The renewed NEN 7510: what healthcare institutions need to know


By the end of 2024, the renewed NEN 7510, the standard specifically designed for information security in healthcare, is expected to come into force. But why is this standard being renewed, what are the most important changes and what does this mean for healthcare institutions? Here, we'll give you all the information you need.

This article was last updated on 24.03.2026

Written by Gijs Nabuurs, Information Security Consultant & Marketing Specialist

Why a new version of the NEN 7510?

The NEN 7510 is closely linked to the international standards ISO 27001 and ISO 27799. In 2022, ISO 27001 was updated, which has direct consequences for the NEN 7510. To bring the NEN 7510 back in line with the renewed ISO 27001, the Dutch standard has to be updated as well.

The review of the healthcare-specific ISO 27799 also played a role in the renewal. The update of ISO 27001 was a good reason to take another look at the healthcare-specific control measures of ISO 27799. These control measures turned out to need changes, partly because of the requirements of NIS2. Several standards are therefore involved in the upcoming changes to the NEN 7510.

What are the most important changes?

The new NEN 7510 contains quite a few updates that affect healthcare institutions and other parties that work with personal health information. In short, these are the most important changes:

  • Additions to care-specific control measures: There are 14 additions to the existing ISO measures and 8 additional measures that specifically focus on healthcare. These are the result of an international review and are intended to better meet current information security requirements.
  • New chapters for control measures: Where the old standard contained 117 control measures, the updated version has 101, which are now divided into four chapters: organization, people, physical and technology. This provides a more logical structure, but also requires adjustments from organizations that are currently working with the old standard.
  • Changes to the ISMS: The information security management system (ISMS) remains largely the same, but some new elements have been added. A notable new requirement is that healthcare institutions must specify more explicitly whether or not they include legal and contractual information security requirements in their ISMS. This is an important change that requires more clarity from organizations.
  • Climate change: The impact of climate change on the organization, as included in the ISO standards, has now also been integrated into the renewed NEN 7510.
  • Changes to Appendix A: The biggest changes are in Appendix A, where most control measures are described. New measures such as configuration management and deleting information present challenges, especially for organizations with their own IT systems.

What is the impact for healthcare institutions?

For many healthcare institutions, the arrival of the renewed NEN 7510 feels like an extra burden. After years of investing time, resources and manpower to meet the old standard, a lot of adjustments now need to be made again. This can be overwhelming, but the changes are necessary to remain compliant with the latest information security standards.

Healthcare institutions that are already certified according to the old NEN 7510 will have to switch to the new version in the coming years. This update involves both new control measures and the deletion of some existing ones. For example, care-specific requirements for “screening” and the use of the “care relationship” as a basis for access to personal health information have been removed. The Information Security Management Forum (IBMF), which is present in many healthcare institutions, is also no longer part of the new standard. What does come back is the obligation to encrypt personal health information in backups.

The planning and transition period

Currently, the new standard is still in the consultation phase, which will run until September 22, 2024. Until then, experts have the opportunity to provide feedback on the draft version of the NEN 7510:2024. The final version is expected in December 2024, after which certification bodies can accredit themselves to carry out audits. The first certificates under the new standard are likely to be issued from April 2025.

It is expected that there will be a transition period in which organizations can switch from the old to the new standard, similar to previous transitions from ISO standards. This means that an end date will probably be mentioned (possibly sometime in 2028), after which it may be postponed to give everyone time to make the changes.

What next?

As a healthcare institution, do you want to get started with the new NEN 7510? That's possible! Make sure you properly identify the new control measures and requirements and adjust your ISMS accordingly. It is wise not to wait until the new standard is officially in force, so that you are well prepared for the transition. We can also help you with this, so feel free to contact us.
