
Security awareness in healthcare is extremely important and mandatory under NEN 7510

What exactly does NEN 7510 mean?
NEN 7510 is designed for healthcare institutions and specifies what measures you need to take to control information security. An important part of this is awareness. According to the standard, all employees and, where relevant, contractors must receive appropriate training upon commencement of employment. In addition, regular refresher courses on information security policies and procedures are mandatory.
Why is security awareness in healthcare important?
Did you know that no fewer than 25,694 data breaches were reported to the Data Protection Authority in 2023? Even more shocking: the healthcare sector comes out on top with 8,929 reports. And those are just the reported cases. The reality is that many data breaches never come to light. However, the healthcare sector is not even in the top 10 when it comes to reported cyber attacks.
This shows how vulnerable the healthcare sector is, especially when it comes to human error. 90% of incidents are caused by employees. They therefore play the most important role in securing sensitive data, which is why security awareness is so important. We need to invest in awareness, not only to reduce legal risks, but especially to ensure patient privacy and safety.
The NEN 7510 standards with regard to awareness
The NEN 7510 standard addresses security awareness in several places. One example is control measure A.7.2.2. The standard requires that organizations that process personal health information ensure that both new and existing employees are regularly informed about information security procedures. This also applies to third party contractors, researchers, students and volunteers. If these procedures are not complied with, employees must be informed of the disciplinary consequences.
A.7.2.2 Awareness, Education and Training
Control measure: All employees of the organization and, where relevant, contractors should receive appropriate awareness education and training and regular upskilling in the organization's policies and procedures, as relevant to their job.
Healthcare-specific measure: Organizations that process personal health information must ensure that information security education and training are provided when introducing new employees and that regular updates to the organization's security policies and procedures are provided to all employees and, where relevant, third party contractors, researchers, students, and volunteers who process personal health information.
In addition, the standard specifically requires training for employees when they join your organization. This way, when they come on board, they are already familiar with the organization's information security policy and aware of the risks of not complying with it.
Security awareness also relevant to other control measures
In addition, the standard states that it is important to take sufficient measures for the risks from your risk analysis. Think about malware, continuity, reporting incidents or controlling your suppliers.
As an example, we'll take limiting malware and making your employees aware of it. This means you have to take multiple actions, including:
- Make sure employees always install the latest updates and patches, and create sufficient network separation.
- Set clear rules for installing software.
- Implement detection capabilities so that suspicious activity is detected early.
- Develop a response plan to determine what to do in the event of a malware infection.
- Strengthen endpoint security, for example by encrypting devices.
- Restrict the use of removable media, such as USB sticks, in line with measure A.8.3 of the standard.
- Control and restrict access to data and files.
What measures can you take to increase security awareness?
It is important to start with awareness training when new employees are hired. But this training must be an ongoing process. By offering training throughout the year, employees can continue to protect themselves against new threats such as phishing and ransomware.
A powerful tool for this is Guardey, a platform that trains employees through game elements. A Cybersecurity Awareness Escape Room is also a good addition. This makes training not only educational, but also fun and effective: employees get steadily better at recognizing cyber risks, stay alert, and protect the organization better against possible data breaches.





















