NEN7510 for ICT services: when does it apply and when not?
ICT organisations that deliver services to healthcare providers are often required to comply with NEN7510-1:2017. But is that requirement actually correct, and can every ICT supplier be certified against this standard? This is a question we receive often, hence this news article. An ICT supplier that delivers services to a healthcare institution can only obtain NEN7510 certification if it actually processes personal health information.
The definition given in the NEN7510 'rulebook' itself is: information about an identifiable individual relating to the physical or mental condition of, or the provision of healthcare services to, the individual in question, which may include:
(a) information on the registration of the person for the provision of healthcare services;
(b) information on payments or eligibility for care related to the person;
(c) a number, symbol or particular assigned to a person as a unique identifier of that person for medical purposes;
(d) any information about the person gathered during the provision of care services to the person;
(e) information derived from a test or examination of a body part or bodily substance; and
(f) identification of a person (e.g. a healthcare professional) as providing care to the person.
So an ICT service provider can only become NEN7510 certified if it processes personal health information. But what does 'process' mean?
Article 4 of the AVG (the Dutch implementation of the GDPR) gives the explanation here. The AVG describes processing as: any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
In a separate document (SAP-C025), the RvA (the Dutch accreditation council) has set requirements for ICT service providers that manage health information. There must be an interface with the healthcare institution. This is to prevent organisations that do not process health information at all from still seeking certification; ISO27001 applies to those organisations instead. Furthermore, SAP-C025 states that the Statement of Applicability must describe those interfaces. If an organisation cannot do so, it follows that it cannot be certified for NEN7510. Excluding many of the healthcare-specific controls is therefore not possible.
Conclusion: the important point is that the ICT service provider is a processor of the personal health information. Merely storing and retaining that information already constitutes an interface. Furthermore, the scope should make clear which activities, products and services relate to the management of personal health information and which are outsourced. The Statement of Applicability (VvT) should state for each control whether it relates to the interface.
DigiTrust is an active participant in the NEN consultation platform and in 2019 was the first certification body to be accredited for both the Healthcare and the ICT cluster. We therefore have a great deal of experience and knowledge in-house.
The DigiTrust back office can always provide you with further information. A free consultation with an experienced lead auditor is also always possible. We have short lines of communication and are always available for further information regarding the above requirements.