温馨提示:
1. 部分包含数学公式或PPT动画的文件,查看预览时可能会显示错乱或异常,文件下载后无此问题,请放心下载。
2. 本文档由用户上传,版权归属用户,汇文网负责整理代发布。如果您对本文档版权有争议请及时联系客服。
3. 下载前请仔细阅读文档内容,确认文档内容符合您的需求后进行下载,若出现内容与标题不符可向本站投诉处理。
4. 下载文档时可能由于网络波动等原因无法下载或下载错误,付费完成后未能成功下载的用户请联系客服处理。
网站客服:3074922707
TM_E_1985_
_98_2013
Designation:E198598(Reapproved 2013)An American National StandardStandard Guide forUser Authentication and Authorization1This standard is issued under the fixed designation E1985;the number immediately following the designation indicates the year oforiginal adoption or,in the case of revision,the year of last revision.A number in parentheses indicates the year of last reapproval.Asuperscript epsilon()indicates an editorial change since the last revision or reapproval.1.Scope1.1 This guide covers mechanisms that may be used toauthenticate healthcare information(both administrative andclinical)users to computer systems,as well as mechanisms toauthorize particular actions by users.These actions mayinclude access to healthcare information documents,as well asspecific operations on those documents(for example,reviewby a physician).1.2 This guide addresses both centralized and distributedenvironments,by defining the requirements that a singlesystem shall meet and the kinds of information which shall betransmitted between systems to provide distributed authentica-tion and authorization services.1.3 This guide addresses the technical specifications forhow to perform user authentication and authorization.Theactual definition of who can access what is based on organi-zational policy.2.Referenced Documents2.1 ASTM Standards:2E1762 Guide for Electronic Authentication of Health CareInformationPS100 Provisional Specification for Authentication ofHealthcare Information Using Digital Signatures2.2 ANSI Standard:X9.45 Enhanced Management Controls Using Digital Sig-natures and Attribute Certificates32.3 Other Standards:ECMA1-219 Authentication and PrivilegeAttribute SecurityApplications with Related Key Distribution Functions4FIPS PUB 112 Password Usage53.Terminology3.1 Definitions:3.1.1 access control lista piece of access controlinformation,associated with a target,that specifies the initia-tors who may access the target.3.1.2 capabilitya piece of access control information,associated with an initiator,which authorizes the holder toaccess some target.3.1.3 claimantparty requesting authentication;may be aperson or a device.3.1.4 initiatoran entity(for example,a user)who requestsaccess to some object.3.1.5 principallegitimate owner of an identity.3.1.6 security labelaccess control information bound toinitiators and targets.The initiator and target labels are com-pared to determine if access is allowed.3.1.7 targetan entity(for example,a file or document)thatmay be accessed by an initiator.3.1.8 verifieranother party seeking to authenticate princi-pal.3.2 Acronyms:3.2.1 ACIAccess Control Information3.2.2 ACLAccess Control List3.2.3 ADFAccess Control Decision Function3.2.4 ADIAccess Control Decision Information3.2.5 AEFAccess Control Enforcement Function3.2.6 PINPersonal Identification Number4.Significance and Use4.1 This guide has three purposes:4.1.1 To serve as a guide for developers of computersoftware that provides or makes use of authentication andauthorization processes,4.1.2 To serve as a guide to healthcare providers who areimplementing authentication and authorization mechanisms,and1This guide is under the jurisdiction of ASTM Committee E31 on HealthcareInformatics and is the direct responsibility of Subcommittee E31.25 on HealthcareData Management,Security,Confidentiality,and Privacy.Current edition approved March 1,2013.Published March 2013.Originallyapproved in 1998.Last previous edition approved in 2005 as E1985 98(2005).DOI:10.1520/E1985-98R13.2For referenced ASTM standards,visit the ASTM website,www.astm.org,orcontact ASTM Customer Service at serviceastm.org.For Annual Book of ASTMStandards volume information,refer to the standards Document Summary page onthe ASTM website.3Available from American National Standards Institute,11 W.42nd St.,13thFloor,New York,NY 10036.4Available from ECMA International,Rue du Rhone 114,CH,1204,Geneva.5Available from National Technical Information Service,U.S.Department ofCommerce,Springfield,VA.http:/csrc.nist.gov or www.ntis.gov.Copyright ASTM International,100 Barr Harbor Drive,PO Box C700,West Conshohocken,PA 19428-2959.United States1 4.1.3 Tobeaconsensusstandardonthedesign,implementation,and use of authentication and authorizationmechanisms.4.2 Additional standards will define interoperable protocolsand message formats that can be used to implement thesemechanisms in a distributed environment,using specific com-mercial technologies such as digital signatures.5.User Authentication5.1 Authentication ensures the identity of a user.Thelegitimate owner of an identity is known as a principal.Authentication occurs when a claimant has presented a prin-cipals identity and claims to be that principal.Authenticationallows the other party(verifier)to verify that the claim islegitimate.5.2 Requirements:5.2.1 Users shall be authenticated for access to healthinformation.5.2.2 Users may be authenticated at the system,subsystem,application,or medical record level.5.2.3 Users shall be authenti