Why healthcare institutions are extra vulnerable
Healthcare data behaves differently from regular office files
Imagine: it is Tuesday morning. A nurse tries to open the EHR system and gets an error message. The GP wants to view a patient file — impossible. The day treatment schedule is on an encrypted system. Care continues, but without the information healthcare providers need. Healthcare institutions are the most frequently targeted organisations in the Netherlands when it comes to ransomware. An EHR record is not a standalone file but a database with internal references. Restoring one table without the rest makes the record unusable. Continuity is not optional: in healthcare, downtime can mean medication is not administered or wrong decisions are made.
- Healthcare institutions
- EHR backup
- NEN 7510
The misconception that costs many institutions dearly
The EHR supplier does not fully handle your backup
"Our EHR supplier takes care of the backup." We hear this often. And in most cases it is not correct. The supplier ensures the availability of their application, but in most contracts the responsibility for backing up the underlying data lies with the healthcare institution itself. Check your data processing agreement: it should state exactly what the supplier backs up, how often, how long copies are kept and whether you can obtain a restorable copy yourself. A proper NEN 7510-compliant backup requires that you, as an institution, can demonstrably control where data is stored, how long it is retained and how you retrieve it.
The EHR supplier does not protect you against ransomware. A proper backup does.
What do I need to back up if I use an EHR system?
The data healthcare institutions most often overlook
Healthcare institutions often assume their EHR supplier handles everything, but the underlying data is your responsibility. An EHR system stores data in a relational database, not as individual files. You need to back up the full database at a consistent point in time, using a database-level backup (a dump or snapshot made through the database engine), not a copy of the data files taken while the system is running, which can capture tables in different states. Critical data to include: the full EHR database including all patient records and treatment history, scheduling and planning systems, scanned documents and diagnostic images, medication administration records, and financial and billing administration. Ask your EHR supplier explicitly what their backup covers, and get it confirmed in writing in your data processing agreement.
- Healthcare
- EHR system
- Patient records
What a proper backup actually does
The 3-2-1 rule as the baseline standard
The widely accepted standard is the 3-2-1 rule: 3 copies of your data on 2 different storage media with 1 copy kept off-site and, in the variant used here, fully isolated from the production network. For a healthcare institution: a daily backup of all systems including the EHR database for fast recovery, a weekly full backup physically separated, and a cloud backup with immutable storage for ransomware protection. An immutable backup cannot be modified or deleted after writing, not even by someone with administrator rights; this is enforced by the storage layer (object lock or WORM storage) for a fixed retention period, so set that period longer than the time an intrusion can go unnoticed. If ransomware strikes on Wednesday you can restore to the last clean copy, for instance Monday's or Tuesday's backup.
How do healthcare institutions protect themselves against ransomware?
Isolated, immutable and tested — the three requirements
Healthcare institutions are the most targeted sector in the Netherlands for ransomware, because downtime directly affects patient safety and the pressure to pay is high. Three properties make a backup ransomware-proof. First, isolated: the backup environment must be unreachable from your main network, and credentials used in production must not be able to read, overwrite or delete the backups, since attackers typically go after the backups before encrypting anything. Second, immutable: once written, the backup cannot be changed or deleted for its retention period, not even by an administrator with full rights. Third, tested: NEN 7510 requires that backups are tested regularly; quarterly restoration tests are the cadence recommended here. Test by restoring a patient record or scheduling file to a separate environment and verifying completeness and readability. Document every test (date, what was restored, how long it took, what was found): the IGJ may ask for proof.
How do I create a backup if I use an EHR system?
Step-by-step: connecting a backup solution to your EHR
Creating a proper backup of an EHR system requires more than pointing a backup tool at a folder. Follow these steps:
- Ask your EHR supplier for the database connection details and confirm they support external backup access. If the EHR is delivered as a service and direct database access is not possible, ask for a consistent, restorable export instead and confirm how often you can obtain it.
- Choose a backup solution that supports database-level backup, not just file-level, so that every table is captured at the same point in time.
- Configure daily incremental backups and weekly full backups. For a database, "incremental" means the engine's own transaction-log or differential backup, not a file-level diff of the data directory.
- Ensure the backup destination is located on Dutch soil and fully isolated from your production environment, with its own credentials and immutable storage.
- Test the restore process quarterly by recovering the database to a test environment and verifying that patient records are complete and readable: check that the database opens, that references between tables are intact and that a record can be read the way a care provider would read it.
- Document everything. Under NEN 7510 you must be able to demonstrate your backup process at any time.
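The steps above, and the quarterly restore test described later on this page, in working code. This is an added example and not code from the page or from any EHR supplier: it uses a small SQLite database as a stand-in for an EHR database (the table names `patients` and `treatments` and all rows are constructed), takes a database-level backup through SQLite's online backup API, records the backup's SHA-256, and then performs a restore test into a separate location that checks the hash, the database's integrity, the references between tables and the readability of one complete record. The `tamper` option alters one byte of the backup to show the test refusing a backup that no longer matches its recorded hash.

```python
# Added example, not taken from the page or any EHR supplier: a database-level
# backup of a constructed SQLite stand-in for an EHR database, followed by the
# kind of restore test the page asks for. Table names and rows are made up.
import hashlib
import shutil
import sqlite3
import tempfile
from pathlib import Path


def build_sample_ehr(db_path: Path) -> None:
    """Create a constructed two-table 'EHR' with a foreign key between them."""
    con = sqlite3.connect(db_path)
    con.execute("PRAGMA foreign_keys = ON")
    con.executescript("""
        CREATE TABLE patients (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
        CREATE TABLE treatments (
            id INTEGER PRIMARY KEY,
            patient_id INTEGER NOT NULL REFERENCES patients(id),
            note TEXT NOT NULL
        );
        INSERT INTO patients VALUES (1, 'Patient A'), (2, 'Patient B');
        INSERT INTO treatments VALUES
            (10, 1, 'Intake'), (11, 1, 'Follow-up'), (12, 2, 'Intake');
    """)
    con.commit()
    con.close()


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_database(src_path: Path, dest_path: Path) -> str:
    """Database-level backup: SQLite's online backup API copies a transactionally
    consistent snapshot of every table at one point in time, unlike a plain file
    copy taken while the database is being written. Returns the backup's SHA-256,
    which is stored with the backup and rechecked before any restore."""
    src = sqlite3.connect(src_path)
    dst = sqlite3.connect(dest_path)
    with dst:
        src.backup(dst)
    dst.close()
    src.close()
    return sha256_file(dest_path)


def verify_restore(backup_path: Path, expected_sha256: str, restore_path: Path) -> dict:
    """Restore test: copy the backup into a separate test location, confirm the
    file is unchanged, open it read-only and check that the database is intact,
    internally consistent and that patient records are actually readable."""
    report = {"hash_matches": sha256_file(backup_path) == expected_sha256}
    if not report["hash_matches"]:
        return report  # never restore a backup that no longer matches its recorded hash
    shutil.copyfile(backup_path, restore_path)
    con = sqlite3.connect(f"file:{restore_path.resolve().as_posix()}?mode=ro", uri=True)
    report["integrity"] = con.execute("PRAGMA integrity_check").fetchone()[0]
    # Rows returned here are treatments whose patient row is missing: the
    # 'one table without the rest' situation the page warns about.
    report["orphan_treatments"] = len(con.execute("PRAGMA foreign_key_check").fetchall())
    report["patients"] = con.execute("SELECT COUNT(*) FROM patients").fetchone()[0]
    report["treatments"] = con.execute("SELECT COUNT(*) FROM treatments").fetchone()[0]
    # Read one complete record, joined across tables, as a care provider would.
    report["sample_record"] = con.execute(
        "SELECT p.name, t.note FROM treatments t JOIN patients p ON p.id = t.patient_id "
        "WHERE t.id = 11"
    ).fetchone()
    con.close()
    return report


def run_demo(tamper: bool = False) -> dict:
    """Build, back up and restore-test in a temp dir. With tamper=True one byte
    of the backup is altered first, to show the hash check refusing the restore."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        build_sample_ehr(tmp / "ehr.db")
        digest = backup_database(tmp / "ehr.db", tmp / "ehr-backup.db")
        if tamper:
            data = bytearray((tmp / "ehr-backup.db").read_bytes())
            data[100] ^= 0xFF
            (tmp / "ehr-backup.db").write_bytes(data)
        return verify_restore(tmp / "ehr-backup.db", digest, tmp / "restore-test.db")


if __name__ == "__main__":
    print(run_demo())
    print(run_demo(tamper=True))
```

The report returned by `run_demo()` is the kind of evidence to keep with each quarterly test: hash verified, integrity "ok", zero orphaned treatments, expected row counts and a readable joined record. A real EHR runs on a server database rather than SQLite, so the backup call changes (the engine's own consistent dump or snapshot), but the checks on the restored copy stay the same.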
NEN 7510 and GDPR: what this means in practice
Compliance requirements for healthcare institutions
Healthcare institutions fall under NEN 7510, the Dutch standard for information security in healthcare, and, as processors of health data, under the GDPR. The IGJ can request proof of your information security policy in the event of an incident. You must be able to demonstrate that backups are made and tested regularly, that data stays within the EU, and who has access to it. In practice this means: active patient records backed up daily with 90 days of version history, closed records retained for 20 years after the last treatment (WGBO), and financial administration retained for at least 7 years.
A backup is for fast recovery. An archive is for long-term retention. Both are required — and they are separate systems.
- NEN 7510
- ISO 27001
- WGBO 20 years
Five steps to get this sorted
Even without a large IT department
Map your systems
Which systems contain patient data? EHR, scheduling system, email, medical equipment. Ask each supplier who is responsible for the backup.
Define your RPO and RTO
The EHR requires a different recovery time than your email archive. Determine what is acceptable per system.
Choose a NEN 7510-certified provider
Verify that the provider is demonstrably certified (ask for the certificate and check that its scope covers the backup service) and stores data on Dutch soil. They must be able to provide a data processing agreement.
Test your backup every quarter
A backup you have never tested is not a backup. Restore a test environment every quarter and verify that records are intact and readable.
Document the recovery process
Who does what when things go wrong? Who calls the supplier? This document must be available offline.
Your questions answered
Frequently asked questions from healthcare institutions
Does my EHR supplier take care of the backup?
It depends on the contract, but in most cases only partially. The responsibility for an independent, controllable backup lies with the healthcare institution itself. Check your data processing agreement.
How long must I keep patient records?
Under the WGBO a retention period of 20 years applies after the last treatment. Backup and archiving are two separate systems: make sure both are in order.
Can I store my backup with a US cloud provider?
No. The US CLOUD Act allows American authorities to compel providers under US jurisdiction to hand over data regardless of where it is physically stored, so a European data centre of a US provider does not remove that exposure. Storage on Dutch soil with a provider that is not subject to US jurisdiction is the most watertight choice.