Paper-based healthcare prescriptions are increasingly being replaced by e-prescriptions. At the same time, threats to the security of health information through unauthorized access are growing. Health services therefore need reliable information security measures that minimize the risk of unauthorized access, whether deliberate or inadvertent.

Ross Fraser, convenor of the ISO working group that developed the standard, comments: “ISO 17090 describes the technical, operational and policy requirements that need to be addressed to enable digital certificates to be used in protecting the exchange of healthcare information within a single healthcare organization, between organizations and across jurisdictional boundaries. Its purpose is to create a platform for global interoperability.”

Digital certificate technology addresses these challenges by using public key cryptography to protect information in transit and digital certificates to bind a public key to the identity of the person or device that sent the information, so that the recipient can confirm who sent it.

In the healthcare environment, this technology uses authentication, encryption and digital signatures to control access to personal health records and to protect those records while they move between systems. The ultimate aim is to allow clinicians and healthcare administrators to best serve the interests of their patients.
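To make the two mechanisms above concrete, here is an added example, written for this page and not taken from ISO 17090 or from any ISO material, using only the Go standard library. A hypothetical healthcare CA ("Example Health CA") issues a signing certificate to a clinician ("Dr. A. Example"); the clinician signs a constructed sample e-prescription; the receiving side checks that the certificate chains to the CA it trusts and is permitted to sign before it checks the signature. Two failure modes are exercised: a record altered after signing, and a certificate with the same clinician name issued by a CA the receiver does not trust. All names, the record format and the SignedRecord container are assumptions for the example, not definitions from the standard.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SignedRecord bundles a record, a detached signature over it and the signer's certificate.
// It is a constructed container for this example, not a message format from ISO 17090.
type SignedRecord struct {
	Record []byte
	Sig    []byte // ASN.1-encoded ECDSA signature over SHA-256(Record)
	Cert   *x509.Certificate
}

// newCert generates a P-256 key and a certificate for it. With parent == nil the result is a
// self-signed CA; otherwise the CA issues an end-entity certificate limited to digital signatures.
func newCert(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // toy serial; a real CA tracks these durably
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  parent == nil,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	signerKey := parentKey
	if parent == nil { // self-signed root: its key only signs certificates
		tmpl.KeyUsage = x509.KeyUsageCertSign
		parent, signerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signerKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// Sign hashes the record with SHA-256 and signs the digest with the clinician's private key.
func Sign(record []byte, key *ecdsa.PrivateKey, cert *x509.Certificate) *SignedRecord {
	digest := sha256.Sum256(record)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	check(err)
	return &SignedRecord{Record: record, Sig: sig, Cert: cert}
}

// Verify is the receiving side: first establish that the signer's certificate chains to a trusted
// CA and may sign, then check the signature. A valid signature under an untrusted certificate
// says nothing about who sent the record.
func Verify(rec *SignedRecord, roots *x509.CertPool) (string, error) {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := rec.Cert.Verify(opts); err != nil {
		return "", fmt.Errorf("signer certificate not trusted: %w", err)
	}
	if rec.Cert.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
		return "", fmt.Errorf("signer certificate not permitted for digital signatures")
	}
	// CheckSignature hashes rec.Record with SHA-256 and verifies rec.Sig with the certificate's key.
	if err := rec.Cert.CheckSignature(x509.ECDSAWithSHA256, rec.Record, rec.Sig); err != nil {
		return "", fmt.Errorf("record signature invalid: %w", err)
	}
	return rec.Cert.Subject.CommonName, nil
}

// Scenario runs three cases: a correctly signed record, the same record altered after signing,
// and a record signed under a CA the verifier does not trust. All names are placeholders.
func Scenario() (signer string, tamperedRejected, untrustedRejected bool) {
	ca, caKey := newCert("Example Health CA", nil, nil)
	clinicianCert, clinicianKey := newCert("Dr. A. Example", ca, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca) // the receiving system trusts only this healthcare CA
	record := []byte(`{"patient":"P-0001","rx":"amoxicillin 500 mg"}`) // constructed sample record
	rec := Sign(record, clinicianKey, clinicianCert)
	signer, err := Verify(rec, roots)
	check(err)
	tampered := *rec // dose altered after signing: the signature no longer matches
	tampered.Record = []byte(`{"patient":"P-0001","rx":"amoxicillin 5000 mg"}`)
	_, err = Verify(&tampered, roots)
	tamperedRejected = err != nil
	rogueCA, rogueKey := newCert("Rogue CA", nil, nil) // same clinician name, untrusted issuer
	rogueCert, rogueSigKey := newCert("Dr. A. Example", rogueCA, rogueKey)
	_, err = Verify(Sign(record, rogueSigKey, rogueCert), roots)
	untrustedRejected = err != nil
	return
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

func main() {
	signer, tampered, untrusted := Scenario()
	fmt.Printf("signer=%q tampered_rejected=%v untrusted_ca_rejected=%v\n", signer, tampered, untrusted)
}
```

The order of checks in Verify is the point a practitioner should take away: the signature alone only proves that whoever holds the private key signed the bytes; it is the certificate chain back to a CA the receiver has chosen to trust that turns that into an identity, which is why the rogue CA case is rejected even though its signature is mathematically valid. Encryption of the record in transit (the other half of the paragraph above) is a separate step not shown here; in practice it is typically provided by TLS between the systems, with these same certificates or ones issued under the same policy.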

The three-part standard can help users who are primarily interested in a specific aspect of digital certificate use in healthcare. Senior administrators will find an informative general overview in Part 1. Technical implementation teams will find detailed technical information in Part 2. Business analysts and administrative implementation teams will find a detailed policy framework and administrative requirements to support implementation in Part 3.

  • ISO 17090-1 defines the basic concepts underlying the use of digital certificates in healthcare and provides a scheme of interoperability requirements to establish digital-certificate-enabled secure communication of health information.
  • ISO 17090-2 details the use made of digital certificates in the health industry and focuses, in particular, on specific healthcare issues relating to certificate profiles.
  • ISO 17090-3 deals with management issues involved in implementing and using digital certificates in healthcare. It defines a structure and minimum requirement for certificate policies and a structure for associated certification practice statements.

ISO 17090:2008 was developed by ISO technical committee ISO/TC 215, Health informatics, working group WG 4, Security.

ISO 17090:2008, Health informatics – Public key infrastructure, is sold in three parts: Part 1: Overview of digital certificate services and Part 3: Policy management of certification authority cost 132 Swiss francs each, and Part 2: Certificate profile costs 114 Swiss francs. They are available from ISO national member institutes and from ISO Central Secretariat through the ISO Store or by contacting the Marketing & Communication department.