Information Security

Security Awareness in de zorg is enorm belangrijk én verplicht vanuit de NEN 7510

Security Awareness in de zorg is enorm belangrijk én verplicht vanuit de NEN 7510
If you work in healthcare, it probably hasn't escaped your notice that information security is a major priority these days. Given the enormous amount of personal health information that healthcare institutions process every day, it is important that every employee - from doctors to administration - understands the risks and knows how to protect against them. NEN 7510, the standard for information security in healthcare, plays an important role here.
This article was last updated on
9/12/2024

What exactly does NEN 7510 entail?

Designed for healthcare institutions, NEN 7510 lays out the measures you need to take to manage information security. An important part of this is awareness. According to the standard, all employees - and where relevant, contractors as well - must receive appropriate training upon commencement of employment. In addition, regular refresher training on information security policies and procedures is mandatory.

Why is security awareness in healthcare important?

Did you know that in 2023, a whopping 25,694 data breaches were reported to the Personal Data Authority? Even more shocking: the healthcare sector takes the crown with 8,929 reports. And those are just the reported cases. The reality is that many data breaches never come to light. Yet the healthcare sector is not even in the top 10 most reported cyberattacks.

It shows how vulnerable the healthcare industry is, especially when it comes to human error. 90% of incidents are caused by employees. So they play the most important in securing sensitive data, which is precisely why security awareness is so important. We need to invest in awareness, not only to mitigate legal risks, but especially to ensure patient privacy and security.

The NEN 7510 standard requirements regarding awareness

In the NEN 7510 standard there are several components of Security Awareness. For example, management measure A.7.2.2. The standard asks that organizations where personal health information is processed ensure that both new and existing employees are regularly briefed on information security procedures. This includes third-party contractors, researchers, students and volunteers. If these procedures are not followed, employees must be informed of disciplinary consequences.

A.7.2.2 Awareness, education and training

Management measure: All employees of the organization and, as relevant, contractors should receive appropriate awareness education and training and regular refresher training on organizational policies and procedures as relevant to their positions.

Care-specific measure: Organizations that process personal health information should ensure that information security education and training is provided when inducting new employees and that regular updates of organizational security policies and procedures are provided to all employees and, where relevant, third-party contractors, researchers, students and volunteers who process personal health information.

The standard also specifically calls for training of employees when they join your organization. That way, when they come on board, they are already familiar with the information security policies within the organization and have been made aware of the risks of not complying with them.

Security awareness also relevant to other management measures

In addition, the standard states that it is important to take sufficient measures for the risks from your risk analysis. Consider malware, continuity, incident reporting or controlling your suppliers.

We'll take as an example limiting malware and making your employees aware of it. This means taking several actions, including:

  • Make sure employees always install the latest updates and patches, and create sufficient network separation.
  • Set clear rules for installing software.
  • Implement detection capabilities so that suspicious activity is noticed early.
  • Develop a response plan to determine what to do in the event of a malware infection.
  • Strengthen endpoint security, such as by encrypting devices.
  • Limit the use of removable media, such as USB sticks, in line with measure A.8.3 of the standard.
  • Manage and restrict access to data and files.

What measures can you take to increase security awareness?

It is important to start with awareness training when new employees are hired. But this training should be an ongoing process. By offering training throughout the year, employees can continue to guard against new threats such as phishing and ransomware.

A powerful tool here is Guardey, a platform that trains employees through game elements. This makes training not only instructive, but also fun and effective, allowing employees to get better and better at recognizing cyber risks. This keeps them alert and the organization better protected against potential data breaches

Try Guardey 14 days free 🕹️

Start training your team now for the price of a cup of coffee! ☕

Request free demo
Kilian Houthuijzen
Commercial Manager & Partner
085 773 60 05
To news overview

Related articles

News
Why an AVG scan is important for your organization
read more
Customer case
Customer case study: cybersecurity week at GOOSE VPN
read more
KAM Certifications is now Fendix

We are a partner of

SGS
BSI
TUV
DEKRA
KIWA
Brand Compliance
LRQA
DNV
Digitrust