Medical Information Systems (MIS) play an increasingly critical role in health care. They are sensitive with respect to security, privacy, safety and other quality attributes. MIS have been considered medical devices by regulators in many jurisdictions. However, the use of traditional device-focused certification methodology has been problematic for MIS. One reason for these problems is that MIS are dynamically evolving socio-technical systems and their quality attributes are not merely determined by software. The objective of this paper is to provide a better characterization of the concept of MIS and to propose a more effective methodology for certifying such systems. We illustrate our methodology with a real-world case study.