
NEN 7510 - the standard for information security in healthcare

What is the NEN7510 standard?
NEN 7510 is the Dutch standard that focuses specifically on information security at healthcare institutions. It is based on the international ISO 27001 standard. The difference from ISO 27001 is that NEN 7510 places extra emphasis on care processes and patient safety.
Who is the NEN7510 standard for?
NEN 7510 certification is relevant for a wide range of health-related organizations, all of which must ensure the safe storage and processing of patient data. A few examples of organizations for which the NEN 7510 standard is relevant:
- Hospitals
- GP surgeries
- Pharmacies
- Health insurers
- Medical laboratories
- Physical Therapy Practices
- Dental practices
- Care homes
- Mental health care facilities
- Medical software companies
Why is information security important in healthcare?
In the healthcare sector, the protection of sensitive information is very important. Consider:
1. Patient privacy: Medical records contain highly personal information about individuals' health.
2. Financial information: In addition to medical data, healthcare institutions also store patient financial information, such as billing, insurance and other financial transactions.
3. Integrity of care processes: Unauthorized access to or modification of medical data jeopardizes the quality of care.
Why the NEN 7510 standard?
The most common reason to obtain NEN 7510 certification is to demonstrate that, as a healthcare institution or healthcare provider that processes medical data, you have your information security in order. By obtaining a NEN 7510 certificate, you demonstrate that medical data is well protected. In this way you meet the requirements and expectations of customers, suppliers and other stakeholders.
Is NEN 7510 certification mandatory?
The Health and Youth Care Inspectorate (IGJ) wants to increase ICT safety and thus the information security of personal health information. By 2023, all hospitals must demonstrably comply with NEN 7510, and it is also possible that the Ministry of Health, Welfare and Sport will include the NEN 7510 standard in the revision of the European Network and Information Security Directive (NIS 2), as this standard is a good tool for implementing that European Directive. In addition, all healthcare institutions must comply with the NEN 7510 standard when they process patients' BSN (citizen service number) and use the care information system.
It is also not without reason that a healthcare institution must comply with various laws and regulations:
- AVG (General Data Protection Regulation).
- EGIZ (Electronic Data Processing in Healthcare Decree).
- Wbni (Network and Information Systems Security Act).
- The Act on the use of the BSN in healthcare.
If the security of an ICT application is not in order, the healthcare institution, as the responsible party, does not comply with the NEN 7510 standard either. It is therefore important that ICT suppliers also comply with the NEN 7510 standard. Healthcare institutions and ICT suppliers can lay down agreements about this in a (processor) agreement.
ISO 27001 and NEN 7510
Comparing the standards shows that NEN 7510 complements the requirements and controls of ISO 27001/27002, adapted specifically for healthcare because of the critical nature of personal and medical information, which can have a direct impact on individuals' health.
In practice, this means:
- The main structure of NEN 7510-1 (consisting of 7 chapters, numbered 4 to 10) is exactly the same as that of ISO 27001.
- In Appendix A, also known as Annex A, NEN 7510 adds a healthcare-specific specification to 33 of the 114 control measures of ISO 27001, sometimes several specifications per control.
- In addition, NEN 7510 introduces three additional control measures in the chapter: “A.14 Acquisition, Development and Maintenance of Information Systems”.
The specific differences between NEN 7510 and ISO 27001 are clearly marked in the NEN 7510 documentation, so they can be identified directly by consulting only NEN 7510.
Additional standards: NEN 7512 and NEN 7513
In addition to NEN 7510, there are also NEN 7512 and NEN 7513, which set additional requirements:
- NEN 7512: this standard regulates secure electronic communication within the healthcare sector.
- NEN 7513: this standard provides guidelines for logging and for using logs to comply with legal obligations.
Need help implementing the NEN 7510 standard?
We have already helped various healthcare institutions with information security, from implementing the NEN 7510 standard to critical internal audits with comprehensive reporting.
- RIBW
Storm works here as an interim Data Protection Officer. He also assists the RIBW in implementing the NEN 7510 standard.
- GGZ Western Noord-Brabant
For the entire organization, Jelle carried out a GAP analysis to determine what is still needed for NEN 7510 certification.
- Bravis hospital
At Bravis hospital, Information Security Consultant Kilian carries out the annual independent internal audit.
- GAME
SPL builds secure digital infrastructures and has many healthcare institutions as customers. Implementing NEN 7510 and ISO 27001 was therefore a logical request from its clientele.
- Observe app
The Waaremapp is a free, user-friendly and secure environment for exchanging observations with fellow GPs. Information security is of paramount importance, and thanks to an implementation of the standard they can demonstrate this.
Like the organizations above, do you want to be guided or unburdened in implementing the NEN 7510 standard? Check out our services or plan a free introduction.