Information systems for social welfare and healthcare
Valvira enforces compliance with the essential requirements for information systems intended for the processing of client data in social services and patient data in healthcare services. Valvira also supervises the network and information security of healthcare services pursuant to the NIS Directive.
Valvira supervises the following information systems in social welfare and healthcare:
- pharmacy systems
- Kanta Services
- client data transfer services
- prescription systems
- social services client information systems
- healthcare patient information systems
Any information system used for processing client or patient data must comply with the essential requirements set for that purpose. The information system supplier is responsible for ensuring and maintaining compliance with these essential requirements.
The essential requirements are divided into three areas: functional requirements, interoperability, and data security and privacy protection.
Functional requirements apply to functions and data contents in the information system. These are rooted in the substantive legislation governing social welfare and healthcare services, such as the Medicines Act and the Act on the Status and Rights of Patients. The functionalities and data contents required of information systems are described in detail in the THL document Classification of essential requirements. This document can be found at the bottom of this page. The purpose for which the information system is used determines which functionalities and data contents must be implemented in it.
The information system supplier must use the system form to describe the functionalities and data contents implemented in the system as appropriate for its purpose. If the system is in category A, the information system supplier must submit the system form:
- to Kela when signing up for the joint testing (categories A2 and A3),
- to the information security inspection body when signing up for information security inspection (categories A1, A2 and A3),
- to Valvira when entering the information system in the Astori register (categories A1, A2 and A3).
If the system is in category B, the information system service provider must submit the system form to Valvira when entering the information system in the Astori register. The minimum functional requirements for a category B information system are described in the profile Minimum functional requirements for systems intended for processing client or patient data issued by the National Institute for Health and Welfare (THL). This profile can be found at the bottom of this page.
The information given on the system form must be up to date and correct. It must also be consistent with the functions and data contents in the information system.
Interoperability means that information systems to be linked to the Kanta Services must store patient or client data in such a way that those data can be retrieved by and displayed in another information system. Transferring client and patient data between various service providers in social welfare and healthcare through the Kanta Services will only be possible if the information systems transferring data are interoperable. Interoperability requires that the information systems to be linked to the Kanta Services must be implemented according to nationally defined specifications.
Interoperability is one of the essential requirements to be verified in the joint testing arranged by Kela that information systems in categories A2 and A3 must undergo. Kanta Services in category A3 are an exception, as they will not be separately joint tested. Further information on information system categories and classification can be found on the page Classification of information systems.
After an acceptably completed joint testing, Kela will issue a joint testing statement and report to the information system supplier. Kela joint testing is a service provided free of charge.
Any questions concerning joint testing must be addressed to Kela Joint Testing at [email protected].
Data security means that information systems used for processing client and patient data comply with the data security requirements relevant for their purpose in order to ensure the confidentiality, integrity and availability of client and patient data. Data security requirements safeguard the privacy protection of clients and patients. The data security requirements for information systems are described in detail in the document Classification of essential requirements issued by the National Institute for Health and Welfare (THL). This document can be found at the bottom of this page.
Confidentiality means that client and patient data can be accessed only by persons authorised to access them. In practice, confidentiality is ensured in a patient information system for instance by having the system verify that a care relationship exists before a user is allowed to access patient data.
Integrity means that client and patient data can only be amended by persons authorised to do so, which is verified for instance by the signature of the professional in question. Integrity also requires client and patient data to be up to date and unambiguous, meaning that there must be no discrepancies between the records in a patient information system and the corresponding records in the Kanta Services, for instance.
Availability means that client and patient data must be available to social welfare and healthcare personnel whenever they are needed. For instance, patient data stored in the Kanta Services must be retrievable by social welfare and healthcare service providers at all times.
A data security audit must be performed on category A information systems to verify compliance with data security requirements. This audit is performed by a Traficom-approved data security inspection body, which will issue a data security certificate and report on an acceptably completed data security audit to the information system supplier. The data security certificate is valid for a maximum of three years, and its validity can be extended by a maximum of three years at a time.
The information system supplier may choose which Traficom-approved inspection body it will invite to perform the data security audit. A data security audit performed by a data security inspection body is a service for which a fee is charged.
A data security audit performed by a data security inspection body is not required for category B information systems; instead, the information system supplier is responsible for ensuring that the information system complies with the essential requirements relevant for its purpose. The information system supplier may choose to commission a data security audit by an inspection body for a category B information system. When registering a category B information system, the information system supplier must affirm that the information system is compliant with the essential requirements relevant for its purpose on data security and privacy protection. The data security requirements for a category B information system are described in the profile Minimum functional requirements for systems intended for processing client or patient data issued by THL. This profile can be found at the bottom of this page.
Obligations of the information system supplier
The Act on the Electronic Processing of Client Data in Healthcare and Social Welfare sets forth the obligations of information system suppliers in respect of the compliance of client and patient data systems, the maintenance of that compliance and the demonstration of compliance.
An information system supplier offers or deploys an information system for processing client or patient data to a service provider. The information system supplier is responsible for ensuring and maintaining compliance with the essential requirements defined for the information system. Typically, the information system supplier is also the manufacturer. If the manufacturer is different from the supplier, the supplier is responsible for compliance with the essential requirements on behalf of one or more suppliers.
The obligations of the information system supplier include but are not limited to:
- classifying the information system
- demonstrating compliance with requirements, which for category A systems means certification and for category B systems means a report explaining that the information system complies with the essential requirements relevant for its purpose
- entering the information system in the Astori register before it is deployed for production use
- monitoring and implementing the changes required to the information system in keeping with the time periods specified in legislation. Such changes may include adding a new functionality to the information system
- renewing the information security assessment of any category A information systems so that the information security certificate is never out of date
- notifying Valvira about any substantial changes made to the information system and about termination of the use of the information system. This notification is to be made on the ‘Social welfare and health care information system registration’ page.
- notifying all service providers and pharmacies using the system of any significant nonconformities
- reporting to Valvira any nonconformities causing a significant information security risk and any significant disruption with a bearing on information security in the operating environments and information networks. A nonconformity notification may be submitted to Valvira on the Significant nonconformity page.
- verifying the validity of the identification devices used to identify individuals and IT devices that process customer data, as required in the Act on Strong Electronic Identification and Electronic Trust Services.
Obligations of social welfare and healthcare service providers and of pharmacies
The Act on the Electronic Processing of Client Data in Healthcare and Social Welfare sets forth the obligations of social welfare and healthcare service providers and of pharmacies in respect of the deployment and use of client and patient data systems and their linking to the Kanta Services. A service provider may be an arranger or a producer of social welfare and/or healthcare services.
Social welfare and health care service providers and pharmacies must note that they are not allowed to deploy an IT system that is not entered in the Astori register. An IT system may also not be deployed
- if its Information Security Certificate has expired, or
- if a category A system has not passed a statutory interoperability test relevant for its purpose.
The Finnish Medicines Agency Fimea supervises pharmacies for compliance with the law.
The obligations of social welfare and health care service providers and of pharmacies include but are not limited to:
- using an information system which complies with the essential requirements, whose purpose is consistent with the service provider’s or pharmacy’s operations and which is registered in the Astori register
- becoming a user of the Kanta Services within the time periods given in legislation, if the service provider is using an information system intended for processing client and patient data
- being responsible for the correctness of the data entered in the Kanta Services
- deploying the new functionalities required by legislation within the time periods given
- keeping a register of users of client and patient information systems and defining user rights for social welfare and healthcare professionals in respect of accessing client and patient data
- compiling log data, separately for each register, on all use and transfer of client and patient data and of prescriptions, for the purpose of monitoring and oversight
- authoring and maintaining a data security plan covering data security, privacy protection and the use of information systems
- notifying the information system service provider of any significant deviations from compliance with the essential requirements for the information system. A nonconformity notification must also be made to Valvira if the nonconformity poses a significant risk to client or patient safety or to information security. A nonconformity notification may be submitted to Valvira on the Significant nonconformity page.
- notifying the Data Protection Ombudsman of any privacy protection nonconformities in compliance with the essential requirements of the information system.
- reliably identifying the processor of client data, the IT devices used and the national information system services used
- verifying the validity of the identification devices used to identify individuals and IT devices that process customer data, as required in the Act on Strong Electronic Identification and Electronic Trust Services.