Cybersecurity and health records: Leaving no one behind globally
Facebook Twitter LinkedIn EmailAs our world continues to digitize, with products and services increasingly embracing digital solutions, cybersecurity is on everyone’s mind. We have all heard of ransomware attacks that extort money from unsuspecting people. Sophisticated hackers target major infrastructure and power grids. And according to the World Bank, about 10.5 million records are lost or stolen every month. The risks are real and are not only economic but also related to business disruption and reputational damage.
Unsurprisingly, cybersecurity is a growing field with active participation and contributions from international donors and development implementing agencies. And while cybersecurity is a day-to-day concern in countries with a high prevalence of digital tools and services — namely developed economies — it might seem to be less of a concern in countries where digital systems data are not as pervasive. For upper middle-income countries, it is estimated that 84% of the population owns a bank account (an indicator of digital uptake), in contrast with only 39% in low-income countries. (1)
Photo: Providing hands-on capacity building to a government of Nigeria implementing partner and facility staff at Aminu Kano Teaching Hospital in Kano, Nigeria, on Dec. 12, 2022. Pictured, from left: Asma’u Shuaibu (health officer, GGHN- ACE 2 project); Hajara O Aliyu (mentor mother, facility staff); Maimuna Bala Idris (mentor mother, facility Staff); and Laurina Nyang (quality improvement specialist, Data.FI).
If low-income countries still rely primarily on paper records, does that mean they face fewer information security risks? Are the same cybersecurity approaches enough for countries with mostly paper-based services?
These questions do not have satisfying answers.
It is clear, though, that international development projects face a unique set of challenges when it comes to information security. In particular, projects need to strike a balance between present and future needs. Countries that are not yet using digital solutions still need to protect their paper records and ensure the privacy and safety of the people they serve. And introducing new digital solutions requires developing local capacity to address new information security risks that were not a concern when using paper records.
Nowhere are these challenges clearer than when it comes to health records, especially for people with HIV and orphans and vulnerable children. Low- and middle-income countries carry an estimated 80% of the HIV disease burden. (2) This suggests that many of these records are only available in paper form, and that the health care and privacy of millions depends on securing these paper records from loss, damage and theft. There is an urgent need to strengthen information security of these paper-based health systems in low- and middle-income countries and to help them prepare for a gradual digitization that does not neglect the existing health and privacy concerns of HIV clients.
The situation is exacerbated by the widespread prevalence of mobile devices, which are typically common even in areas with generally low digital uptake. Mobile devices make it easy for health workers to share information, which in turn can lead to information breaches, especially when no proper channels or procedures have been established. And whether on paper or in digital form, a misplaced clinical record can expose clients to serious harm and stigma. This is a particular concern in countries where key populations are targeted by the local laws – as of 2020, 53% of countries criminalize homosexual sex, sex work and/or drug use. (3)
Palladium’s Data.FI project works within this health care context, and is helping to provide comprehensive support to low- and middle-income countries with high incidence of HIV to strengthen health information systems. Information security is at the center of this work. Part of the project’s mandate is to help ensure that health care workers receive the proper training to handle their intake forms and client lists and that proper data management procedures and channels are in place.
If the scope of cybersecurity only includes securing and mitigating risks associated with managing digital data, countries that are managing paper health records and facing great health challenges will be left behind. Indeed, we must recognize that this scope is not sufficient for a wide range of contexts. And leaving no one behind, one of the core principles underpinning the United Nations’ Sustainable Development Goals, requires us to ensure we strengthen information security and develop capacity in nondigital contexts.
We all want countries to continue to advance their digital transformation journeys. But this is a long-term, ongoing process. In the meantime, we must address information security risks as we find them. And while cybersecurity’s focus on all things digital makes an intuitive sense, an overly digital focus is not sufficient to address the challenges faced by international development health projects.
References
1. The World Bank (n.d.). DataBank: Global Financial Inclusion. [Online database.] Accessed online at: https://databank.worldbank.org/source/global-financial-inclusion.
2. K. Allel, G.J. Abou Jaoude, C. Birungi, T. Palmer, J. Skordis, and H. Haghparast-Bidgoli. (2022). Technical efficiency of national HIV/AIDS spending in 78 countries between 2010 and 2018: A data envelopment analysis. PLOS Glob Public Health, 2(8). Accessed online at: https://journals.plos.org/globalpublichealth/article?id=10.1371/journal.pgph.0000463.
3. M.M. Kavanagh, S.C. Agbla, M. Joy, K. Aneja, M. Pillinger, A. Case, N.A. Erondu, T. Erkkola, E. Graeden. (2021). Law, criminalisation and HIV in the world: have countries that criminalise achieved more or less successful pandemic response? BMJ Glob Health, 6(8). Accessed online at: https://gh.bmj.com/content/bmjgh/6/8/e006315.full.pdf.