GP emergency care threatens to fall behind on information security

In particular, mandatory independent information security assessments were missing or incomplete. As a result, it is unclear whether digital information at these organizations is protected and available as required. Since the investigation, all organizations that did not comply have taken measures. The IGJ expects them all to be fully compliant by 2026.

GP emergency care

Organizations providing GP emergency care are "GP service structures. In 2024 there were 49. They provide care in the Netherlands through about 100 GP emergency rooms. Patients can go there outside the practice hours of their own GP. In 2024, 15.7% (approximately 2.6 million) of the Dutch population visited a GP emergency room at least once. The GP emergency room uses digital information about patients, such as medical history. Good information security is of great importance. The inspectorate sees that the organizations are aware of this. A positive development is that there is more cooperation between healthcare providers and the use of external expertise.

NEN 7510

Everyone in healthcare must have confidence that data is secure and available when needed. The NEN 7510 sets requirements for healthcare providers working with digital systems. These include responsibility and management, access to data and making a risk analysis. They must be able to demonstrate that they are working according to the standard with an independent assessment. This is also mandatory for the Cybersecurity Act, which will soon come into effect.

Continued

The inspectorate is intensively monitoring and ensuring that all GP service structures demonstrably meet the NEN 7510 security standard by 2026.

The investigation into information security in GP emergency care is part of the IGJ's supervision of information security in health care. Previously, it conducted research at hospitals, mental health institutions and organizations in the care for the elderly and the disabled, among others.