
2. THEME 1: Infrastructure for digital health

2.1 Semantic interoperability as a foundation for the European Health Data Space

Sari Palojoki and Riikka Vuokko, Ministry of social affairs and health Finland
The European Health Data Space (EHDS) Regulation emphasizes the importance of interoperability between health information systems across Member States. Ensuring that health data can be exchanged and accessed across borders, while maintaining its meaning and reliability, is central to safe and efficient care delivery. (EU COM 2025) Moreover, the Interoperable Europe regulation (EU 2024/903) entered into force in April 2024, and its goal is to promote the interoperability of Europe-wide digital public services in cross-border operations. The regulation is part of a wider European digitalization framework, which includes various data areas, such as the European Health Data Space. The European Interoperability Framework (EIF) further supports interoperability, which entails four levels: legal, organizational, semantic and technical interoperability (Communication (COM(2017)134)). In this paper, the main focus is on semantic interoperability.
Semantic interoperability refers to the ability of different systems and professionals to exchange and interpret information consistently, based on shared data models, standards, and clinical terminologies. It facilitates the exchange and use of health data documented in Electronic Health Records (EHRs) without loss of meaning. The EHDS regulation aims to strengthen the semantic development of health data and promote common frameworks for data exchange as well as the availability and quality of data. The use of standardized terminologies, such as SNOMED CT, has shown potential to improve data quality, interoperability, and patient safety, while also enabling the reuse of data for secondary purposes such as research and public health. (Vuokko, Vakkuri and Palojoki 2023)
In clinical practice, interoperable EHRs enable healthcare professionals to gather, store, and communicate essential patient information securely across care settings, thus supporting coordinated and patient-centred care. (Palojoki, Lehtonen, Vuokko 2024, also Palojoki, Vakkuri, Vuokko 2021) Well-designed data models may further enhance how information is structured and utilized in EHRs. Data models ensure that patient information is comprehensive, up-to-date, and reliable, and they enable the effective use of advanced methods like clinical decision support and artificial intelligence. Approaches for enhancing clinical data availability should be carefully designed and economically sustainable to achieve long-term benefits. (STM 2025)
Semantic interoperability, therefore, forms a cornerstone for a data-driven and knowledge-based health system. By ensuring that health information can be exchanged and understood unambiguously across different systems and care settings, it enables healthcare professionals to make informed decisions and coordinate care effectively. Beyond supporting efficient care delivery, semantic interoperability also facilitates innovation in digital health, allowing new tools, artificial intelligence applications, and clinical decision support systems to operate on high-quality, standardized data. Moreover, it lays the foundation required to further promote safe and ethical secondary use of health data, for example, for research and public health surveillance. In this way, semantic interoperability underpins the broader objectives of the European Health Data Space, helping to create a sustainable, patient-centered, and knowledge-driven health ecosystem across Europe. (Vuokko, Vakkuri, Palojoki 2022)

References

Communication (COM(2017)134). Communication from the Commission to The European Parliament, The Council, The European Economic and Social Committee and The Committee of The Regions. European Interoperability Framework – Implementation Strategy. Brussels, 23.3.2017. COM(2017) 134 final. https://eur-lex.europa.eu/resource.html?uri=cellar:2c2f2554-0faf-11e7-8a35-01aa75ed71a1.0017.02/DOC_1&format=PDF
EU COM 2025. Regulation (EU) 2025/327 of the European Parliament and of the Council of 11 February 2025 on the European Health Data Space and amending Directive 2011/24/EU and Regulation (EU) 2024/2847. http://data.europa.eu/eli/reg/2025/327/oj
Palojoki S, Lehtonen L, Vuokko R. Semantic Interoperability of Electronic Health Records: Systematic Review of Alternative Approaches for Enhancing Patient Information Availability. JMIR Med Inform. 2024 Apr 25;12:e53535. doi: 10.2196/53535. PMID: 38686541; PMCID: PMC11066539.
Palojoki S, Vakkuri A, Vuokko R. The European Cross-Border Health Data Exchange: Focus on Clinically Relevant Data. Stud Health Technol Inform. 2021 May 27;281:442–446. doi: 10.3233/SHTI210197. PMID: 34042782.
STM 2025. Selvitys kansainvälisistä tietomalleista: Tietomallit terveydenhuollon ensiokäytössä. [Report on international data models: Data models in the primary use of health data] Sosiaali- ja terveysministeriön raportteja ja muistioita 2025:17. http://urn.fi/URN:ISBN:978-952-00-4416-9
Vuokko R, Vakkuri A, Palojoki S. Systematized Nomenclature of Medicine - Clinical Terminology (SNOMED CT) Clinical Use Cases in the Context of Electronic Health Record Systems: Systematic Literature Review. JMIR Med Inform. 2023 Feb 6;11:e43750. doi: 10.2196/43750. PMID: 36745498; PMCID: PMC9941898.
Vuokko R, Vakkuri A, Palojoki S. Preliminary Exploration of Main Elements for Systematic Classification Development: Case Study of Patient Safety Incidents. JMIR Form Res 2022;6(3):e35474. URL: https://formative.jmir.org/2022/3/e35474. DOI: 10.2196/35474

2.1.1 Leveraging Digital Health and EHDS in the Nordics: Towards breaking down the barriers between healthcare systems and health ecosystems

Arild Faxvaag, Norwegian University of Science and Technology, Norway, and Jarmo Reponen, University of Oulu, Finland
Health authorities in the Nordic countries were early in exploring the use of information and communication technologies to improve their healthcare systems. Each nation succeeded in creating legal and financial frameworks for these systems to be developed and in organising sector-wide implementation projects for the systems to be taken into use. Today, the Nordic countries are living proof that it is possible to build and implement digital health systems on a national level (Table 1).
Table 1 Health information systems and infrastructure in use in the Nordic countries.
Columns: Denmark, Finland, Iceland, Norway, Sweden.
Rows: Health record systems; Health registries; National patient portals; Laboratory information systems; Imaging information systems; Health information exchange.

Leveraging e-Health investments

As of 2025, many Nordic countries have embarked on using their digital health systems and infrastructures to bring about healthcare system reforms. Citizens can now use the national-level patient portals as a digital front-door to the healthcare system. Likewise, patient portal features enable citizens to take a more active role in their own care (Eriksen et al. 2024, Faxvaag et al. 2024). Another important component of contemporary e-health policies in the Nordic countries is to build a knowledge economy on top of the digital health data that have accumulated in the national-level health registries. The Nordic AI Center, recently established by the Nordic Council of Ministers, is the latest manifestation of this trend (Nordic Council of Ministers 2025).

Towards breaking down borders between healthcare systems and health ecosystems

With the EHDS, the EU has set the stage for health information exchange and for citizens to be provided healthcare in any European country. Furthermore, EHDS constitutes a legal framework for building a knowledge economy on top of health and healthcare data in Europe.
The defining function of a healthcare system is to provide valuable care by applying the most appropriate knowledge and skills to the health-related problems at hand. With the EHDS, Europe might finally be able to build the health ecosystem that is needed to provide healthcare systems with the knowledge, skills, medicines and tools that are needed to provide truly valuable care (Figure 1) (Faxvaag et al 2025).
Figure 1 Healthcare system and health ecosystem value chains (Faxvaag et al 2025).
The Nordic countries, with their strong track record of collaboration, knowledge exchange and standardisation are uniquely positioned to take a leading role in preparing for the EHDS. The Nordic countries should build on their profound digital health experiences to substantiate a Nordic health ecosystem that is deeply integrated with their healthcare systems and where the citizens can take an even more active and empowered part.

References

Eriksen J, Bidstrup Hjermitslev C, Tuulikki V, Harðardóttir GA, Koch S, Faxvaag A, et al. A Nordic survey to monitor citizens use and experience with eHealth [Internet]. Nordisk Ministerråd; 2023 [cited 2025 Sept 1]. Available from: https://urn.kb.se/resolve?urn=urn:nbn:se:norden:org:diva-12999
Faxvaag A, Reponen J, Hardardottir GA, Vehko T, Viitanen J, Eriksen J, et al. Towards Accountable E-Health Policies in the Nordic Countries. In: Digital Health and Informatics Innovations for Sustainable Health Care Systems [Internet]. IOS Press; 2024 [cited 2025 May 16]. p. 339–43. Available from: https://ebooks.iospress.nl/doi/10.3233/SHTI240413
Faxvaag A, Eriksen J, Golburean O, Harðardóttir GA, Kodahl Hjermitslev C, Lintvedt O, et al. Nordic eHealth Benchmarking: Towards a Digitally Supported Health Ecosystem [Internet]. Nordisk Ministerråd; 2025 [cited 2025 May 16]. Available from: https://urn.kb.se/resolve?urn=urn:nbn:se:norden:org:diva-13595
Nordic Council of Ministers approve funding for a Nordic-Baltic AI Center. Nordic Council of Ministers, News 18.6.2025. Available from: https://www.norden.org/en/news/nordic-council-ministers-approve-funding-nordic-baltic-ai-center

2.2 Implementation of the secondary use of health data at the national level in Europe: Benefits of deployment and possible Nordic approaches

Joni Komulainen, Ministry of Social Affairs and Health Finland
The secondary use of health data has benefitted the Nordic countries for a long time. High-quality health records, dating even from the 1950s, structured data, electronic health records, the national ID number and the trust of citizens have been enablers of the secondary use of health data in the Nordics. On 5 March 2025, the European Health Data Space (EHDS) Regulation was officially published in the Official Journal of the European Union. (2025/327) It entered into force on 26 March 2025, marking the beginning of the transition phase towards application. The EHDS Regulation will be a cornerstone of the European Health Union, and it is the first common EU data space dedicated to a specific sector as part of the European strategy for data. The EHDS Regulation enables health data and certain health-related data to be reused for public interest, policy support, and scientific research purposes. It fosters a health-specific data environment that supports a single market for digital health services and products. Additionally, the regulation establishes a harmonised legal and technical framework for electronic health record (EHR) systems, fostering interoperability, innovation, and the smooth functioning of the internal market. (European Commission 2025a)
Finland's foundation for secondary data use rests on the Act on the Secondary Use of Health and Social Data (552/2019). (STM 2019) It modernized national legislation in line with the EU General Data Protection Regulation (GDPR) and set requirements to safeguard privacy while ensuring smooth data access for research, policy, and innovation. The act aimed to reduce bureaucratic hurdles and accelerate data approvals. Central to this framework is Findata, a national data permit authority that acts as a "one-stop shop" for data access requests, streamlines the interaction between data controllers and users, and even provides secure processing environments. Finland has developed an infrastructure and a technical, semantic, organisational, and regulatory framework for the secondary use of health and social data to enable high-quality health research. Even Finland, however, has challenges with the new centralized "one-stop shop" model for secondary use, and there is therefore a government proposal before Parliament to amend the current legislation in order to find a more flexible model for the secondary use of health data. (87/2025)
Given the experience the Nordics have in the secondary use of health data, there are lessons learned that could benefit the implementation of the new secondary use legislation, and of the secondary use of health data in general, in Europe, and that could further clarify the benefits of large-scale secondary use of health data. (European Commission 2025b) One possibility is to explore a Nordic model.
A recent survey conducted by the eHealth Network on the Capacity Building of Primary Use of Health Data in Member States (European Commission 2025c) may also help in evaluating the readiness for implementing the secondary use of health data in Europe. The EHDS Regulation is a starting point for the VALO project, a secondary use project funded by the Nordic Council of Ministers. VALO proposes a Nordic model of collaboration in the secondary use of health data (Sitra 2025).
As the Finnish and French secondary use legislation can be seen as inspiration for the modern European secondary use legislation, special attention is paid to their experiences and plans for the implementation of the new European secondary use legislation. The benefits of secondary use are explored through various reports and impact assessments that have been performed by the EU Commission and some of the Member States. The opinions and results in this article are also based on many stakeholder consultations and discussions in various fora in Finland, the Nordics and Europe.
Almost all the Member States are planning to build a centralized implementation of the EHDS Regulation. Approaches nevertheless remain fragmented because of the different ways in which the Member States have been providing health care and the secondary use of health data. There is a common goal to implement the EHDS Regulation, but the challenges in each of the Member States are different, and it seems very difficult to find a mutual model for the implementation.
Nordic countries’ advantages in the secondary use of health data are data quality, statistical power, and public trust. Shared challenges seem to be timelines, regulatory fragmentation, and data restrictions. The national progress reports and the capacity building report show that the Nordics are in very different stages of implementation of both the primary use of electronic health data and the secondary use of health data. Nevertheless, experiences of the secondary use of health data in the Nordics can benefit the wider implementation of secondary use in Europe.
Lessons learned from Finland include, for example, that a successful ecosystem for secondary use involves multiple stakeholders. Health data holders and providers include public and private healthcare providers, while data users encompass, for example, academic researchers, businesses, innovators, and public authorities using data for various purposes including clinical research, innovation, and policymaking. Finland has been bringing these together in an emerging ecosystem. The ecosystem also benefits from high-performance computing resources like the LUMI supercomputer, which supports AI research. (STM124:00/2022)
The experiences and results from France, which provides secondary use in a similar way through its national Health Data Hub, resemble the Finnish experiences. There are similar triumphs but also similar challenges. (Health Data Hub 2025) The French Health Data Hub, for example, could benefit from Findata to make the secondary use process work more efficiently, as the process for health data users seems to take on average 18 months in France and 51 calendar days using Findata in Finland. Finland could benefit from the French experience of having the Data Protection Authority and ethical assessment as part of the permitting process. (SWD/2022)
The implementation of secondary use is a shared challenge for all European countries. How will European countries learn from each other and benefit from a secure and safe implementation of the European secondary use legislation while at the same time gaining a competitive advantage for Europe? The Nordic model could be built on enhancing the current co-operation and providing fora for the primary and secondary use ecosystem work. Most of all, even though health care is provided and the secondary use of health data is arranged in different ways in the Nordic countries, valuable co-operation could be built on common metadata work and a common metadata model that could benefit not just the Nordics, but the wider implementation of the European secondary use regulation throughout Europe.
The benefit of the fora and ecosystem is not just to make secondary use work within one country, the Nordics or the whole of Europe, but to learn from each other in order to gain the benefits of secondary use, which in a nutshell are: better healthcare, better medicines, more efficient and fine-tuned processes, better products, better legislation, benefits to the common European market, etc. The benefits of the secondary use of health data seem to be the same in all European countries. It will benefit all EU citizens, including patients, healthcare professionals, researchers, policymakers, and industry players. Most of all, everybody will benefit in one form or another from the secondary use of health data and the Nordic model: you, me, everybody.

References

2025/327. Regulation (EU) 2025/327 of the European Parliament and of the Council of 11 February 2025 on the European Health Data Space and amending Directive 2011/24/EU and Regulation (EU) 2024/2847. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ:L_202500327
European Commission 2025a. European Health Data Space Regulation (EHDS). What is the EHDS Regulation about? Available from: https://health.ec.europa.eu/ehealth-digital-health-and-care/european-health-data-space-regulation-ehds_en
STM 2019. Act of the Secondary Use of Health and Social Data. Ministry of social affairs and health, 26.4.2029. Available from: https://stm.fi/documents/1271139/1365571/The+Act+on+the+Secondary+Use+of+Health+and+Social+Data/a2bca08c-d067-3e54-45d1-18096de0ed76/The+Act+on+the+Secondary+Use+of+Health+and+Social+Data.pdf  
87/2025. Regeringens proposition RP 87/2025 rd. Regeringens proposition till riksdagen med förslag till lag om ändring av lagen om sekundär användning av personuppgifter inom social- och hälsovården och till lagar som har samband med den. 12.9.2025. Available from: https://www.eduskunta.fi/SV/vaski/HallituksenEsitys/Sidor/RP_87+2025.aspx
European Commission 2025b. European Health Data Space Regulation (EHDS). Who benefits from EHDS? Available from: https://health.ec.europa.eu/ehealth-digital-health-and-care/european-health-data-space-regulation-ehds_en#who-benefits-from-ehds
European Commission 2025c. Capacity Building Primary Use of Health Data in Member States. eHealth Network survey. Unpublished report by Anja Hirche, Strahil Birov.
Sitra 2025. Value from Nordic health data – VALO. Project introduction. Available from: https://www.sitra.fi/en/projects/value-from-nordic-health-data-valo/
STM124:00/2022. Sote tiedon toisiokäytön ekosysteemiryhmän asettaminen 2022–25. Ministry of Social Affairs and Health, Development project. Available from: https://stm.fi/en/project?tunnus=STM124:00/2022
Health Data Hub 2025. Health Data Hub. FAQ in English. Available from: https://www.health-data-hub.fr/page/faq-english
SWD/2022. Impact Assessment on the European Health Data Space. Directorate-General for Health and Food Safety, Background document, Strasbourg, SWD(2022) 131 final, 3.5.2022. Available from: https://health.ec.europa.eu/publications/impact-assessment-european-health-data-space_en

2.2.1 Health Data for Secondary Use in Sweden – National Principles and Preparations

Sofia Asp and Evelina Björkegren, Socialstyrelsen Sweden
Like the rest of the Nordic countries, Sweden has a long tradition of collecting data at the national level and is rich in health data. This has served us well, providing excellent conditions for register-based research and the development of a high-quality healthcare system. The National Board of Health and Welfare (Socialstyrelsen) maintains 13 national registers covering various aspects of public health, healthcare, and dental care. Other government agencies manage registers on, for example, vaccinations, infectious disease spread, care providers, or approved pharmaceuticals. In addition, Sweden has over 150 national quality registers that contain information on diagnoses and treatment outcomes for individuals. These are reported voluntarily by healthcare professionals to monitor and improve healthcare services.
Swedish healthcare is organized, financed, and governed by 21 regions, and local self-government is a strong principle within the Swedish administrative model. Currently, there is no national health data infrastructure in place that allows all regions to share necessary information. As a result, the Swedish eHealth Agency (E-hälsomyndigheten) has been tasked by the Government to develop a national digital infrastructure, which will also prepare Sweden for the requirements of primary use under the European Health Data Space (EHDS).
Other major holders of health data include Sweden’s 290 municipalities, which are responsible for certain health services within local government operations, private companies, some of which are major care providers contracted by the regions, and of course, numerous research institutions. The implementation of EHDS in Sweden will thus take place in a context with many large data holders, each of whom must develop the knowledge, processes, and infrastructure necessary to comply with the regulation. To varying degrees, they will need national support.
In January 2024, the Ministry of Health and Social Affairs initiated a government inquiry (S 2024:A) to, among other things, propose how the responsibilities of the Health Data Access Body (HDAB) should be organized and how Swedish legislation should be aligned with EHDS. This resulted in three preparatory government assignments related to secondary use:
  • An assignment to the National Board of Health and Welfare (Socialstyrelsen) to prepare to become the responsible body for access to health data under EHDS (S2025/00977),
  • An assignment to the Health and Social Care Inspectorate (Inspektionen för vård och omsorg) to prepare to supervise and monitor compliance with EHDS (S2025/00980),
  • An assignment to Statistics Sweden (Statistikmyndigheten SCB) to investigate the prerequisites for providing secure processing environments under EHDS (S2025/00975).
These assignments will lay the groundwork for how EHDS will be organized, built, and ultimately managed in Sweden. The final reports are due in June 2026. In parallel, work continues on proposing legislative amendments necessary to align Swedish law with EHDS.
EHDS will establish a new legal basis for processing health data and create an opportunity for centralized data access. The scenario Swedish authorities are preparing for involves the establishment of one single HDAB, responsible for receiving and managing data access requests from users. The designated HDAB is expected to be the National Board of Health and Welfare. The aim is to make the application process significantly simpler for users, compared to today. However, this also places high demands on the HDAB to avoid becoming a bottleneck in the future system. There will also be a need to address potential conflicts of interest, as the National Board of Health and Welfare will simultaneously act as a data holder and a data user.
The assignment given to Statistics Sweden to investigate how the responsibility for providing secure processing environments should be organized includes several important issues, such as the required analytical capacity and how collaboration with data holders, data users, and other HDAB authorities should be structured. Analytical methods are continuously evolving, and the demand for large datasets is growing every day. We need to future-proof the EHDS to meet upcoming needs and opportunities.

Looking Ahead

Since Sweden is currently establishing a common national infrastructure for health data, there is a unique opportunity to incorporate the EHDS requirements from the very beginning. This would enable effective integration between primary and secondary use of health data and ensure broad availability of data for secondary use. There are several advantages to this starting point, but the national transition must proceed at a pace that ensures timely implementation of EHDS in Sweden.
In summary, several key issues must be addressed for EHDS to achieve its intended impact, and these are likely common across all Member States. They involve establishing effective governance and collaboration, enhancing competencies, and building a scalable system that accommodates future technological developments and data needs. There is strong cooperation between stakeholders in the sector, and Sweden possesses a high level of technical competence and public trust in authorities. This provides a solid foundation on which to build a well-functioning system.

References

S2025/00977. Uppdrag till Socialstyrelsen att förbereda för att bli ansvarigt organ för tillgång till hälsodata enligt EHDS. Regeringsbeslut 15.5.2025. Socialdepartementet, Regeringen.
S2025/00980. Uppdrag till Inspektionen för vård och omsorg att förbereda för att övervaka och kontrollera regelefterlevnad enligt EHDS. Regeringsbeslut 15.5.2025. Socialdepartementet, Regeringen.
S2025/00975. Uppdrag till Statistiska centralbyrån att utreda förutsättningar för att tillhandahålla säkra behandlingsmiljöer enligt EHDS. Regeringsbeslut 15.5.2025. Socialdepartementet, Regeringen.

2.3 Cybersecurity for health data: EU frameworks and Finnish strategy

Jarkko Levasma, Ministry of Finance Finland
Cybersecurity refers to the protection of networks and information systems, their users, and associated individuals from increasingly sophisticated cyber threats, incidents, and data breaches. In the context of health data, this protection is particularly critical due to the sensitivity and societal value of the information involved.
The European Health Data Space (EHDS) builds upon the regulatory foundations established by the General Data Protection Regulation (GDPR) and the NIS2 Directive. It introduces a set of binding obligations aimed at ensuring the secure processing, access, and exchange of health data across the EU. The overarching objective is to facilitate secure cross-border healthcare services and to strengthen the resilience of the EU’s digital health ecosystem.
The GDPR applies extraterritorially to any organization that offers goods or services to, or monitors the behavior of, individuals within the EU. It imposes strict data protection requirements and enforces compliance through substantial administrative penalties, thereby reinforcing accountability in data governance. Complementing this, the NIS2 Directive mandates that organizations operating in critical sectors implement comprehensive cybersecurity risk management practices, report significant incidents to national authorities, ensure the security of their supply chains, and manage vulnerabilities. It promotes cybersecurity awareness and training and establishes mechanisms for EU-wide coordination through the CSIRT network, EU-CyCLONe, and the NIS Cooperation Group.
Within the EHDS framework, only EHR systems that comply with harmonized EU cybersecurity and interoperability standards may be placed on the market. These systems must support secure digital access for individuals, enabling them to control the sharing of their health data, including across borders. Member States are required to establish national health data access bodies and to integrate with HealthData@EU, a secure EU-wide infrastructure for the secondary use of health data. Organizations must implement robust audit trails, access logging, and incident response mechanisms, and ensure that health data is minimized, pseudonymized or anonymized where appropriate, and encrypted during both transmission and storage.
Finland’s Cyber Security Strategy 2024–2035 aligns with these EU-level frameworks, reinforcing the secure handling of health data in both national and cross-border contexts. The strategy identifies health data as a critical information asset and emphasizes the need to develop cybersecurity capabilities within the healthcare sector. It promotes cross-sectoral collaboration among health authorities, cybersecurity agencies, and private service providers to manage risks associated with sensitive data processing. The strategy’s implementation plan outlines several concrete measures, including the creation of a national cybersecurity guidance database with sector-specific content for healthcare and social welfare, the execution of a risk assessment during EHDS implementation to ensure compliance with EU cybersecurity standards, the classification of critical systems and the adoption of a new ICT risk management model by wellbeing services counties, and the development of certification and cybersecurity requirements for healthcare systems.

2.3.1 Health Care Resilience and Cyber Security

Jyri Rajamäki, Laurea University of Applied Sciences, Finland
Digitalisation of health care has radically transformed how patient data is managed, care is delivered, and services are produced. The proliferation of Electronic Health Records (EHR), mobile health (mHealth), and various cyber-physical systems (CPS) has brought significant benefits, but also increased the vulnerability of systems to cyber threats. Cyber security is no longer merely a technical issue – it is a sociotechnical challenge where technology, people, and organisational processes form a complex, interconnected whole.
Traditional cyber security strategies have often focused on protecting individual technical components, such as firewalls, encryption, and system updates. However, these approaches are insufficient to address vulnerabilities in health care systems that arise from human error, outdated infrastructure, inadequate training, unclear policies, and poor communication. Cyberattacks like ransomware do not only target technology – they exploit human behaviour and organisational weaknesses. (Ewoh & Vartiainen 2024)

Cyber Security as a Sociotechnical Phenomenon

Sociotechnical systems (STS) theory provides a framework in which cyber security is viewed holistically, optimising technical, social, and procedural factors together. In the health care context, STS offers a lens to understand cyber security not just as a technical problem, but as a complex interaction between people, technology, and processes. Vulnerabilities often stem from a security design reality gap, where technical solutions fail to consider social and organisational dimensions. Therefore, cyber security solutions must be co-designed to account for all three dimensions. (Ewoh & Vartiainen 2024)

Science of Cyber Security

When examining cyber security as a science, Edgar & Manz (2017) propose that cyber space consists of the following interconnected components:
  • Data: Information processed, stored, and transmitted within systems. In health care, this includes patient records, diagnoses, treatment plans, and lab results.
  • Technology: Infrastructure, systems, and devices that enable data processing. This includes EHR systems, IoMT devices, cloud services, and mobile applications.
  • People: Users, professionals, patients, and administrators interacting with technology and data. Their actions, skills, culture, and decision-making impact system security.
In health care, Edgar & Manz’s framework helps illustrate how cyber security is a sociotechnical issue. Data is particularly sensitive (PHI – Protected Health Information), and its protection is essential for patient safety and trust. Technology may be outdated or poorly integrated, increasing vulnerabilities (e.g., the data breach at the Finnish psychotherapy center Vastaamo). People may pose risks unknowingly (phishing, negligence) or intentionally (insider threats), but they are also key to building resilience.

Building Resilience – From Control to Coordination

With digitalisation, health care systems have evolved into increasingly complex cyber-physical networks (CPS), where technology, people, and processes are tightly interconnected. This development challenges traditional cyber security thinking, which has largely relied on internal control and technical safeguards within individual organisations. As systems become more interdependent and networked, internal control alone is no longer sufficient to secure critical operations.
Traditionally, organisations have tried to protect themselves from external threats by building technical “walls” such as firewalls, closed networks, and access restrictions. Security is seen as an internal matter managed within the organisation. This model works in limited and static environments but does not address the dynamic nature and interdependencies of modern CPS networks.
Resilience thinking views cyber security as an ecosystem-level challenge, where threats can spread through networks and affect multiple actors simultaneously. Therefore, a shift from control to coordination is needed. Maintaining cyber security and resilience requires collaboration, information sharing, and a Common Operational Picture (COP) among various stakeholders – hospitals, technology providers, authorities, and patients. COP enables a comprehensive understanding of the situation, supporting decision-making and resource allocation.
Coordination-based resilience also emphasizes Cognitive Situational Awareness (CSA) – the continuous ability to observe, understand, and anticipate the system’s state. COP and CSA do not emerge within a single organisation but require open information exchange and cooperation across the CPS network. Resilience is not built through isolated control but through coordinated action, flexibility, and the ability to recover from disruptions. (Rajamäki 2024.)

Digital Twins as Enablers of Resilience

With advances in AI and machine learning, Digital Twins (DT), Cognitive Digital Twins (CDT), and Virtual Human Twins (VHT) are emerging as enablers of future resilience. Digital Twins are virtual replicas of physical systems, enabling real-time monitoring, analysis, and simulation. In health care, DT technology can be used for hospital operations planning, care pathway optimisation, and immunisation strategy development. More advanced CDTs can autonomously learn, analyse, and support decision-making, making them especially valuable in managing disruptions.
VHTs model both biological and non-biological aspects of humans. They enable personalised care, ethical decision-making, and patient-centeredness. VHT research offers insights into CPS resilience development, as humans are more complex than technical systems. (Rajamäki 2024.)

Ethical Perspective on Data Utilisation

Cyber security and resilience are not only technical or operational issues but also ethical responsibilities. Health care data must not merely be protected but also actively and responsibly utilised. Responsible use of patient data, ethical application of AI, and transparency in decision-making are key principles. VHTs enable ethically informed care that considers patient values and choices. DTs and VHTs support predictive care, resource optimisation, and personalised services. Sharing data across CPS systems enhances holistic resilience and promotes global well-being. By integrating these considerations, future health care professionals will be better equipped to navigate the ethical and cyber security complexities of AI, fostering responsible innovation, secure data practices, and resilient health care systems. (Rajamäki & Postolache 2024)

Conclusions

The resilience framework offers a holistic approach that integrates technological, human, and organisational dimensions. Digital Twins are not just technical innovations—they enable the health and resilience of both individuals and technical systems within the complex health care ecosystem. The framework challenges traditional control-based thinking and emphasizes collaboration, ethics, and the role of AI in the future of health care.

References

Edgar T, Manz D, Chapter 2 - Science and Cyber Security, Editor(s): Thomas W. Edgar, David O. Manz, Research Methods for Cyber Security, Syngress, 2017, Pages 33–62, ISBN 9780128053492, https://doi.org/10.1016/B978-0-12-805349-2.00002-9
Ewoh P, Vartiainen T, Vulnerability to Cyberattacks and Sociotechnical Solutions for Health Care Systems: Systematic Review, J Med Internet Res 2024;26:e46904, doi: 10.2196/46904 PMID: 38820579 PMCID: 11179043
Rajamäki J. Digital Twin Technology training and research in health higher education: a review. Explor Digit Health Technol. 2024;2:188–201. https://doi.org/10.37349/edht.2024.00021
Rajamäki J, Postolache O, Considering the Ethics of AI-Based Technologies in Biomedical and Health Informatics (BMHI) Education, International Conference on Interactive Collaborative Learning, Cham: Springer Nature Switzerland, 2024.