Information security and data protection requirements for social welfare and healthcare procurements

It is easiest and most efficient to take account of the information security and data protection of an information system already when the procurement of the system is planned. Thorough procurement planning can prevent security breaches and help to avoid costly remediation measures. A list of information security and data protection requirements for social and health care sector procurements was developed as part of the National Emergency Supply Agency’s Cyber Health project in 2018–2019. The use of the list requires some familiarisation with the topic from the organisation considering procurement. The list is not intended to be attached as such to an invitation to tender.


Free to use – under a few conditions

The Cyber Health project published the list under a Creative Commons 4.0 license (CC BY 4.0) (external link). This means that you can use the list for whatever purposes you wish, edit it as you wish and distribute it as you wish under the following conditions:

  • Name – You must state the source appropriately, provide a link to the licence and indicate any changes you have made. You may do the aforementioned things in any reasonable way, but you may not imply that the licensor recommends you or your use of the work.
  • No other restrictions – You may not impose any legal or technical restrictions that legally prevent others from doing anything that is permitted by the licence.

A good practice but not an official guideline

The list of information security and data protection requirements represents a common understanding of good practices by health and social services cyber and information security experts, but it is not an official guideline or recommendation. The Cyber Health project involved a considerable effort to include examples of how the information security and data protection objectives could be implemented with particular attention to those officially required from information systems and devices used in the healthcare sector.

Versions and editions

The National Cyber Security Centre Finland (NCSC-FI) provides public access to the Finnish and English versions of the list on this website. The language versions are consistent with each other. The latest edition of each version is available on this website. If you wish to gain access to an earlier edition, please contact the NCSC-FI. Contact details are provided below.

The Finnish version is particularly useful for examining and selecting requirements for procurement with medical experts who are not familiar with English cyber security and data protection vocabulary. It is recommendable to provide the supplier of the procured product with requirements extracted from the English version as most social welfare and health care sector products are marketed by international companies. As such companies may encounter difficulties when processing invitations to tender in Finnish, providing them with Finnish instructions could increase the risk of errors.

The NCSC-FI also provides access to a slide presentation that familiarises organisations planning the procurement of an information system or a device with the list to enable using it in a productive and expedient manner. Don’t forget to read the speaker’s notes! The NCSC-FI accepts comments and alteration proposals concerning the list and the related training material. The NCSC-FI processes them regularly with the ISAC group for the social welfare and health care sector and publishes new editions of the list and the training material as required.


Contact us at .


The list is based on Jari Seppälä’s original work carried out at the Tampere University of Technology and Tampere University as well as on the National Emergency Supply Agency’s COREQ-VE project on the information security of industrial automation (2011–2012).