What if your patient data becomes inaccessible tomorrow?
Backup for healthcare institutions: not an IT issue, but a duty of care
Imagine: it is Tuesday morning. A nurse tries to open the EHR system and gets an error message. The GP wants to view a patient file — impossible. The day treatment schedule is on an encrypted system. Care continues, but without the information healthcare providers need. This is not a theoretical scenario. Healthcare institutions are the most frequently targeted organisations in the Netherlands when it comes to ransomware. And most victims had assumed beforehand that their supplier would handle that. A healthcare institution holds far more than just data. Disrupted access to patient information has direct consequences for the safety of care — and the legal and regulatory consequences that follow are significant.
Why healthcare institutions are extra vulnerable
Healthcare data behaves differently from office files
Most healthcare institutions work with multiple systems simultaneously: an EHR, a scheduling system, medical equipment and office environments. Every system is a potential attack surface. According to the NCSC, the healthcare sector is year after year one of the most attacked sectors. An EHR record is not a standalone file but a database with internal references. Restoring one table without the rest makes the record unusable. Continuity is not optional: in healthcare, downtime can mean medication is not administered or wrong decisions are made.
The misconception that costs many institutions dearly
The EHR supplier does not fully handle your backup
"Our EHR supplier takes care of the backup." We hear this often, and it is not correct. The supplier ensures the availability of their application, but in most contracts the responsibility for backing up the underlying data lies with the healthcare institution itself. Check your data processing agreement. A proper NEN 7510-compliant backup requires that you, as an institution, can demonstrably control where data is stored, how long it is retained and how you retrieve it.
Supplier backups are not enough
The supplier makes backups for their own system recovery — not for your specific recovery needs.
NEN 7510 requires demonstrability
You must be able to prove where data is stored, how long it is retained and who has access.
Data must stay on Dutch soil
For healthcare institutions, storage on Dutch soil is the most watertight choice.
What a proper backup actually does
The 3-2-1 rule as the baseline standard
The widely accepted standard is the 3-2-1 rule: 3 copies of your data, on 2 different storage media, with 1 copy fully isolated. For a healthcare institution this means: a daily backup of all systems, including the EHR database, for fast recovery; a weekly full backup that is physically separated; and a cloud backup with immutable storage for ransomware protection. An immutable backup cannot be modified or deleted after writing — not even by someone with administrator rights. If ransomware strikes on Wednesday, you can restore to Monday. Two figures determine what your backup must deliver. RPO (recovery point objective): how much data loss is acceptable? RTO (recovery time objective): how quickly does your institution need to be operational again?
3 copies
Always multiple copies — never a single source.
2 storage media
Local storage for speed plus cloud for security.
1 isolated copy
Immutable storage: unreachable by ransomware or administrators.
NEN 7510 and GDPR: what this means in practice
Compliance requirements for healthcare institutions
Healthcare institutions fall under NEN 7510, the Dutch standard for information security in healthcare. The IGJ can request proof of your information security policy in the event of an incident. You must be able to demonstrate that backups are made and tested regularly, that data stays within the EU, and who has access to it. Minimum retention periods: active patient records backed up daily with 90 days of version history; closed records 20 years (WGBO); administrative records at least 7 years. A backup is for fast recovery. An archive is for long-term retention. Both are required — and they are separate systems.
Five steps to get this sorted
Even without a large IT department
Map your systems
Which systems contain patient data? EHR, scheduling system, email, medical equipment. Ask each supplier who is responsible for the backup.
Define your RPO and RTO
The EHR requires a different recovery time than your email archive. Determine what is acceptable per system and document it in an information security plan.
Choose a NEN 7510-certified solution
Verify that the provider is demonstrably certified and stores data on Dutch soil. They must be able to provide a data processing agreement.
Test your backup every quarter
A backup you have never tested is not a backup. Restore a test environment every quarter and verify that records are intact and readable.
Document the recovery process
Who does what when things go wrong? Who calls the supplier? This document must be available offline — not on the server that just went down.
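As an added example that is not part of this page or of any vendor's product: a small Python audit over a constructed backup inventory that checks the 3-2-1 rule and immutable copy from the baseline section above, the per-system RPO from step 2, and the quarterly restore test from step 4. The system names, media, timestamps and test interval are assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass(frozen=True)
class BackupCopy:
    medium: str         # e.g. "local-disk", "tape", "cloud"
    isolated: bool      # immutable or offline: unreachable from production
    taken_at: datetime  # time of the newest successful backup on this copy

@dataclass(frozen=True)
class SystemPolicy:
    name: str
    rpo: timedelta                         # acceptable data loss
    last_restore_test: Optional[datetime]  # last verified restore, if any

def audit(policy, copies, now, test_interval=timedelta(days=90)):
    """Return the findings for one system; an empty list means it passes."""
    findings = []
    # 3-2-1: three copies, on two media, with one isolated (immutable) copy
    if len(copies) < 3:
        findings.append("fewer than 3 copies")
    if len({c.medium for c in copies}) < 2:
        findings.append("fewer than 2 storage media")
    if not any(c.isolated for c in copies):
        findings.append("no isolated/immutable copy")
    # RPO: the newest copy may not be older than the acceptable data loss
    age = now - max(c.taken_at for c in copies) if copies else None
    if age is None or age > policy.rpo:
        findings.append(f"RPO {policy.rpo} not met (newest copy age: {age})")
    # A backup that has never been restored is not a backup (quarterly test)
    last = policy.last_restore_test
    if last is None or now - last > test_interval:
        findings.append("no verified restore test within the test interval")
    return findings

NOW = datetime(2024, 6, 11, 8, 0)  # constructed timestamp, a Tuesday morning
INVENTORY = {  # constructed inventory: one compliant system, one that is not
    SystemPolicy("EHR", timedelta(hours=24), NOW - timedelta(days=30)): [
        BackupCopy("local-disk", False, NOW - timedelta(hours=6)),
        BackupCopy("tape", True, NOW - timedelta(days=3)),
        BackupCopy("cloud", True, NOW - timedelta(hours=6)),
    ],
    SystemPolicy("email", timedelta(days=7), None): [
        BackupCopy("local-disk", False, NOW - timedelta(days=10)),
        BackupCopy("local-disk", False, NOW - timedelta(days=10)),
    ],
}

def audit_all(inventory=INVENTORY, now=NOW):
    return {p.name: audit(p, copies, now) for p, copies in inventory.items()}
```

Running `audit_all()` on the constructed inventory returns no findings for the EHR and five for the email system, which is the kind of per-system report the documented recovery process should be able to produce.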
Frequently Asked Questions
Frequently asked questions from healthcare institutions
Ready to secure your patient data?
Schedule a 15-minute demo and see how straightforward a NEN 7510-compliant backup for your institution can be.