Because the NEN 7510 originated from ISO 27001, it is possible to become certified for both standards at the same time. In case an organisation is already ISO 27001 certified, it is relatively simple to add the NEN 7510 certification.
For whom is NEN 7510 relevant?
Obtaining the NEN 7510 certification is becoming an obligation for more and more healthcare institutions and organisations, especially when information systems are being connected to the LSP, Vecozo and MedMij.
Health care institutions are obliged by the General Data Protection Regulation (GDPR) to protect personal data sufficiently. This information should be protected within the whole chain, therefore the appeal to meet the NEN 7510 is becoming in demand for suppliers as well.
In the real world we not only find suppliers of healthcare information systems, but also suppliers of content management systems and even communication solutions and their ISO 27001 certification, hoping to obtain the NEN 7510- certification as an addition.
It is important to make sure that the certificate is useable for your customers. In other words, it should be clear (from the scope description and the Statement of Applicability, SoA) where medical data can be processed. Finally, the auditor will verify whether or not the extra demands from the NEN 7510 are being met.
As an example I would like to take measure A.9.4.1. (Constraint admission to information). ISO 27001 states that the means of accessing the information should be in line with the company’s policy. NEN 7510 defines on that these means should include two-factor authentication and that the access to patient records should be separated from any other data.
As a supplier it would be very easy to say ‘’But, I do not process patient records, so I won’t have to comply’’. However, it is important to see this matter from the perspective of your customer.
The supplier should consider the possibility that a health care institution will use it’s systems to save medical data. The system should support two-factor authentication. This is of course not necessary for al customers, but this should be offered to health care institutions, otherwise they won’t be able to comply with the lawfully demands.
To make sure the NEN-7510 certificate for the health institution is usable, this should appear unequivocally from the scope description on the certificate. For example by recording the addition ‘’Healthcare data can be processed in the content management system and are being sufficiently protected’’. On the SoA it can be pointed out that this control is included because of a contractual or even legal requirements.
Because the NEN 7510 norm concurs with the ISO 27001 in every way, this scope description and the SoA can still be used for both standards.
Even when you are not the supplier of a healthcare information system, obtaining a NEN 7510 certificate can still be relevant. For example, when you would like to have healthcare organizations within you circle of clients, or when it can not be excluded that your systems is being used to process personal health data.
To make sure the NEN 7510 certificate is usable for the target group it is important to identify in which areas healthcare data is processed, to have the right controls in place and to be transparent about this on the certificate and the SoA.