Information security and data protection requirements for social welfare and healthcare procurements
It is easiest and most efficient to take the information security and data protection of an information system into account already at the stage when its procurement is planned. Thorough procurement planning can prevent security breaches and help to avoid costly remediation measures. A list of information security and data protection requirements for social and health care sector procurements was developed as part of the National Emergency Supply Agency’s Kyber-Terveys project in 2018–2019. Using the list requires some familiarity with the topic on the part of the organisation considering a procurement. The list is not intended to be attached as such to an invitation to tender.
Free to use – under a few conditions
The Kyber-Terveys project published the list under a Creative Commons Attribution 4.0 licence (CC BY 4.0). This means that you can use the list for whatever purposes you wish, edit it as you wish and distribute it as you wish under the following conditions:
- Attribution – You must give appropriate credit, provide a link to the licence and indicate if you made changes to the content. You may do the aforementioned things in any reasonable manner, but not in any way that suggests the licensor endorses you or your use.
- No additional restrictions – You may not apply legal terms or technological measures that legally restrict others from doing anything that is permitted by the licence.
A good practice but not an official guideline
The list of information security and data protection requirements represents a common understanding of good practices among health and social services cyber and information security experts, but it is not an official guideline or recommendation. The Kyber-Terveys project put considerable effort into including examples of how the information security and data protection objectives could be implemented, paying particular attention to the objectives officially required of information systems and devices used in the healthcare sector.
Versions and editions
The National Cyber Security Centre Finland (NCSC-FI) provides public access to the Finnish, Swedish and English versions of the list on this website. The language versions are consistent with each other. The latest edition of each version is available on this website. If you wish to gain access to an earlier edition, please contact the NCSC-FI. Contact details are provided below.
The Finnish and Swedish versions are particularly useful for examining and selecting requirements for a procurement together with local medical experts who are not familiar with English cyber security and data protection vocabulary. It is advisable to provide the supplier of the procured product with requirements extracted from the English version, as most social welfare and health care sector products are marketed by international companies. Such companies may encounter difficulties when processing invitations to tender in Finnish or Swedish, so providing them with Finnish or Swedish instructions could increase the risk of errors.
The NCSC-FI also provides access to a slide presentation (only in Finnish) that familiarises organisations planning the procurement of an information system or a device with the list, so that they can use it productively and expediently. Don’t forget to read the speaker’s notes! The NCSC-FI accepts comments and alteration proposals concerning the list and the related training material. The NCSC-FI processes them regularly with the ISAC group for the social welfare and health care sector and publishes new editions of the list and the training material as required.
COMMENTS, PROPOSALS AND REQUESTS CONCERNING THE LIST OF REQUIREMENTS
Contact us at ncsc-fi@ncsc.fi.
LIST OF REQUIREMENTS AND TRAINING MATERIAL
The list is based on Jari Seppälä’s original work carried out at the Tampere University of Technology and Tampere University as well as on the National Emergency Supply Agency’s COREQ-VE project on the information security of industrial automation (2011–2012).