NEN 7510 standard
The NEN 7510 standard, developed by NEN (the Royal Netherlands Standardization Institute), specifies the requirements for an information security management system in healthcare: it sets a framework for organizing and safeguarding information security within a healthcare setting. Organizations in the Netherlands that process patient health information must demonstrate compliance with the requirements set out in NEN 7510 in order to protect patient data adequately.
NEN 7510 is based on ISO 27001:2013 but introduces three additional controls, along with healthcare-specific control measures that supplement the existing ISO controls.
ISO 27001 is the globally recognized international standard for implementing and maintaining an Information Security Management System that effectively manages risks to the security of the information an organization holds. ISO 27001 is suitable for any organization that wishes to demonstrate its information security, such as data centers, system operators and software as a service (SaaS) suppliers.
Nuance Cloud services are fully ISO 27001 certified. Certificates are available upon request.
NEN 7510 requires three additional control measures compared to ISO 27001:2013:
- Health information systems must uniquely identify healthcare recipients
- Health information systems must enable validation of output data
- Publicly available health data must be archived and protected to prevent unauthorized changes
Customers in the Dutch healthcare sector using Nuance Cloud solutions are required to establish that they comply with NEN 7510.
Nuance itself is not subject to NEN 7510. Nonetheless, the Nuance Information Security Management System (ISMS) undergoes various periodic certifications and audits that cover the requirements of NEN 7510, including its specific control measures. The Nuance ISMS has been assessed by an external third party and deemed equivalent to NEN 7510.
NEN 7512 supplements NEN 7510. Its scope is electronic communication in healthcare: between healthcare professionals and healthcare organizations, and between those parties and patients, clients, healthcare insurers and other parties involved in healthcare.
NEN 7513 is a further elaboration of NEN 7510 and provides clear guidance on recording and reporting who has had access to the electronic patient record. Principally concerned with logging, the standard addresses healthcare professionals, administrators of personal health information, their system suppliers, and those responsible for the privacy and security of the patient record.
In addition, NEN 7510 attaches a healthcare-specific control measure to 33 existing ISO control measures, supplementing, for example, the user access management controls with specific considerations for those who have access to patient health information.
NEN 7512: Nuance Dragon Medical™ solutions process data in France, the UK and Germany, and NEN certification is therefore not applicable to them. However, Nuance products demonstrably meet the security requirements for network connections outlined in NEN 7512, as data is encrypted both in transit and at rest.
NEN 7513: NEN certification is not applicable to Nuance Dragon Medical™ solutions. Nonetheless, Nuance demonstrably meets the logging requirements outlined in NEN 7513, as Nuance uses a third-party logging tool that is both SOC 2 and ISO 27001 certified.
A: Demonstrating NEN compliance is the responsibility of the healthcare organization (the “customer”). Typically, a customer assesses its control environment, including its technological and organizational ecosystem, which may or may not include a cloud vendor. A third-party auditor then reviews and certifies the overall ISMS for NEN 7510 compliance. The Nuance NEN 7510 Equivalence report provides the necessary overview of the controls of Nuance products within your clinical setting, but cannot cover end-to-end compliance within your organization.
A: Nuance Cloud services are ISO 27001 certified, with certificates available in Dutch if needed. Furthermore, Nuance makes available a NEN equivalence report that details the additional control measures required by NEN 7510.
A: Nuance Dragon Medical™ solutions process data in France, the UK and Germany, and NEN 7512 certification is therefore not applicable to them. However, Nuance products demonstrably meet the security requirements for network connections outlined in NEN 7512, as data is encrypted both in transit and at rest, as evidenced by Nuance's HIPAA compliance.
A: NEN certification is not applicable to Nuance Dragon Medical™ solutions. Nonetheless, Nuance demonstrably meets the logging requirements outlined in NEN 7513, as Nuance uses a third-party logging tool that is SOC 2 and ISO 27001 certified and HIPAA compliant. Further information is available upon request.