DIN Standards Committee Medicine
DIN EN ISO 27789
Health informatics - Audit trails for electronic health records (ISO 27789:2013); German version EN ISO 27789:2013
Medizinische Informatik - Audit-Trails für elektronische Gesundheitsakten (ISO 27789:2013); Deutsche Fassung EN ISO 27789:2013
Electronic health records on treated persons may reside in many different information systems, within and across organizational or even jurisdictional boundaries. To keep track of all actions that involve records on a particular subject of care, a common framework is a prerequisite: once the audit trail for an electronic health record is distributed across several systems, only a shared framework keeps the complete set of personal health information auditable. This document specifies that common framework in terms of audit trigger events and audit data.

In accordance with ISO 27799, information systems containing personal health information shall create a secure audit record each time a user accesses, creates, updates or archives personal health information via the system. Such audit records, at a minimum, uniquely identify the user, uniquely identify the subject of care, identify the function performed by the user (record creation, access, update, etcetera), and record the date and time at which the function was performed.

The scope covers only actions performed on the electronic health records. These actions are governed by the access policy of the domain in which the electronic health record resides, and audit trails help to determine whether that access policy is being met. Apart from identifiers, the audit trails specified in this standard contain no personal health information: an audit record only contains links to electronic health record segments, as defined by the governing access policy.

The scope of this document does not cover the specification and use of audit logs for system management and system security purposes, such as the detection of performance problems or application flaws, or support for data reconstruction. These aspects are already dealt with in general computer security standards such as ISO/IEC 15408. This standard also contains examples of services for secure audit logs.
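The following is an added illustration, not text or code from ISO 27789 or DIN: it models audit records carrying only the minimum content the abstract names (user, subject of care, function, date and time) plus an opaque link to the record segment instead of any clinical data, merges records from two systems into one subject's trail, checks that trail against a per-domain access policy, and makes each system's log tamper-evident with a hash chain. The field names, the hash-chain construction, the policy table shape and all sample records are assumptions made for this example; the standard does not prescribe them.

```python
"""Added example (not from ISO 27789): minimal cross-system EHR audit trail."""
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import datetime

# Functions named in the abstract: creation, access, update, archive.
ACTIONS = frozenset({"create", "access", "update", "archive"})


@dataclass(frozen=True)
class AuditRecord:
    user_id: str       # uniquely identifies the user
    subject_id: str    # uniquely identifies the subject of care
    action: str        # function performed on the record
    timestamp: str     # ISO 8601 with timezone
    segment_ref: str   # opaque link to the EHR segment; no clinical data is stored here
    system_id: str     # emitting system, needed to merge trails (assumed field)

    def canonical(self) -> bytes:
        # Stable serialisation so the digest is independent of field order.
        return json.dumps(asdict(self), sort_keys=True).encode()


def validate(rec: AuditRecord) -> None:
    """Reject records that lack any of the minimum content."""
    if rec.action not in ACTIONS:
        raise ValueError(f"unknown action {rec.action!r}")
    if datetime.fromisoformat(rec.timestamp).tzinfo is None:
        raise ValueError("timestamp must carry a timezone")
    for field in ("user_id", "subject_id", "segment_ref", "system_id"):
        if not getattr(rec, field):
            raise ValueError(f"{field} is empty")


class AuditLog:
    """Append-only log of one system. Each digest covers the previous digest,
    so altering or dropping an earlier entry is detectable. Hash chaining is
    an assumed tamper-evidence technique; the standard does not mandate it."""

    GENESIS = "0" * 64

    def __init__(self, system_id: str) -> None:
        self.system_id = system_id
        self.entries: list[tuple[AuditRecord, str]] = []

    def append(self, rec: AuditRecord) -> str:
        validate(rec)
        if rec.system_id != self.system_id:
            raise ValueError("record belongs to another system")
        prev = self.entries[-1][1] if self.entries else self.GENESIS
        digest = hashlib.sha256(prev.encode() + rec.canonical()).hexdigest()
        self.entries.append((rec, digest))
        return digest

    def verify(self) -> bool:
        prev = self.GENESIS
        for rec, stored in self.entries:
            if hashlib.sha256(prev.encode() + rec.canonical()).hexdigest() != stored:
                return False
            prev = stored
        return True


def trail_for_subject(logs: list[AuditLog], subject_id: str) -> list[AuditRecord]:
    """Merge one subject's records from several systems, in time order."""
    recs = [r for log in logs for r, _ in log.entries if r.subject_id == subject_id]
    return sorted(recs, key=lambda r: datetime.fromisoformat(r.timestamp))


def policy_violations(trail: list[AuditRecord],
                      policy: dict[str, dict[str, set[str]]]) -> list[AuditRecord]:
    """Records whose action the domain's policy does not allow for that user.
    policy[system_id][user_id] -> allowed actions (constructed shape)."""
    return [r for r in trail
            if r.action not in policy.get(r.system_id, {}).get(r.user_id, set())]


# Constructed sample policy and records (hypothetical identifiers).
POLICY = {
    "hospital-ehr": {"dr.meier": {"create", "access", "update", "archive"},
                     "billing.01": {"access"}},
    "lab-lis": {"dr.meier": {"access"}, "lab.tech.7": {"create", "update"}},
}


def build_sample_logs() -> list[AuditLog]:
    ehr, lis = AuditLog("hospital-ehr"), AuditLog("lab-lis")
    ehr.append(AuditRecord("dr.meier", "pat-4711", "create",
                           "2024-03-01T09:15:00+00:00", "ehr:seg/12", "hospital-ehr"))
    lis.append(AuditRecord("lab.tech.7", "pat-4711", "create",
                           "2024-03-01T11:40:00+00:00", "lis:order/88", "lab-lis"))
    ehr.append(AuditRecord("billing.01", "pat-4711", "update",  # not allowed by POLICY
                           "2024-03-02T08:05:00+00:00", "ehr:seg/12", "hospital-ehr"))
    lis.append(AuditRecord("dr.meier", "pat-0815", "access",
                           "2024-03-02T08:30:00+00:00", "lis:order/91", "lab-lis"))
    return [ehr, lis]


if __name__ == "__main__":
    logs = build_sample_logs()
    trail = trail_for_subject(logs, "pat-4711")
    print(len(trail), "records on pat-4711; violations:",
          [(r.user_id, r.action) for r in policy_violations(trail, POLICY)])
    print("chains intact:", all(log.verify() for log in logs))
```

The point of `segment_ref` is the abstract's rule that the record links to the EHR segment rather than copying content: the log can be handed to an auditor without itself becoming a store of personal health information. Merging by `subject_id` across systems is what the "common framework" buys; without a shared subject identifier and a shared action vocabulary the per-system logs cannot be joined into one trail.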
The committee responsible for this standard is NA 063-07-04 AA "Sicherheit" ("Security") at DIN.