The Nigerian Health Sector
What’s a healthcare facility without an administrative office with thousands of “red light, green light” files? How about the little card to identify yourself as a member of the facility? Of course, the little card grants you access to your files – This points to the paper-based system of record keeping mostly in use in Nigeria. Health record is top-tier private information that requires a lot of care like a doctor would treat a patient. Statistics have shown that a large percentage of public healthcare systems in Nigeria employ the use of paper-based systems to manage health records.
How Information is Currently Handled in the Healthcare System
How is information handled in the healthcare system? The answer is hinged on the system of managing information. The paper-based system is what is common in Nigeria’s healthcare system and it has several flaws which spell out how health information as an asset to the healthcare facility is being handled. Ever heard of:
Missing files in the hospital?
Doctors spending hours in search of a patient’s files?
Paper not properly tagged to files falling off.
or have you seen that big logbook in the reception with torn pages?
Without a doubt, the answers to these questions are yes and this gives us an insight on how information is handled in the healthcare system which is currently not a commendable one as there is no regard to information management and information security.
Health record includes information like your demographic information, health conditions, laboratory reports, drug prescriptions, and billing information. That’s a lot of personal health information in one file lying on a shelf.
Let’s do a deep dive into this.
Paper-Based Medical Records
Paper-based medical records are health records which are physically documented on paper and stored in a facility to be retrieved when needed. This is as opposed to the Electronic Health Record (EHR) system which has health records stored on a database or technology devices.
How the files are stored, the process that goes into accessing these files, and the individuals that can access the files are factors that define how information should be handled in the healthcare system.
The medical errors that stem from the use of paper-based records is also a subject of concern. It is said that there’s a 42.8% chance for you to be a victim of medical errors every time you use a healthcare system with paper-based records. In addition to all these flaws, there are limitations imposed using paper-based records.
In cases where paper-based records do not serve the purpose, the EHR remove this limitation. For instance, the transfer of a patient’s health information from one health facility to another or from one medical personnel to another in a referral system where geographical location is a barrier comes easy with the use of EHR. However, this system has not been fully embraced in Nigeria. The partial embrace is a result of the intervention of health tech start-ups like Helium health among others, whose goal is to bring an end to the use of paper in the health records system.
For the time being, we can define the handling of information in the Nigeria healthcare system based on the most used system of information management – The paper-based or analogue based information system management
While it is evident that the handling of information in the healthcare system is highly flawed. The question is.
What is the way forward?
What solution do we have?
What can we do better?
The concept of information security, its importance in the healthcare system, and a case study on what is going on in Nigeria will give us some answers to the questions above.
What is Information Security and its Importance in the Health Sector?
The word security in Information security has probably given you an idea of what it means. Let’s put a pause on assumptions for now.
What is Information Security?
According to Wikipedia, Information Security is defined as the process that protects the unauthorized/inappropriate access to data, or the unlawful use, disclosure, disruption, deletion, corruption, modification, inspection, recording, or devaluation of information. These are risk that information in all its forms, either digital or physical, must be protected against.
Information Security has three basic principles called the CIA Triad. CIA stands for, Confidentiality, Integrity, and Availability. These concepts when explained give a basic ground on what is needed to be done in information security.
- Confidentiality: This refers to the protection of information against unauthorized access. Confidentiality is breached when an unauthorized individual gains access to information, either digital or physical. For instance, the health status of a patient is confidential as only required/authorised people should have access to them. If it gets into the wrong person’s hand, it could cause damage to the patient.
- Integrity: Information that is not subject to unauthorized modification has integrity. Such information is reliable, accurate, and correct. In information security, the principle of integrity ensures data is not tampered with.
- Availability: The usability of information depends on its availability. Information is useful only when it is available for use. Information as an asset to an organization is only valuable when it is available to use. Hence, information security seeks to ensure that the availability of information is preserved.
In general, the end goal is to ensure the protection of information to mitigate cyber risks. Controls are put in place to protect information.E.g., access controls, technical controls, and administrative controls are all in a bid to secure information.
The need for information security cuts across every organization that employs the use of information. You can agree with me that no organization does not have a collection of information they are accountable for, at the very least, the database of employees or information about the organization. In this case, health information of individuals among others.
The Importance of Information Security in Healthcare.
The quality of health information, they say, determines the quality of healthcare service delivered. Medical errors from flawed health records can be minimised if Information security is not taken with levity.
A healthcare record system is a dump of several kinds of information varying from health information, personal information, and demographic information of patients. Information security would go a long way to benefit both the paper-based system and electronic record system.
Healthcare information is “a matter of life and death” and information security will help to mitigate risks that could make this information unavailable, lose its integrity, or an unauthorized person accessing them.
Health Information is now a target for malicious actors. Hence, the need to take information security precautions. According to the HIPAA journal, there was a 30.2% increase in the US health data breach in April 2022. Below is a figure that shows health data breaches over the past 12 months in the US.
There has also been some report of data breach which impacted health information of about 80,000 Nigerians as well.
“I will respect the privacy of my patients, for their problems are not disclosed to me that the world may know”, a line of the Hippocratic oaths that doctors take when inducted into the profession states -this points out the confidentiality of health information.
When health information is not accessible to just anyone, the risk of modification is reduced. Drug prescription dosage can be tampered with by attackers if information security is taken with laxity. An act like this can pose great health risks to patient. .
The physical security of these records also matters as the storage area of the records should not be publicly accessible but limited to appropriate staff and secured with locks when not in use. In Nigeria, the health care sector is not well funded, and a breach that would cost more money is only going to collapse that system.
According to IBM Security, the average cost of a health data breach is $9.23 Million in 2021. Putting enough controls in place and educating healthcare workers on the need for information security would go a long way to mitigate the impact of this risk.
Information security is important in ensuring that health data is of utmost quality as the care to be delivered to patients.
Health information is personal, and its breach can be embarrassing or life-threatening. Information security should hence be baked into any healthcare facility to protect the healthcare system. Regardless of where these information are stored, the confidentiality , integrity and availability of data is key.
The Nigeria Case Study: A Dive on the current Happenings in the Health Sector – Health Information Collection, Storage, and Security Risks.
A common quote states that “Information is the lifeblood of healthcare”.
Truly, every organization thrives on information. and there is no exception to the healthcare sector. Among others, health research is impossible without health information as it is the primary source of medical statistics and clinic materials.
In Nigeria, the ministry of health provides health care services in a three-tier system; primary health care (health centres, extended health centres), secondary health care (regional referral hospitals), and tertiary health care (referral teaching hospitals, and a university hospital). While the ministry of health’s provision is tagged as the public healthcare system, there are privately owned healthcare systems in Nigeria.
All these facilities have the medical records department in charge of organizing health information data by ensuring its quality, accuracy, accessibility, and security in both paper and electronic systems.
Long waiting times in medical centres, misfiling of records, delay in decision making, and medical errors are the order of the day in Nigerian healthcare facilities because of the lag in the Health Information Management (HIM) System. Management of health records is often overlooked. HIM officers do not have enough formal education to ensure health records are properly cared for. Some basic issues ;
- A standard policy guiding the management of health information is also not in place.
- The procedure of storage, archival, and destruction of health records is not properly spelled out in Nigeria.
- There’s no specific period for the retention of medical records as it varies from state to state depending on the management board. These variances are the cause of the irregularities in the Health Information Management System.
Therefore, in Nigeria, paper-based health records pose security risks e.g the absence of medical record backups in the event of a disaster (such as a fire outbreak) would put the health facility and the patients at risk. Preservation challenges also come to play with paper records as various damages can affect them. Aging documents that become weak and break off, decolorization of inks on paper, stains from dust, and fluids within the hospital are threats to the preservation of health records.
In Delta, a survey was carried out on the threats to medical records in health facilities. The following statistics were generated:
- Rodents and pests 70%,
- Sunlight exposure 40%,
- Raindrops 67%,
- Heat 68%,
- Fiber 34%,
- Loss 66%,
- Tampering 78%,
- Theft 44%,
- Flood 20%,
- Physical damage 89%,
- Lack of skilled staff 90%,
- Dust 90%,
- Wear and tear 90% and,
- Misplacement 76%.
In conclusion, with the above statistics, it is evident that good record management practice needs to be cultivated in Nigeria’s health care system irrespective of the format of health records, either paper-based or electronic health records and information security principle should be a core of this process.
Following the flaws, threats, and risks to the health-record system in Nigeria, the following recommendations can help to improve the effective management , security and preservation of health records in Nigeria.
- Information security best practices should be a core component of the Health Information Management System: Information security and its importance should be core in the health information management system courses in Nigeria. This is to ensure that individuals who will be responsible for managing the information of patients understand the importance of security and it is integrated as part of the health information management process
- Qualified individuals should oversee the management of records in healthcare facilities: Graduates of Health Information Management are the most qualified to perform this role. With adequate information on the pros and cons of health information, they can discharge their duties better. The Association of Health Records and Health Information should regulate the recruitment of these officials.
- Define Health Information Management Policies: A comprehensive policy that guides the management of medical records should be created with information security as its core. Documented and well-publicized procedures on medical record management are also needed to ensure synchronization of good medical record management across board.
- Training health officials on Health Information Management: Beyond proper handling of the scalpel, syringe, and needle, Doctors, Nurses, Pharmacists, and every medical office in an operating health facility must be educated on information security and its effect on health information management. Confidentiality, integrity, and availability should be the watchword of these officials as medical records should be handled with care. They should also be exposed to the pros and cons of adhering to good health information management with security in mind.
- Adoption of Electronic Health Records: With the advancement in technology, it is important that Nigeria’s health sector adopts electronic health records. Going by the flaws and the risks the paper records pose, EHR seems to be a way forward. Enacting laws that mandate the use of EHR and providing resources to support this is a way by which the government can spearhead a change in the healthcare system. With several benefits, the EHR can refine the approach to health Information Management in Nigeria. Here is a practical explanation of the current happenings in health facilities in Nigeria, with an admonition to embrace EHR. In addition, advancing from the traditional approach to the management of healthcare information mitigates the risks health information in Nigeria is currently posed with. While it is acknowledged that with EHR, cyber risks are more prominent, we need to build a better health information system which prioritizes confidentiality, integrity, and availability of information.
Ibukunoluwa Morountonu, is a medical student and a cybersecurity fellow with interest in Governance, Risk Management and Compliance.
Simbiat Sadiq is an Information security professional.