Getting Started with NEN 7510

NEN 7510 is the Dutch standard for information security in healthcare. It is based on ISO 27001 and ISO 27002 but adds healthcare-specific requirements for protecting personal health information (persoonlijke gezondheidsinformatie). Compliance is effectively mandatory for Dutch healthcare organizations: the Dutch Data Protection Authority (AP) treated it as the benchmark for appropriate security of patient data under the Wbp and still does under the GDPR/AVG that replaced it, the Dutch Healthcare Inspectorate (IGJ) supervises against it, and the Besluit elektronische gegevensverwerking door zorgaanbieders requires healthcare providers to meet NEN 7510 when processing patient data electronically. NEN 7510 consists of two parts:
  • NEN 7510-1 - Management system requirements (based on ISO 27001)
  • NEN 7510-2 - Implementation guidance (based on ISO 27002, with healthcare-specific controls)
Supplementary standards NEN 7512 (electronic communication) and NEN 7513 (logging of access to patient data) provide additional requirements that are commonly implemented alongside NEN 7510. Matproof maps NEN 7510 requirements to controls, policies, and evidence workflows so you can demonstrate compliance to the IGJ and AP.
Activate NEN 7510 under Settings - Frameworks - NEN 7510. Controls are pre-populated based on NEN 7510-1 and the healthcare-specific extensions in NEN 7510-2.

Am I in Scope?

NEN 7510 applies to any organization that processes patient health information in the Netherlands:
  • Hospitals, clinics, and GP practices
  • Mental healthcare institutions
  • Pharmacies and laboratories
  • Health insurers
  • Municipal health services (GGD)
  • IT service providers that process health data for healthcare organizations
  • Home care and long-term care providers
If you provide IT systems or services that process patient data for Dutch healthcare organizations, you are expected to comply with NEN 7510 even if you are not a healthcare provider yourself. This is typically enforced through contractual requirements and data processing agreements.

NEN 7510 Structure

Since NEN 7510 is based on ISO 27001/27002, it follows a familiar structure with healthcare additions:
Section               | Topic                                                                          | Matproof Module
Clauses 4-10          | Information security management system (ISMS) requirements (aligned to ISO 27001) | Policies, Controls, Risk Management, Audit Programs
Annex A / NEN 7510-2  | Control objectives and controls, with healthcare-specific extensions           | Controls, Evidence
NEN 7512              | Trust framework for electronic communication of health information             | Controls
NEN 7513              | Logging requirements for access to patient records                             | Controls, Evidence

Key Healthcare-Specific Extensions

NEN 7510-2 adds or strengthens controls in these areas compared to ISO 27002:
  • Access control for patient data - role-based access, break-glass procedures for emergencies, automatic session timeouts
  • Logging and auditability - all access to patient records must be logged with who, when, what, and why (NEN 7513)
  • Data exchange - electronic exchange of patient data must meet trust requirements (NEN 7512)
  • Mobile devices - specific controls for tablets, smartphones, and portable media used in clinical settings
  • Physical security - controls for clinical environments where patient data is visible on screens or printed

Step 1 - Establish your ISMS

NEN 7510-1 requires a formal information security management system:
  • Define the ISMS scope - which systems, departments, and locations process patient data
  • Go to Policies - Generate and create your Information Security Policy
  • Assign an information security officer (informatiebeveiligingsfunctionaris)
  • Ensure management commitment is documented (board-level approval of the ISMS)

Step 2 - Conduct a risk assessment

  • Go to Risk Management - New Risk Assessment
  • Identify all systems that process patient health information
  • Assess threats and vulnerabilities specific to your healthcare context
  • Include risks related to patient safety (not just data confidentiality)
  • Document risk treatment decisions and acceptance criteria
NEN 7510 places equal emphasis on availability and integrity of health data, not just confidentiality. A system outage that prevents access to patient records during treatment is a serious risk that must be assessed.

Step 3 - Implement NEN 7510-2 controls

Work through the controls in Controls - NEN 7510:
  • Start with access control - implement role-based access to patient records, break-glass procedures for emergencies, and automatic session lockout
  • Implement logging per NEN 7513 - log all access to patient records including user identity, timestamp, patient identity, and type of access
  • Address mobile device and removable media controls for clinical staff
  • Implement physical security controls for treatment rooms, reception areas, and anywhere patient data is displayed
  • Address electronic data exchange per NEN 7512
NEN 7513 logging requirements are strict. Every access to a patient record - including read access - must be logged. Patients have the right to request an access log showing who viewed their data.
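The logging requirement above is easier to reason about in code. The following is an added example, not code from the original page or from Matproof: a minimal append-only access log that captures the who / when / what / why fields listed for NEN 7513, logs read access as well as changes, refuses an access without a stated reason, flags break-glass use for after-the-fact review, and answers a patient's "who accessed my record?" request. The field names, AccessType values, sample identifiers and the SHA-256 chaining of entries are assumptions for illustration, not NEN 7513's normative record format.

```python
# Added example (not from the original page or the product it describes).
# Field names, AccessType values, sample data and the hash chaining are
# assumptions for illustration, not NEN 7513's normative record format.
from __future__ import annotations

from dataclasses import dataclass, asdict, replace
from datetime import datetime, timezone
from enum import Enum
import hashlib
import json


class AccessType(str, Enum):
    READ = "read"        # read access is logged too, not only modifications
    CREATE = "create"
    UPDATE = "update"
    DELETE = "delete"
    EXPORT = "export"    # printing or exporting takes data out of the system


@dataclass(frozen=True)
class AccessEvent:
    timestamp: str        # when: UTC, ISO 8601
    user_id: str          # who: the authenticated individual, never a shared account
    user_role: str
    patient_id: str       # whose record was accessed
    record_part: str      # what: the part of the record that was touched
    access_type: AccessType
    reason: str           # why: treatment relationship or emergency justification
    break_glass: bool     # emergency access outside the normal authorisation
    prev_hash: str        # hash of the previous entry: edits break the chain
    entry_hash: str = ""


class PatientAccessLog:
    GENESIS = "0" * 64

    def __init__(self) -> None:
        self._entries: list[AccessEvent] = []

    @staticmethod
    def _hash(ev: AccessEvent) -> str:
        body = asdict(ev)
        body.pop("entry_hash")
        body["access_type"] = ev.access_type.value
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, user_id: str, user_role: str, patient_id: str, record_part: str,
               access_type: AccessType, reason: str, break_glass: bool = False,
               now: datetime | None = None) -> AccessEvent:
        if not reason.strip():
            raise ValueError("every access needs a stated reason (the 'why' field)")
        ts = (now or datetime.now(timezone.utc)).isoformat()
        prev = self._entries[-1].entry_hash if self._entries else self.GENESIS
        ev = AccessEvent(ts, user_id, user_role, patient_id, record_part,
                         access_type, reason, break_glass, prev)
        ev = replace(ev, entry_hash=self._hash(ev))
        self._entries.append(ev)
        return ev

    def verify_chain(self) -> bool:
        """True if no entry has been altered, removed or reordered."""
        prev = self.GENESIS
        for ev in self._entries:
            if ev.prev_hash != prev or self._hash(ev) != ev.entry_hash:
                return False
            prev = ev.entry_hash
        return True

    def access_report(self, patient_id: str) -> list[dict]:
        """The overview a patient may request: every access to their record."""
        return [{"when": e.timestamp, "who": e.user_id, "role": e.user_role,
                 "what": f"{e.access_type.value} {e.record_part}",
                 "why": e.reason, "break_glass": e.break_glass}
                for e in self._entries if e.patient_id == patient_id]

    def break_glass_events(self) -> list[AccessEvent]:
        """Emergency accesses that must be reviewed after the fact."""
        return [e for e in self._entries if e.break_glass]


def demo_log() -> PatientAccessLog:
    """Constructed sample: routine GP read, ER break-glass read, unrelated update."""
    log = PatientAccessLog()
    t0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    log.record("gp-4471", "general_practitioner", "pat-1001", "medication_list",
               AccessType.READ, "treatment relationship: own patient", now=t0)
    log.record("nurse-0812", "er_nurse", "pat-1001", "allergies", AccessType.READ,
               "unconscious patient in ER, no referral available",
               break_glass=True, now=t0.replace(hour=22))
    log.record("gp-4471", "general_practitioner", "pat-2002", "consult_note",
               AccessType.UPDATE, "treatment relationship: own patient",
               now=t0.replace(day=2))
    return log


def tamper_detected() -> bool:
    """Rewriting the reason on a stored entry must invalidate the chain."""
    log = demo_log()
    log._entries[1] = replace(log._entries[1], reason="routine check")
    return not log.verify_chain()


if __name__ == "__main__":
    log = demo_log()
    print(json.dumps(log.access_report("pat-1001"), indent=2))
    print("chain intact:", log.verify_chain(), "| tamper detected:", tamper_detected())
```

The two design choices worth carrying into a real implementation are that the "why" field is required at write time rather than reconstructed later, and that break-glass is a flag on the event rather than a separate, easily forgotten log, so the review queue is a single filter over the same tamper-evident record.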

Step 4 - Generate healthcare-specific policies

In addition to the standard information security policies, NEN 7510 requires:
  • Patient Data Access Control Policy (including break-glass procedures)
  • Mobile Device Policy for clinical environments
  • Electronic Health Data Exchange Policy
  • Logging and Audit Policy (aligned with NEN 7513)
Go to Policies - Generate to create these from the NEN 7510 templates.

Step 5 - Vendor and processor management

  • Go to Vendor Risk and identify all IT vendors that process patient data
  • Ensure data processing agreements (verwerkersovereenkomsten) are in place per GDPR/AVG
  • Verify that vendors comply with NEN 7510 or equivalent standards
  • Conduct periodic assessments of vendor security practices

Step 6 - Staff awareness and training

  • Go to People - Training
  • Assign information security awareness training to all staff with access to patient data
  • Include healthcare-specific scenarios (e.g., proper handling of patient data in clinical settings, responding to data requests, break-glass procedure usage)
  • Track completion and retain records as evidence

Step 7 - Internal audit and certification

  • Go to Audit Programs - New Audit - NEN 7510
  • Audit against NEN 7510-1 ISMS requirements and applicable NEN 7510-2 controls
  • Include NEN 7512 and NEN 7513 controls in the audit scope
  • Document findings as Corrective Actions
  • If pursuing formal certification, engage a certification body accredited for NEN 7510

Relationship to Other Standards

Standard    | Relationship
ISO 27001   | NEN 7510-1 is based on ISO 27001. An ISO 27001 certificate covers the ISMS foundation but does not address the healthcare-specific controls.
GDPR / AVG  | NEN 7510 compliance supports GDPR compliance for the security of processing (Article 32). The AP references NEN 7510 as the benchmark for healthcare data security.
NEN 7512    | Specifies trust requirements for electronic health data exchange. Implement alongside NEN 7510 if your organization exchanges patient data electronically.
NEN 7513    | Specifies logging requirements for access to patient records. Required of Dutch healthcare providers under the Besluit elektronische gegevensverwerking door zorgaanbieders, and the standard against which access logging is assessed.

Next Steps