Why a new version of the NEN 7510?
NEN 7510 is closely linked to the international standards ISO 27001 and ISO 27799. ISO 27001 was updated in 2022, and this has direct consequences for NEN 7510. To bring NEN 7510 back in line with the updated ISO 27001, a revision of the Dutch standard is necessary.
In addition, the revision of the healthcare-specific ISO 27799 also played a role. The renewal of ISO 27001 was a good reason to take another look at the healthcare-specific control measures of ISO 27799, and these turned out to need changes, partly because of the requirements arising from NIS2. Several standards therefore feed into the upcoming changes to NEN 7510.
What are the main changes?
The new NEN 7510 contains quite a few updates that affect healthcare institutions and other parties that process personal health information. In brief, these are the most important changes:
- Additions to the healthcare-specific control measures: there are 14 additions to existing ISO controls and 8 additional controls specific to healthcare. These are the result of an international review and are designed to better meet current requirements for information security.
- New chapters for control measures: whereas the old standard contained 117 control measures, the updated version has 101. These are now divided into four themes: organizational, people, physical and technological controls. This provides a more logical structure, but also requires adjustments from organizations currently working with the old standard, because existing documentation and implementation evidence will have to be mapped to the new numbering.
- ISMS adjustments: the information security management system (ISMS) remains largely the same, but some new elements have been added. One notable new requirement is that healthcare organizations must state explicitly which legal and contractual information security requirements they do or do not address within their ISMS. This is a significant change that calls for greater clarity from organizations.
- Climate change: the impact of climate change on the organization, as now included in the ISO standards, is also integrated into the updated NEN 7510.
- Changes to Annex A: the biggest changes are in Annex A, where most of the control measures are described. New controls such as configuration management and information deletion present challenges, especially for organizations that run their own IT systems.
What is the impact for healthcare facilities?
For many healthcare institutions, the arrival of the updated NEN 7510 feels like an extra burden. After years of investing time, resources and staff to comply with the old standard, many changes now have to be made again. This can feel overwhelming, but the changes are necessary to remain compliant with the latest standards in information security.
Healthcare institutions that are already certified under the old NEN 7510 will have to transition to the new version in the coming years. The update introduces new control measures and removes some existing ones. For example, the healthcare-specific requirements around "screening" and the use of the "care relationship" as the basis for access to personal health information have been dropped. Likewise, the Information Security Management Forum (IBMF), which exists at many healthcare facilities, is no longer part of the new standard. One requirement that does return is that personal health information in backups must be encrypted.
The planning and transition period
The new standard is currently still in the consultation phase, which runs until 22 September 2024. Until then, experts can provide feedback on the draft version of NEN 7510:2024. The final version is expected in December 2024, after which certification bodies can obtain accreditation to audit against it. The first certificates under the new standard are likely to be issued from April 2025.
A transition period is expected during which organizations can move from the old to the new standard, similar to previous transitions of ISO standards. This means an end date will probably be announced (possibly sometime in 2028), which may then be pushed back to give everyone time to make the changes.
How to move forward?
Do you, as a healthcare institution, want to get started with the new NEN 7510? You can. Map out the new control measures and requirements properly and adjust your ISMS accordingly. It is wise not to wait until the new standard is formally in force, so that you are well prepared for the transition. We can help you with this; feel free to contact us without obligation.