Data protection and cybersecurity
Trust in the security and data protection of health data and information systems requires that security and privacy are considered by all users, systems and organizations. Risks must be identified and managed, and the privacy of personal and sensitive data must be respected across all organizations. Preparation for cyber-threats and countermeasures must be planned. Systems and infrastructures must be designed, implemented and operated in a way that provides a sufficient level of security and privacy.
As the most important factor, social and health care professionals must have the necessary skills and knowledge to maintain a high level of privacy and security, supported by their managers and data protection officers.
General national and international rules and legislation, such as the GDPR, are complemented by social and health care specific laws, decrees and regulatory rules. More specific requirements build on generic information security standards as well as on the particular needs and solutions of health and social care, for example access management and the monitoring of personal data use through logging requirements.
Information security plans
National legislation mandates information security plans for all health and social service providers. These plans must be designed for, and applied in, daily health and social service operations, covering both the production and use of health and social services data and the use of information systems.
THL provides specific regulatory rules and templates for information security plans.
Security requirements
Common requirements covering several aspects of security are also a central part of the essential requirements for social and health care information systems.