Healthcare institutions have been required to comply with NEN7510, NEN7512 and NEN7513 since 15 December 2018. These standards are included in the 'Decree on electronic data processing by healthcare providers'. The Personal Data Authority (AP) monitors compliance.
IGJ also applies these standards when the quality of care is at stake due to insecure handling of personal health information. Inadequate information security is not only a threat to patient privacy, but also a threat to the availability, integrity and confidentiality of information systems. In many cases, care cannot continue uninterrupted unless all information systems are available. In addition to the 'horizontal process', a hospital manages a complex ICT organisation. During e-health inspection visits, IGJ expects the healthcare provider to be able to show the result of a recent independent assessment of its information security management system against NEN 7510-1:2017.
An independent and impartial audit report is therefore very valuable in demonstrating to IGJ whether the Information Security Management System (ISMS) is in order and meets the requirements of NEN7510. Certification is thereby 'the proof of the pudding' for all stakeholders, which is important for an organisation with a societal role.
NEN7510 accreditation
DigiTrust has a licence agreement with NEN (see the NEN website) and, on that basis, an accreditation with the RvA. By entering into this licence agreement, all certifying organisations commit to starting the accreditation process, which in principle must be completed within 1 year of the publication of the NCS7510 (1/6/2019). This date has now passed and the RvA allows only limited postponement. DigiTrust, as the specialist in the Netherlands in audits and certification of information security, has its processes in order and was therefore the first to successfully complete this accreditation process with the RvA. See the COA website. All other listed CBs are therefore also obliged to complete this process with the RvA in the near future. If they fail to do so, they will no longer be allowed to perform NEN7510-1:2017 audits and certifications. It is therefore important for healthcare institutions and IT service providers to take timely action and choose the right certification body. Otherwise, they may find themselves with an expired certification, which the CB cannot and should not renew. DigiTrust has held accreditation for NEN7510:2017 since November 2019 and can help you schedule and achieve your recertification audits on time.
It was further established that certificates issued by certification bodies under accreditation for the old NEN 7510:2011 edition expire on 1 June 2020. It is highly plausible that a NEN7510:2017 certification issued under accreditation has more value for IGJ and AP, as such certificates are issued under the supervision of the RvA.
Corona update: Due to the corona situation, the expiry period of the old NEN7510:2011 has been extended by 6 months. This means that certifications on this standard will expire from 1 December 2020.
The practicalities you need to consider
To achieve NEN7510 certification, the standard itself must obviously be met. However, that is not enough. A Specific Accreditation Protocol (SAP) for the certification of management systems for information security in healthcare according to NEN 7510-1 has been drawn up by the Accreditation Council (SAP-C025-NL). In this protocol, two clusters have been established:
- Z-cluster: healthcare institutions
- B-cluster: managers of personal health information other than healthcare institutions
Within this document, there are additional requirements regarding the scope of the ISMS and the Declaration of Applicability (VVT). Furthermore, managers of personal health information must have a demonstrable interface with the healthcare institution.
Contact our specialists, who can give you more information about this.