Categorization of social and healthcare information systems – what is an audit, and when is it required?
Providers of social and healthcare information systems must categorize their information systems in accordance with the provisions of the act on the electronic processing of client data in healthcare and social welfare (784/2021) and the regulations issued by the Finnish Institute for Health and Welfare (THL). The regulation related to the categorization and certification of social and healthcare information systems issued by THL in 2021 also brought about changes to the previous categorization.
Social and healthcare information systems are divided into categories A and B based on a number of factors, including their intended purpose and compatibility with the Kanta digital services for the social welfare and healthcare sector, and the nature of the customer information processed in the system. The system provider is responsible for selecting the category.
Categorization of social and healthcare information systems
The category selected for the information system determines what certification and registration measures need to be carried out on the system. Based on the new regulation (4/2021) issued by THL, the old category A has been divided into categories A1, A2 and A3. The definition of category B has also been narrowed. The regulation involves a three-year transition period.
Category A3 information systems must pass joint testing and a security audit. Patient record systems that are connected to the Kanta Services and used in healthcare, as well as customer information systems used in social care, belong to category A3.
Category A2 is for systems that require joint testing and a security audit but are used for a limited information content or a limited intended purpose, and are therefore subject to less strict requirements than category A3 systems. For example, systems that save administrative information in the Kanta Services belong to category A2.
Category A1 is for systems that require an external security audit but no joint testing. Category A1 information systems include services used for the transmission of customer information, as well as systems or subsystems whose compatibility has been verified via another system but which are subject to security requirements whose fulfilment still needs to be verified.
For category B information systems, no joint testing or security audit is required. Category B is only possible for systems whose risk rating, functionalities or security solutions do not require categorization into A1. For example, category B information systems may provide individual patient or customer information elements that are combined into patient records and customer documents through various interfaces.
What does a security audit include?
In practice, the new regulation means that many of the systems in the old category B will move to the new category A1, regardless of whether they are compatible with the Kanta Services or not. Because of the security audit requirement, the regulation may cause problems for many providers of social and healthcare information systems.
There is, however, no reason to be afraid of the audit, as it gives the perfect opportunity for a fresh perspective on your product and operations. The certificate often also helps increase sales. Social and healthcare organizations must ensure that the information systems they use meet the requirements and are correctly categorized for the intended purpose. Information system certificates help in this.
At its simplest, the A1 audit includes an interview and the verification of agreed requirements with documentation and a demonstration. It is advisable to prepare for the audit by carefully reading the requirements and making sure that the required functions and documentation are in place and up to date.
The audit is also an iterative process. If any problems or needs for change are detected during the audit, the institution carrying out the audit will report them. This gives the system provider the opportunity to make changes and additions. In other words, there is no need to endlessly hone the system in advance – it is enough to have everything implemented and documented sufficiently well.
Atostek ERA is an A3-certified system. ERA takes care of the Kanta features and their joint testing, ensuring that they remain functional and up to date. ERA can also handle many of the security requirements related to category A1, so that the ERA certificate for them can be referred to in the audit. Atostek also offers audit consulting if you need help in the preparation for the audit and compilation of the required documents.
» ERA: The home for social welfare and healthcare data
Marjaana Karttunen
ERA Product Manager
045 6908 760
marjaana.karttunen@atostek.com