scope:

This CEN Report is aimed at providing a basis for a planned European Standard on the same subject, work item Security Requirements for Intermittently Connected Devices. The reason for processing this document as a formal CEN Report is that it has been requested as immediate guidance to the current work of CEN TC224/WG12 in its preparation of standards specifying the mechanisms for implementing security requirements in systems using machine readable cards in health care. The scope of this report is also to serve as guidance, without being normative, to the many large projects using cards in health care for both patients, professionals and other persons working in the health care sector, presently under development in Europe. This report defines a framework of security requirements in systems with intermittently connected devices and discusses requirements for the following security services for ICD-systems: Data Integrity protection Data Origin and Entity Authentication Access Control Confidentiality protection The report defines security requirements on the ICD-interchange interface between an application system and an ICD-System. However, the overall security requirements can only be met if certain requirements on the devices themselves are also followed. Requirements for establishment of secure sessions with various types of ICDs as well as object related security services are defined. The report particularly defines how access to different types of data on intermittently connected devices could be restricted to different classes of health care persons (professionals and other types of personnel) or to the patients, especially when multinational access should be allowed. The rights to read, add, change and delete must be defined separately.