Information Security

Security awareness in healthcare is enormously important and mandatory under NEN 7510

If you work in healthcare, it probably hasn't escaped your notice that information security is a major priority these days. Given the enormous amount of personal health information that healthcare institutions process every day, it is important that every employee - from doctors to administration - understands the risks and knows how to protect against them. NEN 7510, the standard for information security in healthcare, plays an important role here.
This article was last updated on 9/4/2025

What exactly does NEN 7510 entail?

NEN 7510 is designed for healthcare institutions and lays down which measures you must take to manage information security. An important part of this is awareness. According to the standard, all employees, and where relevant also contractors, must receive appropriate training when they join the organization. In addition, regular refresher training on the information security policy and procedures is mandatory.

Why is security awareness in healthcare important?

Did you know that in 2023, a whopping 25,694 data breaches were reported to the Personal Data Authority? Even more shocking: the healthcare sector takes the crown with 8,929 reports. And those are just the reported cases. The reality is that many data breaches never come to light. Yet healthcare does not even rank in the top 10 of sectors with the most reported cyberattacks.

It shows how vulnerable the healthcare industry is, especially when it comes to human error. 90% of incidents are caused by employees. So they play the most important role in securing sensitive data, which is precisely why security awareness is so important. We need to invest in awareness, not only to mitigate legal risks, but especially to ensure patient privacy and security.

The NEN 7510 standard requirements regarding awareness

The NEN 7510 standard contains several components of security awareness, for example control A.7.2.2. The standard requires that organizations where personal health information is processed ensure that both new and existing employees are regularly informed of information security procedures. This also applies to third-party contractors, researchers, students and volunteers. Employees must be informed of the disciplinary consequences of not complying with these procedures.

A.7.2.2 Awareness, education and training

Management measure: All employees of the organization and, as relevant, contractors should receive appropriate awareness education and training and regular refresher training on organizational policies and procedures as relevant to their positions.

Care-specific measure: Organizations that process personal health information should ensure that information security education and training is provided when inducting new employees and that regular updates of organizational security policies and procedures are provided to all employees and, where relevant, third-party contractors, researchers, students and volunteers who process personal health information.

The standard also specifically calls for training of employees when they join your organization. That way, when they come on board, they are already familiar with the information security policies within the organization and have been made aware of the risks of not complying with them.

Security awareness is also relevant to other management measures

In addition, the standard states that it is important to take sufficient measures for the risks from your risk analysis. Consider malware, continuity, incident reporting or controlling your suppliers.

Take, for example, limiting malware and making your employees aware of it. This involves several actions, including:

  • Make sure employees always install the latest updates and patches, and create sufficient network separation.
  • Set clear rules for installing software.
  • Implement detection capabilities so that suspicious activity is noticed early.
  • Develop a response plan to determine what to do in the event of a malware infection.
  • Strengthen endpoint security, such as by encrypting devices.
  • Limit the use of removable media, such as USB sticks, in line with measure A.8.3 of the standard.
  • Manage and restrict access to data and files.

What measures can you take to increase security awareness?

It is important to start with awareness training when new employees are hired. But this training should be an ongoing process. By offering training throughout the year, employees can continue to guard against new threats such as phishing and ransomware.

A powerful tool for this is Guardey, a platform that trains employees through game elements. A Cybersecurity Awareness Escape Room is also a good addition. This makes training not only educational but also fun and effective, so that employees become ever better at recognizing cyber risks. That way they stay alert and the organization is better protected against potential data breaches.

Kilian Houthuijzen
Commercial Manager & Partner
085 773 60 05