To keep health data secure, start with the basics

March 29, 2023 by Jacqueline Deelstra

Moving health records online has many benefits for patients—but it also comes with risks. PATH’s in-house cybersecurity expert shares how countries can secure patient data.

AES (Acute Encephalitis Syndrome) team member demonstrates how a data entry app works to track health data across the state of Uttar Pradesh. Photo: PATH/Mansi Midha.

A health care worker uses an app to log health data in Uttar Pradesh, India. Photo: PATH/Mansi Midha.

Moving medical records and personal health information off paper and online has tremendous benefits—it allows countries to better track vaccination rates and disease outbreaks; enables doctors, clinics, or pharmacies to access patients’ complete health history; and supports more patients to receive the best possible care. 

But PATH’s data privacy and cybersecurity expert Nino Hares warns that hackers will certainly target databases that house personal medical information.

Given the reality and frequency of data breaches, combined with the digital transformation process ongoing in health systems around the world, PATH, with Nino’s leadership, established a cybersecurity function to advise and support our partners in creating data privacy and protection policies and protocols as well as best practices as they digitalize their health care systems.

PATH provides consultations, hosts webinars, and conducts trainings to share advice and guidance on data privacy as well as information on cybersecurity best practices. The services are designed for technology innovators, implementing partners, local entrepreneurs, donors, and funders as well as ministries of health and government stakeholders involved in the digital transformation process.

As a security architect with more than 20 years of experience working with global health and development organizations, Nino has made significant contributions to helping nongovernmental organizations and country governments improve their data privacy and cybersecurity protocols.

In his current role at PATH, he is working with the US Centers for Disease Control and Prevention’s (CDC’s) Technical Assistance Platform and the Digital Square initiative to design and operationalize data privacy–preserving digital health solutions and ecosystems that are safe, secure, and aligned with national policies.

We asked Nino a few questions about how rapidly digitalizing countries can learn from major data breaches and build digital systems that are less vulnerable to attacks.

Q: How do you define data security?

Data are secure if they are only accessed and altered by authorized individuals for an approved purpose. To ensure data security, there must be a way of monitoring how data are being defined, accessed, and modified, and by whom. Keeping personal and sensitive data secure starts with simple steps such as strong passwords, giving system access only to people who truly need to have access, and having security policies in place.

Data security is the practice of protecting digital information from unauthorized access, corruption, or theft throughout its entire life cycle. It refers to the protective measures employed to secure data against unapproved access and to preserve data confidentiality, integrity, and availability.

Q: Why is data security important to global health?

Countries know that health care is moving into the digital age and many are already implementing digital health systems. The power of health data for governments and public health agencies is clear, especially in the wake of the COVID-19 pandemic. It is great that countries are moving forward with digital transformation, but they need to prioritize data privacy and cybersecurity at the same time.

I try to deliver the message that digitalization is good, but the cost of not paying attention to data privacy and cybersecurity best practices is massive. Cybersecurity attacks in health care tripled in recent years. In 2018, cybersecurity attacks affected 14 million individuals. This number rose to 45 million individuals in 2021.

Cybercriminals target protected health information due to its high value on the dark web. This is because a single medical record contains a host of sensitive data, that, if disclosed or accessed by unauthorized individuals, could lead to harm or damage to an individual or organization. This sensitive data includes financial details, personal identification numbers, and more.

Insufficient data security can leave health care organizations vulnerable to a host of risks, such as costly fines, reputational damage, and business loss. Data security breaches also cause significant stress and inconveniences for patients, including having to monitor for potential identity theft.

“I try to deliver the message that digitalization is good, but the cost of not paying attention to data privacy and cybersecurity best practices is massive.”
— Nino Hares, Technical Security Architect

Q: What is PATH doing to support countries to improve health data security?

In many countries where we work, PATH is conducting security assessments of existing data systems—we assist and advise on how to conduct a threat analysis, review the system architecture, and perform testing to identify gaps and weaknesses. From there, we collaboratively review the results and develop recommendations for improving data privacy and system security. Many of our country partners are also interested in cybersecurity trainings for health officials and professionals.

For example, in Vietnam, PATH worked with the Ministry of Health, donors, and local technologists to upgrade their HIV data application that tracks treatment for HIV patients and do a security assessment.

And in Uganda, we are working with the Ministry of Health to increase awareness of the potential consequences of digitalization. We are also training Ministry staff on how to ensure personal and sensitive information cannot be accessed by unauthorized individuals.

PATH’s Technical Assistance Platform, funded by the CDC, also has supported countries to strengthen their health data security policies.

In Haiti, for example, we conducted a security assessment on iSanté Plus, an electronic medical record system. Additionally, since Haiti does not have a formal data protection law, we shared data security guidelines with other implementing partners to guide their ongoing governance of existing digital health systems. Eventually, we hope these become national guidelines and eventually policies, so that everyone collecting, storing, using, and sharing health data in the country will know how to keep sensitive and personal information protected and secured.

Q: What are the most important things that government entities can do to prevent data and security breaches?

Most entities are unsure how to approach data privacy and information cybersecurity. It can feel like it is almost impossible to get right—even major companies get hacked. But there are several ways that ministries of health and others handling health data can prevent security breaches.

Some of these include to:

  • Document and understand your data and systems.
  • Analyze current security risks according to HIPAA (Health Insurance Portability and Accountability Act of 1996) rules.
  • Have an incident response plan.
  • Educate staff on data security.
  • Limit access to health records to only those who truly need access.
  • Manage user permissions so staff only can access data essential to their job functions.
  • Limit the use of personal devices.
  • Update software regularly to ensure up-to-date security features are installed.

In recent years, the public health sector has seen an emphasis on developing and deploying digital health systems quickly, regardless of the data privacy, information, and cybersecurity concerns. Countries need to take a step back, review their data and systems, look for the gaps, review best practices, and establish cybersecurity teams to identify and mitigate vulnerabilities.

“There has been an emphasis on developing and deploying digital health systems quickly.... Countries need to take a step back, review their data and systems, look for the gaps, review best practices, and establish cybersecurity teams”
— Nino Hares, Technical Security Architect