NEN 7510 · GDPR · healthcare experience

Penetration Testing for the Healthcare Sector.

EHR portals, patient applications and staff portals are high-value targets. Resync tests them manually for vulnerabilities in a NEN 7510 context, with respect for patient data and care continuity. Want an overview of our general pentest offering first? Our general pentest page covers scope categories, pricing model and process in one overview.

Fixed price · NDA standard · Retest included · Works in test or production environment

€8.3M: Average cost of a data breach in healthcare — the highest of any sector.
Source: IBM Cost of a Data Breach 2024

+74%: Rise in ransomware attacks on healthcare organisations over 5 years.
Source: Sophos State of Ransomware in Healthcare 2024

213 days: Average time for a healthcare organisation to detect a breach — the longest of any sector.
Source: IBM Security 2024

Why healthcare

Highest risk, highest impact.

The healthcare sector has a unique risk profile: maximum data value, minimum tolerance for downtime, and strict statutory obligations. Patient records are worth 10× more than credit card data on the dark web — used for identity fraud, insurance fraud, and extortion.

At the same time, a hospital cannot simply be taken offline "for maintenance". Attackers know this, and exploit it. Ransomware groups specifically target healthcare because organisations pay faster and higher than other sectors.

Reality

In 2024, Dutch hospitals, mental health providers and GP networks were repeatedly hit by cyber incidents — often through the same vulnerability classes that a manual pentest would have detected in advance.

NEN 7510 context

Pentest as auditable evidence.

NEN 7510 ("Information security in healthcare") requires healthcare organisations to demonstrably protect patient data. The standard does not explicitly mandate a pentest, but does require periodic verification of technical security measures. In practice, an independent penetration test is the standard form of evidence.

What a pentest covers within NEN 7510

  • A.12.6.1, Management of technical vulnerabilities: demonstrable identification and assessment
  • A.14.2.8, Systems security testing: requires active verification
  • A.18.2.3, Technical compliance review: pentest as objective evidence
  • Risk management around processing under GDPR Art. 32, adequate technical measures

The Resync report is structured to serve as evidence to a NEN 7510 auditor, IGJ supervision, the Dutch Data Protection Authority and internal governance. Not a loose PDF — a structured document with management summary, technical findings and retest declaration.

Scope

What Resync tests in healthcare organisations.

EHR portals & patient portals

Authentication, authorisation, IDOR on patient identifiers, integrations with DigiD/MyHealth, session management.

Staff portals

Roles and permissions, segregation between disciplines, access to records outside the treatment relationship.

Online appointment systems

Booking flows, rescheduling, cancellations — often carrying IDOR risks on appointment IDs and patient numbers.

External integrations

Integrations with labs, pharmacies, insurers and care groups. API tokens, mTLS, per-party authorisation.

Network segmentation

Isolation of medical-technical equipment, OT networks and office automation. Lateral movement tests.

Public-facing services

External websites, e-consult, intake forms and chat features — often the primary attack path.

Methodology

Safe and careful, without disrupting care.

Working in a healthcare environment requires an adapted approach. Resync applies standard protocols:

  • Testing in acceptance environment wherever possible, with synthetic data
  • For production tests: pre-agreed stop criteria and a direct escalation line
  • No exfiltration of patient data; evidence via screenshots with redacted data
  • No denial-of-service tests without explicit written consent
  • Daily status updates during the testing period
  • NDA and data processing agreement (GDPR Art. 28) standard

Real finding

At a healthcare organisation, Resync discovered an IDOR vulnerability in the patient portal: by simply changing the ID in the URL, it was possible to retrieve another patient's records. Demonstrably resolved before the production release — preventing a data breach potentially affecting tens of thousands of individuals.
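The finding above, and the IDOR risks listed under scope for patient portals and appointment systems, all come down to one missing control: the endpoint authenticates the caller but never checks that the requested object belongs to them. The following is an added illustration, not Resync's code and not taken from any real portal, of a "get patient record" handler in the vulnerable form and in a hardened form that enforces object-level authorisation (a patient may read only their own records; a staff member only records of patients within a treatment relationship). The users, records, `TREATMENT_RELATIONSHIPS` table and `AUDIT_LOG` are constructed sample data and assumed names.

```python
# Added example (not Resync's code, not from any real patient portal): object-level
# authorisation for a "get patient record" endpoint, in the vulnerable form the
# "Real finding" describes and a hardened form. All users, records and the
# treatment-relationship table below are constructed sample data.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class User:
    user_id: str
    role: str                          # "patient" or "clinician"
    patient_id: Optional[str] = None   # set for patient accounts only


@dataclass(frozen=True)
class Record:
    record_id: int
    patient_id: str
    content: str


class NotFound(Exception):
    """Raised for missing records and for records the caller may not see."""


# Constructed sample store: sequential IDs, as in many portals.
RECORDS = {
    1001: Record(1001, "pat-A", "consult note for patient A"),
    1002: Record(1002, "pat-B", "lab result for patient B"),
}

# Constructed treatment relationships: (clinician user_id, patient_id).
# Staff may only open records of patients they are actually treating.
TREATMENT_RELATIONSHIPS = {("clin-1", "pat-A")}

# Denied attempts are recorded here; a SOC can alert on one session
# touching many different record IDs in a short window.
AUDIT_LOG: list = []


def get_record_vulnerable(caller: User, record_id: int) -> str:
    """Vulnerable: the caller is authenticated (assumed done upstream) but the
    handler never checks that the record belongs to them, so any logged-in
    user can read any record by changing the ID in the URL (an IDOR)."""
    rec = RECORDS.get(record_id)
    if rec is None:
        raise NotFound(record_id)
    return rec.content


def is_authorised(caller: User, rec: Record) -> bool:
    """Object-level check: the record must belong to the calling patient, or
    the calling clinician must have a treatment relationship with its patient."""
    if caller.role == "patient":
        return caller.patient_id == rec.patient_id
    if caller.role == "clinician":
        return (caller.user_id, rec.patient_id) in TREATMENT_RELATIONSHIPS
    return False  # deny by default for any other role


def get_record_hardened(caller: User, record_id: int) -> str:
    """Hardened: look the record up, then authorise it against the caller.
    Missing and forbidden records raise the same NotFound, so the endpoint
    does not confirm to a caller which IDs exist."""
    rec = RECORDS.get(record_id)
    if rec is None or not is_authorised(caller, rec):
        AUDIT_LOG.append({"user": caller.user_id, "record_id": record_id, "result": "denied"})
        raise NotFound(record_id)
    return rec.content


def can_read(handler, caller: User, record_id: int) -> bool:
    """Probe helper: True if the handler returned content, False if it denied."""
    try:
        handler(caller, record_id)
        return True
    except NotFound:
        return False


if __name__ == "__main__":
    patient_b = User("user-B", "patient", patient_id="pat-B")
    # Patient B requests patient A's record (ID 1001) by editing the URL.
    print("vulnerable:", can_read(get_record_vulnerable, patient_b, 1001))  # True: leak
    print("hardened:  ", can_read(get_record_hardened, patient_b, 1001))    # False
    print("denied attempts logged:", len(AUDIT_LOG))
```

Two design points matter for a retest: the authorisation decision is made on the server against the caller's identity and the record's owner, never on the ID being hard to guess, and unauthorised and non-existent IDs are indistinguishable to the caller while still being logged separately server-side, which is what gives a SOC something to detect an enumeration attempt with.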

Frequently asked questions

Questions from healthcare organisations.

What exactly is a NEN 7510 penetration test?

NEN 7510 requires demonstrable technical security measures. A penetration test is the standard evidence that those measures actually work — verified by an independent OSCP-certified specialist. The report is usable in NEN 7510 audits and for IGJ supervision.

Do you test in production or acceptance?

Standard in acceptance with synthetic data. If production is necessary (for example because acceptance is not representative), strict rules are agreed in advance. No exfiltration, no DoS, escalation line open. This is explicitly agreed per engagement.

How does this relate to an external IT provider or vendor?

An IT vendor manages systems; Resync tests them as an attacker would. Both roles are needed and complementary. The pentest validates your vendors' work and provides independent evidence to regulators. Many healthcare organisations engage Resync precisely because we operate outside the existing IT supply chain.

Is a data processing agreement signed?

Yes, standard. NDA and a data processing agreement (GDPR Art. 28) are signed before the engagement begins. All findings and any data fragments are demonstrably destroyed after completion.

Demonstrable security for your healthcare organisation.

One conversation about scope, NEN 7510 context and planning. Fixed-price quote within one business day, free intake.
