Healthcare providers, take note: prepare now for supervision by the Dutch DPA

Over the coming months, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) will carry out random inspections of healthcare providers, focusing on data security and the proper handling of personal data. These inspections follow a recent announcement by the Minister of Health, Welfare and Sport (VWS). Healthcare providers are being urged to improve compliance with the legal frameworks for data security and to strengthen security awareness among staff.

The AP can take enforcement action even if no actual data breach or security incident has occurred, for example where information security measures are inadequately designed or implemented. For healthcare providers, this means it is time to critically assess how information security is organized and how it operates in practice within their organization.

Data security in healthcare falls short

It is no surprise that the AP is focusing on the healthcare sector. Healthcare providers process large volumes of health data. Under the General Data Protection Regulation (GDPR), such data qualifies as special category personal data. Stricter requirements apply to these data, particularly in relation to information security. Healthcare providers must implement appropriate technical and organizational measures and must also be able to demonstrate that these measures are genuinely effective.

Despite these stricter requirements, the healthcare sector has been a long-standing leader in the number of reported data breaches. This remained the case in 2024, as shown by the AP’s annual data breach report. A key driver is the rise in cyber threats. Medical data has a high value on the dark web, making healthcare providers an attractive target for ransomware attacks and identity fraud. A recent large-scale data breach in the healthcare sector, in which data relating to hundreds of thousands of patients ended up in the hands of cybercriminals, illustrates how significant these risks can be in practice.

At the same time, a substantial proportion of data breaches are not caused by external attacks, but by internal threats. Employees play a crucial role in handling personal data. In practice, it is often employees who cause incidents through unauthorised or careless actions. A recent example in the healthcare sector, where employees were dismissed after accessing more than a thousand patient records without a valid reason, once again underlines this risk.

What does the AP focus on?

Although the AP has not published its assessment criteria, the GDPR, previous investigations and enforcement decisions provide a clear indication of where the emphasis will lie. Below, we set out the legal framework per topic and explain what healthcare providers can do in practice to meet these requirements.

1. Access control to patient data

Employees may only have access to patient data to the extent necessary for the performance of their role (need-to-know). Excessively broad authorisations, the use of generic accounts and the absence of periodic reviews of access rights pose significant risks.

What can you do?

  • Create or update an authorisation matrix.
  • Periodically review who has access to patient records.
  • Revoke unnecessary rights, with particular attention to temporary roles, role changes and employees leaving the organization.

2. Logging

Healthcare providers are required to log actions carried out in patient records. It must be possible to see which employee accessed or amended which patient data, and when. Attempts at unauthorised access must also be recorded. Incomplete logging or the failure to review log files on a regular basis increases the risk of unauthorised access and undetected misuse.

What can you do?

  • Log all actions relating to patient records and retain these logs for at least five years from the date of the action.
  • Record how and by whom logs are reviewed on a structural basis.
  • Include in a sanctions policy how unlawful actions in patient records are handled.
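The review step above (and the periodic authorisation review under point 1) can be partly automated. The following is an added illustration, not code from the post or from any NEN standard: it parses a constructed access log in the form NEN 7513 calls for (who, when, which record, which action, outcome) and flags denied attempts, actions outside a role's entitlement in a constructed authorisation matrix, and users who touched more distinct records than a reviewer would expect. The log format, roles, threshold and user names are all assumptions.

```python
"""Review patient-record access logs against an authorisation matrix (added example)."""
from collections import defaultdict

# Constructed sample log: timestamp, user, role, patient id, action, outcome.
SAMPLE_LOG = """\
2025-03-10T08:01:12 jdv nurse P1001 read ok
2025-03-10T08:03:40 jdv nurse P1002 read ok
2025-03-10T08:05:09 jdv nurse P1003 read ok
2025-03-10T08:06:55 jdv nurse P1004 read ok
2025-03-10T09:12:31 mkl clerk P2001 read ok
2025-03-10T09:13:02 mkl clerk P2001 update ok
2025-03-10T09:20:47 rbs physician P3001 update ok
2025-03-10T10:02:18 xqz nurse P1001 read denied
2025-03-10T10:02:25 xqz nurse P1002 read denied
"""

# Constructed authorisation matrix: the actions each role is entitled to perform.
AUTHORISATION_MATRIX = {
    "physician": {"read", "update"},
    "nurse": {"read", "update"},
    "clerk": {"read"},
}

def parse_log(text):
    """Turn one log line per access into a dict; every field is mandatory."""
    records = []
    for line in text.splitlines():
        ts, user, role, patient, action, outcome = line.split()
        records.append({"ts": ts, "user": user, "role": role,
                        "patient": patient, "action": action, "outcome": outcome})
    return records

def review(records, matrix, max_patients=3):
    """Return (finding, user, detail) tuples a log reviewer should follow up on."""
    findings = []
    patients_per_user = defaultdict(set)
    for r in records:
        if r["outcome"] != "ok":                       # refused access attempt
            findings.append(("denied_access", r["user"], r["patient"]))
        elif r["action"] not in matrix.get(r["role"], set()):
            findings.append(("outside_role", r["user"], r["patient"]))
        else:
            patients_per_user[r["user"]].add(r["patient"])
    for user, patients in patients_per_user.items():   # unusually broad access
        if len(patients) > max_patients:
            findings.append(("broad_access", user, len(patients)))
    return findings
```

The threshold of three distinct records is arbitrary; in practice it would be derived from a user's role and caseload, and each finding would be recorded together with who reviewed it and when.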

3. Data breaches

The GDPR requires organizations to record data breaches in a data breach register and, where necessary, to notify the AP and/or the affected individuals in a timely manner. Failure to identify, record and evaluate data breaches in time leads to a lack of insight into structural vulnerabilities. This increases the risk that similar incidents will continue to occur.

What can you do?

  • Keep the data breach register up to date and record every (suspected) incident, including the facts, consequences and corrective measures taken.
  • Clearly set out who assesses, follows up on, and reports data breaches (to both the AP and affected individuals).
  • Ensure that employees know how to recognize a (potential) data breach and where to report it.

4. Employee awareness and codes of conduct

The effectiveness of information security depends on how employees deal with it. Employees have daily access to patient data and therefore play a key role in protecting this data. It is essential that they recognize data security risks in time, are familiar with the applicable rules and are aware of their own responsibility. We discuss this topic in more detail in an earlier blog post.

What can you do?

  • Ensure that employees are familiar with the basic principles of information security and their own role in this.
  • Offer periodic training, such as e-learning modules or themed sessions.
  • Establish clear codes of conduct, such as a clean desk policy and an obligation to report incidents.
  • Consult the VWS Ministry’s Wegwijzer, which provides practical guidance on promoting information-secure behaviour within organizations.

5. Compliance with NEN standards

Healthcare providers are required to organize their information security in line with the applicable NEN standards 7510, 7512 and 7513. The obligations described above also arise from these standards. They translate legal requirements into concrete measures for risk management, secure data exchange and logging access to patient records. By working in accordance with these standards, healthcare organizations can demonstrate that their security measures are appropriate and auditable. The PDCA cycle (Plan-Do-Check-Act) helps healthcare providers to comply with the NEN standards on a structural basis, as explained below.

What can you do?

  • Plan: carry out a baseline assessment to determine the current situation and draw up an information security policy based on this assessment. Next, perform a risk analysis and define appropriate security measures, clearly allocating responsibilities.
  • Do: implement the technical and organizational measures and configure systems and processes in line with the information security policy. Instruct employees on their responsibilities and ensure they know how to handle data securely.
  • Check: periodically assess whether the security measures remain appropriate and effective, for example through internal audits, incident registers and evaluations.
  • Act: use the outcomes of these assessments to adjust and improve the policy.
    If you are NEN certified, ensure that your certification documentation is complete and accurate.

Dawn raid policy and risks

Do you want to be well prepared for a possible inspection? At a minimum, make sure you have a clear dawn raid policy and an accompanying procedure in place, so you know exactly what to do if a regulator unexpectedly turns up at your doorstep. A dawn raid procedure sets out how your organization should act during an unannounced visit by a supervisory authority, including who must be informed, what information may and may not be shared, and how the visit should be documented.

This preparation is essential. If the AP identifies a breach of the data security requirements, it can take enforcement action. For healthcare providers, this creates a concrete risk of an administrative fine, a penalty payment order, a processing ban, a reprimand or a warning.

Healthcare providers, take action

The AP’s intensified supervision highlights the importance of robust data security in healthcare. Healthcare providers cannot rely on policies on paper alone; practical implementation is just as important. Use this moment to critically review your organization. Have risks been assessed recently, are the control measures still appropriate, and do employees know what is expected of them? To be properly prepared for future inspections, it is advisable to have a dawn raid policy in place. Acting now reduces the risk of incidents and sanctions.

Would you like to know where your organization stands, or do you need support in setting up your information security framework? Contact us.