6 Special Study 2 findings
In this section the findings for Special Study 2 are presented systematically against each of the main study questions. Lessons learnt will be summarised in the next chapter.
6.1 Delivery of the Database and Demographic Exchange
6.1.1 Preamble
This section combines findings from our review of programme records and documents, with information from key informants – mostly Implementing Partners who had some involvement with this specific component. The findings below are based on a synthesis and triangulation of evidence. Overall, there was strong consistency across evidence sources; however, we have also tried to reflect a range of perspectives on the factors influencing outcomes.
6.1.2 Understanding the DDE ambition
In Malawi, a health passport is used to access health services. The health passport is also used to record all diagnoses and treatments/interventions given. Our desk review confirmed that, at facilities with access to an electronic medical record, health passports may be labelled with a unique identification code (UIC) and associated barcode. In the field of HIV, key populations 75 often move across borders, along the line of rail and between points of service. UICs can help authorised service providers protect anonymity, while providing access to longitudinal records over subsequent visits, and avoiding record duplication. UICs are also valuable to programmes for analytics on the HIV cascade of care. 76 In Malawi, UICs are also being extended to other services (and EMR modules), such as ANC and OPD registration, to further the anonymity of HIV clients at designated points of care.
Box 5: Use of UICs in working with key populations 77
UICs can perform the following functions for key population members, programme implementers, and M&E specialists:
• Create a confidential service recognition system that uniquely identifies individuals without disclosing personal information
• Improve health information management for highly migratory populations
• Improve assessment of mobility of key populations through outreach services and health facilities
• Avoid duplication in the counting of key populations attending services
• Identify new individuals engaging with prevention through treatment services
• Conduct analysis of the HIV cascades through continuum of care indicator data
• Help facilities follow up with patients who have missed referrals, are lost to follow-up, or who lack treatment adherence
As shown in Figure 8 below (from Kuunika’s 2016 proposal), 78 the Kuunika team saw the DDE as one element of a system architecture that would optimise the functioning of EMRs. Using the system of UICs, the DDE would prevent duplication of records when patients moved between health facilities.
75 Key populations can include sex workers, drug users, men who have sex with men.
76 USAID et al. (2016). Unique Identifier Codes: Guidelines for Use with Key Populations.
77 Ibid.
78 Lighthouse Trust International. (2016). Grant Proposal Narrative for the Bill and Melinda Gates Foundation.
Figure 8: Kuunika's 2016 system architecture showing the DDE component
In the 2016 proposal, the Kuunika team described the scale-up of the DDE to target districts as a key project activity under the leadership of BHT. The DDE had already been piloted by BHT (using CDC funding) in three facilities to identify inputs and processes needed. The proposed scale-up would allow health sector partners using different types of EMRs to connect to the DDE and request UICs for HIV clients. BHT would also undertake a number of component activities to establish the DDE platform and ensure its functionality within the wider system.
More recently, Kuunika project documents have captured a clearer articulation of the shared ambition to progress from EMRs to a system based on secure shared Electronic Health Records (EHR). This ambition is also reflected in the National Digital Health Strategy, 2020-2025. Figure 9 below shows Kuunika’s vision for this progression within the wider digital health architecture. 79 Figure 9 also shows the implementation progress made by December 2020 using a ‘building blocks’ approach to developing the digital health architecture (see Annex 3 for Cooper-Smith’s summary of progress in terms of building blocks).
As shown in Figure 9, EMRs are now expected to form one ‘point of service’ for health data entry into an integrated digital health system. Under this vision, data from points of service would be interlinked via an Interoperability Layer to registry services and other key national databases, including DHIS2. Within this vision, the DDE would be replaced by a secure Client Registry. 80
79 This diagram is sourced from the Cooper-Smith presentation, Kuunika: Data for Action - Investment Overview, Successes, Lessons, and Thoughts for the Future (December 2020). Supporting text suggests that, for the foreseeable future, the main points of service for roll out will continue to prioritise the HIV use case.
80 Client Registries usually require establishment of a Master Patient Index – see, for example, https://www.ihs.gov/hie/masterpatientindex/
Figure 9: Vision for a shared EHR system within the digital health architecture
Notably, our desk review highlights some concerns about EHRs, not least because of the increased risk of cybersecurity threats and breaches of data privacy in immature system settings – see Figure 10 below. 81 In keeping with these concerns, the National Digital Health Strategy, 2020-2025 acknowledges the transition to EHRs needs to be gradual and go hand-in-hand with advances in governance, regulations, data/technology standards and system interoperability. 82
Figure 10: Advantages and disadvantages of Electronic Health Records
81 Derived from Menachemi, N. & Collum, T. H. (2011). Benefits and drawbacks of electronic health record systems. Risk management and healthcare policy, 4, 47–55. Also based on inputs from expert consultations.
82 Vital Wave’s Gap Analysis for Malawi’s Data Use Partnership also emphasises the need to support this digital health initiative with a distinct Sustainability Plan and improved governance measures, such as better coordination among/within ministries; and a focus on development of common standards for interfacing of data systems.
6.1.3 The implementation reality
As described in Chapter 2, implementation progress in the first phase of the Kuunika Project was slow. 2019 saw the reconfiguration of the consortium, with the core membership reduced to LIN, with TA support provided by Cooper/Smith. CDC transferred its EMR investment to EGPAF to ensure timely access to sex and age disaggregated HIV data for performance reporting to PEPFAR.
The country-based key informants interviewed for this study (Annex 6) referred to these events to explain Kuunika’s apparent lack of progress in establishing the DDE component in accordance with its 2016 proposal. They also emphasised the dynamic and shifting ecosystem in which the Kuunika Project has been implemented. The following points were made:
● Loss of BHT: Although some BHT technical staff were sub-contracted as consultants to Kuunika post 2019, the loss of BHT within the consortium (and its subsequent disbanding) meant technical knowledge and experience were lost. The task areas for which BHT was the lead implementing partner (such as the DDE) were deprioritised – at least in terms of Kuunika’s original plan of work. However, as explained below, some BHT technical staff have progressed this task area under EGPAF.
● Donor sensitivities: There was an additional stalling of progress because CDC believed Kuunika’s initiative to scale up EMRs and the DDE component effectively “hi-jacked” the work they had been funding through BHT and there was insufficient acknowledgment of CDC’s contribution. Some observers suggested this perception was fuelled by the implicit criticism of earlier, rather fragmented EMR initiatives in the 2019 Vital Wave review 83 (see Chapter 2).
● EGPAF’s role: Since 2019, PEPFAR / CDC have transferred their investment in EMRs in Malawi to EGPAF. EGPAF’s work in this area extends to some DDE functionality. LIN acts as a subcontractor to EGPAF in the northern region. Key features of EGPAF’s recent EMR-related activities are as follows:
– Since 2020, EGPAF has deployed EMRs across 726 ART clinics. This includes 520 sites that use a basic eMaster Card system and 206 sites that use a more advanced Point of Care (POC) EMR system. In moving to scale, EGPAF has built on existing systems, including the BHT system (although loss of data from the BHT server during the transition has slowed progress).
– EGPAF has extended DDE functionality to a proxy server, usually at district hospital level where connectivity is generally more reliable. This supports a local client registry and is expected to become operational from October 2021. There have been discussions with Kuunika, government and other key stakeholders about scaling up this DDE platform to support a national client registry, but EGPAF has been reluctant because this step would have implications for its own agreements with the Department of HIV and AIDS, and contractual obligations. 84
– EGPAF is now supporting the development of a central data repository or “Data Lake” for the MoH Department of HIV and AIDS. This system aggregates and manages data to allow MoH and key stakeholders to access data visualisations and dashboards for decision-making.
– EGPAF is assisting the National Registration Bureau with the development and deployment of the electronic system that supports birth and death registration. As of 2021, the Civil Registration and Vital Statistics Systems (CRVS) is deployed in 28 district registration offices, 28 district hospitals, and three central hospitals.
● Earlier consultations with the Department of HIV and AIDS had already limited information exchanges via the DDE to demographic data to protect the anonymity of HIV patients and ensure confidential service delivery.
● The changing role of Kuunika: Since 2019, Kuunika has shifted its focus to digital health governance activities through its support to the Digital Health Division (most recently under MoH’s Policy and Planning Directorate). Here the emphasis has been on strengthening the Division’s operational capabilities and strategic focus (most notably through development of the National Digital Health Strategy) and, more recently, in establishing interoperable platforms for COVID-19 analytics. Kuunika’s new role at the governance level (and its Phase 3 pivot) means its primary focus is now on a coordinated approach to building a sustainable digital health systems architecture. For example:
– Kuunika is currently conducting a mapping exercise to identify custodians and clients of each system component to allow better definition of roles and responsibilities and more rationalised engagement of key stakeholders.
– Kuunika has led on the development of a generic API for linking any system to the Interoperability Layer – this will allow continued expansion of a central repository.
● Maintaining wider system alignment: There is recognition that work on a Master Client Registry and shared EHR system needs to remain aligned with wider initiatives, such as National Registration Bureau’s efforts to establish a National Registration and Identification System. The Kuunika team has been providing technical inputs for this dialogue. In recognition of the need to ensure full alignment of standards, systems and governance measures across sectors, the MoH leadership has requested the Digital Health Division to temporarily pause work on the Master Client Registry.
83 Vital Wave. (2019). Op.cit.
84 Expert observers suggest there could be scope for adopting a more ‘global goods’ approach in these investments.
6.1.4 Benchmarking against global standards
For this study question on delivery against the DDE task area, the global Principles for Digital Development provide a useful benchmark for assessing good practice. Table 5 below presents the investigators’ assessment of the extent to which implementation of this task area was consistent with these principles.
Overall, the available evidence points to good efforts by Kuunika to promote the nine global principles of digital development. However, timely delivery of a DDE was hampered by a shifting ecosystem, challenges of designing for scale and sustainability (e.g. lack of system maturity, evolving technology, competing operational priorities, alignment challenges), and difficulties in collaborative working. Data privacy and security considerations are likely to need additional prioritisation as the modular OpenHIE framework is rolled out.
Table 5: Reflections on performance against Principles of Digital Development
Principle for Digital Development / Assessment of adherence in DDE delivery
1. Design with the User
● Evidence of initial piloting of DDE by BHT and iterative design with end users at facility level – this informed EGPAF deployment. Scope for better definition / alignment of primary end ‘users’ at each system level as solutions evolve.
2. Understand the Existing Ecosystem
● Useful successive effort to map the digital health system architecture, but scope for better analysis / monitoring of the wider operational, stakeholder and governance ecosystem.
3. Design for Scale
● Early recognition that usefulness and scale-up of DDE would depend on progress in system interoperability, an Expanded Health Data Exchange, and governance / regulatory alignment. Scale-up more challenging than anticipated – mostly due to a highly dynamic operational and institutional context, and the evolving digital health architecture.
4. Build for Sustainability
● Earlier vision for digital health architecture (including the DDE component) appears to have been superseded by a more sustainable vision based on an Open HIE framework that is referenced in the new National Digital Health Strategy. However, there has been relatively little attention to the overarching governance / regulatory aspects, and its acknowledged governance aspects need to keep pace to ensure system safety & sustainability.
5. Be Data Driven
● DDE intended to support data driven decision-making. Design will be adapted to OpenHIE framework but needs to reflect system maturity and governance context.
6. Use Open Standards, Open Data, Open Source, and Open Innovation
● Design documents point to general adherence to open source, open data principles. Since 2019, Kuunika has sought to build consensus on adoption of a modular OpenHIE framework to support open source / open standards working around a shared digital health vision. However, this remains a key area for better partner collaboration and ‘global goods’ thinking.
7. Reuse and Improve
● DDE design has built on BHT technology. BHT server data was lost in transition to EGPAF, leading to loss of continuity. There have since been significant technological developments and shifts in the digital health ecosystem.
8. Address Privacy & Security
● Dialogue on DDE and an Expanded Health Data Exchange prompted discussion on some key issues of health data governance, privacy and security – these discussions need to continue for development of the Client Registry and EHR system within the OpenHIE framework.
9. Be Collaborative
● Still concerns about a fragmented digital health landscape in Malawi. There are now opportunities for better partner alignment / collaboration around a shared vision for a DDE / Client Registry (including the role of UICs) within the OpenHIE approach.
6.2.1 Preamble
This section on the role of implementation and aid effectiveness issues combines findings from our desk review and stakeholder mapping exercise (Annex 2) with information from key informants. The findings below are based on a synthesis and triangulation of evidence.
We acknowledge that a key limitation of this study is that we have not been able to interview donor representatives (especially BMGF, CDC, PEPFAR, CHAI etc) within the timeframes of the study. Any findings referencing donor perspectives are, therefore, based on secondary sources.
6.2.2 Key role-players and their objectives
As shown in the stakeholder mapping for this study (Annex 2), there are multiple stakeholders who have a primary or secondary stake in the activities of the Kuunika Project. These stakeholders can be categorised into four main groups:
● Government of Malawi - including MoH, the Ministry of ICT, along with a range of substructures and related ministries/institutions – see Chapter 3.
● Donors – including BMGF and other donors directly involved in improving digital health systems for HIV programming (the joint use case), along with donors and multilateral agencies who have indirect involvement through their participation in the wider digital ecosystem.
● Implementing Partners – including those who are (or have been) directly involved in Kuunika implementation, and related digital health activities - including the recent COVID-19 ‘digital surge’.
● Other role-players – those who play a role in the wider project implementation landscape (such as CHAM, the private sector, other NGOs and EMR providers and independent evaluators).
Since 2017, there have been some significant efforts to support digital health collaboration and alignment in Malawi – although these have mostly been around planning and strategy development. For example, in 2017, CMED convened 80 members of the Malawi Health Data Collaborative representing 20 organisations 85 to help finalise the new Monitoring and Evaluation/Health Information System Strategy and identify ways to strengthen governance, leadership and coordination of investments. 86
Our desk review confirmed that members of the above stakeholder groupings have interests, priorities and strategic objectives that mean they could have been key role-players in the Kuunika Project ecosystem. It was clear that sometimes interests converged, but sometimes there was potential for divergence.
The desk review of programme documents and stakeholder publications showed there was generally strong stakeholder convergence around the common objective of building an effective, efficient and sustainable digital health information system – ultimately for the benefit of healthcare users, especially those affected by HIV. Since 2019, there has also been strong stakeholder convergence around accessing real-time data to respond to the COVID-19 pandemic.
85 These included: Alliance for Public Health; BMGF; CDC; Cooper/Smith; Data for Health (Bloomberg Philanthropies); DFID; GiZ; Johns Hopkins University; Luke International; Palladium; Partners in Health; Partnership for Maternal, Newborn & Child Health; PEPFAR; Population Services International; The Global Fund; UNICEF; University College London; and USAID.
86 See: https://www.healthdatacollaborative.org/where-we-work/malawi/2/progress-updates/
However, a rapid ‘force field’ analysis also points to three potential fault lines for stakeholder divergence in the Kuunika operational landscape. These potential fault lines (or divergent ‘leanings’) fall across government and donors, the Kuunika consortium and (post-2019) Kuunika and other Implementing Partners (Figure 11).
Figure 11: Potential fault lines across Kuunika stakeholder interests
This desk-based analysis suggests Kuunika progress may have been considerably influenced by how well these potential fault lines have been negotiated over time.
6.2.3 The implementation reality
As described in Chapter 2, the ‘fault line’ across the Kuunika consortium prompted a significant reconfiguration in 2019. Country-based key informants (Annex 6) made the following additional points about the role of implementation and aid effectiveness issues in project progress.
● Competing consortium priorities: Some reports indicated a particular challenge for original consortium partners was managing the competing expectations of government, Kuunika and a wider portfolio of donors (e.g. for BHT there were issues regarding acknowledgment of CDC contributions and maintaining a distinction between donor inputs and objectives).
● Government engagement challenges: Successive national elections and changes in leadership within the MoH have made it difficult for some partners to maintain continuous engagement and manage changes in strategic direction, especially when government / MoH positions were themselves divergent (e.g. differences in perspective on prioritising digital health for national planning decisions or local-level patient centred care).
● Pulling the purse strings: While many donors and partners fully acknowledge the importance of government ownership and leadership for sustainability, the reality is that Malawi’s health sector remains highly dependent on donor funding, especially with respect to HIV programming. This means donors have considerable power to push an agenda – particularly when they have made large financial commitments. 87 GoM is still associated with significant “budget credibility challenges” so most donors remain cautious about direct budget support and, in practice, programme ‘ownership’ is a continuous negotiation. 88 Moreover, Implementing Partners often have to act as mediators and intermediaries especially when donors have no country presence.
● Differences in ‘donor culture’: Some key informants explained that the BMGF ‘culture’ of learning-centred and adaptive approaches to project delivery is distinctive. Other donors in the field of HIV tend to take a more traditional ‘projectised’ approach based on principles of supplier accountability for resources and results. The early tensions in the Kuunika consortium illustrate how Implementing Partners may find it difficult to reconcile the two approaches within standard project delivery arrangements. It can be difficult for Implementing Partners to take ‘delivery risks’ (e.g. protracted district engagement) in a highly competitive supplier landscape.
● Donor coordination challenges: Several key informants indicated there is scope for donors to collaborate and harmonise investments more effectively among themselves – especially in the competitive field of digital innovation. While partner forums convened by CMED’s M&E Technical Working Group, such as the Health Data Collaborative, have been productive, 89 there remain concerns that partner initiatives contribute to a fragmented digital health landscape with duplication of effort. Some key informants suggested the ‘three pillars’ conceived under the pre-2019 Digital Health Project Implementation Unit (PIU) for effective harmonisation and alignment remain valid. 90 The Blantyre Prevention Project was cited as a useful model for demonstrating how improved donor, government and stakeholder collaboration could function at all system levels.
● Kuunika’s governance foothold: Since 2019, Kuunika’s role in seconding staff to the Digital Health Division is widely seen as positive for providing well-informed technical guidance, coordination and capacity development support at national level. This, in turn, promotes continuity and government credibility in technical dialogue with external partners. However, there are concerns about a potential conflict of interest if Kuunika is competing with other Implementing Partners for access to government / donor resources. There were concerns too about the possibility of a disproportionate influence in building the shared national vision on digital health.
● Learning from the COVID response: There was emerging consensus that the recent COVID-19 ‘digital surge’ demonstrates how Implementing Partners can, with strong national direction, collaborate effectively around shared priorities within a common systems architecture. However, there were also concerns about the failure to fully involve the Department of eGovernment (compromising sustainability), and failure of some Implementing Partners to be fully open with source codes, server access etc.
6.2.4 Benchmarking against global standards
For this question on implementation issues affecting Kuunika delivery, we will use the principles of aid effectiveness as the benchmark for assessing good practice. Table 6 below draws on the triangulated evidence to present the investigators’ assessment of how Kuunika’s implementation experience measures against the core principles of aid effectiveness. 91
87 For example, PEPFAR is reported to have invested US$700 million in Malawi since 2003 – see A 15-Year Review of the PEPFAR Support to Malawi: How Has It Succeeded? | AVAC
88 UNICEF. (2019). 2019/20 Health Budget Brief: Towards Full Implementation of the Essential Health Package: Achieving SDG 3 in Malawi
89 See for example: Malawi Ministry of Health. (undated). Data and Digital Priorities: Digital Health for Universal Health Coverage. Developed with the Malawi Health Data Collaborative. Available at: https://www.healthdatacollaborative.org/fileadmin/uploads/hdc/Documents/Country_documents/Malawi/Malawi_Ministry_of_Health.pdf
90 These are: a single National Digital Health Strategy; a single ‘investment roadmap’; and a single digital health human resources development plan.
Overall, our assessment found donors supporting the HIV/AIDS programme in Malawi have broadly adhered to the aid effectiveness principles of country ownership and strategy alignment. However, there is now scope for donors to strengthen adherence to aid effectiveness principles (including those relating to harmonisation, managing for aligned results and mutual accountability) by working through existing partner forums to advance the new Digital Health Strategy and roadmap. This will need to be accompanied by a greater focus on systems thinking and substantial investments in institutional strengthening and governance capacity.
Table 6: Reflections on Kuunika’s experience against the principles of aid effectiveness
Principle of aid effectiveness / Assessment of Kuunika’s implementation experience
1. OWNERSHIP: Developing countries should be owners of their development
● There is good evidence that Kuunika has sought to keep GoM in the driving seat. However, while donor investments have broadly supported MoH strategic objectives, there is evidence of donor-driven agendas, vertical HIV programming, parallel reporting systems, and some lack of openness in partner practice.
2. ALIGNMENT: Development assistance should be aligned to country policies, institutions and local systems
● Good evidence that the Kuunika design and implementation was aligned to the country policy and institutional context within the field of HIV programming. However, some concerns that in Phase 1 of the project some consortium members were not fully engaging district-level counterparts.
● In Phase 3, Kuunika’s support to the Digital Health Division and development of the National Digital Health Strategy contribute to an enabling environment for improved alignment of development assistance. But, more widely, there are still concerns that donor investments continue to perpetuate fragmented approaches.
3. HARMONISATION: Developing countries and partners should harmonise their action
● Kuunika’s support to the Digital Health Division, along with the National Digital Health Strategy and mapped digital health architecture provide the foundations for a digital health investment roadmap to support harmonised donor investments. However, to date, there appears to be limited traction on this and donor interests and investments remain siloed.
4. MANAGING FOR RESULTS: Developing countries and donors should focus on measurable results
● Some evidence of divergent expectations of intended results. Some donors place considerable emphasis on timebound results delivery, while others place greater emphasis on adaptive learning to advance strategic goals.
5. MUTUAL ACCOUNTABILITY: Developing countries and their partners are jointly accountable for development results
● Some evidence of transparency and collaborative working by government, donors and Implementing Partners towards broad strategic objectives. However, primary IP accountability tends to remain with donors. Some residual concerns remain about issues of data sovereignty.
91 Revisiting the principles of aid effectiveness. Available at: www.dandc.eu/en/article/revisiting-principles-aid-effectiveness
6.3 Role of intellectual property regulation, data privacy and global digital governance standards
6.3.1 Preamble
This section on the role of the regulatory environment combines findings from our desk review and key informant interviews. The findings below are based on a synthesis and triangulation of evidence. Overall, there was strong consistency across evidence sources.
6.3.2 Regulatory context of the Kuunika Project
As described in Chapter 3, our desk review confirms the overarching legal and policy frameworks for all ICT initiatives in Malawi are set by the Ministry of ICT. The Ministry of ICT includes specialist departments such as the Department of eGovernment. The latter is responsible for ensuring ICT is used to: a) facilitate effective and efficient public service delivery and interaction between public services and citizens, companies, government institutions, cooperating partners and other key stakeholders; and b) enhance government oversight functions.
Key legislation relating to this study includes the eTransactions and Cyber Security Act (2016), especially Part IV on data protection and privacy. Also of relevance are Malawi’s Access to Information Act (2017), the National Registration Act (2009) and the National ICT Policy (2013). As indicated in Table 2, the new Data Protection and Privacy Bill (2021) represents a timely and positive development; however, there are stakeholder concerns about ambiguous terminology, and some oversight and enforcement issues - several of which have human rights implications.
With regard to intellectual property rights, Malawi has five main intellectual property laws. These are: the Trademarks Act (2018), Patents Act (1986), Trade Description Act (1987), the Registered Designs Act (1985) and the Copyright Act (2016). These intellectual property laws are designed to create a conducive, but regulated, environment for the development of small and medium-sized enterprises (SMEs), thereby promoting local industry and social and economic development. Additionally, these laws cover the transfer of technology to and from industrialised countries (including local digital technology innovation).
The MoH is responsible for the application of national legislation to health data and information systems. The MoH’s foundational document on digital health regulation is the National Health Information Systems Policy (2015) which specifies sectoral roles and obligations relating to: data collection; confidentiality; data compilation/aggregation; data analysis; quality assessment and adjustment; reporting and data transmission; data storage, access and ownership; and information dissemination and use. This policy is referenced for implementation purposes in the Health Sector Strategic Plan (HSSP) II, 2017-2022, as well as the Monitoring, Evaluation and Health Information Systems Strategy (MEHIS), 2017-2022.
Recently, the National Digital Health Strategy, 2020-2025 has replaced the National eHealth Strategy, 2011-2016. The new strategy focuses more directly on priorities relating to: digital health governance and sustainability; digital health coverage; system interoperability; infrastructure and connectivity; and workforce capacity. The National Digital Health Strategy includes a specific strategic objective on protecting data privacy and “improving the security of information and digital health systems”. Priority actions recommended under this objective are summarised in the Box below.
Box 6: The Digital Health Strategy's priority actions to protect digital health security
In summary, the Digital Health Strategy’s recommended actions on digital health security are:
• Data loss or damage: Ensure continuity of service delivery in all service delivery points in cases of disasters and loss of property by working with the ICT Section to ensure a risk analysis is conducted annually and Disaster Recovery Sites are operational.
• System security: Develop and deploy a standardised security management process in the health sector to promote acceptable use of data and related tools, including hardware and software – e.g. by implementing security checklists at all service delivery points, and ensuring security breach response systems are operational.
• Ethical concerns: Address ethical issues in digital health to promote privacy and security of clients’ data by implementing Data Access and Release SOPs and ensuring a data access tracking system is operationalised.
• Threat protection: Ensure that digital health information and users are protected from undesirable threats, including physical threats (fraud and theft), malware, breach of privacy and misuse of information, by implementing user account management SOPs, and ensuring additional physical access control measures are deployed and operational.
The MoH recently commissioned the Malawi Health Data Collaborative to identify data and digital priorities to support consensus-building for the National Digital Health Strategy and promote the principles of universal health coverage. The Collaborative identified improvements to security of information and ICT systems as one of the top priorities.92
We note the Kuunika Project has supported the development of 12 SOPs (Annex 5). These SOPs cover multiple aspects of digital health governance and system security, such as user account management, data access and release and data breach protocols – although notably the SOP on ensuring security of data systems has not yet been drafted. Key informants suggest that, with the institutional changes in MoH and the outbreak of COVID-19, progress has stalled. However, we suggest that, given the groundwork done and the importance of SOPs for translating ICT legislation and the Digital Health Strategy into action, there is a strong case for re-prioritising this task area.
6.3.3 Implementation experience
In key informant interviews, the following points were made on project implementation experience relating to the digital health policy and regulatory environment.
● System security risks: There are particular government concerns about system security risks and the need to safeguard patient information from unauthorised disclosure, alteration, loss or destruction – for example, GoM is now seeking to expand country-based server capacity to avoid a dependence on cloud-based hosting (in line with the eTransactions and Cyber Security Act). In recent years, there have been experiences of health data being lost, and there is now awareness of the need for multi-faceted approaches that combine technical protection measures (including data back-up and retrieval) and secure data storage methods (with encryption and access controls etc), with data governance measures (such as legal, policy and regulatory measures).
● Implementation challenges: Key informants emphasise the need to implement and enforce existing data protection measures at all system levels e.g. from the security of shared devices at facility level, to the access permissions granted at higher system levels. This, in turn, requires inclusive training and improvements in digital literacy from the community to the national level. The fragmented nature of health service delivery and information systems across public, private and non-governmental providers makes this challenging. There is recognition that SOPs need to be finalised, but concern that roll-out and compliance will be challenging to address.
● Data sovereignty and ownership considerations: While there is legislation in place covering data sovereignty and the transfer of data across borders, and the National Health Information Systems Policy provides clear government statements on data access and ownership, there is limited enforcement with respect to donor / IP reporting systems. Key informants suggest this is due to government’s financial dependence on donors, as well as inconsistent leadership in the digital health space. In recent years, there have been efforts to tighten up on ethical approvals and data sharing permissions for health research;93 however, it has also been reported that weak communication between national and sub-national levels on these permissions can fuel operational tensions.
● Governance capacity challenges: The original organograms for the Digital Health Division make provision for both governance positions (with a focus on policy and standards compliance) and technical operations (with a focus on product development and sustainability). While technical operations positions have largely been filled (partly through Kuunika secondments), the governance positions remain vacant. These are acknowledged to be key areas for future recruitment and investment.
92 Malawi Ministry of Health. (undated). Data and Digital Priorities: Digital Health for Universal Health Coverage. Developed with the Malawi Health Data Collaborative. Available at: https://www.healthdatacollaborative.org/fileadmin/uploads/hdc/Documents/Country_documents/Malawi/Malawi_Ministry_of_Health.pdf
6.3.4 Benchmarking against global standards
For this question on the role of the regulatory environment in Kuunika delivery, we will use the Global Digital Health Index model as the yardstick for assessing good practice. Table 7 below presents the investigators’ assessment of how Kuunika’s implementation experience measures against key indicators of digital health leadership, governance, legislation, policy and compliance.94
Overall, available evidence suggests Malawi’s regulatory environment is reasonably good when measured against standard global indicators on leadership, governance and policies. However, weaknesses remain in resource allocations for implementation and enforcement, operational guidelines tailored to each system level, and policies on cross-border data security and data sharing.
93 National Regulatory Requirements, Procedures and Guidelines for Conduct of Research in Malawi. Available at: https://www.ncst.mw/research-clearance/
94 Global Digital Health Index. (2019). The State of Digital Health 2019. Available at: https://www.digitalhealthindex.org/stateofdigitalhealth19
Table 7: Reflections on Kuunika’s regulatory context against key GDHI indicators

1. LEADERSHIP & GOVERNANCE: Indicator 1: Digital health prioritised at the national level through dedicated bodies / mechanisms for governance
Assessment of Kuunika context:
● Digital health prioritised through relevant structures in place in Ministry of ICT (Department of eGovernment) and MoH (ICT Unit, CMED and Digital Health Division)

2. LEADERSHIP & GOVERNANCE: Indicator 2: Digital health prioritised at the national level through planning, strategies and resource allocation
Assessment of Kuunika context:
● Digital health prioritised at the national level through the National Health Information Systems Policy (2015) and successive health strategies. However, financial and human resource allocations remain insufficient.

3. LEGISLATION, POLICY & COMPLIANCE: Indicator 1: Legal Framework for Data Protection (Security)
Assessment of Kuunika context:
● General ICT legislation on data protection in place and reflected in the National Health Information Systems Policy (2015) – although some scope for updating.
● Requirement for SOP on data security identified but not yet developed.

4. LEGISLATION, POLICY & COMPLIANCE: Indicator 2: Laws or Regulations for privacy, confidentiality and access to health
Assessment of Kuunika context:
● General ICT legislation on data privacy in place and reflected in the National Health Information Systems Policy (2015) and strategies.
● Relevant SOPs drafted but not yet finalised or implemented.

5. LEGISLATION, POLICY & COMPLIANCE: Indicator 3: Protocol for regulating or certifying devices and/or digital health services
Assessment of Kuunika context:
● Explicit reference in legislation, policies and strategies limited but SOP on ‘Introduction of New Systems’ available in draft (timeframes for finalisation and implementation uncertain).

6. LEGISLATION, POLICY & COMPLIANCE: Indicator 4: Cross-border data security and sharing
Assessment of Kuunika context:
● Little explicit reference in health sector policies and strategies but some references made in eTransactions and Cyber Security Act (2016) and legislation on intellectual property.
6.4 Lessons for future programming
The table below presents the investigators’ summary of the main lessons emerging for each of the core study questions. These lessons are based on a triangulated synthesis of contributions from key informants and the investigators’ analysis of data from other sources (desk review, round table discussions etc).
Table 8: Seven lessons arising from the Special Study 2 questions
Question 1: Why did the important Database and Demographic Exchange step in the development of EMRs for HIV eradication fail?
1. Sustainability of digital health building blocks is likely to be enhanced when there is reference to an updated digital health and information system architecture, and when there is wider stakeholder buy-in on the shared vision, strategy and roadmap.
2. Elements involving exchange of personal health records must be aligned to the wider governance, regulatory and standards environment – especially with respect to data privacy, security and access.
Question 2: What role did implementation and aid effectiveness issues such as project design, project management and donor co-ordination play?
3. An understanding of the ecosystem requires a focus on the stakeholder, governance and political economy ecosystem, as well as the digital ecosystem. Seconded technical assistance (TA) can be on the front line of mediating the stakeholder ecosystem – distinct skill sets are required.
4. There is scope to build on existing partner forums to convene diverse stakeholder groupings and build consensus around implementation of a joint digital health roadmap.
5. Investments in a patient-centred ‘use case’ are likely to be more sustainable & scalable if partners retain a system focus and there are complementary investments in effective digital health governance at all system levels.
Question 3: How useful would intellectual property regulation, data privacy & global digital governance standards have been in creating a more propitious context?
6. Particular attention needs to be given to data protection and cybersecurity threats. New digital health solutions should be accompanied by key assessments, such as threat risk and privacy impact assessments. There is scope for working more closely with the ICT Ministry, international collaboration and contributing to legislative dialogue e.g. on Malawi’s Data Protection & Privacy Bill.
7. Sound digital health governance requires long-term investment, and needs to extend to effective mechanisms for implementation, staff capacity building and oversight, and standards compliance at each system level. Finalisation / roll-out of key SOPs could be a relatively quick win, but this is a process-heavy task area that needs focused leadership.