Takalane Khashane, Managing Director, Iron Mountain South Africa.

All over the world, data is being generated, stored, and shared at tremendous volume. However, we cannot entrust information to any system without considering the potential for misuse. Data security breaches and cybercrime are rife in this digital age and data needs to be rigorously protected to avoid unauthorised access and exploitation.

Digitalisation accelerated with force during the pandemic, and we now do everything online, including monitoring health and providing and receiving medical care.

Expanding remote care, telemedicine, and m-health initiatives have become the order of the day, and safeguarding sensitive information is being done at a scale comparable to the financial services sector. Whilst the benefits of digitising documents and processes are unquestionable, it has introduced its challenges too. Especially with the growth of remote working, data is increasingly vulnerable to unwanted exposure – and in the healthcare sector, the impact can be enormous.

The health sector is now the most targeted industry in the world as an increase of around 22% was recorded across all industries by the end of 2020. A new report published by Check Point Research found that the average number of attacks on health organisations and systems rose to 626 per organisation in December 2020 from around 430 in October 2020. The form of infringement includes ransomware, botnets, remote code execution, and distributed denial-of-service (DDoS) attacks.

Hospitals are now recording the most ransomware attacks of any sector as criminals exploit the COVID-19 pandemic in an attempt to get rich quick. So far African institutions have been spared the worst, but data security experts say once the criminals run out of option in the developed world, they will turn to the continent to make more illegal cash.

In 2020 a South African hospital group was subjected to a cyberattack that forced it to shut down systems. The group’s admissions systems, business processing systems and email servers were all affected.

Today, it is critical for healthcare leaders to be stringent about data security – not just for operational and financial protection, but to protect the health and safety of patients. More than ever before, all health systems and medical institutions should be taking the necessary steps to ensure their data doesn’t end up in the wrong hands.

A modern IT infrastructure

To begin with, modernising IT infrastructure is vital. While 100% protection isn’t possible, thanks to the increasing sophistication and volume of hacking techniques, a modern IT system will support a robust cybersecurity programme that can either prevent an attack or at least improve the speed of detection, containment, and remediation if one does occur.

This includes things like encryption of stored and transmitted data, recovery and backup systems, and multi-factor login authentication. A security incident response plan should also be developed so that an attack can be identified, evaluated, and contained quickly, and to help prevent a similar one in the future.

Granting access to patient information securely

The South African regulatory environment is becoming increasingly complex due to developing cyber and data privacy laws as well as established healthcare-related laws and regulations.

South African regulations such as the Protection of Personal Information Act (POPIA) and the National Health Act (NHA) govern the protection and privacy of personal information. While the former is more general, the latter focuses specifically on patient information.

A health worker that has access to the health records of a user may disclose such personal information to any other person, healthcare provider or health establishment as is necessary for any legitimate purpose within the ordinary course and scope of his or her duties where such access or disclosure is in the interests of the user. However, the person in charge of a health establishment in possession of a user’s health records must set up control measures to prevent unauthorised access to those records and to the storage facility in which they keep those records.

Healthcare providers must therefore carefully manage how data is collected, for what purpose it is used, and how it is protected from compromise, or risk significant financial fines and reputational damage.

Best practice information security measures

All employees should be provided with clear and concise written policies covering key aspects of information security. This should include the acceptable use of their laptops, phones, and other devices. All employees should also be given cybersecurity training, which will help to keep them alert to potential phishing and malware attacks.

In the case of remote employees, particularly those who handle sensitive records, formal training on privacy policies and tools to prevent misuse should be provided as well. For optimal remote working security, it’s advisable to build out official company policies around the following elements: conducting company business on personal computers or phones, copying business records to personal devices, sending business records to personal email or any other email outside your company domain, printing business documents at home and using personal flash drives to store business information.

Healthcare providers must also ensure that any third-party partners are compliant and have suitable data security measures in place too. Every external organisation with access to patient data is another avenue through which data can be exposed.

Secure paper document disposal

Although digital transformation has indeed taken hold within healthcare settings, the industry is still exceptionally reliant on paper records. Therefore, any data security protocol should also account for the secure storage and disposal of paper documentation. Despite long-term innovations and the moves being made towards digitisation, the reality is that paper records will exist in healthcare for a long time to come.

When the time comes for older records to be digitised and physical documents are ready for disposal, they should be shredded following privacy and data compliance regulations to avoid penalties, fines or legal action. Standard office shredders don’t usually offer a fully compliant process, so an external provider is key.

Furthermore, shredding operations should be fully monitored by 24-hour CCTV, with all materials handled by staff who have been security vetted.

Finally, as information compliance is an ever-changing landscape, it can be very valuable to engage consultants who are always up to date with regulations and best practices and can ensure you have effective, cross-functional information governance in place. In a world where data breaches have the potential to cause so much damage, prioritising data security in healthcare truly is a must.