Information security in healthcare is essential. Negligence can have major consequences for the safety of patients and their medical records. How do you show that you handle this data carefully and confidentially? A NEN 7510 certification gives confidence. You demonstrate that you handle this privacy-sensitive data correctly. You show your patients/clients, suppliers, health insurers and other stakeholders that you have taken the right measures to handle the information security risks when processing this data.
Brand Compliance carries out NEN 7510 certification under accreditation.
NEN 7510 meaning
The NEN 7510 provides guidelines and principles for determining, establishing and enforcing measures that healthcare institutions and other managers of personal health information must take to secure the information provision. NEN 7510 consists of a normative framework in the form of an information security management system (ISMS, Information Security Management System). A risk assessment is required to determine the required assurance of availability, integrity and confidentiality of the information. By implementing the information security management system including the control measures for each of the control objectives, an organization can meet the requirements established in a risk assessment. The standard thus provides a basis for confidence in the careful provision of information at and between the various organizations in the healthcare sector.
NEN 7510 certification
With a NEN 7510 certificate you show that you, as an organization, handle the information that is processed within your service provision responsibly. It proves that you have set up a management system that meets the standard. This standard means, among other things, that information security measures have been taken to guarantee the availability, integrity and confidentiality of the (personal health) information. The certificate is issued by an independent party after inspection and testing of your management system. For example, patients, clients, health insurers, MedMij and regulators can rely on you to handle (personal health) information responsibly.
The advantage of a certification is that it shows that your organization has implemented procedures to ensure the information security of patient data. In addition, the management system processes help your organization to better manage and continuously improve information security.
NEN 7510 certification requirements
The requirements of NEN 7510 are described in the standard. A number of requirements are described below so that you get an idea of what kind of requirements you must meet in order to be certified:
Information security: taking measures to ensure the availability, integrity and confidentiality of information.
Information security policy: a policy containing the obligations for employees with regard to the subject of information security.
Security organization: setting up an organizational structure and assigning responsibilities and authorities for the implementation and maintenance of information security measures.
Risk management: identifying, assessing, handling, managing and monitoring risks to the availability, integrity and confidentiality of information.
Physical access security: putting in place measures to protect physical access and the integrity, confidentiality and availability of information.
Logical security: implementing measures to allow only authorized users access to information.
Human resources policy: establishing and enforcing measures to ensure the safe use of information.
Education and training: providing adequate education and training to all persons involved to achieve a level of information security that meets the requirements of NEN 7510.
How to start with NEN 7510 certification?
Below you will find a NEN 7510 checklist, with the steps that are logically necessary to obtain a NEN 7510 certification:
Start with the NEN 7510 download (PDF). This can be purchased via, for example, the NEN.
Follow a training to obtain the necessary knowledge about NEN 7510. This is also possible through our BC Academy.
Implement the NEN 7510 management system in your organization and ensure that it meets the requirements of the standard.
Carry out an internal audit to check whether the system is working properly and to assess whether your system meets the standard requirements.
Management must review the results of the internal audit and take any corrective action. You record the conclusion about meeting the requirements in the management review.
Once you have determined that your organization meets the requirements, a Brand Compliance auditor will independently assess whether your management system meets the requirements of the standard.
If your organization meets the standard requirements, we provide you with a certificate.
NEN 7510 certification costs
The implementation starts with the purchase of the standard. The costs of the entire process depend on various factors. For example, the complexity of the processes, whether work is done in shifts, the extent to which matters are already in order within the organization, the number of FTEs and locations. The costs for the certification consist of the number of hours that Brand Compliance spends preparing the audit, the audit itself, the reporting and additional costs such as the certificate, administration and travel costs. The fastest way to calculate the costs starts with an introductory meeting.
For more information about everything related to certifications, we have set up our knowledge base, which includes a number of articles under ‘certification process‘.
NEN 7510 is intended for healthcare institutions and other personal health information managers, as well as security advisors, consultants, auditors, providers and external service providers responsible for overseeing the security of health information. The guidelines in NEN 7510 provide these organizations and individuals with the necessary information on how to securely manage and protect personal health information.
When is NEN 7510 required?
Often a NEN 7510 certification is not mandatory, but an organization has itself certified to prove itself to its stakeholders and to distinguish itself from the market. But there is also a possibility that one of the stakeholders does make the NEN 7510 certification mandatory. For example, it may be that a health insurer makes it mandatory for the affiliated healthcare organizations or that one of the suppliers makes it a requirement. An example of this is MedMij.
NEN 7510 is not explicitly mentioned in the GDPR, but the importance of security standards exists under the applicable regulations, such as the GDPR. It is mandatory within the healthcare sector to comply with NEN 7510 if the citizen service number (BSN) is used. Finally, the Dutch Data Protection Authority (AP) states in the current policy rules ‘Security of personal data’ that organizations are responsible for following security standards, citing NEN 7510 as an example.
What is the difference between ISO 27001 and NEN 7510?
The basis of both standards is the same. NEN 7510 is specific to organisations that process personal health information. This standard has named 3 additional controls and a care-specific controls for 33 existing control measures.
What is the difference between NEN 7510-1 and NEN 7510-2?
NEN 7510-1 contains the normative requirements for the management system. An information security management system is implemented by an organization as part of a strategic decision. Part 1 of the standard was prepared to provide requirements for establishing, implementing, maintaining and continuously improving an information security management system.
Part 2 of the standard provides an overview of recommended actions healthcare organizations can take to manage risk, including securing personal health information and implementing information systems management procedures. NEN 7510-2 provides healthcare institutions and other managers of personal health information with instructions on how to ensure the availability, integrity and confidentiality of this information.
What are NEN 7512 and NEN 7513?
The NEN 7512 relates to electronic communication in healthcare between healthcare providers and healthcare institutions, patients and clients, healthcare insurers, and other parties involved in healthcare. These requirements are prescribed by law and regulations and differ per process. NEN 7512 describes, among other things, the process to carry out a risk assessment for the exchange of data.
The NEN 7513 sets requirements for the system with which data relating to access to the electronic patient file is registered. These requirements make it possible to check the lawfulness of access control in the electronic patient file.
What is the importance of the GDPR within the NEN 7510?
The General Data Protection Regulation (GDPR) is a European regulation that relates to the protection of personal data. It is designed to give individuals control over their personal data and require organizations to handle this data in a secure and responsible manner.
The GDPR plays an important role within the NEN 7510 standard. Within the context of the NEN 7510 standard, healthcare institutions and other organizations in the health sector are obliged to comply with both the GDPR and the specific requirements of the standard. This means that they must protect the personal data they process in accordance with the GDPR guidelines and the additional requirements of NEN 7510.
The NEN 7510 standard contains specific security measures and guidelines for the processing of personal data in healthcare. These measures include, among other things, performing risk analyses, implementing appropriate technical and organizational measures, ensuring data confidentiality, determining access rights and reporting data breaches.
By complying with both the GDPR and the NEN 7510 standard, healthcare institutions can demonstrate that they respect the privacy of patients and process personal data in a secure manner. Adhering to these standards is vital to maintain the trust of patients and other stakeholders and to mitigate legal and financial risks.