What is NEN 7510? A Guide to Dutch Healthcare Security

Cross-border partnerships in healthcare define modern IT operations. If your organisation provides software, services, or data processing to Dutch healthcare institutions, you have likely encountered a specific requirement in your contract: Compliance with NEN 7510.

For UK IT managers, this often causes confusion. It looks like ISO 27001, but the specifics are stricter. This guide demystifies the standard and outlines how Identity and Access Management (IAM) is the most efficient route to compliance.

What is NEN 7510?

NEN 7510 is the strictly enforced standard for information security within the Dutch healthcare sector. While it relies heavily on the international ISO/IEC 27001 framework, it extends these general controls with specific requirements tailored to the protection of patient health information (PHI).

NEN 7510 acts as "ISO 27001 Plus." It takes the global baseline of information security and applies a rigorous healthcare filter. Where ISO 27001 might require "secure logging," NEN 7510 mandates specific logging retention periods and privacy safeguards relevant to medical records.

Why This Matters to UK Organisations

Compliance is mandatory for the entire chain of care. The Dutch Health and Youth Care Inspectorate (IGJ) enforces this standard not just on hospitals and GPs, but on any external party processing patient data.

If you are a UK-based SaaS provider, managed service provider (MSP), or data processor working with Dutch clients, you fall under this scope. Your Dutch partners cannot legally outsource data processing to you unless you can demonstrate NEN 7510 compliance. The most transparent method to prove this is formal certification.

The Structure: How NEN 7510 Works

The standard operates on the same high-level structure as ISO 27001 but is divided into two distinct parts.

1. NEN 7510-1 (The Normative)

This is the rulebook. It states exactly what an organisation must do. It outlines the management system (ISMS) requirements and includes "Annex A," a list of mandatory controls based on risk.

2. NEN 7510-2 (The Informative)

This is the guidance. It provides the "how." If Part 1 states you must "control access to health data," Part 2 offers practical implementation advice, similar to ISO 27002.

Key Differences from General Security

NEN 7510 introduces healthcare-specific controls that general standards miss.

  • Asset Return: ISO 27001 requires employees to return laptops. NEN 7510 adds strict protocols for sanitising local health data from those devices immediately.

  • Access Context: Access rights must be determined not just by identity, but by the care relationship between the provider and the patient.
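The "access context" rule above (identity alone is not enough; the care relationship decides) is easier to see as a decision function. The following is an added illustration, not text or code from NEN 7510 or from Tools4ever; the data model, role names, dates and reason strings are constructed assumptions. A request is allowed only when the user holds a clinical role and has a treatment relationship with that patient which is still active on the day of the request, so a relationship that ended yesterday no longer grants anything.

```python
"""Added example (not from the page or from NEN 7510 itself): an access decision that
requires both an authorised role and an active care relationship with the patient.
Data model, role names, dates and reason strings are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class TreatmentRelationship:
    practitioner_id: str
    start: date
    end: Optional[date] = None  # None: relationship still open

    def active_on(self, day: date) -> bool:
        return self.start <= day and (self.end is None or day <= self.end)


@dataclass
class PatientRecord:
    patient_id: str
    relationships: List[TreatmentRelationship] = field(default_factory=list)


@dataclass(frozen=True)
class User:
    user_id: str
    role: str


# Roles permitted to touch health data at all (constructed role names).
CLINICAL_ROLES = {"physician", "nurse"}
# Operations this decision point recognises.
ACTIONS = {"read", "write"}


def decide_access(user: User, record: PatientRecord, action: str, today: date) -> Tuple[bool, str]:
    """Return (allowed, reason). Identity alone never grants access: the caller must
    hold a clinical role AND an active treatment relationship with this patient."""
    if user.role not in CLINICAL_ROLES:
        return False, f"role '{user.role}' may not access health data"
    if action not in ACTIONS:
        return False, f"action '{action}' is not a recognised operation"
    if any(r.practitioner_id == user.user_id and r.active_on(today) for r in record.relationships):
        return True, "active treatment relationship"
    # Clinical role but no current relationship: the "non-treating staff" case.
    return False, "no active treatment relationship with this patient"


def sample_decisions() -> dict:
    """Constructed cases: treating physician, physician whose relationship ended
    yesterday, a non-clinical user, and an unrecognised action."""
    today = date(2025, 3, 1)
    record = PatientRecord("p-001", [
        TreatmentRelationship("dr-a", date(2025, 1, 10)),
        TreatmentRelationship("dr-b", date(2024, 1, 1), date(2025, 2, 28)),
    ])
    return {
        "treating": decide_access(User("dr-a", "physician"), record, "read", today),
        "ended": decide_access(User("dr-b", "physician"), record, "read", today),
        "non_clinical": decide_access(User("fin-1", "finance"), record, "read", today),
        "bad_action": decide_access(User("dr-a", "physician"), record, "export", today),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in sample_decisions().items():
        print(f"{name:13s} {'ALLOW' if allowed else 'DENY':5s} {reason}")
```

The deny reasons are returned rather than only logged so that the same function can feed both the audit trail and a user-facing message; the relationship end date is inclusive, which is an assumption of this example, not a rule from the standard.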

The Role of Risk Management

Compliance is not a checklist; it is a risk-based cycle. You cannot secure everything equally.

  1. Risk Analysis: You must identify specific risks to patient data, such as unauthorised viewing of files by non-treating staff.

  2. Statement of Applicability: You determine which controls from the NEN 7510 list are necessary to mitigate those specific risks.

  3. PDCA Cycle: You must implement a Plan-Do-Check-Act cycle to ensure controls remain effective as threats evolve.

Why Manual IAM Fails NEN 7510

NEN 7510 places extreme weight on access control. The standard demands that you grant access strictly based on the "Need-to-Know" principle and revoke it the moment it is no longer required.

In many organisations, this is a manual process handled by the Service Desk. This creates compliance gaps.

  • Accumulation of Rights: An employee moves roles but keeps old permissions. Under NEN 7510, this is a major non-conformity.

  • Slow Revocation: A leaver remains in the system for days after departure.

  • Lack of Evidence: Auditors require logs of who granted access and why. Emails and tickets are insufficient proof.

The Comparison: Manual Process vs. Automated Governance

Feature           | Manual Process (Service Desk)                | Automated Governance (HelloID)
User Registration | High Risk (Human error in data entry)        | Automated via HR Source
Access Management | High Risk (Toxic combinations of rights)     | Role-Based Access Control (RBAC)
User Revocation   | Critical Risk (Leaver access remains active) | Instant disablement on contract end
Audit Trail       | Poor (Fragmented tickets/emails)             | Centralised, immutable audit logs

The Solution: HelloID for NEN 7510 Compliance

Tools4ever’s HelloID provides the technical framework to satisfy NEN 7510 access controls without burdening your IT staff.

1. Enforcing Least Privilege

HelloID links directly to your HR system or Source of Truth. It detects a user’s role and provisions only the access required for that specific job function. This satisfies the strict NEN 7510 requirement for role-based limitation of access.

2. Automated "Joiner, Mover, Leaver" Logic

  • Joiners: Day 1 access is standardised.

  • Movers: When a user changes departments, HelloID strips old permissions before adding new ones, preventing "access creep."

  • Leavers: Access is revoked automatically on the contract end date, mitigating the highest risk factor in the audit.
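The three compliance gaps listed under "Why Manual IAM Fails NEN 7510" (accumulated rights, slow revocation, missing evidence) and the joiner/mover/leaver logic just described are two sides of one reconciliation loop. The following is an added example of that loop, written for this page; it is not HelloID's code, and the HR records, account states, role table and contract-end convention in it are constructed assumptions. It revokes before it grants (so a mover never holds old and new rights at once), disables on the contract end date without waiting for a ticket, disables accounts that no HR record can justify, and records every change as an audit event with a reason.

```python
"""Added example (not HelloID's code): joiner/mover/leaver reconciliation driven by an
HR source of truth, with role-based entitlements and an audit event for every change.
All data below is constructed; contract_end is assumed to be the first day WITHOUT a contract."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set

# Constructed RBAC table: role -> entitlements in target systems.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "nurse": {"ehr-read", "ehr-write", "rota"},
    "finance": {"billing", "erp"},
}
BASELINE: Set[str] = {"email", "intranet"}  # standard day-1 set for every active employee

@dataclass
class HrRecord:
    employee_id: str
    role: str
    contract_start: date
    contract_end: Optional[date] = None

@dataclass
class Account:
    employee_id: str
    enabled: bool = True
    entitlements: Set[str] = field(default_factory=set)

@dataclass(frozen=True)
class AuditEvent:
    day: date
    employee_id: str
    action: str  # create / enable / grant / revoke / disable
    detail: str
    reason: str

def is_active(rec: HrRecord, today: date) -> bool:
    return rec.contract_start <= today and (rec.contract_end is None or today < rec.contract_end)

def desired_entitlements(rec: HrRecord) -> Set[str]:
    return BASELINE | ROLE_ENTITLEMENTS.get(rec.role, set())

def reconcile(hr_records: List[HrRecord], accounts: Dict[str, Account], today: date) -> List[AuditEvent]:
    """Bring accounts in line with HR. Mutates accounts in place; returns the audit trail."""
    events: List[AuditEvent] = []

    def log(emp: str, action: str, detail: str, reason: str) -> None:
        events.append(AuditEvent(today, emp, action, detail, reason))

    def strip_and_disable(acct: Account, reason: str) -> None:
        for ent in sorted(acct.entitlements):
            log(acct.employee_id, "revoke", ent, reason)
        acct.entitlements.clear()
        acct.enabled = False
        log(acct.employee_id, "disable", "account", reason)

    known: Set[str] = set()
    for rec in hr_records:
        known.add(rec.employee_id)
        acct = accounts.get(rec.employee_id)
        if not is_active(rec, today):
            # Leaver: revoke on the contract end date itself, not when someone raises a ticket.
            if acct is not None and (acct.enabled or acct.entitlements):
                strip_and_disable(acct, "contract ended")
            continue
        if acct is None:
            # Joiner: account exists from day 1 with the standard set.
            acct = accounts[rec.employee_id] = Account(rec.employee_id)
            log(rec.employee_id, "create", "account", f"joiner, role={rec.role}")
        elif not acct.enabled:
            acct.enabled = True
            log(rec.employee_id, "enable", "account", "contract active")
        want = desired_entitlements(rec)
        # Mover (or plain drift): revoke first, then grant, so old and new rights never coexist.
        for ent in sorted(acct.entitlements - want):
            acct.entitlements.discard(ent)
            log(rec.employee_id, "revoke", ent, f"not part of role {rec.role}")
        for ent in sorted(want - acct.entitlements):
            acct.entitlements.add(ent)
            log(rec.employee_id, "grant", ent, f"role {rec.role}")
    # Orphans: an account with no HR record cannot be justified to an auditor.
    for emp, acct in accounts.items():
        if emp not in known and (acct.enabled or acct.entitlements):
            strip_and_disable(acct, "no HR record")
    return events

def sample_run():
    """Constructed scenario: stale right (e1), mover (e2), leaver today (e3), joiner today (e4), orphan (e9)."""
    today = date(2025, 3, 1)
    hr = [
        HrRecord("e1", "nurse", date(2024, 1, 1)),
        HrRecord("e2", "nurse", date(2023, 6, 1)),                      # moved from finance
        HrRecord("e3", "finance", date(2022, 1, 1), date(2025, 3, 1)),  # contract ends today
        HrRecord("e4", "nurse", date(2025, 3, 1)),                      # starts today
    ]
    accounts = {
        "e1": Account("e1", True, {"email", "intranet", "ehr-read", "ehr-write", "rota", "billing"}),
        "e2": Account("e2", True, {"email", "intranet", "billing", "erp"}),
        "e3": Account("e3", True, {"email", "intranet", "billing", "erp"}),
        "e9": Account("e9", True, {"email"}),                            # no HR record
    }
    return accounts, reconcile(hr, accounts, today)
```

Running sample_run() and printing the returned events gives the kind of evidence L62 asks for: each grant and revoke names the employee, the entitlement, the date and the reason derived from the HR record, rather than an e-mail thread. Because the loop is idempotent, a second run on the same day produces no events, which is itself a useful check that the target system has not drifted.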

3. The Audit Trail

NEN 7510 auditors demand data. HelloID logs every attribute change, permission grant, and login attempt. When the auditor asks for evidence of your access control procedure, you can generate a report in seconds.

NEN 7510 checklist

NEN 7510 checklist for IAM capabilities

When setting up an ISMS based on NEN 7510 you assess, for each control, whether it is relevant to you and must be implemented. Identity and Access Management now plays a role in a significant number of those controls. For example, you want to determine, for each individual employee and as far as possible on the basis of that person's role, which applications and data they should have access to. You also want to streamline access requests and other account processes in a controlled manner and, depending on someone's profile and user context, apply Multi-Factor Authentication where necessary. Last but not least, you want to automatically log all individual administrative actions and login attempts for potential audit trails.

Many security professionals therefore assess their existing IAM solution for its suitability for their NEN 7510 plans. As an aid, Tools4ever has produced a whitepaper (NEN 7510 and the role of Identity Management). In it you will find a comprehensive introduction to this healthcare standard, and it delves deeper into the role of Identity Management in information security within healthcare institutions. A useful tool alongside this is our NEN 7510 checklist. For each NEN 7510 control it describes whether IAM functionality is required for it and how a modern IAM solution can best support the security requirements. We describe this in the checklist using our own HelloID platform.

NEN 7510 is a Dutch information security standard for medical institutions such as hospitals, GP practices, and dental practices. NEN 7510 provides rules to ensure that all sensitive patient information is stored and processed securely, including between care providers.

In addition to the general NEN 7510 standard for information security in healthcare institutions, this series of standards includes several specific standards. Examples are NEN 7512 (electronic data processing) and NEN 7513 (logging of activities). The series as a whole is sometimes referred to as NEN 751x.

ISO 27001 is a general, widely used, international standard for establishing an information security management system. NEN 7510 uses the same structure, but can be used to set up an information security management system within healthcare. NEN 7510 is therefore comparable to ISO 27001 at a high level, but with more specific requirements around medical systems and data.

Certification is not mandatory, but healthcare institutions are required to demonstrate that their information security complies with the NEN 7510 standard. A structured and transparent way to do this is through certification. The Health Care Inspectorate (IGZ), patients, health insurers and partners can then see at a glance that the organisation meets all requirements.

NEN 7510 consists of two parts, NEN 7510-1 and NEN 7510-2. NEN 7510-1 also includes, as an annex, a table A1 with controls. The main text of NEN 7510-1 and that table A1 form the normative part of NEN 7510 against which you can certify. NEN 7510-2 is more informative. That is why one sometimes refers specifically to NEN 7510-1+A1.