What exactly does NEN 7510 entail?
Designed for healthcare institutions, NEN 7510 lays out the measures you need to take to manage information security. An important part of this is awareness. According to the standard, all employees - and where relevant, contractors as well - must receive appropriate training upon commencement of employment. In addition, regular refresher training on information security policies and procedures is mandatory.
Why is security awareness in healthcare important?
Did you know that in 2023, a whopping 25,694 data breaches were reported to the Personal Data Authority? Even more shocking: the healthcare sector takes the crown with 8,929 reports. And those are just the reported cases. The reality is that many data breaches never come to light. Yet the healthcare sector is not even among the top 10 sectors for reported cyberattacks.
This shows how vulnerable the healthcare industry is, especially when it comes to human error. 90% of incidents are caused by employees. So they play the most important role in securing sensitive data, which is precisely why security awareness is so important. We need to invest in awareness, not only to mitigate legal risks, but above all to ensure patient privacy and security.
The NEN 7510 standard requirements regarding awareness
The NEN 7510 standard addresses security awareness in several places. One example is management measure A.7.2.2, which asks that organizations where personal health information is processed ensure that both new and existing employees are regularly briefed on information security procedures. This includes third-party contractors, researchers, students and volunteers. Employees must also be informed of the disciplinary consequences of not following these procedures.
A.7.2.2 Awareness, education and training
Management measure: All employees of the organization and, as relevant, contractors should receive appropriate awareness education and training and regular refresher training on organizational policies and procedures as relevant to their positions.
Care-specific measure: Organizations that process personal health information should ensure that information security education and training is provided when inducting new employees and that regular updates of organizational security policies and procedures are provided to all employees and, where relevant, third-party contractors, researchers, students and volunteers who process personal health information.
The standard also specifically calls for training of employees when they join your organization. That way, when they come on board, they are already familiar with the information security policies within the organization and have been made aware of the risks of not complying with them.
Security awareness is also relevant to other management measures
In addition, the standard states that you must take sufficient measures against the risks identified in your risk analysis. Consider malware, continuity, incident reporting or control over your suppliers.
Take limiting malware, and making your employees aware of it, as an example. This involves several actions, including:
- Make sure employees always install the latest updates and patches, and create sufficient network separation.
- Set clear rules for installing software.
- Implement detection capabilities so that suspicious activity is noticed early.
- Develop a response plan to determine what to do in the event of a malware infection.
- Strengthen endpoint security, such as by encrypting devices.
- Limit the use of removable media, such as USB sticks, in line with measure A.8.3 of the standard.
- Manage and restrict access to data and files.
What measures can you take to increase security awareness?
It is important to start with awareness training when new employees are hired. But this training should be an ongoing process. By offering training throughout the year, employees can continue to guard against new threats such as phishing and ransomware.
A powerful tool here is Guardey, a platform that trains employees through game elements. This makes training not only instructive, but also fun and effective, allowing employees to get better and better at recognizing cyber risks. This keeps them alert and the organization better protected against potential data breaches.
Start training your team now for the price of a cup of coffee! ☕