NEN 7510

What is NEN 7510?

NEN 7510 is a Dutch standard for information security within healthcare. The standard is based on the international ISO/IEC 27001 standard for information security but has been adapted and expanded to align the security requirements as closely as possible with the healthcare sector in the Netherlands.

Is NEN 7510 mandatory?

Healthcare institutions process sensitive personal data of their clients and patients every day, and a data breach can have major impact. That is why NEN 7510 is mandatory for healthcare providers; the regulator IGJ (Dutch Health and Youth Care Inspectorate) requires them to demonstrate that they have an information security management system that complies with this security standard. As part of this, they must also have a continuity plan that is tested regularly. Moreover, this NEN 7510 obligation applies not only to healthcare institutions such as hospitals, primary care practices, dental practices, pharmacies, and so on. Parties that manage medical data on behalf of such institutions, such as Software-as-a-Service providers, must also be compliant with NEN 7510. The most transparent and professional way to demonstrate this is certification. We explain later in this article how you can prepare for this certification.

What does NEN 7510 entail?

As noted, NEN 7510 is based on the ISO/IEC 27001 standard. ISO 27001 helps organizations establish an information security management system, including the necessary controls. Such a system is also called an Information Security Management System (ISMS).

NEN 7510 is comparable to ISO 27001 but tailored specifically for healthcare organizations. To do so, NEN 7510 supplements the generic ISO 27001 guidelines with requirements specifically intended for healthcare institutions and medical data. With such healthcare-specific controls, careful handling of patient data can be ensured. NEN 7510 provides guidelines for secure access to that data, secure exchange between care providers, and proper logging of all data processing.

An example of a healthcare-specific control: ISO 27001 includes a general control that requires employees to return company assets, such as laptops, at the end of their employment. NEN 7510 adds extra rules to ensure that all personal health information on devices is always erased and that physical documents are also returned.

Information Security Management and Controls

With NEN 7510, you can implement information security at two levels:

  • Organization and processes around information security: Risk management is central to your information security. Based on a security risk assessment, you determine which risks apply in your organization. You then determine which risks must be addressed and which residual risks are acceptable. You must also set up a so-called Plan-Do-Check-Act cycle (PDCA) to regularly review the risk assessment and determine whether new or adjusted controls are required.

  • Detailed controls: NEN 7510 includes a list of about 120 controls. Each healthcare organization must determine, based on its own risk assessment, which controls must be implemented to adequately mitigate the security risks and comply with the standard.

NEN 7510-1 and NEN 7510-2

So far, we have discussed the NEN 7510 standard, but in fact the standard consists of two parts, NEN 7510-1 and NEN 7510-2:

  • NEN 7510-1 is normative: It provides the actual standard with which you as a healthcare organization must be compliant and against which you can be certified. The main text of NEN 7510-1 describes all organizational and process-related aspects of your information security. In addition, there is an Annex A with a table of all available controls that you must use, depending on the risks present.

  • NEN 7510-2 is informative: this document provides additional guidance that helps you elaborate the necessary measures and implement them. NEN 7510-2 includes the same controls as Annex A of NEN 7510-1, but NEN 7510-2 provides additional detail for each control on how to implement it. NEN 7510-1 describes what must be done; NEN 7510-2 helps you with how to do it.

Here too, the structure of NEN 7510 and ISO 27001 is similar. ISO 27001 provides the standard against which you can certify, including a table of controls. ISO 27002 provides the supporting guidance.

NEN 7510 certification

How can your organization prepare for NEN 7510 certification? The risk-based approach is very helpful for your certification. Because the process starts with identifying the risks relevant to your organization, you not only know which controls you need to implement; these are also the measures an auditor will focus on during certification. A step-by-step plan can look as follows:

  • Initiation phase: You begin by obtaining the NEN 7510 standard and building knowledge of the standard and of the current status of your information security. Inform and involve management and stakeholders. Draft an information security policy and have it approved by management. Establish the organizational framework for the next steps, secure funding (including NEN 7510 certification costs) and staff your ISMS project.

  • NEN 7510 risk assessment: Define a method to identify and assess risks. Based on this, you systematically identify, analyze, and assess all security risks. You then determine which risks are relevant and must be resolved and which are acceptable as residual risk.

  • NEN 7510 action plan: Based on the risk assessment, create a plan for implementing the required controls and changes. You record which specific controls apply in your organization in a 'Statement of Applicability NEN 7510' that will also be used during NEN 7510 certification. Implementing controls involves not only software and process changes, but also documentation, training, and employee awareness.

  • Implement the security measures: This is the execution of the NEN 7510 implementation plan you created earlier. You implement all required technical, organizational, and procedural measures. This protects patient data and ensures access control, encryption, incident response plans, security-aware employees, etc.

  • Internal audits: Plan internal NEN 7510 audits to assess the effectiveness of the implemented measures and adjust where necessary. Follow a structured audit approach to prepare the involved employees for the eventual external certification audit.

  • Preparation for NEN 7510 certification: Select an accredited certification body in time and make clear arrangements so that you know what to prepare for. Ensure that all documentation is available and that all processes and procedures are operational. Brief the managers and employees who may be interviewed.

  • External audit: Schedule the external audit with the accredited certification body you selected. During this audit, the certification body will assess whether your organization meets the requirements of NEN 7510. Such an audit is usually a combination of documentation review and interviews with responsible managers and operational staff.

  • Corrective action and NEN 7510 certificate: Based on the external audit, corrective actions may still be required. Once these have been completed and agreed with the certifying party, the NEN 7510 certificate can normally be issued, including the 'Statement of Applicability NEN 7510'.

  • Maintenance and continuous improvement: As part of your NEN 7510 ISMS you have also implemented a PDCA cycle (Plan-Do-Check-Act). This ensures ongoing monitoring, evaluation, and improvement of the ISMS so you continue to comply with the NEN 7510 standard.

NEN 7510 checklist for IAM capabilities

When setting up a NEN 7510-based Information Security Management System, you must assess for each control whether it is relevant and must be implemented. For a significant number of those controls, Identity and Access Management (IAM) now plays a role. For example, at the level of individual employees, and as much as possible based on a person's job role, you determine which applications and data that person should be able to access. You also want to streamline user access requests and other account processes in a controlled manner and, depending on the user profile and context, apply Multi-Factor Authentication where required. Finally, you want to log all administrative actions and login attempts automatically for potential audit trails.
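The three IAM capabilities named above (role-based entitlements, context-dependent Multi-Factor Authentication, and an automatic audit trail of login and access decisions) can be modelled in a few dozen lines. The block below is an added example written for this article; it is not code from Tools4ever, HelloID, or the NEN 7510 standard. The role names, applications, network-trust rule and sample requests are all constructed for illustration, and the policy (privileged applications and access from outside the trusted network always require MFA) is an assumption, not a requirement quoted from the standard.

```python
"""Added example, not Tools4ever/HelloID or NEN 7510 code: a minimal access
policy that grants applications per job role, decides when MFA is required
from context, and records every decision in an audit trail.
All names and rules below are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timezone
import json

# Constructed role -> permitted applications mapping. Least privilege: each role
# lists only the applications the job actually needs.
ROLE_ENTITLEMENTS = {
    "nurse": {"ehr-read", "medication-record"},
    "physician": {"ehr-read", "ehr-write", "medication-record"},
    "it-admin": {"ehr-admin", "identity-console"},
    "reception": {"appointments"},
}

# Constructed list of applications treated as privileged (always MFA).
PRIVILEGED_APPS = {"ehr-admin", "identity-console", "ehr-write"}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    roles: frozenset
    application: str
    on_trusted_network: bool   # assumed context signal from the network layer
    mfa_completed: bool        # assumed signal from the authentication step


@dataclass(frozen=True)
class Decision:
    allowed: bool
    mfa_required: bool
    reason: str


def entitlements_for(roles):
    """Union of the applications every assigned role permits."""
    apps = set()
    for role in roles:
        apps |= ROLE_ENTITLEMENTS.get(role, set())
    return apps


def mfa_required(application, on_trusted_network):
    """Assumed context rule: privileged applications always need MFA, and so
    does any access that does not originate from the trusted network."""
    return application in PRIVILEGED_APPS or not on_trusted_network


def evaluate(req):
    """Role check first, then the MFA requirement for this context."""
    needs_mfa = mfa_required(req.application, req.on_trusted_network)
    if req.application not in entitlements_for(req.roles):
        return Decision(False, needs_mfa, "no assigned role grants this application")
    if needs_mfa and not req.mfa_completed:
        return Decision(False, True, "MFA required but not completed")
    return Decision(True, needs_mfa, "granted")


class AuditTrail:
    """Append-only list of decision records; each entry is JSON-serialisable so
    it can be shipped to a log platform for later audit."""

    def __init__(self):
        self.entries = []

    def record(self, req, decision, when=None):
        when = when or datetime.now(timezone.utc)
        entry = {
            "time": when.isoformat(),
            "user": req.user,
            "roles": sorted(req.roles),
            "application": req.application,
            "trusted_network": req.on_trusted_network,
            "mfa_completed": req.mfa_completed,
            "allowed": decision.allowed,
            "reason": decision.reason,
        }
        self.entries.append(entry)
        return entry

    def denied(self):
        """Denied attempts: the events an auditor typically asks about first."""
        return [e for e in self.entries if not e["allowed"]]

    def privileged_access(self):
        """Successful use of privileged applications (administrative actions)."""
        return [e for e in self.entries
                if e["application"] in PRIVILEGED_APPS and e["allowed"]]


def process(requests, trail):
    """Evaluate each request, log the outcome, return the decisions in order."""
    decisions = []
    for req in requests:
        decision = evaluate(req)
        trail.record(req, decision)
        decisions.append(decision)
    return decisions


# Constructed sample requests covering the grant, wrong-role, and MFA cases.
SAMPLE_REQUESTS = [
    AccessRequest("nurse01", frozenset({"nurse"}), "ehr-read", True, False),
    AccessRequest("nurse01", frozenset({"nurse"}), "ehr-write", True, True),
    AccessRequest("doc07", frozenset({"physician"}), "ehr-write", True, False),
    AccessRequest("doc07", frozenset({"physician"}), "ehr-write", True, True),
    AccessRequest("admin02", frozenset({"it-admin"}), "identity-console", False, True),
    AccessRequest("recep03", frozenset({"reception"}), "appointments", False, False),
]

if __name__ == "__main__":
    trail = AuditTrail()
    for decision in process(SAMPLE_REQUESTS, trail):
        print(decision)
    print(json.dumps(trail.entries, indent=2))
```

The split between `entitlements_for` (what a role may reach) and `mfa_required` (what the context demands) mirrors the two questions the checklist asks per control: is access scoped to the job role, and is stronger authentication enforced where the risk warrants it. The audit trail records denied attempts as well as grants, because a log that only shows successful logins cannot support the review of suspicious access patterns.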

Many security professionals therefore analyze their existing IAM solution for its suitability for their NEN 7510 plans. To support this, Tools4ever has created a white paper (NEN 7510 and the role of Identity Management). It provides a comprehensive introduction to this healthcare standard and explores the role of Identity Management in information security in healthcare organizations. A useful tool for this is our NEN 7510 checklist. For each NEN 7510 control, it explains whether IAM functionality is required and how a modern IAM solution can best support the security requirements. We describe this in the checklist using our own HelloID platform as the reference.

What does NEN 7510 mean?

NEN 7510 is a Dutch information security standard for medical institutions such as hospitals, primary care practices, and dental practices. NEN 7510 defines rules to ensure that all sensitive patient information is stored and processed securely, including between care providers.

What does NEN 751x mean?

In addition to the general NEN 7510 standard for information security in healthcare institutions, this series includes other specific standards. Examples are NEN 7512 (electronic data processing) and NEN 7513 (activity logging). The series as a whole is sometimes referred to as NEN 751x.

What is the difference between ISO 27001 and NEN 7510?

ISO 27001 is a general, widely used, international standard for establishing an information security management system. NEN 7510 uses the same structure but can be used to set up an information security management system within healthcare. NEN 7510 is therefore broadly comparable to ISO 27001, but with more specific requirements for medical systems and data.

Is NEN 7510 certification mandatory?

Certification is not mandatory, but healthcare institutions are required to demonstrate that their information security complies with the NEN 7510 standard. A structured and transparent way to do this is through certification. The Health Care Inspectorate (IGZ), patients, health insurers, and partners can then see at a glance that all requirements are met.

What is NEN 7510-1+A1?

NEN 7510 consists of two parts, NEN 7510-1 and NEN 7510-2. NEN 7510-1 also includes, as an annex, a table (A1) of controls. The main text of NEN 7510-1 and that table A1 form the normative part of NEN 7510 against which you can certify. NEN 7510-2 is informative. That is why people sometimes explicitly refer to NEN 7510-1+A1.