ASTM_E_2085_-_00a.pdf

Designation:E 2085 00aAn American National StandardStandard Guide onSecurity Framework for Healthcare Information1This standard is issued under the fixed designation E 2085;the number immediately following the designation indicates the year oforiginal adoption or,in the case of revision,the year of last revision.A number in parentheses indicates the year of last reapproval.Asuperscript epsilon(e)indicates an editorial change since the last revision or reapproval.1.Scope1.1 This guide covers a framework for the protection ofhealthcare information.It addresses both storage and transmis-sion of information.It describes existing standards used forinformation security which can be used in many cases,anddescribes which(healthcarespecific)standards are needed tocomplete the framework.Appropriate background informationon security(and particularly cryptography)is included.Theframework is designed to accommodate a very large(nationalor international),distributed user base,spread across manyorganizations,and it therefore recommends the use of certain(scaleable)technologies over others.1.2 Electronic information exchange and sharing of data inhas been the backbone of industries such as financial institu-tions for several years.Cost cutting measures and a real needfor sharing of information are driving healthcare servicestoward increased use of computer-based information systems.One of the requirements for the ability to share and exchangehealthcare information is that the information be protected.1.3 Selection of standards was performed using the follow-ing criteria,which are described in more detail in 4.2.1.3.1 Security requirements are defined in this framework,and(in some cases)in additional ASTM guidelines.1.3.2 ASTM standard specifications are used to defineprotocols and message formats in support of interoperability.1.3.3 Existing standards will be reused or extended when-ever possible.1.3.4 This framework does not address policy issues.ASTMSubcommittee E31.17 is writing standards that address theseissues.2.Referenced Documents2.1 ASTM Standards:E 1238 Specification for Transferring Clinical ObservationsBetween Independent Computer Systems2E 1384 Guide for Content and Structure of the Computer-Based Patient Record2E 1762 Guide for Electronic Authentication of HealthcareInformation2E 1985 Guide for User Authentication and Authorization2E 1986 Guide for Information Access Privileges to HealthInformation2E 2084 Specification for Authentication of Healthcare In-formation Using Digital Signatures2E 2086 Guide for Internet and Intranet Healthcare Security22.2IETF Standards:3RFC 1510 Kerberos Authentication ServiceRFC 1777 Lightweight Directory Access Protocol(v2)RFC 2251 Lightweight Directory Access Protocol(v3)RFCs 19011910 Simple Network Management ProtocolRFC 1945 Hypertext Transfer ProtocolRFC 1964 Kerberos v5 GSS-API MechanismRFC 2025 GSSAPI Simple Public Key Mechanism(SPKM)RFC 2078 Generic Security Services Application ProgramInterfaceRFC 2246 The TLS Protocol Version 1.0RFC 2401 Security Architecture for the Internet ProtocolRFC 2402 IP Authentication HeaderRFC 2403 The Use of HMAC-MD596 within ESP andAHRFC 2404 The Use of HMAC-SHA-196 within ESP andAHRFC 2406 IP Encapsulating Security Payload(ESP)RFC 2407 The Internet IP Security Domain of Interpreta-tion for ISAKMPRFC 2408 Internet Security Association and Key Manage-ment Protocol(ISAKMP)RFC 2409 The Internet Key Exchange(IKE)RFC 2440 OpenPGP Message FormatRFC 2451 The ESP CBC-Mode Cipher AlgorithmsRFC 2527 Internet X.509 Public Key Infrastructure Certifi-cate Policy and Certification Practices FrameworkRFC 2259 Internet X.509 Public Key Infrastructure Opera-tional ProtocolsLDAPv2RFC 2560 Internet X.509 Public Key Infrastructure OnlineCertificate Status ProtocolRFC 2630 Cryptographic Message SyntaxRFC 2631 Diffie-Hellman Key Agreement Method1This guide is under the jurisdiction of ASTM Committee E31 on HealthcareInformatics and is the direct responsibility of Subcommittee E31.20 on Data andSystem Security for Health Information.Current edition approved Oct.10,2000.Published November 2000.Originallypublished as E 208500.Last previous edition E 208500.2Annual Book of ASTM Standards,Vol 14.01.3Available online at ftp:/.1Copyright ASTM International,100 Barr Harbor Drive,PO Box C700,West Conshohocken,PA 19428-2959,United States.RFC 2632 S/MIME Version 3 Certificate HandlingRFC 2633 S/MIME Version 3 Message SpecificationRFC 2634 Enhanced Security Services for S/MIME2.3ISO Standards:4ISO 88241 Specification of Abstract Syntax Notions One(ASN.1)ISO 88251 Specification of Basic Encoding Rules forAbstract Syntax Notions One(ASN.1)ISO/IEC 74982 Security ArchitectureISO/IEC 8879 Standard Generalized Markup Language(SGML)ISO/IEC 9735 Electronic Data Interchange for Administra-tion,Commerce and Transport(EDIFACT)ApplicationLevel Syntax Rules(Parts 510)ISO/IEC 9595 Information TechnologyOpen Systems In-terconnectionCommon Management Information Ser-vice DefinitionISO/IEC 9