ASTM_E_1762_-_95_2013.pdf

Designation:E176295(Reapproved 2013)An American National StandardStandard Guide forElectronic Authentication of Health Care Information1This standard is issued under the fixed designation E1762;the number immediately following the designation indicates the year oforiginal adoption or,in the case of revision,the year of last revision.A number in parentheses indicates the year of last reapproval.Asuperscript epsilon()indicates an editorial change since the last revision or reapproval.1.Scope1.1 This guide covers:1.1.1 Defining a document structure for use by electronicsignature mechanisms(Section 4),1.1.2 Describing the characteristics of an electronic signa-ture process(Section 5),1.1.3 Defining minimum requirements for different elec-tronic signature mechanisms(Section 5),1.1.4 Defining signature attributes for use with electronicsignature mechanisms(Section 6),1.1.5 Describing acceptable electronic signature mecha-nisms and technologies(Section 7),1.1.6 Definingminimumrequirementsforuseridentification,access control,and other security requirementsfor electronic signatures(Section 9),and1.1.7 Outlining technical details for all electronic signaturemechanisms in sufficient detail to allow interoperability be-tween systems supporting the same signature mechanism(Section 8 and Appendix X1-Appendix X4).1.2 This guide is intended to be complementary to standardsunder development in other organizations.The determinationof which documents require signatures is out of scope,since itis a matter addressed by law,regulation,accreditationstandards,and an organizations policy.1.3 Organizations shall develop policies and procedures thatdefine the content of the medical record,what is a documentedevent,and what time constitutes event time.Organizationsshould review applicable statutes and regulations,accreditationstandards,and professional practice guidelines in developingthese policies and procedures.2.Referenced Documents2.1 ISO Standards:ISO 9594-8 1993:The Directory:Authentication Framework(also available as ITU-S X.509)2ISO 8825-1 1993:Specification of Basic Encoding Rules forASN.12ISO 7816 1993:IC Cards with Contacts2ISO 10036 1994:Contactless IC Cards22.2 ANSI Standards:ANSI X9.30 Part 3:Certificate Management for DSA,No-vember 1994(ballot copy)3ANSI X9.31 Part 3:Certificate Management for RSA,July1994(draft)3ANSI X9.31 Part 1:RSA Signature Algorithm,July 1994(ballot copy)(technically aligned with ISO/IEC 9796)3ANSI X9.30 Part 1:Digital Signature Algorithm,July 1994(ballot copy)(technically aligned with NIST FIPS PUB186)3ANSI X9F1,ANSI X9.45:Enhanced Management ControlsUsing Attribute Certificates,September 1994(draft)32.3 Other Standards:FIPS PUB 112:Standards on Password Usage,May 19854FIPS PUB 181:Secure Hash Standard,1994(technicallyaligned with ANSI X9.301)4FIPS PUB 186:Digital Signature Standard,1994(techni-cally aligned with ANSI X9.301)4PKCS#1:RSA Encryption Standard(version 1.5),Novem-ber 19935PKCS#5:Password-Based Encryption Standard,19945PKCS#7:Cryptographic Message Syntax Standard,199453.Terminology3.1 Definitions:3.1.1 access controlthe prevention of unauthorized use ofa resource,including the prevention of use of a resource in anunauthorized manner.3.1.2 accountabilitythe property that ensures that theactions of an entity may be traced uniquely to the entity.3.1.3 attributea piece of information associated with theuse of a document.1This guide is under the jurisdiction of ASTM Committee E31 on HealthcareInformatics and is the direct responsibility of Subcommittee E31.25 on HealthcareData Management,Security,Confidentiality,and Privacy.Current edition approved March 1,2013.Published March 2013.Originallyapproved in 1995.Last previous edition approved in 2009 as E176295(2009).DOI:10.1520/E1762-95R13.2Available from ISO,1 Rue de Varembe,Case Postale 56,CH 1211,Geneve,Switzerland.3Available from American National Standards Institute(ANSI),25 W.43rd St.,4th Floor,New York,NY 10036,http:/www.ansi.org.4Available from National Institute of Standards and Technology(NIST),100Bureau Dr.,Stop 1070,Gaithersburg,MD 20899-1070,http:/www.nist.gov.5Available from RSA Data Security,100 Marine Parkway,Redwood City,CA64065.Copyright ASTM International,100 Barr Harbor Drive,PO Box C700,West Conshohocken,PA 19428-2959.United States1 3.1.4 attribute certificatea digitally signed data structurethat binds a user to a set of attributes.3.1.5 authorizationverification that an electronicallysigned transaction is acceptable according to the rules andlimits of the parties involved.3.1.6 authorization certificatean attribute certificate inwhich the attributes indicate constraints on the documents theuser may digitally sign.3.1.7 availabilitythe property of being accessible anduseable upon demand by an authorized entity.3.1.8 computer-based patient record(CPR)the computer-based patient record is a collection of health informationconcerning one person linked by one or more identifiers.In thecontext of this guide,this term is synonymo