1、Designation:E198598(Reapproved 2013)An American National StandardStandard Guide forUser Authentication and Authorization1This standard is issued under the fixed designation E1985;the number immediately following the designation indicates the year oforiginal adoption or,in the case of revision,the ye
2、ar of last revision.A number in parentheses indicates the year of last reapproval.Asuperscript epsilon()indicates an editorial change since the last revision or reapproval.1.Scope1.1 This guide covers mechanisms that may be used toauthenticate healthcare information(both administrative andclinical)u
3、sers to computer systems,as well as mechanisms toauthorize particular actions by users.These actions mayinclude access to healthcare information documents,as well asspecific operations on those documents(for example,reviewby a physician).1.2 This guide addresses both centralized and distributedenvir
4、onments,by defining the requirements that a singlesystem shall meet and the kinds of information which shall betransmitted between systems to provide distributed authentica-tion and authorization services.1.3 This guide addresses the technical specifications forhow to perform user authentication and
5、 authorization.Theactual definition of who can access what is based on organi-zational policy.2.Referenced Documents2.1 ASTM Standards:2E1762 Guide for Electronic Authentication of Health CareInformationPS100 Provisional Specification for Authentication ofHealthcare Information Using Digital Signatu
6、res2.2 ANSI Standard:X9.45 Enhanced Management Controls Using Digital Sig-natures and Attribute Certificates32.3 Other Standards:ECMA1-219 Authentication and PrivilegeAttribute SecurityApplications with Related Key Distribution Functions4FIPS PUB 112 Password Usage53.Terminology3.1 Definitions:3.1.1
7、 access control lista piece of access controlinformation,associated with a target,that specifies the initia-tors who may access the target.3.1.2 capabilitya piece of access control information,associated with an initiator,which authorizes the holder toaccess some target.3.1.3 claimantparty requestin
8、g authentication;may be aperson or a device.3.1.4 initiatoran entity(for example,a user)who requestsaccess to some object.3.1.5 principallegitimate owner of an identity.3.1.6 security labelaccess control information bound toinitiators and targets.The initiator and target labels are com-pared to dete
9、rmine if access is allowed.3.1.7 targetan entity(for example,a file or document)thatmay be accessed by an initiator.3.1.8 verifieranother party seeking to authenticate princi-pal.3.2 Acronyms:3.2.1 ACIAccess Control Information3.2.2 ACLAccess Control List3.2.3 ADFAccess Control Decision Function3.2.
10、4 ADIAccess Control Decision Information3.2.5 AEFAccess Control Enforcement Function3.2.6 PINPersonal Identification Number4.Significance and Use4.1 This guide has three purposes:4.1.1 To serve as a guide for developers of computersoftware that provides or makes use of authentication andauthorizatio
11、n processes,4.1.2 To serve as a guide to healthcare providers who areimplementing authentication and authorization mechanisms,and1This guide is under the jurisdiction of ASTM Committee E31 on HealthcareInformatics and is the direct responsibility of Subcommittee E31.25 on HealthcareData Management,S
12、ecurity,Confidentiality,and Privacy.Current edition approved March 1,2013.Published March 2013.Originallyapproved in 1998.Last previous edition approved in 2005 as E1985 98(2005).DOI:10.1520/E1985-98R13.2For referenced ASTM standards,visit the ASTM website,www.astm.org,orcontact ASTM Customer Servic
13、e at serviceastm.org.For Annual Book of ASTMStandards volume information,refer to the standards Document Summary page onthe ASTM website.3Available from American National Standards Institute,11 W.42nd St.,13thFloor,New York,NY 10036.4Available from ECMA International,Rue du Rhone 114,CH,1204,Geneva.
14、5Available from National Technical Information Service,U.S.Department ofCommerce,Springfield,VA.http:/csrc.nist.gov or www.ntis.gov.Copyright ASTM International,100 Barr Harbor Drive,PO Box C700,West Conshohocken,PA 19428-2959.United States1 4.1.3 Tobeaconsensusstandardonthedesign,implementation,and
15、 use of authentication and authorizationmechanisms.4.2 Additional standards will define interoperable protocolsand message formats that can be used to implement thesemechanisms in a distributed environment,using specific com-mercial technologies such as digital signatures.5.User Authentication5.1 Au
16、thentication ensures the identity of a user.Thelegitimate owner of an identity is known as a principal.Authentication occurs when a claimant has presented a prin-cipals identity and claims to be that principal.Authenticationallows the other party(verifier)to verify that the claim islegitimate.5.2 Requirements:5.2.1 Users shall be authenticated for access to healthinformation.5.2.2 Users may be authenticated at the system,subsystem,application,or medical record level.5.2.3 Users shall be authenti