
Log files and NEN 7513: The "forgotten child" that leads to the highest GDPR fines

Posted by Rob Veen
Summary for the quick reader: Many healthcare organizations focus on the new NEN 7510:2024 (policy), but neglect NEN 7513 (logging). This is an expensive mistake. The Dutch Data Protection Authority (AP) imposes its highest fines for being unable to trace unauthorized access to patient files (as in the HagaZiekenhuis case). An internal audit that only checks whether logging is 'on' misses the point. You must show that you actively monitor logging and detect irregularities. Without active control, logging is merely digital proof of your own negligence.
It is the least attractive topic in all of IT security: Logging.
It eats up storage space, slows systems down in the worst case, and nobody ever looks at it. Until something goes wrong.
When there is a data breach, or a VIP patient (a well-known Dutch person, a colleague, or a politician) is admitted, that boring log file becomes your only lifeline or your death warrant.
At AuditDirect, we see a troubling pattern. Organizations obtain their NEN 7510 certification based on policy documents, but fail technically in the implementation of NEN 7513 (Logging of actions in electronic patient records).
This article explains why this 'forgotten child' is life-threatening for your organization, including hard lessons from the Dutch Data Protection Authority.
The Hard Lesson of the 'Haga Fine' (Why this matters)
Let's start with the proof that this is not theoretical chatter.
In 2019, the Dutch Data Protection Authority (AP) imposed a fine of € 460,000 on HagaZiekenhuis.
The reason? Dozens of employees had looked without authorization in the file of a well-known Dutch person ('Barbie').
The hospital was not fined only because employees were curious. It was fined because the internal security of the logging failed on two points:
Authentication: It was not sufficiently clear who exactly logged in (shared accounts/insufficient 2FA).
Control: The hospital did not pro-actively review the log files. They only knew that unauthorized access had occurred after it appeared in the media.
This ruling created a legal precedent: logging without monitoring violates the GDPR. If you do not actively check who is looking in the files, you are in violation. Period.
What exactly is NEN 7513?
Many executives and even IT managers lump everything together. That is wrong.
NEN 7510:2024 is the management system. It says: "You must have policies to protect data."
NEN 7513 is the implementation. It specifies exactly which data you must record for every action in an electronic patient record (EHR/HIS).
According to NEN 7513, you must record per event:
WHO: The identity of the user (not 'System administrator', but 'J. Jansen').
WHO (Patient): The identity of the patient whose file was viewed.
WHEN: Date and time.
WHAT: The nature of the event (Viewing, Modification, Printing, Export).
WITH WHAT: The workstation or device.
Most systems do log this. The data is there. But often that is where it stops.
The 3 Deadly Mistakes in Your Current Logging Audit
If your internal auditor comes by and asks: 'Is logging on?', and you say 'Yes', and he ticks a box... then you had a worthless audit. Here are the three mistakes you really need to test.
1. The 'Write-Only' Trap
Many organizations treat logs as a black hole. Data goes in, and never comes out again.
The Risk: A hacker has been in your network for 180 days already (the average 'dwell time' before detection). He gradually erases his tracks. Because you never look, you only see the break-in when the ransomware is activated.
The AuditDirect Question: 'Show me the report from the latest sample check on unauthorized access. When did the Privacy Officer last investigate a strange access?'
2. The 'Technical Noise' (False Positives)
You turn logging on at 'Debug' level. Result: Millions of lines of log data per day.
The Risk: If you log everything, you see nothing. The proverbial needle in the haystack. Important signals (for example, 500 downloads at night) drown in the messages that the printer connection was successful.
The AuditDirect Question: 'How do we filter the logs? Which 'Use Cases' have we defined for alerts?'
3. The Chain Blind Spot (Vendors with Keys)
You use a SaaS solution (for example, ChipSoft, Nedap, Epic). You assume they take care of it.
The Risk: You are the Data Controller. But can you see what the vendor's administrators do? Often the vendor's support staff have 'super-admin' rights ('God mode') to help you with incidents. Is their behavior logged? And do you check whether they are looking in files without authorization?
The AuditDirect Question: 'Can we independently access the vendor's own audit trails, and how do we verify that administrator rights are not being abused?'
The 'Checklist' Audit vs. The 'GDPR-Proof' Audit
How do you know whether your current approach meets the strict requirements of the Dutch Data Protection Authority?
| Topic | The Standard Internal Audit (Wrong) | The AuditDirect Approach (Right) |
| --- | --- | --- |
| Retention Period | 'Do we keep logs for 5 years?' | 'Are the logs on a separate server where system administrators cannot delete them (integrity)?' |
| Control | 'Is there a review procedure?' | 'Show that intelligent access monitoring (algorithms) is actively used to find deviations.' |
| Content | 'Is anything logged?' | 'Can we fully reconstruct the patient journey of patient X on day Y?' |
| Alerting | Not addressed. | 'Does the CISO get an alert if a doctor opens files from a department where he does not work?' |
Technical Solution: SIEM for Non-IT People
You can no longer do this by hand (searching through Excel sheets is impossible). The solution the IGJ (the Dutch Health and Youth Care Inspectorate) and the AP are steering you toward is SIEM (Security Information and Event Management).
Many healthcare executives are put off by this: 'That sounds like a hundred-thousand-euro investment.'
That is not necessary. You do not need to build your own 'Cyber Defense Center'.
How do you solve this pragmatically?
Managed SIEM/SOC: For SMEs in healthcare, there are subscriptions (Security-as-a-Service). You pay per month/user. An external party watches your logs 24/7 and calls you only when it is truly serious.
Use what you already have: Do you work with Microsoft 365? The 'Sentinel' functionality can often be enabled relatively easily to at least monitor your office automation.
Business Logic Rules: Set simple rules within your EHR software (ask your vendor how to do this). For example:
The 'VIP' Rule: Alert if someone looks in the file of a well-known person or colleague.
The 'Volume' Rule: Alert if someone opens >50 records per hour.
The 'Time' Rule: Alert on login between 02:00 and 05:00 (unless on night shift).
If your internal audit does not check whether these rules exist and work, you are blind.
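To show what these three rules look like once they leave the policy document, here is an added example (not the article's or AuditDirect's code) that runs the VIP, Volume and Time rules over constructed NEN 7513-style access records. The record layout (the five NEN 7513 fields plus department and shift), the threshold values and all sample data are assumptions made for the illustration.

```python
"""Added example (not the article's or AuditDirect's code): the article's three
business logic rules (VIP, Volume, Time) run over constructed NEN 7513-style
access records. The record layout and all sample values are assumptions."""
from collections import Counter
from datetime import datetime

# Constructed records: when;who;patient;what;device;department;shift
# The first five are the NEN 7513 fields; department and shift are added
# because the Time rule has to know who is on night shift.
SAMPLE_LOG = [
    "2024-03-12T08:58:10;j.jansen;-;login;ws-card-07;cardiology;day",
    "2024-03-12T09:14:02;j.jansen;pat-1001;view;ws-card-07;cardiology;day",
    "2024-03-12T11:02:33;j.jansen;pat-0001;view;ws-card-07;cardiology;day",
    "2024-03-12T03:21:11;p.devries;-;login;ws-adm-02;administration;day",
    "2024-03-12T03:22:05;p.devries;pat-2001;view;ws-adm-02;administration;day",
    "2024-03-12T03:40:09;m.bakker;-;login;ws-icu-01;icu;night",
] + [  # 60 views by one user inside a single hour, to exercise the Volume rule
    f"2024-03-12T14:{i:02d}:00;k.smit;pat-{4000 + i};view;ws-lab-03;laboratory;day"
    for i in range(60)
]
VIP_PATIENTS = {"pat-0001"}     # constructed: flagged well-known person / colleague
VOLUME_THRESHOLD = 50           # the article's '>50 records per hour'
NIGHT_WINDOW = (2, 5)           # the article's 02:00-05:00 window

def parse(line):
    when, who, patient, what, device, dept, shift = line.split(";")
    return {"when": datetime.fromisoformat(when), "who": who, "patient": patient,
            "what": what, "device": device, "dept": dept, "shift": shift}

def detect(lines):
    """Return (rule, user, detail) alerts for the VIP, Volume and Time rules."""
    alerts, per_hour = [], Counter()
    for r in map(parse, lines):
        if r["what"] == "view" and r["patient"] in VIP_PATIENTS:
            alerts.append(("VIP", r["who"], f"viewed {r['patient']} from {r['device']}"))
        if r["what"] == "view":
            per_hour[(r["who"], r["when"].strftime("%Y-%m-%dT%H"))] += 1
        if (r["what"] == "login" and NIGHT_WINDOW[0] <= r["when"].hour < NIGHT_WINDOW[1]
                and r["shift"] != "night"):
            alerts.append(("Time", r["who"], f"login at {r['when']:%H:%M} outside night shift"))
    for (who, hour), n in per_hour.items():
        if n > VOLUME_THRESHOLD:
            alerts.append(("Volume", who, f"{n} records opened in hour {hour}"))
    return alerts

if __name__ == "__main__":
    for rule, who, detail in detect(SAMPLE_LOG):
        print(f"ALERT [{rule}] {who}: {detail}")
```

Note that the night-shift exception only works if the roster is available to the rule engine; without that context the Time rule produces the kind of noise the 'Technical Noise' section warns about.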
Glossary
Make sure you know these terms before you speak with the auditor (or the inspector).
Audit Trail: A chronological overview of system activities with enough detail to reconstruct the sequence of events.
SIEM: Software that collects log files from different sources and analyzes them for deviations.
Non-repudiation: The assurance that someone cannot deny having performed an action. In healthcare, this means logging in with a personal credential (such as a UZI pass) and no shared accounts.
Log Integrity: The guarantee that no one (not even the administrator) can delete log entries to erase traces.
Conclusion: Turn Your Log File into a Weapon
A data breach is unpleasant. A data breach you cannot explain because your logs are not in order is fatal for your reputation and your bank account.
Stop treating NEN 7513 as an administrative burden. It is your black box (like in an airplane). If something goes wrong, this is the only thing that tells you the truth.
At AuditDirect, we do not check your log processes with a checklist, but with scenarios.
'Suppose I am the ex-partner of an employee and I work in administration. How quickly do you notice that I am looking in my ex's file?'
If the answer is: 'We probably won't notice that', then you have work to do.
Do you want to know whether your organization is 'Haga-proof'?
Request an internal audit in which we specifically examine NEN 7513 logging and monitoring.
Frequently Asked Questions about Logging
1. How long do I need to keep log files according to NEN 7513?
There is a lot of confusion about this, but the rules are clear. The Decree on Electronic Data Processing by Healthcare Providers (Begz) states that log records must be kept for at least 5 years. Please note: during those 5 years, their integrity must be guaranteed. You must therefore be able to prove that the logs in year 4 have not been changed. An immutable log server is therefore very useful.
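One way to make "the logs in year 4 have not been changed" provable rather than asserted is to chain the stored records together by hash, so that any edit or deletion breaks every link after it. The following is an added example (not from the article, NEN or any vendor); the entry format, the field names and the sample records are assumptions.

```python
"""Added example (not from the article): a hash-chained, append-only log that
lets an auditor check that stored NEN 7513 records have not been altered or
deleted. The entry format and the sample records are assumptions."""
import copy
import hashlib
import json

GENESIS = "0" * 64  # link value for the first entry

def chain_hash(prev_hash, record):
    """Hash the previous link together with the canonical JSON of this record."""
    payload = prev_hash + json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()

def append(log, record):
    """Append a record, linking it to the hash of the entry before it."""
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"record": record, "hash": chain_hash(prev, record)})
    return log

def verify(log):
    """Return the index of the first broken link, or None if the chain is intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if chain_hash(prev, entry["record"]) != entry["hash"]:
            return i
        prev = entry["hash"]
    return None

# Constructed records carrying the NEN 7513 fields (who, patient, when, what, device)
SAMPLE = [
    {"who": "j.jansen", "patient": "pat-1001", "when": "2024-03-12T09:14:02", "what": "view", "device": "ws-card-07"},
    {"who": "p.devries", "patient": "pat-2001", "when": "2024-03-12T03:22:05", "what": "view", "device": "ws-adm-02"},
    {"who": "j.jansen", "patient": "pat-0001", "when": "2024-03-12T11:02:33", "what": "print", "device": "ws-card-07"},
]

def build_log(records):
    log = []
    for r in records:
        append(log, r)
    return log

def tampered_copy(log, index, **changes):
    """Simulate an administrator editing one stored record in place."""
    bad = copy.deepcopy(log)
    bad[index]["record"].update(changes)
    return bad
```

The chain only proves that the stored entries are consistent with the most recent hash, so that head hash must be kept somewhere the system administrator cannot rewrite (WORM storage, or deposited periodically with an external party); otherwise someone with write access can simply recompute the whole chain after editing it.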
2. May I simply view employees' logs? (Employee privacy)
No, that is not allowed just like that ('sniffing around'). You need a protocol that states when logs may be viewed and by whom (for example, after a signal of a data breach). Although approval from the works council is not always strictly required for the technical side, it is very wise to align the protocol with the works council to create support.
3. Is NEN 7513 mandatory for small healthcare practices?
Yes. The GDPR does not make a distinction based on size when it comes to securing special personal data. Even an independent physiotherapist must be able to explain afterwards who looked into a file, and when.
Sources and References:
Dutch Data Protection Authority (AP). Personal data security dossier. autoriteitpersoonsgegevens.nl
Case law. Ruling by The Hague District Court (HagaZiekenhuis). rechtspraak.nl
NEN. Standard NEN 7513:2018. nen.nl
Government.nl. Decree on Electronic Data Processing by Healthcare Providers (Begz).

