Information Security in Healthcare: What is NEN 7510 and Why is it on Everyone's Agenda?
- Mar 20
A practical guide for healthcare organisations, data protection officers, information security officers and IT managers.
What is NEN 7510?
NEN 7510 is the Dutch standard for information security in healthcare. The standard describes what measures healthcare organisations must take to ensure the availability, integrity and confidentiality of patient information.
The standard was developed specifically for the healthcare sector and takes into account the unique characteristics of healthcare processes: the sensitivity of medical data, the complex chain of care providers and suppliers, and the high demands placed on system availability.
NEN 7510 consists of two parts:
NEN 7510-1 describes the requirements and forms the basis for certification.
NEN 7510-2 contains the controls, an extensive set of practical measures that give substance to the requirements in part 1. Together they form a framework that enables healthcare organisations to manage information security in a structured and demonstrable way.
The Relationship Between NEN 7510 and ISO 27001
Anyone familiar with ISO 27001, the international standard for information security, will recognise NEN 7510. That is no coincidence.
NEN 7510 is built on the foundations of ISO 27001. The structure, approach and terminology are largely the same. Where ISO 27001 is a generic standard applicable to any sector and any type of organisation, NEN 7510 is a sector-specific translation for Dutch healthcare.
In practical terms this means three things.
First, NEN 7510 encompasses ISO 27001. Organisations that comply with NEN 7510 broadly also comply with ISO 27001, because the healthcare-specific requirements include and extend the generic requirements of ISO 27001.
Second, NEN 7510 adds healthcare-specific requirements, covering areas such as access to electronic patient records, the exchange of medical data, processor agreements with healthcare suppliers and the specific role of the data protection officer in healthcare organisations.
Third, ISO 27001 certification is not a substitute for NEN 7510. A healthcare organisation that holds ISO 27001 certification does not automatically comply with NEN 7510. The healthcare-specific additions require additional measures and documentation.
For organisations already working with ISO 27001, the step towards NEN 7510 is relatively small. The foundation is already in place, but the healthcare-specific extensions require focused attention.

Who Does NEN 7510 Apply To?
NEN 7510 applies to all organisations active in healthcare that process patient information. In practice this covers a broad spectrum.
Hospitals and clinics are the most well-known target group, but the standard reaches beyond hospital walls.
GP practices and health centres process sensitive medical information on a daily basis.
Home care organisations deal with distributed working environments, staff working from patients' homes and systems accessed via multiple devices.
Mental health institutions handle particularly sensitive data where confidentiality carries extra weight.
Laboratories and diagnostic centres exchange medical data with a large number of parties, making them a critical link in the healthcare chain.
Suppliers and IT service providers working for healthcare organisations are increasingly required by contract to demonstrably comply with NEN 7510 or to support their clients in doing so.
In practice, NEN 7510 has become a contractual obligation for many healthcare organisations, imposed by health insurers, hospital groups or other principals in the chain. The standard is on the agenda, not always because organisations choose it themselves, but because the chain requires it.
The Hard Numbers
In November 2023, the Dutch Health and Youth Care Inspectorate (IGJ) published the results of a study into NEN 7510 compliance at Dutch hospitals. The outcome was telling: only 54 of the 77 hospitals examined demonstrably complied with the standard.
Not startups. Not small practices. Full-scale hospitals, with IT departments, data protection officers and established security and compliance budgets.
The problem is not that healthcare organisations are unwilling to comply. The problem is the gap between knowing the standard and demonstrably meeting it.
Policies are stored somewhere on a server, or spread across multiple locations, and nobody knows exactly where. Risk assessments were carried out once, years ago. Suppliers signed a processor agreement, but are they actually reviewed periodically? Incident procedures exist, but staff do not know where to report a security incident.
This is not a matter of bad intentions. It is the reality of a sector that already has more than enough on its plate.

What Goes Wrong in Practice?
Based on gap assessments at healthcare organisations, the same issues come up time and again:
Risk assessments are carried out once and never updated.
Suppliers with access to the electronic patient record are not periodically reviewed on information security.
Incident procedures are documented but unknown to staff.
Policies exist on the server but do not live within the organisation.
And there is no demonstrability: measures are in place, but there is no evidence that they actually work.
NEN 7510 does not demand perfection. It demands demonstrability and continuous improvement. That starts with knowing where you stand.
NEN 7512 and NEN 7518: The Broader Standards Family
NEN 7510 does not stand alone. It is part of a broader family of standards for information security in healthcare. NEN 7512 goes a level deeper than NEN 7510. Where NEN 7510 describes the general requirements for information security, NEN 7512 focuses specifically on the trust framework for data exchange, describing the conditions under which care providers and healthcare organisations may exchange information with one another.
NEN 7518 is a specification of NEN 7512 and focuses specifically on the digital identification of healthcare professionals: who is permitted to log in to which system, and how is that proven quickly and securely. NEN 7518 is particularly relevant right now, as the Dutch Wet Diaz is currently before parliament and will make NEN 7518 the legal framework for digital access in healthcare. The UZI card, which many healthcare professionals currently use, will eventually be replaced as a result.
How Do You Get Started?
An effective NEN 7510 trajectory always starts with a gap assessment: what is already in place, what is missing and what are the biggest risks? This is followed by a risk assessment as the foundation, implementation of the required measures and the establishment of a cycle of continuous monitoring and improvement.
An effective trajectory consists of roughly six steps:
Define the scope. Which systems, processes and locations fall within the ISMS? A clear scope prevents the project from becoming too large and ensures focus.
Carry out a gap assessment. What already meets the standard? What is missing? What is the current state of risk assessments, policies, supplier management and incident procedures?
Draw up a risk assessment. A current, documented risk assessment is the foundation of the ISMS. Without this foundation, the rest of the system cannot be built.
Implement measures. Based on the risk assessment, controls are selected and put in place. NEN 7510-2 provides an extensive set of controls for this purpose.
Make policies and procedures demonstrable. Policies must not just exist, they must be active. Staff must know them, understand them and act accordingly.
Continuous monitoring and improvement. NEN 7510 is not a project with an end date. It is a cycle in which risk assessments are periodically reviewed, suppliers are assessed, and incidents are recorded and analysed.
Conclusion
For the Dutch healthcare sector, NEN 7510 is not optional. It is an obligation. But knowing the standard and demonstrably complying with it are two fundamentally different things.
In practice, many healthcare organisations have implemented the standard on paper, but the system does not function in reality. Risk assessments become outdated. Suppliers are not reviewed. Staff do not know the procedures.
The solution starts with an honest look at where you stand. Not to tick a box, but to genuinely put your organisation's information security in order, for the patients who depend on the safety of their data.
Because ultimately, information security in healthcare is not about standards and certificates. It is about people.