Classifying the criticality of the functions and information systems of social welfare and healthcare organisations

The central starting point of risk management is understanding what you are protecting and why. For this purpose, the National Emergency Supply Agency's project on cyber security in healthcare sector (Kyber-Terveys) drew up instructions on how to classify the criticality of functions and information systems of social welfare and healthcare organisations.

Social welfare and healthcare organisations have typically identified the information systems that are critical for their operation. Often, a service level has been determined for systems based on their criticality, and the system administrator provides support services for the service and the information systems behind it based on the service level.

The criticality assessment pilot projects implemented in the Kyber-Terveys project found that there is also a need to examine the criticality of services supporting the organisation’s core functions in addition to the criticality assessment of information systems. The pilots were targeted at two hospital districts. This guideline document does not describe the contents of the work done at these hospital districts; instead, the goal of the document is to offer general advice on how to develop criticality classification. The work was done as a part of the Kyber-Terveys project of the National Emergency Supply Agency.

Free to use – under a few conditions

The Kyber-Terveys project published these instructions under a Creative Commons Attribution 4.0 license (CC BY 4.0) (External link). This means that you can use the instructions for whatever purposes you wish, edit it as you wish and distribute it as you wish under the following conditions:

  • Attribution – You must give appropriate credit, provide a link to the licence and indicate if you made changes to the content. You may do the aforementioned things in any reasonable manner, but not in any way that suggests the licensor endorses you or your use.
  • No additional restrictions – You may not apply legal terms or technological measures that legally restrict others from doing anything that is permitted by the licence.

Comments, proposals and requests concerning the instructions

Contact us at