Information Security

The updated NEN 7510: what healthcare institutions need to know

At the end of 2024, the updated NEN 7510, the standard written specifically for information security in healthcare, is expected to come into force. But why is the standard being revised, what are the main changes, and what do they mean for healthcare institutions? This article gives you the information you need.
This article was last updated on 9/4/2025.

Why a new version of the NEN 7510?

NEN 7510 is closely linked to the international standards ISO 27001 and ISO 27799. ISO 27001 was updated in 2022, and that has direct consequences for NEN 7510. Bringing NEN 7510 back in line with the revised ISO 27001 therefore requires an update of the Dutch standard.

In addition, the revision of the healthcare-specific ISO 27799 also played a role. The renewal of ISO 27001 was a good reason to take another look at the healthcare-specific controls of ISO 27799, and those controls turned out to need changes, partly because of the requirements of NIS2. Several standards are therefore involved in the upcoming changes to NEN 7510.

What are the main changes?

The new NEN 7510 contains quite a few updates that affect healthcare institutions and other parties that process personal health information. In brief, these are the most important changes:

  • Additions to healthcare-specific controls: There are 14 additions to existing ISO controls and 8 extra controls specific to healthcare. These are the result of an international review and are intended to better meet current requirements for information security.
  • New structure for the controls: Whereas the old standard contained 117 controls, the updated version has 101. These are now grouped into four chapters: organizational, people, physical and technological. This gives a more logical structure, but it also means that organizations currently working with the old standard will have to remap their existing controls.
  • ISMS adjustments: The information security management system (ISMS) remains largely the same, but a few new elements have been added. One notable new requirement is that healthcare organizations must state explicitly whether or not legal and contractual information security requirements are included in the scope of their ISMS. This is a significant change that demands more clarity from organizations.
  • Climate change: The impact of climate change on the organization, as added to the ISO standards, is now also integrated into the updated NEN 7510.
  • Changes to Annex A: The biggest changes are in Annex A, where most of the controls are described. New controls such as configuration management and information deletion present challenges, especially for organizations that run their own IT systems.

What is the impact for healthcare facilities?

For many healthcare institutions, the arrival of the updated NEN 7510 feels like an extra burden. After years of investing time, money and people to comply with the old standard, a lot now has to change again. That can feel overwhelming, but the changes are necessary to stay compliant with the current state of information security standards.

Healthcare institutions that are already certified under the old NEN 7510 will have to transition to the new version in the coming years. The update brings new controls but also removes some existing ones. For example, the healthcare-specific requirements around "screening" and the use of the "care relationship" as the basis for access to personal health information have been dropped. Likewise, the Information Security Management Forum (IBMF), which many healthcare institutions have in place, is no longer part of the new standard. One requirement that does return is the encryption of personal health information in backups.

The planning and transition period

At the moment the new standard is still in the public consultation phase, which runs until 22 September 2024. Until then, experts can provide feedback on the draft version of NEN 7510:2024. The final version is expected in December 2024, after which certification bodies can be accredited to audit against it. The first certificates under the new standard are likely to be issued from April 2025.

A transition period is expected during which organizations can move from the old to the new standard, as with previous transitions of ISO standards. In practice this means that an end date will be announced (possibly sometime in 2028) and may later be pushed back to give everyone time to make the changes.

How to move forward?

Do you want to get started with the new NEN 7510 as a healthcare institution? You can! Make sure you map the new controls and requirements carefully and adapt your ISMS accordingly. It is wise not to wait until the new standard officially comes into force, so that you are well prepared for the transition. We can help you with this. Feel free to contact us without obligation.

Kilian Houthuijzen
Commercial Manager & Partner