Information systems for healthcare and social welfare
The Finnish Supervisory Agency supervises the realisation of the essential requirements of information systems intended for the processing of social welfare client data and health care patient data.
The Finnish Supervisory Agency supervises the following social welfare and health care information systems:
- pharmacy systems
- Kanta services
- client data transfer services
- prescription systems
- social services client information systems
- healthcare patient information systems.
A client and patient information system must meet the essential requirements for its intended use. The information system service supplier is responsible for ensuring requirements are realised throughout the system’s production use.
The essential requirements include three areas: functional requirements, interoperability, and information security and data protection.
Functional requirements refer to the functions and data contents implemented in the system. These are typically based on social welfare and healthcare legislation, such as the Medicines Act or the Act on the Status and the Rights of the Patient. The purpose of the information system determines which functions and data contents must be implemented in the system.
The List of essential requirements document maintained by the Finnish Institute for Health and Welfare (THL) describes in more detail the functionalities and data contents required of the systems. The document is at the bottom of this page.
The information system service supplier must complete a system form in which it describes the functionalities and data contents implemented in the system. The data in the form must be up to date and correct. The data must also correspond to the functionalities and data contents implemented in the system.
Category A system
If the system is a category A system, the information system service supplier submits a system form
- to Kela when it signs the system up for joint testing (subcategories A2 and A3)
- to an information security inspection body when it signs the system up for an information security assessment (subcategories A1, A2 and A3)
- to the Finnish Supervisory Agency as an attachment to the registration notification (subcategories A1, A2 and A3).
Category B system
If the system is a Category B system, the information system service supplier submits a system form to the Finnish Supervisory Agency as an attachment to its registration notification.
The minimum functional requirements for a Category B system are described in THL’s Minimum requirements profile for the processing of client or patient data. The profile is at the bottom of this page.
The Classification of information systems for social welfare and healthcare page provides more detailed information on information systems belonging to categories A and B.
Interoperability means that Kanta services and the systems connected to them can share and display client and patient data with one another.
Interoperability makes it possible for various service providers to share client and patient data with one another through Kanta services.
Interoperability requires that systems connected to Kanta services have been implemented in accordance with national regulations.
Interoperability testing organised by Kela
Kela performs joint testing of systems belonging to subcategories A2 and A3. The exception is Kanta services belonging to subcategory A3, which are not separately joint tested. Kela also performs joint testing of well-being applications belonging to category A.
Kela will issue a joint testing statement and report to the information system service supplier on successfully completed joint testing. Joint testing is a free service.
If you have any questions concerning joint testing, please send these to [email protected].
The purpose of the information security requirements is to ensure that client and patient information remains confidential, intact, and accessible.
Confidentiality: client data is only available to those who have the right to see it. Confidentiality means, for example, that the patient information system checks whether there is a valid care relationship in place before the data can be viewed.
Integrity: client data is up-to-date, correct, and consistent. In addition, client data can only be changed by persons authorised to do so, which is ensured with measures such as a healthcare or social welfare professional’s signature.
Availability: client data is available to social welfare and healthcare when it is needed. For example, client data stored in Kanta services must always be available to social welfare and healthcare service providers.
Information security requirements contribute to ensuring data protection for clients and patients.
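The three requirements above, and the log-data obligation listed further down for service providers, are easiest to see in code. The following Python is an added illustration, not code from the Finnish Supervisory Agency, THL or any Kanta-connected system: a minimal record-viewing function that (1) refuses to release patient data unless a care relationship between the professional and the patient is valid on the date of access, (2) verifies that the stored record still carries a valid signature from the professional who wrote it before it is shown, and (3) writes a log entry for every access attempt, including denied ones. The care-relationship register, the records, the HMAC key and the professional identifiers are constructed for the example; a real system would use a professional's qualified electronic signature rather than an HMAC, so the signing routine is a stand-in.

```python
"""Illustrative care-relationship check, record integrity check and access logging.

Added example; the data, key and identifiers below are constructed, not real.
"""
from dataclasses import dataclass, field
from datetime import date
import hmac
import hashlib

# Stand-in for a professional's electronic signature key (constructed).
SIGNING_KEY = b"example-signing-key-not-for-production"


@dataclass(frozen=True)
class CareRelationship:
    professional_id: str
    patient_id: str
    valid_from: date
    valid_to: date  # inclusive


@dataclass
class PatientRecord:
    patient_id: str
    content: str
    signed_by: str   # professional who authored the entry
    signature: str   # hex HMAC over (patient_id, content, signed_by)


def sign_record(patient_id: str, content: str, signed_by: str) -> PatientRecord:
    """Create a record whose signature binds content to its author (integrity)."""
    msg = f"{patient_id}\x1f{content}\x1f{signed_by}".encode()
    sig = hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()
    return PatientRecord(patient_id, content, signed_by, sig)


def verify_record(record: PatientRecord) -> bool:
    """Return True only if the record is unchanged since it was signed."""
    msg = f"{record.patient_id}\x1f{record.content}\x1f{record.signed_by}".encode()
    expected = hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking the signature through timing.
    return hmac.compare_digest(expected, record.signature)


@dataclass
class PatientSystem:
    relationships: list
    records: dict
    audit_log: list = field(default_factory=list)

    def _log(self, professional_id: str, patient_id: str, on: date, outcome: str) -> None:
        # Register-specific log entry: who, whose data, when, and what happened.
        self.audit_log.append(
            {"professional": professional_id, "patient": patient_id,
             "date": on.isoformat(), "outcome": outcome}
        )

    def has_valid_care_relationship(self, professional_id: str, patient_id: str, on: date) -> bool:
        return any(
            r.professional_id == professional_id
            and r.patient_id == patient_id
            and r.valid_from <= on <= r.valid_to
            for r in self.relationships
        )

    def view_record(self, professional_id: str, patient_id: str, on: date) -> str:
        """Release record content only to a professional with a valid care relationship."""
        if not self.has_valid_care_relationship(professional_id, patient_id, on):
            self._log(professional_id, patient_id, on, "DENIED_NO_CARE_RELATIONSHIP")
            raise PermissionError("no valid care relationship")
        record = self.records.get(patient_id)
        if record is None:
            self._log(professional_id, patient_id, on, "DENIED_NO_RECORD")
            raise KeyError(patient_id)
        if not verify_record(record):
            # Integrity failure: refuse to show data that may have been altered.
            self._log(professional_id, patient_id, on, "INTEGRITY_FAILURE")
            raise ValueError("record signature does not verify")
        self._log(professional_id, patient_id, on, "VIEWED")
        return record.content


def build_demo_system() -> PatientSystem:
    """Constructed sample data: one nurse, one doctor, one patient record."""
    relationships = [
        CareRelationship("doc-1", "pat-42", date(2024, 1, 1), date(2024, 6, 30)),
    ]
    records = {"pat-42": sign_record("pat-42", "BP 128/82, no complaints", "doc-1")}
    return PatientSystem(relationships, records)


if __name__ == "__main__":
    system = build_demo_system()
    print(system.view_record("doc-1", "pat-42", date(2024, 3, 15)))
    try:
        system.view_record("doc-1", "pat-42", date(2024, 9, 1))  # relationship expired
    except PermissionError as e:
        print("denied:", e)
    print(system.audit_log)
```

Note that the denied attempt and the integrity failure are logged as well as the successful view; a log that records only successes is of little use for the monitoring and enforcement purposes the log data is collected for.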
Information security assessment carried out by an inspection body
Category A systems are subject to an information security assessment to verify compliance with information security requirements.
The assessment is carried out by an information security inspection body approved by the Finnish Transport and Communications Agency (Traficom), which issues an information security certificate and the related report to the information system service supplier. The certificate is valid for a maximum period of three years and may be renewed for a maximum period of three years at a time.
The information system service supplier selects which inspection body approved by Traficom it will use in the assessment of information security. An information security assessment is a fee-based service.
Obligations of the information system service supplier
The Act on the Processing of Client Data in Healthcare and Social Welfare contains provisions on the obligations of the information system service supplier. These are related to the fulfilment of the essential requirements for the client and patient data system, the demonstration of fulfilment, and system maintenance.
The information system service supplier provides and implements an information system for the processing of client data for the service provider. Typically, the information system supplier is also the party that manufactured the system. If the manufacturer is separate from the supplier, the supplier is responsible for the fulfilment of essential requirements on behalf of one or more manufacturers.
The obligations of an information system service supplier include:
- Classification of the information system.
- Demonstration of realisation of information system requirements, which in the case of Category A means certification and in the case of Category B a report on the information system meeting the essential requirements for its purpose.
- Submission of a registration notification to the Finnish Supervisory Agency so that the system is registered in Astori before it is taken into production use.
- Monitoring of changes and implementation of these in accordance with the deadlines specified in the provisions. A change may be something such as the implementation of a new function in an information system.
- Carrying out a new information security assessment of a Category A system before the previous information security certificate expires.
- Submission of notifications to the Finnish Supervisory Agency on any material changes to the system and when the use of the system is discontinued. Submission of a registration notification on the Registration of information systems for social welfare and healthcare page.
- Notification of a significant nonconformity to all service providers and pharmacies using the system.
- Submission of a notification to the Finnish Supervisory Agency of any nonconformity that may pose a significant risk to client or patient safety or to information security, and of any significant information security incident affecting operating environments and information networks. Submit a nonconformity notification on the Significant nonconformity page.
- Checking the validity of the tokens used in the identification of persons and information technology devices processing client data, as laid down in the Act on Identification and Trust Services.
Obligations of social welfare and health care service providers and pharmacies
The Act on the Processing of Client Data in Healthcare and Social Welfare contains provisions on the obligations of social welfare and healthcare service providers and pharmacies concerning the commissioning of a client and patient information system, its use, and its connection to Kanta services.
A social welfare and healthcare service provider or a pharmacy may not take into use a system whose information has not been entered in Astori. A system may also not be taken into use if its information security certificate has expired.
The Finnish Medicines Agency Fimea supervises the legality of pharmacy operations.
The obligations of a social welfare and healthcare service provider and pharmacy include:
- Using a system that meets the essential requirements and is intended for the service provider’s and the pharmacy’s operations and whose data can be found in Astori.
- Joining Kanta services within the deadlines specified in the regulations if they use a system for processing client data.
- Ensuring the accuracy of the client data stored in the Kanta services.
- Introduction of new functions and data content required by regulations in accordance with given deadlines.
- Keeping a register of the users of a client and patient information system and their access rights, and defining the rights of social welfare and health care professionals to use client data.
- Collection of register-specific log data on the use of client data and their disclosure for monitoring and enforcement purposes.
- Preparation and maintenance of an information security plan related to information security and data protection as well as the use of information systems.
- Notification of a significant nonconformity in the system to the information system service supplier. A notification must also be submitted to the Finnish Supervisory Agency if there is a nonconformity that poses a significant risk to client or patient safety or information security. Submit a nonconformity notification on the Significant nonconformity page.
- Notifications to the Data Protection Ombudsman if there is a data protection nonconformity in the fulfilment of the system’s essential requirements. (tietosuoja.fi)
- Reliable identification of the processor of client data as well as IT equipment and national information system services.
- Checking the validity of the tokens used in the identification of persons and information technology devices processing client data, as laid down in the Act on Identification and Trust Services.
Contact information
Customer service for health and social services
Ask our customer service by using the service form
By e-mail: [email protected]
By calling: +358 295 256 930 (Monday–Friday 9:00–15:00)