The NEN 7510 is the official Dutch standard for setting up and implementing information security management systems for organizations working with healthcare patient data. The standard became mandatory for healthcare institutions and providers starting on January 1, 2018, offering further interpretation and accountability under Article 32 of the GDPR.  

This article covers the NEN 7510, what it means for healthcare providers, and how you can stay compliant with GDPR and other government regulations.  

What is the NEN 7510

NEN 7510 is a set of free standards, outlining practices and mandatory requirements for processing personal data, with an emphasis on confidentiality and accountability. The NEN 7510, 7512, and 7513 offer additional interpretation of requirements in light of the needs of healthcare providers. It also offers measures and standards to identify risks to ensure the confidentiality, availability, and integrity of secured data. The standards also ensure that data owners can decide what information can be shared, and to which providers.  

It also means:  

  • All healthcare institutions must have a Data Protection Officer (DPO) (article 9, article 2) 
  • The National Communication Point for Healthcare, VECOZO, requires software suppliers in the healthcare sector to demonstrate their products comply with NEN 7510, 7512, and 7513.

Essentially, the NEN 7510 comprises additional personal privacy and confidentiality regulations for healthcare providers, in addition to the GDPR. Once certified, your organization is included in the NEN 7510 register, which is available to the public. Your organization does not have to be NEN 7510 certified to be compliant.  

Is the NEN 7510 Mandatory?

Yes. The NEN 7510 was put into place under law by the Supplementary Provisions for Data Processing in Healthcare Act (WABGVZ in Dutch), which came into force on Jan 1 of 2018. Organizations sharing, storing, creating, or processing private data for patients must comply with the regulation. The NEN 7510 is listed under Article 3 of the Order in Council (AMvB) (General Administrative Order, which means it falls under the supervision of the Healthcare Inspectorate (IGZ). This means the IGZ reviews and looks for NEN 7510 compliance when assessing whether healthcare institutions of any size are taking correct measures to maintain information security measures.  

Organizations are considered NEN 7510 compliant if they can demonstrate compliance with a certificate following an audit, which includes a pentest. All healthcare organizations, regardless of size or nature of business processes, are required to comply with the NEN 7510.  

NEN 7510 vs Other Compliance Standards

The NEN 7510 is just one of a number of data privacy standards available for healthcare organizations. This section compares the NEN 7510 with ISO 27001 / 2, DigiD, HIPAA, and others.  

NEN 7510 vs. ISO 27001/2 – Organizations operating on an international basis will likely prefer to use the ISO 27001/2. However, you are required, by law, to utilize the NEN 7510 in the Netherlands. The good news is that the NEN 7510 is very similar and complying with both is relatively easy.  

NEN 7510 vs GDPR – NEN 7510 supplements the GDR for caregivers and healthcare providers, under the stipulations delivered by Article 32 of the GDPR. Healthcare providers need NEN 7510 compliance to be GDPR compliant.  

NEN 7510 vs DigiD  – The NEN 7510 looks for patient data-specific information security standards. DigiD mandates communication standards. Any healthcare organization using DigiD needs both.  

NEN 7510 vs. HIPAA – HIPAA, like the NEN 7510, prescribes security measures with standard protocols and measures to protect client data. It is very similar to the NEN 7510. Organizations that work in the United States and the Netherlands must comply with both.  

Achieving NEN 7510 Compliance

Achieving NEN 7510 compliance means exhibiting to an auditor and to clients that you meet the standards listed in the free documentation provided by NEN. This process includes a pentest, equivalent to the ISO 27001 pentest, reviewing the security of IT security systems and networks. This certification must be handled by an independent and third party.  

If you’re working towards NEN 7510 compliance, you need to pentest your information security and systems. PentestHero has worked with medical providers for over a decade, delivering healthcare compliance pentests for DigiD, ISO 27001, GDPR, HIPAA, and NEN 7510. We have the experience to thoroughly assess your assets and standards to ensure full compliance, so you ace your audit and earn certification. Visit our Healthcare page to see how we handle pentests for medical organizations.