Webinar Highlight- Healthcare Cybersecurity: Protecting patient information
By Ayo-Olagunju Muna
Our just-concluded webinar was graced by a seasoned panel of industry experts and savants working at the intersection of cybersecurity and health law: Rotimi Akinyele, a renowned cybersecurity expert and the first Offensive Security Certified Professional/Expert (OSCP) out of Nigeria; Yomi Ajibade, a thoroughbred legal professional with a master's in law, focused on the intersection between law and tech; and lastly, an erudite legal scholar who is equally a health law consultant and a recipient of the 2021 Nigerian Prize for Literature award, in the person of Prof. Cheluchi Onyemelukwe.
Rotimi opened by pointing to a KPMG survey in which 80% of healthcare executives said they had not fallen victim to cybersecurity attacks. This is not entirely an indicator of progress; rather, it poses a red flag, as victims of cyber attacks are often unaware of them. Common attack vectors for the healthcare industry include the use of dated technologies and legacy systems, limited security awareness amongst staff, unrestricted access to computers (multiple users sharing a single login), a lack of appropriate security controls on Wi-Fi networks (especially guest Wi-Fi) and insecure asset disposal techniques. Rotimi provided a quick glimpse into some sections and sub-sections of the Cybercrimes (Prohibition and Prevention) Act 2015, which designates the health sector as National Critical Information Infrastructure, meaning that the controls currently in place to safeguard critical national information and assets should equally apply to it, as it is not oblivious to these attacks. He stated that attacks can vary in complexity from a simple attack on a corporate Facebook page, as reported here, to a threat to a class III medical device, as posited here by Barnaby Jack, or the more critical instance of the 2017 WannaCry ransomware attack on the UK NHS, which resulted in 19,000 cancelled appointments, GPs being locked out of medical devices, patient records being inaccessible and emergency patients being diverted to other hospitals, ultimately costing £92 million. He stated that healthcare cyberattacks are becoming predominant and will continue to increase, due to the heavy adoption of technology and digitisation within the sector and the gradual shift toward going paperless, which, coupled with the sensitivity of the data held within the sector, makes it very attractive to attackers. We were introduced to the most common attack
are equally applicable to the health sector. These policies and frameworks are merely a high-level guide to what should be obtainable. In the practical context of how healthcare providers can protect patient information against cyber attacks, he advised the following: conduct risk assessments, implement technical security controls, promote security awareness and a culture shift, take frequent and routine data backups, keep digital assets updated, and enforce strong and secure authentication.
Yomi took over the baton, doing further justice to the discourse by focusing on data protection from a legal purview. On a global scale, the audience was introduced to the EU GDPR, which ascribes certain obligations not only to entities that operate within Europe, but also to companies that operate in other jurisdictions yet process the data of European nationals. Domestically, the NDPR addresses this; it is modelled after the GDPR and similarly applies to data subjects of Nigerian descent. Some high-level insights were provided on how to protect data across all sectors and meet compliance needs: know your data protection goals; know your data (what do you have in your system, and how do you collect what you have?); educate and train your employees; and lastly, initiate external oversight, internal controls and enforcement measures. In summary, Yomi implored the audience to keep up with global best practices by holding their organisations accountable to the highest standards; that way, one is certain to meet the obligations of less stringent data protection guidelines. He cited the GDPR as the gold standard in that regard.
The erudite professor, Cheluchi, took the virtual podium as the closing panellist. Coming from a legal background, she brought in the legal and regulatory perspective from the local context. She shone a light on the legislative and regulatory provisions that govern data protection, privacy, cybersecurity and patient rights, ranging from the Constitution of the Federal Republic of Nigeria 1999, the National Health Act 2014, the Cybercrimes (Prohibition and Prevention) Act, the National Health Insurance Scheme Act (NHIS Act) and the Freedom of Information Act (FOI Act) to the National Data Protection Regulation (NDPR) 2019 and the Patients' Bill of Rights (PBoR). Each of these pieces of legislation is geared toward upholding and protecting the patient's right to confidentiality, especially for Personally Identifiable Information (PII), which is information that can uniquely identify an individual. These provisions allow for scenarios and preconditions that permit the ethical and safe disclosure of patients' information, some of which include: when the patient's consent is sought; if a court order or any applicable law requires such disclosure; if non-disclosure poses a serious threat to public health; if the disclosure is necessary for a legitimate purpose, especially if it is in the best interest of the patient; and, in the case of a person who is otherwise unable to grant consent, upon the request of a guardian or representative. She wrapped up by providing some practical recommendations that healthcare organisations can adopt for protecting data: developing an information governance framework, developing or reviewing information governance policies, reviewing agreements with EHR vendors, developing tailored privacy policies and appointing a data privacy officer. The webinar wrapped up with a Q&A session. Prof. Cheluchi, in response to a question on data ownership between a patient, a healthcare provider and an EMR company, asserted that in the context of patient medical information, despite the patient being the data subject, the other actors in the value chain can equally contribute intellectually to the said data. The best way, she replied, which the NDPR equally makes provision for, is to seek appropriate consent before the data is used, as most times it is the use of data that occasions the debate over ownership. Rotimi responded to the question from the opener, on how a patient can know that their data has been compromised, by saying it would be near impossible without adequate proof.
The panellists shared their social handles, which are contained within their picture insets. If you enjoyed this highlight and are looking forward to our next edition, use these links to keep up to date with us: Facebook, Instagram, Twitter, LinkedIn.