Information Security

NEN 7510 the standard for information security in healthcare

The healthcare industry handles a wealth of sensitive information, from medical records to personal data. This is why the NEN 7510 standard was created: the standard for information security in healthcare. In this blog you can read all about this standard and the importance of information security in healthcare.
This article was last updated on 17/5/2024.

What is the NEN 7510 standard?

NEN 7510 is the Dutch standard specifically focused on information security at healthcare institutions. It is based on the international ISO 27001 standard. The difference from ISO 27001 is that NEN 7510 places additional emphasis on care processes and patient safety.

Who is the NEN 7510 standard for?

NEN 7510 certification is relevant to a wide range of healthcare-related organizations, namely those that store and process patient data and must do so securely. Some examples of organizations for which the NEN 7510 standard is relevant:

  1. Hospitals
  2. GP practices
  3. Pharmacies
  4. Health Insurers
  5. Medical laboratories
  6. Physical Therapy Practices
  7. Dental Practices
  8. Nursing homes
  9. Mental health facilities
  10. Medical software companies

Why is information security important in healthcare?

In the healthcare industry, the protection of sensitive information is critical. Consider:

1. Patient privacy: Medical records contain highly personal information about individuals' health.

2. Financial data: In addition to medical records, healthcare facilities also retain patient financial data, such as billing, insurance and other financial transactions.

3. Integrity of care processes: Unauthorized access to or alteration of medical data compromises the quality of care.

Why the NEN 7510 standard?

The most common reason for obtaining NEN 7510 certification is to demonstrate that you, as a healthcare institution or healthcare provider processing medical data, have your information security in order. With a NEN 7510 certificate you show that the medical data you process is well protected, and you meet the requirements and expectations of customers, suppliers and other stakeholders.

Is NEN 7510 certification mandatory?

The Health and Youth Care Inspectorate (IGJ) wants to raise the level of ICT security, and thus the information security of personal health information. By 2023, all hospitals must demonstrably comply with NEN 7510. Furthermore, it is possible that the Ministry of Health, Welfare and Sport (VWS) will refer to NEN 7510 in the Dutch implementation of the revised European Network and Information Security Directive (NIS2), since the standard is a suitable tool for implementing that directive. In addition, all healthcare institutions must comply with NEN 7510 when processing patients' BSN (citizen service number) and when using healthcare information systems.

In any case, a healthcare institution must comply with various laws and regulations:

  • AVG (General Data Protection Regulation).
  • EGIZ (Electronic Data Protection in Healthcare Decree).
  • Wbni (Network and Information Systems Security Act).
  • BSN Use in Healthcare Act.

If the security of an ICT system or application used by the institution is not in order, the healthcare institution, as the responsible party, also fails to comply with NEN 7510. It is therefore important that ICT suppliers comply with NEN 7510 as well. Healthcare institutions and ICT suppliers can lay down agreements about this in a (data processing) agreement.

ISO 27001 and NEN 7510

Comparing the two standards shows that NEN 7510 builds on the requirements and controls of ISO 27001/27002, adapted specifically for healthcare because of the critical nature of personal and medical information, which can have a direct impact on the health of individuals.

In practice, this means:

  • The main structure of NEN 7510-1 (seven chapters, numbered 4 to 10) is exactly the same as that of ISO 27001.
  • In Annex A, NEN 7510 adds healthcare-specific guidance to 33 of the 114 controls of ISO 27001, sometimes with several additional measures per control.
  • In addition, NEN 7510 introduces three extra controls in chapter "A.14 System acquisition, development and maintenance".

Note that these figures refer to NEN 7510:2017, which follows the structure of ISO 27001:2013. The 2022 revision of ISO 27001 reorganized Annex A into 93 controls in four themes; check which edition of each standard your certification body audits against.

The specific differences between the NEN 7510 and the ISO 27001 standards are clearly marked in the NEN 7510 documentation, making it easy to identify them directly just by consulting the NEN 7510.

Supplementary standards: NEN 7512 and NEN 7513

In addition to NEN 7510, there are also NEN 7512 and NEN 7513, which have additional requirements:

  • NEN 7512: This standard sets requirements for trustworthy, secure electronic communication and data exchange within the healthcare sector.
  • NEN 7513: This standard sets requirements for logging access to patient data and for the use of those logs, so that institutions can meet their legal obligations.

Need help implementing the NEN 7510 standard?

We have already helped several healthcare institutions with information security. From implementing the NEN 7510 standard to critical internal audits with extensive reporting.

  • RIBW
    Storm works here as an interim Data Protection Officer and also guides RIBW through the implementation of the NEN 7510 standard.
  • GGZ Westelijk Noord-Brabant
    Jelle conducted a gap analysis for the entire organization to determine what is still needed for NEN 7510 certification.
  • Bravis Hospital
    At Bravis Hospital, information security consultant Kilian carries out the annual independent internal audit.
  • SPL
    SPL builds secure digital infrastructures and has many healthcare institutions as clients. Implementing NEN 7510 and ISO 27001 was therefore a logical request from its clientele.
  • Observation app
    The Observer App is a free, user-friendly and secure environment for exchanging observations with fellow GPs. Information security is paramount, and thanks to an implementation of the standard they can now demonstrate this.

Like the organizations listed above, would you like to be guided through the implementation of the NEN 7510 standard, or have the work taken off your hands? Check out our services or schedule a no-obligation meeting.

Find out what our implementation process looks like

In our white paper, we take you step by step through our implementation process.

Kilian Houthuijzen
Account Manager