The advent of the European directive NIS2 brings new requirements for cybersecurity and resilience of essential services in EU member states. As healthcare has been characterised as a ‘highly critical sector’, new requirements for cybersecurity within healthcare facilities and hospitals¹ also follow from this. While many organisations are already familiar with NEN 7510, the step to full NIS2 compliance is challenging and necessary. In this blog, we discuss five crucial steps to prepare your institution for NIS2.
¹ These requirements particularly apply to government institutions and companies that are essential to the economy and society. There are also specific criteria that take into account size and impact, such as organisation size > 250 employees or annual turnover > €50 million and balance sheet total of > €43 million (source: NCTV, https://www.nctv.nl/onderwerpen/cer–en-nis2-richtlijnen/wat-zijn-de-sectoren-en-criteria-die-bepalen-of-een-organisatie-onder-de-nis2-richtlijn-valt)
1. Understand the difference between NEN 7510 and NIS2
NEN 7510 is a Dutch standard that focuses on information security in healthcare. It provides guidelines for securing patient data and other sensitive information. However, NIS2 is a broader European directive that goes beyond NEN 7510 and aims to make organisations that are considered critical (such as healthcare institutions) more resilient to cyber threats.
While NEN 7510 provides a solid foundation, certification is not enough to fully comply with the requirements of NIS2. For full NIS2 compliance, healthcare institutions need to expand their measures to meet the additional requirements. It is therefore essential to understand and implement the differences and overlaps between the two standards.
2. Conduct a risk analysis and work towards NEN 7510 certification
NEN 7510 does provide an excellent starting point on the road to NIS2 compliance. The standards framework includes:
- Governance: Establishing policies and responsibilities.
- Risk management: Identifying, assessing, and managing risks.
- Information Security Management System (ISMS): A system for controlling information security.
Certification according to NEN 7510 helps your organisation build a solid foundation. Given the expected update of NEN 7510 due to NIS2, it is important to keep this certification in order and proactively keep abreast of the latest developments within the standard.
3. Strengthen Security Measures
In addition to the basic requirements of NEN 7510, NIS2 calls for strengthened security measures:
- Multifactor authentication (MFA): Ensure strong access control by implementing MFA, which helps prevent unauthorised access.
- Regular security audits and penetration tests: Conduct these to identify and remedy security weaknesses.
- Employee awareness training: Train your staff regularly on the latest cyber threats and security procedures to minimise human error.
4. Establish an Incident Response Plan
Being prepared for cyber incidents is a core component of NIS2 compliance. An effective incident response plan includes:
- Define roles and responsibilities: Clearly define who plays what role in a cyber incident.
- Regular testing: Test your plan regularly to ensure effectiveness and make adjustments where necessary.
- Communication procedures: Make sure everyone in the organisation knows how and when to respond to a cyber incident.
By following these steps, you can respond quickly and appropriately to cyber incidents, which helps minimise damage and recovery costs and time.
5. Cooperation and Information Exchange
NIS2’s strength also lies in collaboration:
- Collaborate with other healthcare organisations: Share information on cyber threats and incidents with other healthcare organisations and learn from each other’s experiences. Z-cert is also a good platform for this.
- Follow developments in cybersecurity: Keep abreast of the latest threats and best practices, and adapt your security measures accordingly.
Effective collaboration and information sharing can help increase joint resilience against cyber threats.
Conclusion
NIS2 brings significant changes to cybersecurity requirements in healthcare facilities and hospitals. By following the above five steps, healthcare organisations can not only comply with the new regulations, but also improve their overall cyber resilience. This way, you will be well prepared for the challenges posed by NIS2.
Action is required: Start preparing today to ensure your organisation is compliant and well protected against the growing threats of cyberspace. However, many organisations face difficulties in finding the right knowledge and experience to tackle this complex challenge. This is where Supply Value can offer support.
Supply Value has the expertise and resources to effectively guide healthcare organisations and hospitals through the implementation of NIS2 compliance. Whether you need help with the initial assessment, the implementation of security measures, or the creation of an incident response plan, we are ready to support your organisation.
Contact Supply Value today to find out how we can help your organisation make a smooth and effective transition to NIS2 compliance. Together, we will ensure that the organisation is optimally protected against increasing cyber threats and ready for the future!
—
¹ [NEN 7510 and NIS2 Comparison] (https://www.nen.nl/nen-7510)
² [NIS2 Directive Details] (https://www.europa.eu/nis2)
