibility that the implementation of this document may involve the use of (a)
patent(s). ISO takes no position concerning the evidence, validity or applicability of any claimed patent
rights in respect thereof. As of the date of publication of this document, ISO had not received notice of (a)
patent(s) which may be required to implement this document. However, implementers are cautioned that
this may not represent the latest information, which may be obtained from the patent database available at
www.iso.org/patents. ISO shall not be held responsible for identifying any or all such patent rights.
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions
related to conformity assessment, as well as information about ISO’s adherence to the World Trade
Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/TC 215, Health informatics.
A list of all parts in the ISO 6268 series can be found on the ISO website.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html.
Introduction
Telehealth once provided a limited range of services to subjects of care in specific environments. However,
the scope of telehealth services is rapidly expanding through advanced information and communication
technologies (ICT) such as mobile-based, cloud-based and other network-based applications. Additionally,
emerging global pandemics have acutely increased the need to diagnose, prevent, monitor, treat or mitigate
diseases and injuries without face-to-face, in-person contact between subjects of care and care providers,
making telehealth a more commonly accepted medical practice.
These services are described as telehealth services because ICT are used to support healthcare activities.
Telehealth services can include but are not limited to telemedicine, telecare, mHealth (healthcare supported
by mobile devices), remote use of medical applications, tele-monitoring, tele-diagnostics and virtual care.
Examples of health services include but are not limited to tele-pathology, tele-dermatology, tele-cardiology,
tele-rehabilitation, tele-oncology and tele-orthopaedics. Healthcare activities that directly or indirectly
support care recipients include but are not limited to teleconsultation, telephone advice, health alarm
systems and health status monitoring at home. Telehealth services can support immediate healthcare
activities using synchronous communications services such as a telephone or video conversation, or delayed
health care activities using asynchronous communications services such as messaging services.
Furthermore, depending on the perspective, the subcategories of telehealth can also vary. Physicians might
categorize telehealth by medical specialties, such as tele-neurology or tele-orthopaedics, while healthcare
IT experts might focus on system topology and network configurations. When it comes to telehealth in
cybersecurity, telehealth actors, interactions between each actor, data flow, service environment and
technology should be considered. Therefore, establishing concepts and models of telehealth cybersecurity
is the first step in building a framework for cybersecurity in a telehealth environment.
Telehealth cybersecurity concepts and models serve as a baseline for the analysis of cybersecurity threats
and to determine countermeasures. Telehealth cybersecurity countermeasures need to consider not only
technical aspects, but also management and physical approaches to operating telehealth services. This is
because telehealth cybersecurity involves interactions between multiple actors situated in environments
with different levels of cybersecurity. The cybersecurity policies and processes act as variables that
influence the overall cybersecurity posture of telehealth.
People and physical requirements are addressed more deliberately in telehealth cybersecurity because
participants beyond the network cannot be controlled. Actors on this side cannot even apply a band-aid to
those on the other side. It will take time and effort to ensure that the quality of telehealth services matches
that of general healthcare services. Actors need to account for variables that arise from not being able to
see or directly address issues. Actors cannot know what is happening outside the camera’s view. Physically
occurring risks, such as break-in, theft, vandalism, disconnection and deception, are also critical issues that
need to be addressed in the telehealth environment.
The cybersecurity framework for telehealth environments is structured as follows:
— Part 1: Overview and concepts;
— Part 2: Cybersecurity reference models of telehealth;
— Part 3: Cybersecurity requirements for telehealth.
This document is the second part in the ISO 6268 series and it covers a telehealth cybersecurity reference
model of the overall security framework for systems and services applied to telehealth.
Technical Specification ISO/TS 6268-2:2025(en)
Health informatics — Cybersecurity framework for telehealth environments — Part 2: Cybersecurity reference model of telehealth
1 Scope
This document provides a telehealth cybersecurity reference model of the overall security framework for
systems and services applied to telehealth. This document contains a general description of:
— factors of telehealth cybersecurity threats;
— relationships between security risks and safety risks in telehealth services;
— methodologies for defining security levels in telehealth services;
— a cybersecurity reference model of telehealth services.
Defining the specific type of telehealth services is not covered in this document.
2 Normative references
There are no normative references in this document.
3 Terms, definitions and abbreviated terms
3.1 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1.1
clinical procedure
activity for a subject of care or group of subjects of care with the objective to promote health
3.1.2
encounter
contact between health(care) participants for initiating clinical activity which includes patient enrolment,
making an appointment, patient reception and entering the consulting room
3.1.3
health information
information about a person relevant to their health
Note 1 to entry: According to the Health Insurance Portability and Accountability Act (HIPAA), health information
includes any information, whether oral or recorded in any form or medium, that a) is created or received by a healthcare
provider, health plan, public health authority, employer, life insurer, school or university, or healthcare clearing-house;
and b) relates to the past, present, or future physical or mental health or condition of an individual; the provision of
healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual.
[SOURCE: ISO 18308:2011, 3.28, modified — Note 1 to entry was added.]
3.1.4
intervention
activity intended to maintain or improve an individual’s health or functioning, or to alter the course of a
disease, disorder or condition for the better, or to restore function lost through disease or injury
[SOURCE: ISO/TR 11147:2023, 3.7, modified — “medical” was removed from the term.]
3.1.5
observation
information associated with a measurement and that provides a more complete understanding of a
measurement
EXAMPLE A temperature observation contains the numerical reading of a temperature sensor, the units of
measure, and the time at which the sensor was read.
[SOURCE: ISO/IEEE 11073-10206:2024, 3.1, modified — “generated by a personal health device (PHD)” was
removed from the definition; part of the original definition was moved to the Example.]
3.2 Abbreviated terms
AAMI Association for the Advancement of Medical Instrumentation
CIA confidentiality, integrity, and availability
COPD chronic obstructive pulmonary disease
EMR electronic medical record
HDO health delivery organization
HIS hospital information system
ICU intensive care unit
IMDRF International Medical Device Regulators Forum
IT information technology
MD medical device
4 Cybersecurity reference model of telehealth service
4.1 General
Telehealth services are typically operated as part of an HDO’s overall healthcare services, with their
cybersecurity policies and processes inheriting those of the parent organization. Even in the case of telehealth
specialty centres, cybersecurity policies and processes of general HDOs should be tailored first, and the
additional enhanced controls for telehealth services should be applied. For this reason, the cybersecurity
reference model of telehealth services focuses only on telehealth service activities, classification processes
and considerations to ensure safe and secure telehealth services.
Managing the gap between telehealth actors operating in environments with different security levels is an
important concern of telehealth cybersecurity. Both telehealth service providers and telehealth platform
providers should take into account the weakest link in the chain of actors and systems that are connected
and interact throughout the entire service process. They should establish compensating countermeasures
to overcome gaps between the cybersecurity postures of the participating environments.
Compared to general medical practice, physical and people challenges increase significantly more than
technical risks, because incidents occurring in locations beyond the reach of direct physical intervention
still have to be addressed promptly. Actors participating in a telehealth service should take into account the
possible presence of an unauthorized person outside the camera frame. Countermeasures should be taken
against loss and theft of medical devices (MDs) that contain sensitive patient data in public telehealth booths.
System redundancy and an incident recovery strategy should be carefully designed to guard against
interruption of services on which a patient's life depends.
Valuable references for telehealth cybersecurity risk analysis include ISO/IEC 27005, AAMI TIR57 and
ISO/IEEE 11073-40101.
4.2 Components of the cybersecurity reference model of telehealth service
The telehealth service cybersecurity reference model is composed of, but not limited to, the following
elements:
— telehealth service activities (5.2, 5.3, 5.4);
— telehealth service cybersecurity classification (6.2);
— telehealth service cybersecurity risk analysis;
— the following telehealth cybersecurity requirements based on ISO 27799:
— organizational requirements;
— people requirements;
— physical requirements;
— technological requirements.
Figure 1 provides an overview of the components of the cybersecurity reference model of telehealth.
Figure 1 — Cybersecurity reference model of telehealth service
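The weakest-link reasoning of 4.1 can be made concrete by scoring each actor in a service chain against the four requirement categories listed in 4.2 and reporting where the chain's effective posture falls short. The following is an added illustration, not part of ISO/TS 6268-2 or any implementation it describes; the actors, the 0–4 posture scale, the scores and the required level are all constructed sample values.

```python
# Added illustration (not part of ISO/TS 6268-2): weakest-link gap analysis
# across telehealth actors, using the four requirement categories of 4.2.
# All actors, scores, the 0-4 scale and the required level are constructed.
from dataclasses import dataclass, field

CATEGORIES = ("organizational", "people", "physical", "technological")


@dataclass
class Actor:
    name: str
    posture: dict  # constructed posture score 0-4 per requirement category


@dataclass
class GapReport:
    weakest: dict                               # category -> (actor, score)
    gaps: list = field(default_factory=list)    # (category, actor, shortfall)


def weakest_link(actors):
    """Effective posture of the whole chain per category is the minimum over
    all actors: one weak environment drags the entire service down (4.1)."""
    weakest = {}
    for cat in CATEGORIES:
        actor = min(actors, key=lambda a: a.posture.get(cat, 0))
        weakest[cat] = (actor.name, actor.posture.get(cat, 0))
    return weakest


def analyse_chain(actors, required):
    """List each actor/category whose posture is below the level required for
    the service, i.e. where compensating countermeasures are needed."""
    report = GapReport(weakest=weakest_link(actors))
    for actor in actors:
        for cat in CATEGORIES:
            shortfall = required[cat] - actor.posture.get(cat, 0)
            if shortfall > 0:
                report.gaps.append((cat, actor.name, shortfall))
    return report


# Constructed sample chain: HDO back end, platform provider, public telehealth booth.
SAMPLE_ACTORS = [
    Actor("HDO", {"organizational": 4, "people": 3, "physical": 4, "technological": 4}),
    Actor("platform provider", {"organizational": 3, "people": 3, "physical": 3, "technological": 4}),
    Actor("public booth", {"organizational": 1, "people": 1, "physical": 1, "technological": 3}),
]
# Constructed required level for a service whose interruption is life-threatening.
SAMPLE_REQUIRED = {"organizational": 3, "people": 3, "physical": 3, "technological": 3}

if __name__ == "__main__":
    rep = analyse_chain(SAMPLE_ACTORS, SAMPLE_REQUIRED)
    for cat, (who, score) in rep.weakest.items():
        print(f"{cat:15s} weakest link: {who} ({score})")
    for cat, who, short in rep.gaps:
        print(f"compensating countermeasure needed: {who} / {cat}, short by {short}")
```

Note that the HDO's strong technological posture does nothing for the physical and people gaps at the booth; the gaps are where the compensating countermeasures of 4.1 have to be placed.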
5 Telehealth service activities and threats
5.1 General
From the cybersecurity perspective, the key factors of a telehealth service are healthcare provision
activities such as encounter, observation and intervention, carried out through communication from a remote location.
To analyse risks of telehealth services, the security threats associated with each telehealth activity
(encounter, observation, and intervention) as well as th
...