Protecting Health Information in Nigeria: Lessons From Nigeria HIV/AIDS Indicator And Impact Survey (NAIIS) Data Breach
Table of Contents
- 1 Introduction
- 2 The Unsecured Database
- 3 Understanding the Risk
- 4 Obligation in Research and Survey
- 5 Any Risk With the Use of De-identified Data?
- 6 What Does the Law Say?
- 7 Recommendations
- 8 About Authors
A recent report described the discovery of a data breach affecting about 80,000 Nigerians who participated in the Nigeria HIV/AIDS Indicator and Impact Survey (NAIIS) in 2018. Wizcase, a cybersecurity firm, “released lists of medical websites across the world whose database servers are insecure”. All the databases were found to be unsecured: no password was needed to access the information, leaving millions of patients and medical staff members exposed. The countries include Saudi Arabia, Brazil, Canada, China, the United States, France and Nigeria. The data breach revealed facility and hospital names; patients’ pregnancy status; laboratory results code and value; patients’ age; HIV validation first test date and time; HIV encounter data; and medical observations of anonymous people taking the survey.
The Unsecured Database
The database, which contained thousands of pieces of sensitive information, had no access control, nor did it require authentication. Access control is the first step in keeping information away from unauthorized access. “The more you limit permission and privilege, the better”. An “Open MongoDB server” was used for the database. A MongoDB server, just like any other server, has to be secured when data is stored on it. The security of any database is paramount.
There have been many MongoDB database breaches. Hackers search for unsecured databases using a search engine such as ZoomEye or Shodan. A simple query could result in thousands of prospective victims in a matter of minutes.
One of the risks of MongoDB is that it is easy to misconfigure, either by using an older version lacking remote access authentication or by running a newer instance that has been poorly secured. According to Naked Security, the public configuration makes it possible for cybercriminals to manage the whole system with full administrative privileges. Once the malware is in place, criminals could remotely access the server resources and even execute code to steal or completely destroy any saved data the server contains. When we give privacy or security advice, we usually talk about confidentiality, authentication, authorization, accounting and integrity. Databases hold sensitive information, and good security practice is important. Good security practice includes:
- Always setting up the database management system (DBMS) to require passwords.
- Encrypting sensitive and confidential data with robust algorithms once it is stored. This makes the data illegible to any person who accesses it without authorization.
- Ensuring that database activities are monitored and recorded. Having a complete history of transactions allows you to understand data access and modification patterns and thus avoid information leaks, control fraudulent changes and detect suspicious activity in real time.
- Avoiding exposure of the production database to the internet. Restricting physical access to your database is an important aspect of security. If it’s not necessary, do not expose your production database to the internet. In case of any compromise, if an attacker cannot physically connect to your MongoDB server, your data is that much more secure.
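The four practices above can be checked mechanically against a MongoDB configuration file. The following is an added example, not code from the article or from MongoDB: both configurations are constructed, the file path is a placeholder, and `security.enableEncryption` and `auditLog` are settings available in MongoDB Enterprise.

```python
# Constructed sample configs (not taken from the breached server); the path is a placeholder.
WEAK = """\
net:
  bindIp: 0.0.0.0
"""
HARDENED = """\
net:
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus one private interface
security:
  authorization: enabled        # clients must authenticate
  enableEncryption: true        # encryption at rest (MongoDB Enterprise)
auditLog:                       # auditing (MongoDB Enterprise)
  destination: file
  path: /var/log/mongodb/audit.json
"""

def flatten(text):
    """Parse the nested 'key: value' subset of YAML used here into dotted keys."""
    stack, out = [], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, key.strip()))
        if value.strip():
            out[".".join(k for _, k in stack)] = value.strip()
    return out

def audit(text):
    """Return one finding per practice from the list that the config does not meet."""
    c, findings = flatten(text), []
    if c.get("security.authorization") != "enabled":
        findings.append("no password required (security.authorization)")
    if c.get("security.enableEncryption") != "true":
        findings.append("data not encrypted at rest (security.enableEncryption)")
    if "auditLog.destination" not in c:
        findings.append("no audit trail (auditLog)")
    binds = c.get("net.bindIp", "127.0.0.1").split(",")  # assumed default: loopback (3.6+)
    if c.get("net.bindIpAll") == "true" or any(b.strip() in ("0.0.0.0", "::") for b in binds):
        findings.append("listens on every interface (net.bindIp)")
    return findings

if __name__ == "__main__":
    print(audit(WEAK), audit(HARDENED))
```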
The unfortunate truth is that no technology can ever be completely safe from attack, as the human component of it will always be open to manipulation and the lack of stringent security measures will always open technologies to risks.
Understanding the Risk
Unauthorised or unlawful disclosure, illicit access or misuse of health records could reveal intimate and embarrassing details about patients that could result in infringements of individuals’ privacy rights (intrusion), commodification of health data for targeted advertisement, health insurance fraud and abuse (by raising premiums for “at-risk patients”), blackmail and other social discrimination, which weakens the fabric of trust between healthcare providers and patients. Broadly, health data are considered a special category of data which requires adequate protection and is usually specifically protected by law. They reveal accurate intrinsic details about an individual’s healthcare treatment and records. The database compromise could have exposed the survey subjects to both privacy and security risks such as “phishing, extortion email campaigns, phone and email fraud, and identity theft”.
Traditionally, there is a professional obligation in medical practice to ensure the confidentiality of a patient’s personal health information, unless consent to release the information is provided by the patient or there is another recognised legal basis. According to Nass S.J. et al., “protecting the security of data in health research is important because health research requires the collection, storage, and use of large amounts of personally identifiable health information, much of which may be sensitive and potentially embarrassing.” Privacy and security breaches in the healthcare sector expose providers to innumerable risks that can cause disruption of services, economic loss, reputational damage, reduced patient confidence, and penalties under regulation. According to Reuters, health data is increasingly more desirable than financial data – “health data, unlike financial data that becomes worthless after the victim discovers the fraud, has a longer shelf life for exploitation”. The record is factual and permanent.
Obligation in Research and Survey
Health data is required for innovation and the development of new treatment options. Consequently, the survey was a good idea that provided incisive insight into the HIV epidemic in Nigeria. However, the compromise exposes the survey subjects. Section 28 of the National Health Act (NHA) 2014 allows a health care provider to access a patient’s health record for the purpose of research, subject to safeguards. Protection of privacy and security of data should not be allowed to stifle life-saving invention that could lead to the growth and overall improvement of healthcare. If the data is identifiable, there is a need for the approval of the healthcare facility; however, where the data is de-identified (not capable of being identified) there is no need for such approval.
Any Risk With the Use of De-identified Data?
The data in the compromised database include “facility and hospital names; patients’ pregnancy status; laboratory results code and value; patients’ age; HIV validation first test date and time; HIV encounter data; medical observations of anonymous people taking the survey”. The health data compromised are reported to be anonymous. The use of de-identified data for research is permissible under the NHA. De-identification of data could be by way of pseudonymisation or anonymisation. The distinction between the two processes is that pseudonymised data are capable of being re-identified, while anonymised data are presumably incapable of re-identification; hence, data protection laws do not apply to anonymised data.
A first look at this might suggest there is no real harm to the participants in the survey. However, recent research suggests that “anonymised data can never be totally anonymous.” The research suggests re-identification is possible by ‘cross referencing’ with other available facts. In 2017, similar research in Australia revealed that anonymised medical billing records were re-identified by cross referencing the de-identified data with other known facts. The implication of this is that patients’ health data could be exposed.
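A data custodian can measure this cross-referencing risk before release by counting how many records share each combination of indirect identifiers, a standard measure known as k-anonymity. The following is an added example, not code or data from the survey or the article: the rows are constructed, and the field names are assumptions modelled on the kinds of fields listed above.

```python
from collections import Counter

# Constructed survey rows using the kinds of fields the article lists; no real data.
ROWS = [
    {"facility": "Clinic A", "age": 24, "pregnant": "yes", "first_test": "2018-07-03"},
    {"facility": "Clinic A", "age": 27, "pregnant": "yes", "first_test": "2018-07-19"},
    {"facility": "Clinic A", "age": 25, "pregnant": "yes", "first_test": "2018-07-11"},
    {"facility": "Clinic B", "age": 41, "pregnant": "no", "first_test": "2018-08-02"},
    {"facility": "Clinic B", "age": 44, "pregnant": "no", "first_test": "2018-08-21"},
    {"facility": "Clinic B", "age": 63, "pregnant": "no", "first_test": "2018-08-09"},
]
QUASI = ("facility", "age", "pregnant", "first_test")  # indirect identifiers

def class_sizes(rows, keys=QUASI):
    """Size of each group of rows that share the same indirect-identifier values."""
    return Counter(tuple(r[k] for k in keys) for r in rows)

def k_anonymity(rows, keys=QUASI):
    """k is the size of the smallest group; k == 1 means some row is unique."""
    return min(class_sizes(rows, keys).values())

def generalise(row):
    """Coarsen values: age to a 10-year band, test date to its month."""
    band = row["age"] // 10 * 10
    return {**row, "age": f"{band}-{band + 9}", "first_test": row["first_test"][:7]}

def release(rows, k):
    """Generalise, then suppress rows whose group is still smaller than k."""
    coarse = [generalise(r) for r in rows]
    sizes = class_sizes(coarse)
    return [r for r in coarse if sizes[tuple(r[q] for q in QUASI)] >= k]

if __name__ == "__main__":
    print("raw k =", k_anonymity(ROWS))
    print("rows released with k >= 2:", len(release(ROWS, 2)))
```

In the raw rows every record is unique on these four fields even though no name is present; after generalisation one record (the 63-year-old) is still unique and has to be suppressed to reach k = 2.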
What Does the Law Say?
There are various laws that emphasise the need to secure user data and to ensure that the health information of Nigerian citizens is handled and treated properly. These include the National Health Act (NHA) 2014 and the Nigeria Data Protection Regulation (NDPR), among others.
National Health Act (NHA) 2014
Section 26 (1) of the NHA provides that “all information concerning a user, including information relating to his or her health status, treatment or stay in a health establishment is confidential”. Section 29 mandates the head of a healthcare facility to put in place “control measures to prevent unauthorised access to those records and to the storage facility in which, or system by which, records are kept”. This implies good data security, governance and management policies and procedures to prevent unauthorised access, unlawful disclosure, data loss, and data theft – both online and offline. The section prescribes offences and the punishment of two (2) years’ imprisonment or a fine of N250,000 or both. The offences include falsification or alteration of records, destruction of records without authority, re-identifying de-identified records, and unlawful access or interception of records.
 Pseudonymisation is the “processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, as long as such additional information is kept separately and subject to technical and organizational measures to ensure non-attribution to an identified or identifiable individual.”
 Anonymisation is the process of removing personal identifiers, both direct and indirect, that may lead to an individual being identified.
Nigeria Data Protection Regulation (NDPR)
Article 1.3 of the Regulation categorises health data as sensitive personal data. Security is one of the principles of data protection recognised under the Regulation. According to the Regulation, personal data shall be “secured against all foreseeable hazards and breaches…” Further, Article 2.1(2) imposes on data controllers a duty of care to the data subjects and also a duty to be accountable.
The Regulation places a high threshold on security and imposes the obligation to put in place both technical and organisational procedures to ensure security of personal data. Breach of the provisions of the Regulation attracts administrative sanction and penalty, criminal prosecution and exposure to litigation from data subjects, which include patients or the survey volunteers.
Cybercrimes (Prohibition and Prevention) Act
Section 5 of the Cybercrimes (Prohibition & Prevention) Act 2015 designates certain sectors of the economy as Critical National Information Infrastructure (CNII). Part 7.5 of the National Cybersecurity Policy designates the healthcare sector as a National Critical Information Infrastructure. The Act criminalises attacks on sectors designated as critical national infrastructure, and this is punishable by a term of imprisonment of not less than 15 years without an option of fine. The Act also includes other offences that could affect the sector.
Similarly, Section 38(5) of the Act provides that service providers should put in place adequate safeguards to ensure both privacy and security of such data for the purpose of law enforcement.
HIV and AIDS (Anti-Discrimination) Act 2014
The Act protects persons living with HIV or affected by AIDS from discrimination based on their status. Section 13(1) of the Act guarantees the protection of data of persons living with HIV or AIDS with “respect to their health and medical records.” Further, Section 13(2) provides a punishment not exceeding two (2) years’ imprisonment for non-compliance. An individual guilty of infringing the provision is liable to a fine of not less than N500,000, and a corporate body to a fine of not less than N1,000,000. In deserving circumstances, the court can impose both a term of imprisonment and a fine on the offender.
 Article 2.1 (1) (d)
 Article 2.1 (3) of the NDPR
 Article 2.6 of the NDPR
The recurrent thread in the fabric is that there is a low level of awareness of the risk on the part of the government and citizens alike. Also, the non-existence of an enforcement template under the existing law is a plague. According to Deloitte’s 2018 Global health care outlook report “many employees at hospitals, health plans, life sciences companies, and governments lack awareness of and training to manage financial, operational, compliance, and cyber risks. Led by senior management, organizations should perform a thorough assessment to understand how recent and upcoming policy changes will impact organizational priorities and explore strategies to build second-line defenses to reduce their administrative, financial, and reputational exposure.”
The Federal Ministry of Health can take a cue from the United States’ Health Insurance Portability and Accountability Act (HIPAA) by enacting a national privacy and security rule that defines the privacy and security standards for the protection, storage and transfer of health data held in electronic or physical form. This includes administrative, technical, online and physical safeguards. The privacy rule should clearly define other legal bases for processing and derogations, a mechanism for cross-border transfer of health data (patients are becoming more mobile with medical tourism), the storage and retention period, other rights (the rights to be informed and of access are already established under the NHA), and a framework for reporting breaches and notifying users, and should put in place stronger transparency and accountability mechanisms.
Section 2 of the NHA gives the Federal Ministry of Health the mandate to make a guideline for the development of the health sector which will include addressing emerging privacy and security concerns with new technologies. There is an urgent need to sensitize health practitioners and members of the public on privacy and security, and how it affects them. The National Research Ethics Committee conceived under Section 33 of the NHA should define the standard of ethics, privacy and security for research. The standard should include safe de-identification strategies that can minimise the possibility of re-identification.
The risks and costs associated with health care data security breaches are too high, and the confidential, personal health data of millions are at risk. There is a need for a more aggressive approach to ensure that health information is properly handled and protected. Proper application security and network security are important. Good encryption is necessary to protect data from being accessed if an attacker finds their way into your system or database, and best security practice should also be in place.
Ridwan Oloyede leads the data protection and privacy team at Tech Hive Advisory.
Simbiat Ozioma Sadiq is a cybersecurity analyst and a cybersecurity blogger.