"The test showing to what extent your digital solution complies with the regulatory framework"


Compliance Healthcheck


The legislative and regulatory framework is often extensive and complex, and it results in a multitude of security, privacy and compliance requirements. Your insight into vulnerabilities and shortcomings, combined with your ability to act upon them, is crucial to handling patient data responsibly. Continuously improving the process is necessary both from an organizational learning perspective and because legislation enforces it.

Deloitte has developed several assessments to provide you with insight into how your organization complies with the regulatory frameworks, such as:

  • Quickscan
  • GAP Assessment
  • Maturity Scan
  • Awareness tests, such as phishing, password cracking, social engineering
  • A Privacy Impact Assessment (PIA)
  • Security tests on IT infrastructures, all types of (web) applications, medical mobile apps, medical devices and wearables, health-care housing (buildings).

A report from an assessment shows on which aspects your digital health care solutions can be improved. In addition, taking legislation and regulations seriously builds trust among internal and external stakeholders.

Many of our customers make use of our Hacking as a Service subscription modules. The vulnerabilities that your digital healthcare solution has to deal with are constantly changing. Performing a security test on your online environment on a periodic basis, for example at an interval of 6 months, can be the solution. The test results provide you with insight into the vulnerabilities and points for improvement within your digital healthcare solution.

IT Audits/Assurance Statements

Organizations in the health-care domain are becoming more networked. While this trend makes them more dependent on each other, responsibility tends to diffuse. Hence, the need to comply with legislation and regulations, and thus to handle patient data responsibly, is becoming even greater.

As a prerequisite for wider exchange of patient data, organizations should be able to trust each other's careful handling of patient data. Having adequate measures implemented, and being able to demonstrate it, is crucial to enhancing the adoption of decentralized trust. Deloitte performs IT audits or issues assurance statements to prove that certain standards are met. Common reporting standards include:

  • ISAE3402 or SSAE16
  • Guideline 3000 of NOREA
  • SOC 1, 2 and 3.

An assurance statement can also be part of contractual arrangements. These allow organizations to obtain or provide assurance on the quality of the services each year, ratifying the trust through an independent Deloitte opinion.