Privacy and Security for HealthTech in Nigeria
HealthTech in Nigeria is nascent and growing compared with Fintech, but the space is attracting increasing investment and innovation. That growth can create life-saving solutions, ease access to healthcare services, and open up new treatment options. The innovation, however, is driven by personal data, and the continued use of that data remains critical to creating life-saving solutions; aggregating these benefits could drive the growth and overall improvement of healthcare. The proliferation and advancement of technology have increased the generation, collection, processing, storage and sharing of health data, including genetic and clinical data.
The growth of HealthTech in Nigeria without adequate security and privacy increases the risk to patient safety in the event of a data breach. Cyber-attacks can disrupt healthcare personnel's ability to provide services; they can result in the theft or misuse of health data for blackmail or commodification; and they can allow attackers to manipulate patients' records, leading to treatments that are inappropriate for those patients and to serious complications. Consequently, it is imperative to ensure the privacy and security of the data.
The Nigerian Picture
TechCabal's State of Health Tech in Nigeria report chronicled 75 active health-tech startups. The NHIS website lists 52 Health Management Organisations. The picture also includes health facilities digitising health records, and health data held by employers, medical laboratories and research centres. Helium Health, founded in 2015, is one of the HealthTech players in Nigeria; it helps medical institutions store patient information electronically. “The hope is that digitisation would help hospitals manage their records, which would be vital to facilitating information sharing between hospitals, a necessary step in preventing outbreaks.” Ubenwa “analyses the frequency patterns in the cry of a new born baby in order to quickly diagnose birth asphyxia.”
According to Stears Business, another area that health-techs have penetrated is telemedicine. There are only about 23,000 hospitals in Nigeria. The World Health Organisation (WHO) recommends that a country has one doctor for every 600 patients; Nigeria has one doctor to 4,000 patients. Doctors are supposed to see at most 20 patients a day, but in Nigeria they see up to 150. Start-ups like Mobidoc and Hudibia are electronically connecting patients to doctors. “User records on the app can also be securely transferred to another healthcare provider if the need for it ever comes up.” As technology evolves, HealthTech in Nigeria will continue to grow and new players will spring up. The innovation will be driven by users' personal data, and there will be challenges regarding privacy and security. These concerns arise from the many flows of data across the healthcare system, between and among providers, payers and secondary users, with or without the patient's knowledge.
“An unlawful disclosure, illicit access or misuse of health records could reveal intimate and embarrassing details about patients that could result in infringements of individuals' rights to privacy (intrusion), commodification of health data, blackmail and other social discrimination, which weakens the fabric of trust between healthcare providers and users.” There was a recent exposure of the data of about 80,000 Nigerians who participated in the national HIV survey in 2018. As the threat landscape expands, so do the threat actors. It is not just the monetary value of records from a breach that we should be worried about; it is the fact that people's health might be at risk. In fact, the importance of privacy and security in healthcare has never been more pronounced. Now more than ever, medical organisations must be vigilant in establishing safeguards against online threats, which is why it is imperative to have a solid understanding of the risks and the protections available.
Privacy and Security Landscape
Health data is considered a special category of data that requires adequate protection and is usually specifically protected by law. According to Reuters, health data is increasingly more desirable than financial data: “health data, unlike financial data that becomes worthless after the victim discovers the fraud, has a longer shelf life for exploitation”. Privacy and security of both electronic and paper health data is an essential thread in the healthcare fabric. According to PwC's Health Research Institute 2018 annual report, “there is 525 percent increase in medical device cyber security vulnerabilities reported by the government.” According to Deloitte's 2018 Global health care outlook report, “globally, the average total cost of a healthcare data breach to an organization reached USD $3.62 million per incident in 2017.”
State of the Legal Framework
Privacy and security are regulated by several pieces of legislation. The National Health Act is the principal legislation, supported by the Nigeria Data Protection Regulation and the Cybercrimes Act. These laws create privacy and security obligations for service providers. Other supporting laws, such as the HIV and AIDS (Anti-Discrimination) Act 2014, the Freedom of Information Act and the National Health Insurance Scheme Act, create a duty of confidentiality on players.
Recommendations on Improving Privacy and Security in Health Tech
- Privacy by design and default: Entities should consider privacy and security at the design stage of a product rather than as an afterthought.
- Records of processing: It is important to keep records of processing activities to show evidence of compliance and accountability. Such records also map data flows and the legal basis for processing the data.
- Retention policy and schedule: Storage limitation is a principle of data protection. Entities should create a data retention schedule in line with their retention policy, taking account of existing legal provisions on data retention. For example, the Medical Laboratory Science Council of Nigeria has a Guideline on Documents and Record Retention that sets out schedules for different health records.
- Framework for reporting breaches and notifying users: There is a legal requirement to report breaches and notify the supervisory authority. The entity should have an incident response plan and a breach notification procedure.
- Appoint a Data Protection Officer: Health data is special category data that must be protected adequately. An entity should appoint a DPO to assist with its compliance and accountability obligations. Where it cannot appoint one in-house, it may consider outsourcing the role to a competent individual or entity.
- Training: According to Deloitte's 2018 Global health care outlook report, “many employees at hospitals, health plans, life sciences companies, and governments lack awareness of and training to manage financial, operational, compliance, and cyber risks.” Similarly, according to Verizon's 2018 Protected Health Information Data Breach Report, 58% of all healthcare breaches are initiated by insiders. Organisations need to train their staff regularly on privacy and security procedures.
- Plan for the unexpected: Files should be backed up regularly for quick and easy data restoration. Organisations should, where possible, store the backed-up information away from the main system.
- Maintain good computer habits: New employee onboarding should include training on best practices for computer use, including software and operating system maintenance.
- Device security: Medical devices provide the data medical professionals need to make the right diagnostic decisions. Tampering with medical data may cause a wrong diagnosis, and the integrity of the data will be lost. Where possible, keep data on internal applications and servers rather than external applications, to limit exposure to the outside world.
- Encryption: Encryption can help protect data you send, receive and store using a device. It is the process that scrambles readable text so that it can only be read by the person who has the secret code, or decryption key. It helps provide data security for sensitive information.
- Control access to protected health information: Access to protected information should be granted to only those who need to view or use the data.
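The encryption and access-control recommendations above are easiest to see together in code. The following Go program is an added example, not code from the article or from any of the companies it mentions. It uses only the Go standard library: each patient record is sealed at rest with AES-256-GCM, the patient identifier is bound to the ciphertext as additional authenticated data (so a record copied into another patient's file, or a ciphertext that has been tampered with, fails the integrity check rather than decrypting to a wrong value), and decryption is only attempted after a need-to-view check. The `Principal`, `Role`, `SealRecord` and `OpenRecord` names, the role model and the sample record are all constructed for this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Role of the principal requesting access (hypothetical model for this example).
type Role int

const (
	RoleClinician Role = iota
	RoleBilling
	RoleResearcher
)

// Principal is a user of the system: a role plus the patients assigned to them.
type Principal struct {
	Name     string
	Role     Role
	Patients map[string]bool
}

// SealedRecord is a health record as stored at rest: only ciphertext and metadata.
type SealedRecord struct {
	PatientID  string
	Nonce      []byte
	Ciphertext []byte // AES-GCM output with the authentication tag appended
}

// newAEAD builds an AES-256-GCM cipher from a 32-byte key.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealRecord encrypts plaintext for patientID. The patient ID is passed as
// additional authenticated data, so the ciphertext is bound to that patient:
// attaching it to a different patient's file fails authentication on open.
func SealRecord(key []byte, patientID string, plaintext []byte) (*SealedRecord, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // fresh random nonce for every record
		return nil, err
	}
	ct := aead.Seal(nil, nonce, plaintext, []byte(patientID))
	return &SealedRecord{PatientID: patientID, Nonce: nonce, Ciphertext: ct}, nil
}

// mayView is the "only those who need to view" rule: a clinician may read the
// records of patients assigned to them; no other role sees raw records.
func mayView(p Principal, patientID string) bool {
	return p.Role == RoleClinician && p.Patients[patientID]
}

// OpenRecord decrypts a record only after the access check passes. Any change
// to the ciphertext, nonce or patient ID makes GCM's tag verification fail.
func OpenRecord(key []byte, p Principal, rec *SealedRecord) ([]byte, error) {
	if !mayView(p, rec.PatientID) {
		return nil, fmt.Errorf("access denied: %s may not view patient %s", p.Name, rec.PatientID)
	}
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, rec.Nonce, rec.Ciphertext, []byte(rec.PatientID))
	if err != nil {
		return nil, errors.New("record integrity check failed: " + err.Error())
	}
	return pt, nil
}

func main() {
	key := make([]byte, 32) // in production this key comes from a KMS or HSM, not from the process
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	// Constructed sample record; not real patient data.
	rec, _ := SealRecord(key, "PT-0001", []byte("blood group: O+; allergy: penicillin"))
	doctor := Principal{Name: "Dr. A", Role: RoleClinician, Patients: map[string]bool{"PT-0001": true}}
	clerk := Principal{Name: "Billing B", Role: RoleBilling}

	pt, err := OpenRecord(key, doctor, rec)
	fmt.Println(string(pt), err) // assigned clinician: plaintext, no error
	_, err = OpenRecord(key, clerk, rec)
	fmt.Println(err) // billing role: access denied before any decryption
	rec.Ciphertext[0] ^= 0x01 // simulate tampering with the stored record
	_, err = OpenRecord(key, doctor, rec)
	fmt.Println(err) // integrity check failed
}
```

Two design points matter for the recommendations above. The access check runs before any cryptographic operation, so an unauthorised request never touches the key or the plaintext, and a denied request is cheap to log. Binding the patient ID as associated data addresses the record-manipulation risk the article raises: an attacker who can reach the storage layer but not the key cannot silently rewrite a record or move one patient's results under another patient's name; the tampering surfaces as a decryption failure that an incident response procedure can act on. Key management (rotation, storage in a KMS or HSM, and separation of keys from the database) is outside this example and is where most real deployments succeed or fail.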
Regardless of the business model, a HealthTech player will most likely process users' personal data, whether for itself or on behalf of another business. Adequate privacy and security should therefore be treated as integral to the continued existence of the business, and this only grows in importance as businesses scale and seek global competitive advantage.
Ridwan Oloyede leads the data protection and privacy team at Tech Hive Advisory.
Simbiat Ozioma Sadiq is a cybersecurity analyst and a cybersecurity blogger.