Ransomware and NEN 7510: Why Your Internal Audit Is Missing the 'Kill Switch'

Posted by
Rob Veen

Summary for the quick reader: A traditional NEN 7510 internal audit often focuses on policy documentation (compliance), while modern ransomware attacks target human and technical vulnerabilities (security). Data from Z-CERT shows that 37% of affected healthcare organizations need more than a month to recover. This article analyzes the critical gaps between the paper standard and digital reality, and how you can use your internal audit to safeguard actual patient safety.

Possessing a NEN 7510 certificate creates peace of mind within many healthcare organizations. The management report is green, the procedures are documented, and the external auditor is satisfied.

However, there is a risky discrepancy between compliance (meeting the standard) and security (resilience against attacks). A traditional internal audit checks whether you have a policy for incident management. A modern attack group, such as LockBit or Clop, checks whether you are actually able to restore your primary processes after complete encryption.

In this article, we discuss why a document-driven internal audit does not protect you against current threat scenarios and how you shift the focus to actual risk control.

The hard data: Why 'Compliance' is not enough

The urgency is not theoretical. According to Cybersecurity in Healthcare 2024 from Z-CERT, the nature of threats has fundamentally changed. The goal of criminals has shifted from data theft to operational disruption in order to maximize pressure to pay.

Z-CERT's statistics paint a sobering picture for organizations that are only 'in control' on paper:

  • Recovery time: 37% of affected organizations need more than a month to fully recover.

  • Backups: In 95% of successful ransomware attacks, the backups are compromised or encrypted.

  • Costs: The average costs of recovery and business interruption far exceed the amount of the ransom.

The Health and Youth Care Inspectorate (IGJ) has stated in its Digital Care Assessment Framework (May 2024) that it will assess more strictly whether security is actually assured in practice, not just designed on paper. An internal audit that ignores this reality may comply with the letter of the standard, but it fails in the spirit of the law: guaranteeing patient safety.

3 Critical 'Audit Gaps' in NEN 7510

Where do traditional internal audits fall short? Below we analyze the three biggest differences between what the auditor usually asks and what the real threat requires.

1. From Backup Policy to 'Immutable Storage'

NEN 7510 Control Measure A8.13 (Information backup) requires that backup copies be made.

  • The traditional audit: "Is there a backup policy?"
    The auditor sees a document, checks a box, and moves on.

  • The real risk: Ransomware scans the network specifically for backup servers to encrypt them first. A policy document does not stop encryption.

  • The necessary test: Your internal audit must verify whether the backups are 'immutable' (cannot be changed). Can an administrator with root access delete the backup? If so, a hacker can too. In addition, the 'Time-to-Restore' must be tested: how long does it actually take to restore 5TB of EHR data?
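As an added illustration (not code from this article or from AuditDirect), the Python sketch below scores a backup repository against the three questions above: immutability, the backup interval against the RPO, and the measured time-to-restore against the RTO. The repository description, the 5 TB EHR data set, the 200 MB/s measured restore rate, the 30-day minimum retention and the RTO/RPO targets are constructed assumptions.

```python
from dataclasses import dataclass

TB = 10**12   # decimal terabyte, as storage vendors quote capacity
MB = 10**6

@dataclass
class BackupRepo:
    name: str
    worm_enabled: bool        # immutable (write-once) retention switched on
    retention_days: int       # days a copy cannot be altered or deleted
    admin_can_delete: bool    # can a root/domain admin purge copies early?
    interval_minutes: int     # how often a backup is taken
    data_bytes: int           # size of the data set to restore (e.g. the EHR)
    restore_rate_bps: float   # bytes/s measured in a real restore test

@dataclass
class Requirement:
    rto_hours: float          # max downtime before patient safety is at risk
    rpo_minutes: float        # max data loss, measured in time
    min_retention_days: int   # assumed: copies must outlive an attacker's dwell time

def time_to_restore_hours(repo: BackupRepo) -> float:
    """Worst case: a full restore of the whole data set at the measured rate."""
    return repo.data_bytes / repo.restore_rate_bps / 3600

def audit_backup(repo: BackupRepo, req: Requirement) -> list:
    """Return the findings a security-oriented internal audit would raise."""
    findings = []
    if not repo.worm_enabled:
        findings.append("backups are not immutable; ransomware with admin rights can encrypt them")
    if repo.admin_can_delete:
        findings.append("an administrator can delete backups, so an attacker with those rights can too")
    if repo.retention_days < req.min_retention_days:
        findings.append(f"retention {repo.retention_days} d is below the required {req.min_retention_days} d")
    if repo.interval_minutes > req.rpo_minutes:
        findings.append(f"a backup every {repo.interval_minutes} min cannot meet an RPO of {req.rpo_minutes} min")
    ttr = time_to_restore_hours(repo)
    if ttr > req.rto_hours:
        findings.append(f"measured time-to-restore {ttr:.1f} h exceeds the RTO of {req.rto_hours} h")
    return findings

# Constructed sample: 5 TB of EHR data, nightly backups, restore tested at 200 MB/s.
EHR_REPO = BackupRepo("ehr-backup", worm_enabled=False, retention_days=14,
                      admin_can_delete=True, interval_minutes=24 * 60,
                      data_bytes=5 * TB, restore_rate_bps=200 * MB)
EHR_REQ = Requirement(rto_hours=4, rpo_minutes=15, min_retention_days=30)

if __name__ == "__main__":
    for finding in audit_backup(EHR_REPO, EHR_REQ):
        print("FINDING:", finding)
```

The constructed repository fails all five checks; with a 5 TB data set, a 4-hour RTO is only achievable once a real restore test shows well above 350 MB/s.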

2. From Network Diagram to 'Lateral Movement' & Zero Trust

NEN 7510 Control Measure A8.22 (Network segregation) requires that groups of information services, users, and information systems are separated.

  • The traditional audit: "Is there a network diagram?"
    A drawing made five years ago is shown. Check mark.

  • The real risk: Through outdated edge equipment (IoMT - Internet of Medical Things) or a phishing email on a reception PC, attackers try to move laterally through the network (Lateral Movement).

  • The necessary test: The new NEN 7510:2024 gives specific attention to the Zero Trust principle. Especially in cloud-based work, a simple firewall is not enough. The audit must ask for evidence of segregation tests: Is it technically possible to connect from the guest network to the database of the hospital information system?

3. From Logging to Monitoring (NEN 7513)

NEN 7513 prescribes detailed logging.

  • The traditional audit: "Are the log files kept according to the retention period?"

  • The real risk: The Dutch Data Protection Authority reports that the healthcare sector remains the frontrunner in the number of reported incidents. Many data breaches are only discovered months later.

  • The necessary test: Logging without active monitoring is only digital forensic material for after the disaster. The internal audit must check whether alerting is in place. Does an alarm go off at the IT department if 500 patient records are requested at 3:00 a.m.?
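An added example (not from the article or from AuditDirect) of the alerting check described above: it replays constructed NEN 7513-style access events and raises an alert when one user reads more distinct patient records within a sliding window than the threshold for that time of day. The log format, the 10-minute window and the day/night thresholds are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed NEN 7513-style access events: "<ISO timestamp> <user> <action> <patient_id>".
# A reporting service account reads 600 distinct records between 03:00 and 03:06;
# the two clinicians show normal daytime and night-shift use.
SAMPLE_LOG = (
    ["2024-05-10T14:02:11 nurse.a READ P1001",
     "2024-05-10T14:03:40 nurse.a READ P1002",
     "2024-05-10T02:15:00 doctor.b READ P3001"]
    + [f"2024-05-10T03:0{i // 100}:{i % 60:02d} svc-report READ P{2000 + i}"
       for i in range(600)]
)

def parse(line):
    """Split one log line into (timestamp, user, action, patient_id)."""
    ts, user, action, patient = line.split()
    return datetime.fromisoformat(ts), user, action, patient

def mass_access_alerts(lines, window=timedelta(minutes=10),
                       day_limit=500, night_limit=100, night_hours=range(0, 7)):
    """Return (user, time, distinct_records) for each user whose distinct READs
    inside any `window` exceed the limit that applies at that hour (assumed thresholds)."""
    reads = defaultdict(list)
    for ts, user, action, patient in sorted(map(parse, lines)):
        if action == "READ":
            reads[user].append((ts, patient))
    alerts = []
    for user, evs in reads.items():
        in_window = Counter()   # patient_id -> reads currently inside the window
        start = 0
        for ts, patient in evs:
            in_window[patient] += 1
            while evs[start][0] < ts - window:      # drop events that aged out
                old = evs[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            limit = night_limit if ts.hour in night_hours else day_limit
            if len(in_window) > limit:
                alerts.append((user, ts, len(in_window)))
                break   # one alert per user is enough to show detection works
    return alerts

if __name__ == "__main__":
    for user, ts, n in mass_access_alerts(SAMPLE_LOG):
        print(f"ALERT {ts:%H:%M:%S}: {user} read {n} distinct records within 10 minutes")
```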

Paper Audit vs. Security Audit

The table below shows how AuditDirect translates the new NEN 7510:2024 standard into practice.

Backups (A8.13)
  The 'Check List' question (paper security): "Do we make a backup every day?"
  The 'Security' question (AuditDirect approach): "Are backups immutable and how do the RTO/RPO requirements relate to the tested backup frequency?"

Access security (A5.15 - A5.18)
  The 'Check List' question (paper security): "Is there a password policy?"
  The 'Security' question (AuditDirect approach): "Is MFA enforced for all external access? And which Service Accounts have unnoticed access to critical components?"

Incident management (A5.24 - A5.28)
  The 'Check List' question (paper security): "Is there a procedure in the manual?"
  The 'Security' question (AuditDirect approach): "Does the night shift know who to call if records are massively encrypted or downloaded at night?"

Suppliers (A5.19 - A5.22)
  The 'Check List' question (paper security): "Have we performed a supplier assessment (score 1-5)?"
  The 'Security' question (AuditDirect approach): "Which supplier has administrator rights in our environment? Have we tested whether their security is in order?"

Definitions

To prevent misunderstandings during your internal audit, AuditDirect defines the following terms as they should be tested in practice:

  • Immutable Backup: A backup that cannot be changed or deleted by anyone - not even system administrators - for a set period.

  • Lateral Movement: The technique by which an attacker, after entering through an unimportant system (for example, a printer or reception PC), moves through the network in search of crown jewels (patient data).

  • RTO (Recovery Time Objective): The maximum allowable time that a system (such as the EHR) may be unavailable before patient safety is put at risk.

  • RPO (Recovery Point Objective): The maximum allowable amount of data loss measured in time. (For example: after a crash, we accept at most the loss of the last 15 minutes of changes).

The AuditDirect Vision: Practical and Secure

At AuditDirect, we believe that a NEN 7510 certificate should be a logical result of a secure organization, not a goal in itself. We perform internal audits with the perspective of both the auditor and the security specialist.

We do not only help you meet the external auditor's requirements, but also make sure you have an honest answer to the question: "Are my patient data really safe?"

Do you want an internal audit that looks beyond the checklist and exposes real risks?

👉 View our approach to NEN 7510 Internal Audits


Frequently Asked Questions: Compliance versus Real Safety

Why does an NEN 7510 certificate provide a false sense of security against ransomware?

A certificate often confirms that the policies and procedures exist on paper (compliance). However, modern attack groups such as LockBit focus on technical execution and human error (security). Where an auditor ticks a box for the existence of an incident management plan, an attacker tests whether you can actually recover after full encryption. Having the certificate creates peace of mind, but the digital reality is that 37% of organizations need more than a month to recover after an attack.

What is the biggest risk with traditional backup checks during an audit?

Traditional audits often only check whether a backup policy exists. The real risk is that ransomware specifically looks for backup servers to encrypt them first. In 95% of successful attacks, backups are compromised. An effective audit should therefore check for Immutable Storage (non-changeable storage) that cannot even be deleted by administrators with root access.

How will the IGJ’s oversight change in 2024 in the area of digital care?

According to the Digital Care Assessment Framework (May 2024), the Health and Youth Care Inspectorate (IGJ) will carry out stricter assessments. The focus is shifting from the mere 'design' (is it on paper?) to the actual embedding of safety in practice. The aim is to genuinely ensure patient safety rather than only meeting the letter of the standard.

What is the crucial difference between logging (NEN 7513) and active monitoring?

Logging without active monitoring is, as the article notes above, merely "digital forensic material for after the disaster." Although NEN 7513 requires detailed logging, healthcare institutions often only discover data breaches months later. A secure approach requires alerting: a system that immediately sends an alert to the IT department when patient records are requested in large numbers at unusual times (for example, 3:00 a.m.).

How do RTO and RPO determine a healthcare organization's recovery capacity?

These concepts are essential for assessing the 'Time-to-Restore' during an audit. RTO (Recovery Time Objective) is the maximum amount of time a system (such as the EHR) may be down before patient safety is put at risk. RPO (Recovery Point Objective) is the amount of data loss that is acceptable (for example, a maximum of 15 minutes of changes). An audit must verify whether the technical infrastructure can actually meet these requirements when restoring large amounts of data.

Consulted Sources:

From the initial phase through certification, AuditDirect guides you every step of the way.

NEN Gap Analysis

In just one day, we will map out how close your organization is to achieving NEN 7510 compliance.

€1,250

Within 24 hours you will receive:

  • A complete baseline assessment of your current situation

  • An action plan with concrete next steps

  • Insight into your strongest points and areas for improvement

  • Support within the organization, as our consultants will conduct interviews with the involved employees


Guidance only starts after the baseline assessment. This way, we know exactly what is and what is not needed, without wasting your company's time.

Schedule your NEN Baseline Assessment

More information

NEN Internal Audit

A practical Internal Audit that tells you exactly whether you are ready for the external audit.

$1,600*

Within 72 hours you will receive:

  • A complete independent internal audit that complies with the NEN 7510 norm 9.2.

  • Clear and practical findings and recommendations

  • A concrete overview of areas for improvement before the external audit

  • Clear explanations for management and involved teams

    *price is based on a small organization


Plan your NEN internal audit

More information