Suppliers of all information systems intended for processing client and patient records are obliged to notify Valvira of all information systems to be deployed for production use. All such systems are also subject to the key requirements for social welfare and healthcare information systems. The requirements concern functionality, interoperability and data security. In the systems linking to the Kanta Services and in other systems to be certified, some of the requirements are verified through certification.
Part of the certification process consists of joint testing and a data security assessment between Kela’s Kanta Services and an assessment body approved by the Finnish Communications Regulatory Authority, Traficom.
After an approved data security assessment, the system or intermediary service is awarded a certificate of conformity as prescribed by the Act on the Electronic Processing of Client Data in Healthcare and Social Welfare, which is mandatory for all systems linking to the Kanta Services. The data security assessment is renewed after a set period, before the previous approval or certificate of conformity expires. In this context, it shall also be ensured that the system has undergone the necessary joint testing.
Certification must also be renewed if significant changes are made to the system or the requirements are substantially changed.
All organisations that provide social welfare and healthcare services and which process client and patient data electronically, as well as those acting as Kanta intermediary services, shall draw up a data security plan, which is also linked to the key requirements for deployed information systems.
Oversight and responsibilities
The suppliers of the data system or providers of the data system service are responsible for the classification, conformity, notification to Valvira and, where necessary, certification of their own system.
Organisations providing or organising social welfare and healthcare services are responsible for creating a data security plan, for in-house control regarding data security and data protection, and for ensuring that systems are used in compliance with the regulations. The systems must be used in accordance with their intended use and the supplier’s instructions.
The Finnish Institute for Health and Welfare of Finland (THL) publishes and maintains regulations and guidelines on key requirements and in-house control based on legislation, decrees and national specifications. Kela carries out the joint testing of all systems linking to the Kanta Services. Valvira oversees and promotes the use of information systems in accordance with their intended use and their conformity, and also compiles a public register of social welfare and healthcare information systems.
- THL’s Regulations and guidelines (in Finnish)
- Notifications to Valvira submitted by information system and intermediary services providers (in Finnish)
Data security plan
The obligation to draw up a data security plan applies to all social welfare and healthcare service providers, pharmacies and Kanta intermediary service providers. The regulation concerning the data security plan and a template for this can be found on THL's Regulations and guidelines page. The data security plan replaces the previous in-house control plan for data protection, data security and the use of information systems in accordance with the previous Client Data Act.
At the time of submitting its notification to Valvira or when seeking certification, the supplier of a social welfare and healthcare information system must provide a description of its intended use and of its conformity to the operational requirements applicable to the system. The notification is submitted using a system form which is based on harmonised classification. The minimum requirements of systems produced for different intended uses are specified through national profiles.
The regulation, profiles and system form concerning key requirements are available on THL’s Regulations and guidelines page.
As a part of certification, all systems linking to the Kanta Services must pass Kela’s joint testing procedure before the system is deployed for production use.
Data security assessment
As a part of certification, all systems linking to the Kanta Services and Kanta intermediary services must pass an assessment by a data security assessment body. After an approved data security assessment, the system or technical Kela intermediary service is awarded a certificate of conformity as prescribed by the Act on the Electronic Processing of Client Data in Healthcare and Social Welfare, which is mandatory for all systems linking to the Kanta Services. The certificate of conformity is valid until the end of the specified set period. The costs of data security assessments are met by each system supplier or intermediary service provider itself.
THL’s Regulations and guidelines page provides the regulations on the classification and certification of information systems, as well as the key requirements. The regulation on key requirements includes key functions, data content and data security requirements for information systems intended for the processing of client and patient data.
- THL’s Regulations and guidelines (in Finnish)
- Accredited information security assessment bodies (National Cyber Security Center)
Training materials on the key requirements for and certification of social welfare and healthcare information systems are available on THL’s training materials page:
- Koulutusmateriaalit / Tiedonhallinta sosiaali- ja terveysalalla [Educational materials / Information management in social welfare and healthcare; in Finnish] (thl.fi)