Designation:E1985−98(Reapproved2013)AnAmericanNationalStandardStandardGuideforUserAuthenticationandAuthorization1ThisstandardisissuedunderthefixeddesignationE1985;thenumberimmediatelyfollowingthedesignationindicatestheyearoforiginaladoptionor,inthecaseofrevision,theyearoflastrevision.Anumberinparenthesesindicatestheyearoflastreapproval.Asuperscriptepsilon(´)indicatesaneditorialchangesincethelastrevisionorreapproval.1.Scope1.1Thisguidecoversmechanismsthatmaybeusedtoauthenticatehealthcareinformation(bothadministrativeandclinical)userstocomputersystems,aswellasmechanismstoauthorizeparticularactionsbyusers.Theseactionsmayincludeaccesstohealthcareinformationdocuments,aswellasspecificoperationsonthosedocuments(forexample,reviewbyaphysician).1.2Thisguideaddressesbothcentralizedanddistributedenvironments,bydefiningtherequirementsthatasinglesystemshallmeetandthekindsofinformationwhichshallbetransmittedbetweensystemstoprovidedistributedauthentica-tionandauthorizationservices.1.3Thisguideaddressesthetechnicalspecificationsforhowtoperformuserauthenticationandauthorization.Theactualdefinitionofwhocanaccesswhatisbasedonorgani-zationalpolicy.2.ReferencedDocuments2.1ASTMStandards:2E1762GuideforElectronicAuthenticationofHealthCareInformationPS100ProvisionalSpecificationforAuthenticationofHealthcareInformationUsingDigitalSignatures2.2ANSIStandard:X9.45EnhancedManagementControlsUsingDigitalSig-naturesandAttributeCertificates32.3OtherStandards:ECMA1-219AuthenticationandPrivilegeAttributeSecurityApplicationswithRelatedKeyDistributionFunctions4FIPSPUB112PasswordUsage53.Terminology3.1Definitions:3.1.1accesscontrollist—apieceofaccesscontrolinformation,associatedwithatarget,thatspecifiestheinitia-torswhomayaccessthetarget.3.1.2capability—apieceofaccesscontrolinformation,associatedwithaninitiator,whichauthorizestheholdertoaccesssometarget.3.1.3claimant—partyrequestingauthentication;maybeapersonoradevice.3.1.4initiator—anentity(forexample,auser)whorequestsaccesstosomeobject.3.1.5prin...
