
Let me start by stating the obvious: healthcare institutions have the primary task of delivering care. But we all also know that delivering care has changed enormously in recent years. The regulatory burden on healthcare institutions and specialists has grown enormously, and that makes nobody happy.
In May 2018, the government even launched a programme called (De)regulate care. To find out whether the regulatory burden is actually decreasing, the experience of healthcare providers and patients is being measured. In September 2019, the minister gave the House of Representatives an update on the results of this programme. In it, he writes that the regulatory burden has decreased somewhat, but that this is also a "tough issue" and a many-headed monster. Actually removing rules does not immediately produce the desired result. The minister indicates that a start has been made and that the programme will continue in all healthcare sectors in the coming period.
The question is: does complying with NEN7510 fall under this perception of 'regulatory burden'? The answer to that is YES. Administrators and healthcare providers find information security a burden and even see it as a hindrance in their daily work. Quite understandable, as no healthcare provider wants a pointless information security rule. Yet the question is whether having information security under control should fall under this feeling at all. Shouldn't it be seen differently?
NEN7510 itself says the following about this in the norm:
Maintaining the availability, integrity and confidentiality (BIV) of information is the overarching goal of information security. In healthcare, client privacy depends on maintaining the confidentiality of personal health information. To ensure this confidentiality, measures must also be taken to maintain data integrity.
Client safety even depends on the integrity of personal health information; incorrect information can result in illness, injury or even death.
A high level of availability is also a requirement for good care, where treatments are often time-critical. Not having information available can lead to very worrying situations.
Caregivers are passionate about caring. The fact is that they all have an intrinsic motivation to always provide good care. With this in mind, it is strange that complying with NEN7510 is seen as regulatory pressure. Securing patient information is crucial to providing good care. Every healthcare provider finds it annoying if the patient's privacy is not protected, if the healthcare provider cannot trust that the information is correct, or if the system is down and therefore work cannot be done. Securing information is not just an IT matter. Of course, as a healthcare provider, you need to be able to trust that the IT people have the technology under control. Unfortunately, this is often not the case.
Facts 2019
In 2019, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) received 26956 data breach reports. Within the healthcare sector, the largest number of data breach reports came from hospitals (25%), pharmacies (20%) and foundations conducting population screening (9%). Also noteworthy is that 67% of reported data breaches concern personal data being sent or handed to the wrong recipient.
And then that elephant...
Many healthcare institutions are well aware that they have to comply with NEN7510. What they do not know or realise, however, is that the law, the Decree on electronic data processing by healthcare providers, states that a healthcare provider must be able to demonstrate this through an independent audit report.
Quote, article 3.4.a: an organisation independent of the legal entity has determined after investigation that the legal entity and the system it manages comply with the provisions of NEN 7510 and NEN 7512, and has recorded that finding in an audit report prepared by that organisation on behalf of the legal entity;
Directors and boards know full well that they have to comply, but see this as 'that elephant' in the boardroom. Directors also often think that they are safe anyway: if you have never faced an attack, you tend to think the chances are small. "We have taken technical measures anyway, we have done awareness sessions among staff." But there is no real compliance with NEN7510. And that poses an organisational and managerial risk, but above all a social one. After all, patients, and also parents of children, have almost blind trust in their healthcare provider. Demonstrable compliance remains 'stuck' at the level of management and the board of directors. We have something, but then again we don't. We don't see certification as necessary. Even more burden and pressure for the organisation. That is unfortunate, but also worrisome. The Haga incident is an example of this and could have been prevented by a good ISMS: no-nonsense measures, placed in the right context and based on the organisation's own risks. A NEN7510 certification also addresses NEN7512 (data exchange) and NEN7513 (logging). So, given the blind trust of the patient, it is actually ethically wrong that things are not yet demonstrably in order. Just imagine criminals making off with your data... identity fraud.
The moment things go really wrong, you are of course obliged to report this to the AP. They will then investigate and check whether NEN7510 is demonstrably being complied with. The AP works together with the IGJ (the Health and Youth Care Inspectorate) in this respect. Having an impartial audit by a party that can demonstrate it has the right competences for this is then crucial, because a NEN7510 audit conducted by a party that cannot demonstrate the right competences results in a meaningless audit report. To fill this in, you quickly end up with a certifying body that has been assessed and accredited for NEN7510 by the Accreditation Council. DigiTrust is accredited to perform this type of audit for both healthcare and ICT service providers.
I sincerely hope there will be a quick turnaround among all healthcare providers. Having a NEN7510 certification gives peace of mind and confidence, but in the end it is simply a 'licence to operate' for a healthcare provider. Management and boards need to start realising that securing patient data for confidentiality, integrity and availability is a prerequisite for delivering good care, and not a "we'll do that another time...".
DigiTrust audits and certifies Healthcare Providers under accreditation on NEN7510 and ISO27001.

*** DigiTrust contributes to a secure digital world ***