This Standard specifies a common framework for audit trails for electronic health records (EHR), in terms of audit trigger events and audit data, so that the complete set of personal health information remains auditable across information systems and domains.
What is DIN EN ISO 27789 about?
It applies to systems that process personal health information and, in line with ISO 27799, create a secure audit record each time a user accesses, creates, updates or archives personal health information through the system. Each such record, at a minimum, uniquely identifies the user, uniquely identifies the subject of care, identifies the function the user performed (record creation, access, update, etc.) and records the date and time at which that function was performed.
Two informative annexes complete the standard: Annex A gives examples of audit scenarios, while Annex B gives an overview of audit log services.
What is its background?
Electronic health records for an individual may reside in many different information systems within and across organizational or even jurisdictional boundaries. This Standard provides the common framework needed to keep track of all actions that involve records on a particular subject of care, wherever those records are held.
As far as possible, the Standard builds upon, and is consistent with, the work begun in the Internet Engineering Task Force (IETF) Request for Comments (RFC) 3881, which defines security audit and access accountability messages for healthcare applications.
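As an added example (not part of the standard or of this page), the following Python shows what the two preceding points amount to in practice: records from two systems are reduced to the minimum content listed above (user, subject of care, function, date and time), lines that lack any of those fields are reported rather than silently dropped, and the surviving records for one subject of care are merged into a single time-ordered trail across systems. The two log formats, the system names, the operation-code mapping, the user and MRN identifiers and every log line are constructed for this example and are not taken from the standard.

```python
import json
from dataclasses import dataclass
from datetime import datetime, timezone

# The trigger functions the standard names: create, access, update, archive.
TRIGGER_FUNCTIONS = frozenset({"create", "access", "update", "archive"})


@dataclass(frozen=True)
class AuditRecord:
    """Minimum audit record content, plus the system that produced it."""
    system: str
    user_id: str         # unique user identifier
    subject_id: str      # unique subject-of-care identifier
    function: str        # one of TRIGGER_FUNCTIONS
    timestamp: datetime  # timezone-aware, normalized to UTC


class NonConformingRecord(ValueError):
    """A raw log line that cannot yield a complete minimum record."""


def _require(value, name):
    """Reject absent or empty mandatory fields."""
    if value is None or str(value).strip() == "":
        raise NonConformingRecord(f"missing {name}")
    return str(value).strip()


def _to_utc(ts: datetime) -> datetime:
    """Naive timestamps cannot be ordered across systems; reject them."""
    if ts.tzinfo is None:
        raise NonConformingRecord("timestamp has no timezone")
    return ts.astimezone(timezone.utc)


def normalize_a(line: str) -> AuditRecord:
    """System 'ehr-a' (assumed format): one JSON object per line, ISO 8601 'ts'."""
    d = json.loads(line)
    func = _require(d.get("action"), "function").lower()
    if func not in TRIGGER_FUNCTIONS:
        raise NonConformingRecord(f"unknown function {func!r}")
    ts = datetime.fromisoformat(_require(d.get("ts"), "timestamp").replace("Z", "+00:00"))
    return AuditRecord("ehr-a", _require(d.get("user"), "user id"),
                       _require(d.get("patient"), "subject of care id"), func, _to_utc(ts))


# System 'ehr-b' (assumed format) uses its own operation codes; map them to the common vocabulary.
B_OPS = {"NEW": "create", "VIEW": "access", "EDIT": "update", "ARCH": "archive"}


def normalize_b(line: str) -> AuditRecord:
    """System 'ehr-b' (assumed format): 'epoch_seconds|user|mrn|op', epoch in UTC."""
    parts = [p.strip() for p in line.split("|")]
    if len(parts) != 4:
        raise NonConformingRecord("malformed line")
    epoch, uid, mrn, op = parts
    func = B_OPS.get(op)
    if func is None:
        raise NonConformingRecord(f"unknown function {op!r}")
    ts = datetime.fromtimestamp(int(_require(epoch, "timestamp")), tz=timezone.utc)
    return AuditRecord("ehr-b", _require(uid, "user id"),
                       _require(mrn, "subject of care id"), func, ts)


def build_trail(sources, subject_id):
    """Return (trail, rejects): the subject's records across all sources in time
    order, and (system, raw line, reason) for every line that could not be
    normalized. Rejects are reported, not dropped: a line without a subject
    identifier is precisely the gap an auditor would otherwise never see."""
    trail, rejects = [], []
    for system, normalize, text in sources:
        for line in text.strip().splitlines():
            try:
                rec = normalize(line)
            except ValueError as err:  # NonConformingRecord, JSON and parse errors
                rejects.append((system, line, str(err)))
                continue
            if rec.subject_id == subject_id:
                trail.append(rec)
    trail.sort(key=lambda r: r.timestamp)
    return trail, rejects


# Constructed sample logs (not real data). Epoch 1709284800 is 2024-03-01T09:20:00Z.
SOURCE_A = """
{"user": "dr.smith", "patient": "MRN-000123", "action": "access", "ts": "2024-03-01T09:15:00Z"}
{"user": "nurse.lee", "patient": "MRN-000123", "action": "update", "ts": "2024-03-01T09:20:30Z"}
{"user": "dr.smith", "patient": "", "action": "access", "ts": "2024-03-01T09:25:00Z"}
{"user": "dr.smith", "patient": "MRN-000123", "action": "access", "ts": "2024-03-01T09:30:00"}
{"user": "dr.smith", "patient": "MRN-000999", "action": "create", "ts": "2024-03-01T10:00:00Z"}
"""
SOURCE_B = """
1709284800|radiology-svc|MRN-000123|VIEW
1709285100|archivist|MRN-000123|ARCH
1709285200|lab-svc|MRN-000123|PURGE
"""
SOURCES = [("ehr-a", normalize_a, SOURCE_A), ("ehr-b", normalize_b, SOURCE_B)]

if __name__ == "__main__":
    trail, rejects = build_trail(SOURCES, "MRN-000123")
    for r in trail:
        print(r.timestamp.isoformat(), r.system, r.user_id, r.function)
    for system, line, reason in rejects:
        print("REJECTED", system, reason, "->", line)
```

Running it yields four records for MRN-000123 interleaved from both systems, and three rejects: a line with an empty subject-of-care identifier, a line whose timestamp carries no timezone (and so cannot be placed in order against the other system), and a line with an operation code the common vocabulary does not know. Treating each of those as a visible defect rather than a skipped line is what keeps the consolidated trail honest.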
Who should buy this standard?
This Standard is intended for those responsible for overseeing health information security or privacy and for healthcare organizations and other custodians of health information seeking guidance on audit trails, together with their security advisors, consultants, auditors, vendors and third-party service providers.