NEN7510 for ICT services: when and when not?
ICT organisations providing services to healthcare providers are often required to comply with NEN7510-1:2017. But is this demand justified, and can any ICT supplier be certified to this standard? This is a question we often get, and it is the subject of this news article. An ICT supplier providing services to a healthcare institution can only obtain NEN7510 certification if it actually processes personal health information.
The definition of personal health information, taken directly from NEN7510, is: information about an identifiable individual that relates to the physical or mental condition of, or the provision of healthcare services to, the individual in question, which may include:
(a) information on the registration of the person for the provision of healthcare services;
(b) information on payments or eligibility for care related to the person;
(c) a number, symbol or particular assigned to a person as a unique identifier of that person for medical purposes;
(d) any information about the person gathered during the provision of care services to the person;
(e) information derived from a test or examination of a body part or bodily substance; and
(f) identification of a person (e.g. a healthcare professional) as providing care to the person.
So an ICT service provider can only become NEN7510 certified if it actually processes personal health information. But what counts as processing?
Here the AVG (the Dutch implementation of the GDPR) supplies the explanation in Article 4: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
In a separate document (SAP-C025), the RvA (the Dutch Accreditation Council) has set requirements for ICT service providers that manage health information. There must be an interface with the healthcare institution; this is to prevent organisations that do not process health information at all from being certified anyway. For those organisations, ISO 27001 is the applicable standard. Furthermore, SAP-C025 states that the Statement of Applicability must identify the interfaces. If an organisation cannot do so, it follows that it cannot be certified for NEN7510. Excluding many of the healthcare-specific controls is therefore not possible.
Conclusion: the key point is that the ICT service provider must be a processor of the personal health information. Merely storing and retaining that information already constitutes an interface. Furthermore, the scope should make clear which activities, products and services relate to the management of personal health information and which are outsourced. The Statement of Applicability (VVT) should state for each control whether it relates to the interface.
DigiTrust is an active participant in the NEN consultation platform and in 2019 was the first certification body to be accredited for both the Healthcare and the ICT cluster. We therefore have a great deal of experience and knowledge in-house.
The DigiTrust back office can always provide you with further information. A free consultation with an experienced lead auditor is also always possible. We have short lines of communication and are always available for further information regarding the requirements described above.