NEN 7510 audit for organisations that want to be demonstrably compliant
A NEN 7510 audit assesses whether your healthcare organisation demonstrably manages information security around patient data. NEN 7510 is the Dutch standard for information security in healthcare and builds on ISO 27001, with additional requirements around logging (NEN 7513), access management and exchange (NEN 7512). An independent auditor assesses policy, risks, access management, logging and suppliers. You receive a clear report with findings and a practical improvement plan for demonstrable compliance.
What is NEN 7510?
NEN 7510 is the standard for information security in Dutch healthcare. It uses the methodology of ISO 27001 with healthcare-specific additions, and is supplemented by NEN 7512 (basis of trust for exchange) and NEN 7513 (logging of access to patient records).
Who is it for?
For healthcare providers, healthcare IT suppliers and organisations that process patient data and must demonstrate that they manage information security, including towards the IGJ.
Common problems
- Logging that does not comply with NEN 7513.
- Access management that does not match roles.
- Suppliers without demonstrable security agreements.
- Risk analysis that misses the healthcare context.
Our approach in 5 steps
- Determine scope and healthcare context.
- Document review against NEN 7510/7512/7513.
- Interviews & sampling, including logging.
- Findings report with risks.
- Improvement plan and follow-up.
NEN 7510 and ISO 27001 together
If you already have ISO 27001, you are well on track for NEN 7510. Read more about the relationship between ISO 27001 and NEN 7510 or opt for a combined audit.
IGJ — questions about NEN 7510 (official source).
Frequently asked questions
What is NEN 7510?
NEN 7510 is the Dutch standard for information security in healthcare. The standard describes how healthcare organisations manage the availability, integrity and confidentiality of patient data through a management system. NEN 7510 aligns with ISO 27001 and is supplemented by NEN 7512 (data exchange) and NEN 7513 (logging of access to patient records).
Is NEN 7510 mandatory?
Healthcare providers are legally required to take appropriate technical and organisational measures to secure patient data. NEN 7510 (together with NEN 7512 and 7513) is the recognised way of meeting that obligation and is used by the Health and Youth Care Inspectorate (IGJ) as an assessment framework. In practice it is therefore effectively the standard for healthcare.
How does NEN 7510 differ from ISO 27001?
NEN 7510 uses the same methodology as ISO 27001, but is specifically tailored to healthcare. Where ISO 27001 is generally applicable, NEN 7510 adds healthcare-specific requirements around patient data, logging and data exchange. Organisations that already have ISO 27001 can move on to NEN 7510 conformity relatively easily.
What does the auditor assess?
The auditor assesses whether the healthcare organisation demonstrably manages information security: policy and risk analysis tailored to the healthcare context, role-based access management, logging in line with NEN 7513, security of data exchange, agreements with suppliers and the follow-up of incidents and improvement actions. They look for evidence in systems, log files and interviews.
What are NEN 7512 and NEN 7513?
NEN 7512 concerns the basis of trust for secure data exchange in healthcare: how organisations reliably share data with one another. NEN 7513 sets requirements for logging access to electronic patient records, so that it can be verified afterwards who viewed which data. Together with NEN 7510 they form the standards framework for information security in Dutch healthcare.
How does NEN 7510 relate to the GDPR?
NEN 7510 focuses on the security of (patient) data, while the GDPR sets the broader privacy obligations. They reinforce one another: a NEN 7510-compliant management system provides much of the evidence that is also needed for GDPR compliance, such as access management, logging and risk control. For full privacy control, an additional privacy approach (for example via ISO 27701) is advisable.
What is a NEN 7510 gap analysis?
A NEN 7510 gap analysis compares your current information security with the requirements of NEN 7510, 7512 and 7513. You gain insight into where you already comply and where the gaps lie, with priorities and a roadmap. It is the logical first step before you enter a formal audit or certification process.
How often should an audit take place?
As with ISO 27001, an internal audit should take place at least once a year, covering all elements within the certification cycle. With certification, periodic surveillance audits by the certification body follow. Logging and access reviews are ideally monitored more frequently and on a structural basis.
Ensure demonstrable information security in healthcare
Schedule a NEN 7510 audit scan and find out where your healthcare organisation stands.
