Cybersecurity in healthcare and social welfare

The obligations of the Cybersecurity Act apply to both public and private healthcare organisations that employ more than 50 people or have a turnover of more than EUR 10 million. These obligations also apply to organisations that are registered in Soteri as a service provider and service unit for healthcare services. 

For example, the Cybersecurity Act applies to the following operators:

• The wellbeing services counties, the City of Helsinki, and the HUS Group.
• Private service providers of healthcare services registered in Soteri that employ more than 50 people or have a turnover of more than EUR 10 million. The Cybersecurity Act also applies to private service providers who provide healthcare and social welfare services as referred to in the Act on the Supervision of Social Welfare and Health Care. 
• Nationally designated EU reference laboratories.

Although the scope of the Cybersecurity Act only covers healthcare service providers and EU reference laboratories in the healthcare sector, the Cybersecurity Act and its obligations apply to all operations of the organisation. What this means is that the physical premises, operating environment, information networks, and information systems must also comply with those obligations; they do not apply only to the organisation’s actions in providing the actual healthcare or reference laboratory services.

By comparison, the Cybersecurity Act does not apply for example to the following operators: 

• companies and individuals that manufacture patient and client information systems as referred to in the Act on the Processing of Client Data in Healthcare and Social Welfare, or information system service providers 
• companies and individuals that manufacture user environments as referred to in the Act on the Secondary Use of Health and Social Data 
• private service providers that only provide social welfare services 
• healthcare service providers with 50 or fewer employees and with a turnover of no more than EUR 10 million.

In certain scenarios, however, the Cybersecurity Act may be applied to healthcare service providers falling under the minimum threshold. This may happen for example if an operator is providing a service which is essential for maintaining critical functions in society at large or in the economy and which is not offered by any other operator.

More information on derogations can be found on the Traficom website.

At national level, the Finnish Supervisory Agency supervises compliance with the obligations of the Cybersecurity Act in the healthcare sector. The  Finnish Supervisory Agency conducts risk-based supervision of compliance with obligations. This may be ex ante or ex post supervision. 

• Ex ante supervision focuses on key operators and may involve document inspections or physical inspection visits. 
• Ex post supervision is usually triggered by a non-compliance notification submitted by an operator or another report received by the agency. 

The Finnish Supervisory Agency may impose the following sanctions on an operator:

• a warning 
• a binding order (e.g. a restriction on management activities or a requirement to rectify shortcomings by a given deadline) 
• reinforcing an order with a conditional fine 
• a proposal for a penalty fee, to be decided by a penalty fee committee to be set up at Traficom 
• The Finnish Supervisory Agency may obligate an operator to have a security audit focusing on cybersecurity risk management carried out.

The Finnish Supervisory Agency also provides general guidance on the obligations in the Cybersecurity Act and how to comply with them.

Under the Cybersecurity Act, an operator has the obligation to

• identify and manage cybersecurity risks 
• establish and update a risk management policy 
• adopt the risk management policy and execute risk management actions 
• prevent and minimise the impact of incidents that threaten cybersecurity on the organisation’s functions, continuity of operations, recipients of services and other services  
• report significant incidents and report on how they are managed 
• sign up for the list of operators and send notifications of any changes in details. 

For more information on the risk management obligations under the Cybersecurity Act, please visit the Traficom website.

An operator must identify, assess, and manage cybersecurity risks to the communications networks and information systems used in its operations or services. 

The purpose of risk management is to prevent or mitigate the impact of incidents on functions, continuity of operations, service recipients, and other services. Incidents are occurrences such as cyber-attacks and other telecommunications and system failures. 

The objective of risk identification is to ensure that the level of security of the communication networks and information systems used in operations or the providing of services and the level of risk management measures are adequate and proportionate to the risks and to the importance of the communication network or information system.

Any change in the number of personnel or the turnover of an organisation may have a bearing on its obligations under the Cybersecurity Act. Such changes must be entered in the list of operators when necessary. A change notification can be submitted using the same form as for signing up (in Finnish). 

The Cybersecurity Act provides for cybersecurity risk management measures. The National Cyber Security Centre at Traficom has prepared a recommendation for cybersecurity risk management measures for the authorities supervising compliance with the NIS Directive. Organisations may also use this recommendation as input for their risk management planning. 

Operators are required to devise and keep updated a risk management policy for cybersecurity in their organisation. 

An incident is considered significant if it

• has caused or may cause a serious disruption to services 
• causes financial losses to the operator concerned 
• has affected or may affect other operators in such a way as to cause substantial material or non-material damage.

If the incident relates to the essential requirements of an individual information system, it must be reported as an incident under the Act on the Processing of Client Data in Healthcare and Social Welfare.

For more information on significant incidents as per the Cybersecurity Act, see the Traficom website.