When it comes to the protection of personal health data in Africa, governments and regions have a clear responsibility to protect their citizens. Especially in the era of rapidly proliferating personal data and nefarious actors wanting to access it.
However, this must be balanced against the importance and value of sharing vital health data across platforms and geographies to manage the global spread of infectious diseases as travel increases following the pandemic. The good news is that these seemingly conflicting priorities need not be an either/or situation: smart policies, thoughtful frameworks and underlying technologies can enable both data privacy and data sharing.
This was the consensus in the BroadReach Group’s recent Q&A webinar about the thorny topic of Health Data and Security in Africa, to mark October’s Cybersecurity Awareness Month. The webinar covered the importance of health data ownership, data protection vs data sharing, and data residency, including personal ownership of health data, and public and private organisations’ challenges and responsibilities in keeping it safe and secure.
Ruan Viljoen, Chief Technology Officer at the BroadReach Group led the discussion with Dr Farley R. Cleghorn, Global Head of Health Practice at the Palladium Group and Dr Justin Maeda, Principal Regional Collaborating Centers (RCC) Coordinator at the Africa Center for Disease Control (CDC), to explore the challenges from multiple angles. The session took the form of a Q&A with audience members – comprised of health and program leaders from around the continent – posting their central challenges to the experts for live discussion and debate. The BroadReach Group is a social enterprise that focuses on delivering health equity.
Key takeouts from the webinar:
1. Privacy of health information is a fundamental human right
“Health data is the most sensitive personal data we can store and warrants an even stricter duty of care,” Viljoen said in his opening remarks. “We should not put individuals in a position where they should have to trade their privacy in order to receive good healthcare.”
“Governments are the custodians of the human rights of their people and therefore have the primary responsibility to protect their citizens’ data, but the issue is complex and a multi-sectoral approach is needed,” said Dr Maeda. One of the ways that governments could protect their citizens is by disaggregating or de-identifying their health data, to make it impersonal and unidentifiable to third parties.
2. Cyber-security becomes more important in healthcare as attacks increase
“We’ve seen a year-on-year rise in attacks on organisations in terms of the number of attacks and successful data breaches where data is exfiltrated and sold on the black market. Attackers are quite patient and look around – recent studies show that it takes organisations an average of 271 days before they detect that they have been breached, and another 70-odd days to rectify the situation. So you’re looking at the better part of a year before you can return to normality,” said Viljoen. This does not only lead to reputational and financial damage, but also interferes with service delivery, which is detrimental in the healthcare setting, he said.
Three important international standards are setting international best practice for the protection of general personal information and personal health information: the General Data Protection Regulation (GDPR) in Europe, the Health Insurance Portability and Accountability Act (HIPAA) in the USA and the private sector-led HITRUST Alliance.
One of the technologies that can make the sharing of data safer is tokenization, because tokens are much less valuable to attackers than real data, said Viljoen.
3. Consumer data is an evolving responsibility
“Personal data sets on everything about the individual are evolving. We need to embrace it because it’s not going away,” said Dr Cleghorn. “Individuals need to take control of their health data. You should assume you have a right to that information, that you can control your information, and that you can use it for your own benefit.”
Viljoen agreed: “We have more data points on every aspect of the individual than ever before, and this will just exponentiate over the next few years. This can be very good for tailored individual healthcare, but the data must be used ethically and safely.”
“We can learn from other industries such as fintech and payments, which have been the target of cybercrime for decades. They use tools like tokenization, disaggregation and deidentification of data to make the sharing of sensitive personal data much safer,” said Viljoen. “I don’t think we should try to solve this as the health industry on our own – we need to get together as a collective and share solutions.”
4. African countries are starting to develop and collaborate on data regulations
While the 55 member states of the African Union all differ in terms of how extensive their data policies and standards are, the Africa CDC is working to set common minimum standards for the collection, storage, management, protection and transmission of data within the African Union. The “Health Information Exchange Policy and Standard” is currently being formulated, and once it is signed by the various heads of states, the Africa CDC will assist individual countries in attaining those minimum standards through policies and technology solutions.
Dr Maeda said safe inter-continental data sharing was especially important considering the increased mobility of people. “To put it into perspective, one person can now be on five continents in one day, so diseases can spread fast.”
But while data sharing was important for public health management reasons, the protection of data was important for individuals. “While governments have the first responsibility to protect their citizens’ data rights, other partners such as the African Union, the United Nations, non-governmental organisations and the private sector all need to play their part to ensure that protection happens. Health development organisations need to build data security into their development practice,” said Maeda.
Dr. Cleghorn said it was important to have regional and Africa-wide agreements to protect the right to privacy, the right to protected health information, and setting up the guardrails for how information is shared. “The broad availability of mobile platforms has made this much more important and urgent. We need rapid access to health information in the hands of the consumer.”
5. Where the data resides is not the be-all and end-all of data security
When it comes to data residency one cannot say that data is safer in the cloud or on premises. It depends on numerous factors and in many cases a hybrid hosting environment makes the most sense, said Viljoen. The same principle applies to open-source versus closed-source, where the choice for each organisation depends on its circumstances and responsibilities. “There is no right or wrong. What is important is that the solutions you use are fit for purpose, that the data is used with consent, that a data policy is in place, that all regulations are applied, and if possible, that the data is encrypted to make it useless to third parties.”
6. Ecosystem mapping can be useful in the management of data
“If you do an ecosystem map, you should be able to describe all the components of data generation, data storage, data retrieval and data use, and that becomes a virtuous cycle,” said Dr Cleghorn. “Many countries are at different points in this journey and they can learn from each other’s successes and mistakes. But to do this, we need platforms for sharing information, to help others achieve their goals. Learning to map your data ecosystem and stakeholders, from others who have done it before, can be a very valuable exercise.”
He also cautioned that personal information such as sexual orientation may be benign in one setting and dangerous in another, and therefore it was important to understand the data security requirements at different levels of data, especially in terms of sensitive data.
Dr Cleghorn continued: “We are going to be generating more and more data about all aspects of people’s lives. To manage this, we have to take an ecosystem approach and think of all the levels of data security that need to be applied. We have to understand the ecosystem better wherever we work.”