NEN 7510: Information security in Dutch healthcare
Information security plays an important role in many industries, not least in healthcare. This is where confidential medical data and patient information are managed and shared. It goes without saying that confidential information must not fall into the hands of unauthorised parties. In the healthcare system, this is easier said than done. The sector generates and processes huge volumes of data, and many parties are involved in the collection, storage and processing of that data – including healthcare providers, patients and health insurers, who together form an extensive network. If this information is not properly secured, it can have major consequences for both patients and healthcare providers.
NEN 7510
is a Dutch standard that sets requirements for
information security
in healthcare. It is derived from the international standard ISO 27001, the standard for information security. In the remainder of this blog, we will discuss NEN 7510 in more detail. We will also answer the following three questions:
- What are the benefits of NEN 7510?
- Is NEN 7510 mandatory?
- What are the requirements of NEN 7510 for information security in healthcare?
Is NEN 7510 mandatory?
NEN 7510 focuses on information security for all types of healthcare providers, such as hospitals, nursing homes and other healthcare institutions. It provides them with the tools they need. You may be wondering whether compliance with this standard is mandatory. Well, the short answer to that is yes; healthcare institutions must comply with NEN 7510 requirements. This also applies to other parties that process personal health information.
The Dutch regulations on use of the citizen service number (BSN) in healthcare state that healthcare organizations must comply with NEN 7510. These regulations are part of the Dutch act on the processing of personal data in healthcare (additional provisions). Also, by complying with NEN 7510, you largely also comply with the requirements of the GDPR (General Data Protection Regulation), which obliges organizations to adequately secure personal data.
Organizations that work with medical data and patient data must be able to demonstrate that they comply with NEN 7510. One way of doing this is through certification, though this is not mandatory. However, becoming certified is certainly a wise move. Besides the assurance that you meet the standard, there are other benefits to certification. For example, you can check whether your organization still complies with the requirements through annual audits. The auditor then reviews your work processes and systems, and you gain insights into where improvements are needed.
What are the requirements of NEN 7510 for information security in healthcare?
There are too many requirements specified in NEN 7510 to list them all in this blog, but we would like to give you a rough idea of what it entails. The standard is divided into two parts: the first part consists of ten chapters and is the same as ISO 27001. The second part consists of 18 chapters and contains requirements specific to the healthcare sector. This part is based on ISO 27002.
Risk management plays a major role in NEN 7510. If you don’t have a clear picture of the risks, you can’t take any further action. So, you need to know what the risks are, how big they are and what the consequences will be in the event of an incident. In addition to risk management, the standard also addresses control measures – which includes the development of an information security policy, access security and the management of information security. This way, you can implement the standard in your organization step by step. You can then decide whether you want to become NEN 7510-certified in order to meet the requirements for information security in healthcare.