There is a clear responsibility for governments and regions in Africa to protect their citizens’ health data, especially in the current era of rapidly proliferating data and nefarious actors wanting to access it. However, this must be balanced against the importance and value of sharing vital health data across platforms and geographies to manage the global spread of infectious diseases as travel increases following the pandemic. The good news is that these seemingly conflicting priorities need not be an either/or situation: innovative policies, thoughtful frameworks, and underlying technologies can enable the protection and sharing of health data.
This was the main takeaway from the recent BroadReach Group Q&A webinar on the sensitive topic of Health Data and Security in Africa in celebration of October’s Cybersecurity Awareness Month. The webinar went over the importance of health data ownership, data protection vs data sharing, and data residency – touching on personal rights to health data as well as the challenges and responsibilities (of both public and private organisations) when it comes to keeping this type of information safe and secure.
Ruan Viljoen, Chief Technology Officer at the BroadReach Group, led the discussion with Dr Farley R. Cleghorn, Global Head of Health Practice at the Palladium Group, and Dr Justin Maeda, Principal Regional Collaborating Centers (RCC) Coordinator at the Africa Center for Disease Control (CDC), to explore the challenges from multiple angles. The session was a Q&A with audience members – comprised of health and program leaders from around the continent – posting their central challenges to the experts for live discussion and debate. The BroadReach Group is a social enterprise that focuses on delivering health equity.
Here are some of the key takeaways from the webinar:
1. Privacy of health information is a fundamental human right
“Health data is the most sensitive personal data we can store and warrants an even stricter duty of care,” Viljoen said in his opening remarks. “We should not put individuals in a position where they should trade their privacy to receive good healthcare.”
“Governments are the custodians of the human rights of their people and therefore have the primary responsibility to protect their citizens’ data, but the issue is complex, and a multi-sectoral approach is needed,” said Dr Maeda. One of the ways that governments could protect their citizens is by disaggregating or de-identifying their health data to make it impersonal and unidentifiable to third parties.
2. Cyber-security becomes more important in healthcare as attacks increase
“We’ve seen a year-on-year rise in attacks on organisations regarding the number of attacks and successful data breaches where data is exfiltrated and sold on the black market. Attackers are quite patient and look around – recent studies show that it takes organisations an average of 271 days to detect that they have been breached. Another 70-odd days to rectify the situation. So, you’re looking at the better part of a year before you can return to normality,” said Viljoen. He said this leads to reputational and financial damage and interferes with service delivery, which is detrimental in the healthcare setting.
Three critical international standards are setting international best practices for protecting general personal information and health information: the General Data Protection Regulation (GDPR) in Europe, the Health Insurance Portability and Accountability Act (HIPAA) in the USA, and the private sector-led HITRUST Alliance.
One of the technologies that can make sharing data safer is tokenisation because tokens are much less valuable to attackers than actual data, said Viljoen.
3. Consumer data is an evolving responsibility
“Personal data sets on everything about the individual are evolving. We need to embrace it because it’s not going away,” said Dr Cleghorn. “Individuals need to take control of their health data. You should assume you have a right to that information, that you can control your information, and that you can use it for your benefit.”
4. African countries are starting to develop and collaborate on data regulations
While the 55 member states of the African Union differ in terms of how extensive their data policies and standards are, the Africa CDC is working on setting common minimum standards for the collection, storage, management, protection, and transmission of data within the African Union. The “Health Information Exchange Policy and Standard” is currently being formulated. Once the various heads of state sign it, the Africa CDC will assist individual countries in attaining those minimum standards through policies and technology solutions.
Dr Maeda said safe inter-continental data sharing was essential considering the increased mobility of people. “To put it into perspective, one person can now be on five continents in one day so that diseases can spread fast.”
But while data sharing was necessary for public health management, data protection was critical. “While governments have the first responsibility to protect their citizens’ data rights, other partners such as the African Union, the United Nations, non-governmental organisations, and the private sector all need to play their part to ensure that protection happens. Health development organisations need to build data security into their development practice,” said Maeda.
Dr Cleghorn said it was important to have regional and Africa-wide agreements to protect the right to privacy-protected health information and set guardrails for sharing information. “The broad availability of mobile platforms has made this much more important and urgent. We need rapid access to health information in the hands of the consumer.”
5. Where the data resides is not the be-all and end-all of data security
Regarding data residency, one cannot say that data is safer in the cloud or on-premises. It depends on numerous factors, and in many cases, a hybrid hosting environment makes the most sense, said Viljoen. The same principle applies to open-source versus closed-source, where the choice for each organisation depends on its circumstances and responsibilities. “There is no right or wrong. What is important is that the solutions you use are fit for purpose, that the data is used with consent, that a data policy is in place, that all regulations are applied, and, if possible, that the data is encrypted to make it useless to third parties.”
6. Ecosystem mapping can be helpful in the management of data
“If you do an ecosystem map, you should be able to describe all the components of data generation, data storage, data retrieval, and data use, and that becomes a virtuous cycle,” said Dr Cleghorn. “Many countries are at different points in this journey, and they can learn from each other’s successes and mistakes. But to do this, we need platforms for sharing information to help others achieve their goals. Learning to map your data ecosystem and stakeholders from others who have done it before can be a precious exercise.”