NEN 7510 without healthcare institution?
The standard NEN 7510 focuses on the following target groups:
- healthcare institutions;
- other administrators of personal health information.
In this article, we highlight a situation concerning the certification of the latter target group, referred to below as the ‘administrator’. An administrator has one or more healthcare institutions as its clients, referred to below as ‘healthcare clients’.
Healthcare institution
Whereas healthcare institutions self-evidently process personal health information, this is not always the case for administrators. The situation may arise where an administrator is asked by a healthcare client to comply with NEN 7510, while the administrator has no other healthcare clients (yet).
Administrator
An administrator is eligible for a NEN 7510 certification if it can demonstrate that:
- Personal health information is processed;
- The Statement of Applicability contains healthcare-specific controls that are relevant to the processing of that personal health information and that result from the information security risk assessment.
If your organization does not yet have a healthcare client, it is not yet processing personal health information. For this reason, your organization is not eligible for a NEN 7510 certificate.
Solution
There is a solution for the above situation. Your organization first chooses ISO 27001 certification, which already covers a large part of the NEN 7510 requirements. The service to the healthcare client is then started, and after a certain period the ISO 27001 certification is extended with NEN 7510. You can read how to approach this extension in the article: How to expand with NEN 7510.
Do you have additional questions? Please contact one of our specialists. They will be happy to help you.