Kiwa certifies Amsterdam UMC for ISO 27001 and NEN 7510

There are few sectors where privacy and information security have a higher priority than in healthcare, where almost all processed and recorded data is confidential. Recently, Amsterdam UMC - the merger organization of AMC and VUmc - certified with Kiwa for the ISO 27001 and NEN 7510 standards. Marcel van der Haagen, data protection officer at Amsterdam UMC, elaborates on this.

Amsterdam UMC was established in 2018 after the administrative merger of two Dutch hospitals Academisch Medisch Centrum (AMC) and VUmc. The two locations of Amsterdam UMC, with a total of over 17,000 employees, work together to provide good and accessible healthcare. In addition, in collaboration with the associated universities, UVA and VU, skilled and motivated people are trained to become doctors, specialists or nurses. Amsterdam UMC aims to offer excellent academic patient care, conduct high-quality scientific research and provide top-level education and training.

Amsterdam UMC chose to have all processes involving personal data certified. This included processes related to patient care, research, education, training and business operations. The IT department of the AMC location was already ISO 27001 certified and the VUmc location was NEN 7510 certified. The new organization, Amsterdam UMC, decided to align both locations and have the entire organization certified against both ISO 27001 and NEN 7510.

What did this alignment mean for the combined certification process of ISO 27001/NEN 7510 at Amsterdam UMC?

Marcel van der Haagen: ‘Preparing Amsterdam UMC for the NEN 7510 and ISO 27001 certification was a very extensive project, but thanks to previous experiences with NEN 7510 and ISO 27001 certification processes, the invested time remained limited. For example, a privacy protection and information security management system, an ISMS, had already been operational for several years.’

Why did Amsterdam UMC decide to pursue ISO 27001 and NEN 7510 certification?

Marcel van der Haagen: ‘Amsterdam UMC wants to demonstrably have privacy protection and information security in order in accordance with laws and regulations and relevant security standards. It is therefore very important that the security of the data of millions of patients is guaranteed. Certification promotes the confidence of patients, research participants and other stakeholders in Amsterdam UMC.’

Why did you choose to certify with Kiwa?

Marcel van der Haagen: ‘From the outset, Kiwa actively thought along with Amsterdam UMC regarding the best approach of the certification process. We also worked together extremely smoothly and pleasantly during the audit. Kiwa's knowledge and experience in the field of information security and privacy protection in different industries are important for Amsterdam UMC in the independent evaluation during initial and periodic surveillance audits.’

What did the process look like?

Marcel van der Haagen: ‘It took us two years to prepare the organization for the integrated certification audit. Most of this time was spent harmonizing policies, procedures and guidelines for the AMC and VUmc locations. After the initial audit, a few minor non-conformities were identified, which we were able to resolve quickly. After the initial audit, the focus lies on ensuring that privacy protection and information security remains at a high level and even continually improves.’

Amsterdam UMC neemt certificaten in ontvangst.jpg

Photo: Amsterdam UMC receives the ISO 27001 and NEN 7510 certificates.

What is the added value of certification for Amsterdam UMC?

Marcel van der Haagen: ‘NEN 7510 is mandatory under certain legal regulations that apply in the Dutch healthcare sector. The standard is also the assessment framework used by the Autoriteit Persoonsgegevens (the Dutch Data Protection Authority, red) when exercising supervision over compliance with the GDPR and other regulations relating to privacy protection and information security in healthcare. By demonstrably meeting the NEN 7510 standard, our organization also meets the requirements set by stakeholders and partners for secure data exchange. It is also an important means of managing risks such as reputational damage, fines and criminal prosecution.’

What does certification mean for your patients?

Marcel van der Haagen: ‘For Amsterdam UMC, it is very important that patients, research participants, partners and other stakeholders are able to trust on the fact that personal data is optimally protected. Certification contributes to that trust.’

How do you look back on the process?

Marcel van der Haagen: ‘It was an intensive and complex project, particularly because of the size of the two locations involved, AMC and VUmc. Harmonizing policies, procedures and guidelines, including their application in the far corners of the organization, was quite a challenge. The positive result of the initial certification audit was therefore truly “the icing on the cake” for Amsterdam UMC.’

Did certification also lead to increased awareness among employees?

Marcel van der Haagen: ‘During the certification process, you are in constant dialogue with the entire organization about privacy protection and information security and how it should be organized according to security, and internal, standards. The fact that this has led to increased safety awareness among our employees is already evident from the significant increase in the number of advisory requests in the areas of privacy and security.’

What developments do you foresee for the future?

Marcel van der Haagen: ‘Developments such as artificial intelligence and machine learning will play an important role in achieving Amsterdam UMC's strategic goals. Digital information is crucial in this regard, and therefore privacy protection and information security will only become more important. Amsterdam UMC aims to be innovative and leading in this field. The processing of personal data for patient care, research, education and training has to be lawful and compliant. In light of new technological and social developments, the systematic monitoring and management of privacy and information security risks is necessary. Protecting privacy and securing information is always about finding the right balance between patient safety, workability and compliance.’