NEN 7510 is the Dutch standard for information security in healthcare. It is almost identical to ISO 27001, supplemented with healthcare-specific control measures. For IT service providers that deliver general IT services to customers in the healthcare sector, NEN 7510 certification was relatively easy to obtain alongside ISO 27001. This made it an attractive certificate for these IT service providers to demonstrate to healthcare customers that they handle their data reliably and with integrity.
Stricter legal and regulatory requirements
Since November this year, obtaining this certificate has become more complicated. The Accreditation Council (the body that assesses and guarantees the services provided by certification bodies) has decided that external audits must pay more attention to the laws and regulations section. It has stipulated that NEN 7510-certified IT service providers must comply not only with the laws and regulations that apply directly to their own organisation, but also with those that apply to their (healthcare) clients. This legislation must be made transparent at article level and actually implemented within the organisation achieving NEN 7510 certification.
The changes in practice
To illustrate the practical implications, take as an example an IT service provider that provides an Office365 environment to a physiotherapy practice. This environment is used for support activities, i.e. it is not used to actively process personal health information. Because it cannot be excluded that personal health information is nevertheless stored in the Office365 environment, despite the use of an SPD, the IT service provider must comply with the healthcare-specific laws and regulations that apply to this physiotherapy practice. As a supplier, the IT service provider is co-responsible for the availability, integrity and confidentiality of the Office365 environment. It also has access to this environment and may therefore, in exceptional cases, come into contact with personal health information. For these reasons there is joint responsibility.
Examples of laws and regulations that IT service providers must now comply with are:
- Medical Treatment Agreement Act;
- Supplementary provisions processing personal data in healthcare act;
- Decree on electronic data processing by healthcare providers;
- Care Quality, Complaints and Disputes Act;
- Youth Act;
- Social Support Act.
To meet this requirement, specific measures regarding logging, access management, encryption and retention periods must be implemented. It must also be demonstrated that these measures are actually in place.
To opt for NEN 7510 certification or not?
For IT service providers of solutions specific to the healthcare domain, NEN 7510 certification will of course remain relevant. Customers can expect these providers to be aware of the specific laws and regulations and to take them into account when delivering their product or service. Protify advises other IT service providers against obtaining NEN 7510 certification in many cases. In practice, we find that only a very small percentage of IT service providers come into contact with customers' personal health information; access to this data is almost never necessary to provide services as an IT service provider. As a result, in many cases the extra work and organisational changes required to obtain NEN 7510 certification no longer outweigh the benefits.
Demonstration of relevant requirements
If an IT service provider chooses not to obtain NEN 7510 certification, it may still be valuable to demonstrate to healthcare clients that the relevant requirements of NEN 7510 are met. Protify has developed an overview for its clients that indicates which healthcare-specific control measures apply to the IT service provider. These control measures can be fleshed out during the design and implementation of an information security management system (ISMS) for the purpose of ISO 27001 certification. The way in which they are implemented can then be explained in a matrix. In this way, IT service providers can still demonstrate that they provide a secure environment.
More information on NEN 7510 for your organisation?
If you have any questions after reading this article, or want to know what Protify can do for your organisation, please contact us.