Information security plan
All social and health care service providers, pharmacies and organisations acting as data intermediaries that process client and patient data electronically must draw up an information security plan that is also linked to the key requirements for the information systems used.
The regulation concerning the information security plan and a template for this can be found on THL’s Regulations and guidelines page (in Finnish, thl.fi).
Data security assessment
As a part of certification, all systems linking to the Kanta Services, wellbeing applications, Kanta intermediary services and other information systems that require certification must pass a data security assessment by an information security inspection body in accordance with the Client Data Act.
The data security certificate issued as a result of the data security assessment is valid for a maximum of three years. The data security assessment is subject to a fee, and the costs of data security assessments are met by each manufacturer or provider of an information system or a wellbeing application, or a provider of a technical intermediary service.
THL’s Regulations and guidelines page provides the regulations on the classification and certification of information systems, as well as the key requirements.
- Regulations and guidelines (in Finnish, thl.fi)
- Guidelines and application of health and social services information management (in Finnish, thl.fi)
- Inspection bodies accredited by Traficom (kyberturvallisuuskeskus.fi)
For more information:
- Queries related to the information security plan: sotetiedonhallinta@thl.fi