Essential requirements and certification
Essential requirements for, and certification of, information systems for health and social care services are the main instruments for steering system development.
Information systems for health and social services are classified into two classes: A (certified) and B (not certified). Systems must comply with three categories of essential requirements based on national legislation. The categories are:
- Functionality
- Interoperability
- Security
Essential requirements
Functionality
Each system for health and social service data must be classified as a class A (certified) or class B (not certified) system. A national catalogue of requirements for functions and data content provides shared requirements for systems. Many of these requirements are based on national specifications or on the application of international standards. Profiles for different purposes of use collect the relevant requirements for different types of systems, such as EHR systems or pharmacy systems.
Interoperability
Interfaces between the systems used by health and social service providers and the Kanta infrastructure are based on national specifications and implementation guides of international standards such as HL7 CDA and FHIR. Essential requirements related to connection to the Kanta infrastructure and conformance to national data content and interface specifications are also the basis for interoperability testing. Interoperability testing is included in the certification of systems and is performed jointly by Kela and system manufacturers before a system may connect to Kanta services.
Security and data protection
Essential requirements related to information security are based on international and national standards and specifications for data security, authentication, identification, access management, access control, logging and systems security. Systems connected to Kanta services and other systems with a high risk level must pass an external security audit as part of certification before entering daily use in health and social services.
Certification and registration
Certification of key systems: A (certified) or B (not certified)
Certification of interoperability and security is an essential part of ensuring the operation of the national infrastructure as well as the data protection and security of information management. The purpose of use of each system, risk assessment and functional requirements are the basis for the right level of certification in different systems.
Registration of systems
All systems in classes A and B are registered with the supervisory authority Valvira, which has a public register to support supervision as well as acquisitions and updates of systems by social and health service providers. Conformance to the national regulations and evolving requirements must also be maintained.