BS ISO 17090-3:2008 - Health informatics. Public key infrastructure. Policy management of certification authority – BSI British Standards
Essential maintenance work will be carried out on BSI Shop over the weekend of 12 and 13 June 2021. BSI Shop will be operational during this time but you might experience slowness for a very brief period of time. Please accept our apologies for any inconvenience this may cause.

BS ISO 17090-3:2008

Health informatics. Public key infrastructure. Policy management of certification authority

Status : Withdrawn, Superseded   Published : May 2008 Replaced By : BS ISO 17090-3:2021

*To ask about withdrawn titles contact the
Customer Relations, +44 345 086 9001

BS ISO 17090-3:2008 Health informatics. Public key infrastructure. Policy management of certification authority

BS ISO 17090-3 is the international standards that  gives guidelines for certificate management issues involved in deploying digital certificates in healthcare. It specifies a structure and minimum requirements for certificate policies, as well as a structure for associated certification practice statements.

This part of BS ISO 17090 also identifies the principles needed in a healthcare security policy for cross-border communication and defines the minimum levels of security required, concentrating on aspects unique to healthcare.

BS ISO 17090 describes the common technical, operational and policy requirements that need to be addressed to enable digital certificates to be used in protecting the exchange of healthcare information within a single domain, between domains and across jurisdictional boundaries. Its purpose is to create a platform for global interoperability. It specifically supports digital certificate enabled communication across borders, but could also provide guidance for the national or regional deployment of digital certificates in healthcare.

The healthcare industry is faced with the challenge of reducing costs by moving from paper based processes to automated electronic processes. New models of healthcare delivery are emphasizing the need for patient information to be shared among a growing number of specialist healthcare providers and across traditional organizational boundaries.

Healthcare information concerning individual citizens is commonly interchanged by means of electronic mail, remote database access, electronic data interchange and other applications. The Internet provides a highly cost-effective and accessible means of interchanging information, but it is also an insecure vehicle that demands additional measures be taken to maintain the privacy and confidentiality of information. Threats to the security of health information through unauthorized access (either inadvertent or deliberate) are increasing.

It is essential to have available to the healthcare system reliable information security services that minimize the risk of unauthorized access.

What's in BS ISO 17090-1?

  • The basic concepts underlying the use of digital certificates in healthcare
  • Provides a scheme of interoperability requirements to establish digital certificate-enabled secure communication of health information
  • Outlines on the management issues involved in implementing and using digital certificates in healthcare
  • Defines a structure and minimum requirements for certificate policies (CPs) and a structure for associated certification practice statements
  • Identifies the principles needed in a healthcare security policy for cross border communication
  • Defines the minimum levels of security required, concentrating on the aspects unique to healthcare.

How does the healthcare industry provide appropriate protection for the data conveyed across the Internet in a practical, cost-effective way? Public key infrastructure (PKI) and digital certificate technology seek to address this challenge.

The proper deployment of digital certificates requires a blend of technology, policy and administrative processes that enable the exchange of sensitive data in an unsecured environment by the use of “public key cryptography” to protect information in transit and “certificates” to confirm the identity of a person or entity.

In healthcare environments, this technology uses authentication, encipherment and digital signatures to facilitate confidential access to, and movement of, individual health records to meet both clinical and administrative needs. The services offered by the deployment of digital certificates (including encipherment, information integrity and digital signatures) are able to address many of these security issues. This is especially the case if digital certificates are used in conjunction with an accredited information security standard. Many individual organizations around the world have started to use digital certificates for this purpose.

Interoperability of digital certificate technology and supporting policies, procedures and practices is of fundamental importance if information is to be exchanged between organizations and between jurisdictions in support of healthcare applications (for example between a hospital and a community physician working with the same patient).

Achieving interoperability between different digital certificate implementations requires the establishment of a framework of trust, under which parties responsible for protecting an individual’s information rights may rely on the policies and practices and, by extension, the validity of digital certificates issued by other established authorities.

Many countries are deploying digital certificates to support secure communications within their national boundaries. Inconsistencies will arise in policies and procedures between the certification authorities (CAs) and the registration authorities (RAs) of different countries if standards development activity is restricted to within national boundaries.

Digital certificate technology is still evolving in certain aspects that are not specific to healthcare. Important standardization efforts and, in some cases, supporting legislation are ongoing. On the other hand, healthcare providers in many countries are already using or planning to use digital certificates. ISO 17090 seeks to address the need for guidance of these rapid international developments.

The Internet is increasingly used as the vehicle of choice to support the movement of healthcare data between healthcare organizations and is the only realistic choice for cross-border communication in this sector.

BS ISO 17090 should be approached as a whole, with the three parts all making a contribution to defining how digital certificates can be used to provide security services in the health industry, including authentication, confidentiality, data integrity and the technical capacity to support the quality of digital signature.

Contents of BS ISO 17090-3 includes:

  • Introduction 
  • Scope
  • Normative references
  • Terms and definitions
  • Abbreviations
  • Requirements for digital certificate policy management in a healthcare context
  • Need for a high level of assurance
  • Need for a high level of infrastructure availability
  • Need for a high level of trust
  • Need for Internet compatibility
  • Need to facilitate evaluation and comparison of CPs
  • Structure of healthcare CPs and healthcare CPSs
  • General requirements for CPs
  • General requirements for CPSs
  • Relationship between a CP and a CPS
  • Applicability
  • Minimum requirements for a healthcare CP
  • General requirements
  • Publication and repository responsibilities
  • Identification and authentication
  • Certificate life-cycle operational requirements
  • Physical controls
  • Technical security controls
  • Certificate, CRL and OCSP profiles
  • Compliance audit
  • Other business and legal matters
  • Model PKI disclosure statement
  • Structure of PKI disclosure statement
  • Bibliography

Buy Part 2 of this standard

BS ISO 17090-2:2008  Health informatics. Public key infrastructure. Certificate profile is also available.

Standard NumberBS ISO 17090-3:2008
TitleHealth informatics. Public key infrastructure. Policy management of certification authority
StatusWithdrawn, Superseded
Publication Date30 May 2008
Confirm Date06 September 2018
Withdrawn Date22 March 2021
Normative References(Required to achieve compliance to this standard)IETF/RFC 3647, IETF/RFC 4211, ISO 17090-2:2008, ISO/IEC 27002, ISO 17090-1:2008
Informative References(Provided for Information)ISO/IEC 15945, ENV 13608-1, FIPS-140-2, ISO/IEC 13335-1, ISO/IEC 2382-8:1998, ISO/IEC 14516, ISO/IEC 7498-2:1989, ISO/IEC 9594-8:2001, IETF/RFC 3280, IETF/RFC 3739, SAA MP75:1996, IETF/RFC 2510, ISO/IEC 8824-1:2002, ISO/IEC 10181-1:1996
Replaced ByBS ISO 17090-3:2021
ReplacesDD ISO/TS 17090-3:2002
International RelationshipsISO 17090-3:2008
Draft Superseded By05/30138513 DC
DescriptorsCertificates of conformity, Keys (cryptographic), Data security, Medical technology, Information exchange, Computer networks, Information transfer, Health services, Cryptography, Policy, Data processing, Internet
Title in FrenchInformatique de santé. Infrastructure de clé publique. Gestion politique d'autorité de certification
Title in GermanMedizinische Informatik. Public-Key-Infrastruktur. Policymanagement von Zertifizierungsinstanzen
ISBN978 0 580 55746 0
File Size468 KB

*To ask about withdrawn titles contact the
Customer Relations, +44 345 086 9001
 Your basket
Your basket is empty

Multi-user access to over 3,500 medical device standards, regulations, expert commentaries and other documents

Worldwide Standards
We can source any standard from anywhere in the world

Develop a PAS

Develop a fast-track standardization document in 9-12 months


Access, view and download standards with multiple user access, across multiple sites with BSOL