Advancing health data security and cybersecurity skills in Africa
As countries continue to digitize their health systems, they become increasingly vulnerable to cyberattacks. PATH provides critical support to countries in assessing the security of their electronic health records and building essential cybersecurity skills.

The challenge
Cyber incidents and attacks are rapidly increasing, impacting countries and systems across multiple sectors. Essential health services connected to the internet, such as hospitals and ambulance services, are vulnerable. The health sector has seen a rise in cyberattacks, disrupting the operations of these critical institutions.
The data security status of digital health systems in Africa is improving. However, several challenges remain, including a lack of policies focused on data security for health, limited resources, inadequate infrastructure, and a shortage of skilled personnel across health system levels. As digital health adoption grows, the sector becomes increasingly vulnerable to cyber threats like ransomware and data breaches. Given the sensitive nature of health-related information stored in health systems, health sector actors must place heightened attention on cybersecurity.
The solution
In 2024, PATH’s digital health and cybersecurity experts, supported by the United States Centers for Disease Control and Prevention (CDC)-funded Technical Assistance Platform (TAP), conducted data security capacity strengthening activities in three countries across West, Central, and Southern Africa. (The names of the countries will not be disclosed to avoid exposing their systems to exploitation by bad actors as they continue to improve their cybersecurity infrastructure.)
Discussions involving stakeholders in these countries identified potential areas for data security support, which include enhancing data governance through developing health data privacy, confidentiality, and security guidelines; establishing structures for sustaining a secure data environment; emphasizing the importance of conducting scans of electronic health information systems to identify vulnerabilities and best practices; and working collaboratively with in-country stakeholders to ensure a progressively high standard of data security and privacy.
Why was PATH chosen to do this work?
PATH’s Center of Digital and Data Excellence (CoDE) partners with country governments to advance the digital transformation of the health sector. CoDE recognizes that digitally enabled health care and timely data use can positively change the very nature of health care and health systems, but also require countries to develop effective policies and procedures to govern and secure sensitive health data. We engage deeply with national governments and health professionals to understand the current digital health and policy ecosystem and how best to support them in continuing to improve the functionality and security of their health information systems. This includes conducting capacity-building activities to increase relevant knowledge and skills and supporting the creation of digital health strategies, data privacy and security policies, and governance structures.
Our approach
After discussions with key stakeholders and reviews of past assessments, the TAP team supported a five-day workshop in each of the three focal countries. These workshops were facilitated by PATH and the CDC and brought together individuals who interacted with the system, including health ministry officials, implementing partners, and donor representatives. The overall goals of these workshops were to deliver essential cybersecurity training and to assist participants in performing a data security assessment of their national electronic health records using the Data Security Assessment Tool-Lite (DSAT-Lite).
The DSAT-Lite is meant to be used by individuals without advanced cybersecurity skills, such as information technology personnel, system users, and project managers. It is used to perform an essential security self-assessment of an electronic system. Developed by CDC, with controls derived from the National Institute of Standards and Technology (NIST) framework, the DSAT-Lite encompasses a combination of Cybersecurity Maturity Model Certification Level 1 and Level 2 controls. Out of the 110 NIST controls, only 17 are chosen for this DSAT-Lite assessment (table below), all of which are related to policy and/or implementation.

The 17 National Institute of Standards and Technology controls in the Data Security Assessment Tool-Lite (DSAT-Lite).
The assessment was carried out through the following steps:
- System selection.
- Cybersecurity overview.
- Data security and privacy regulations and frameworks contextual overview.
- Orientation to DSAT-Lite.
- Self-assessment.
- Analysis of assessment results.
- Report development.
“Recent workshops demonstrated that the DSAT-Lite process is a structured, phased approach to enhancing data security in health information systems, highlighting the tool’s replicability and ease of use.”
The results
In each of the workshops, assessment results highlight a range of data security vulnerabilities that stem from systemic issues across three domains: workforce capacity, technological infrastructure, and governance processes. These domains intersect and compound one another, making comprehensive data security challenging to achieve in health systems. Personnel with limited data security expertise can hinder proactive threat management and response efforts, while outdated technologies and inadequate access controls expose systems to high levels of risk. Weaknesses in governance further complicate the data security landscape, with gaps in regulatory enforcement and cross-sector collaboration that expose systems to internal and external threats. The challenges within each domain require targeted, collaborative strategies to address the gaps identified.
Based on the assessment findings and collaborative discussions, tailored recommendations were developed to address the key cybersecurity gaps identified across all assessed health information systems. These recommendations focus on essential improvements in data security policy and implementation as defined by the DSAT-Lite. Emphasizing regular data security training, structured security procedures, and routine monitoring, these measures aim to build a resilient defense against evolving cyber threats. Drawing insights from previous assessments in other regions, these recommendations highlight the importance of engaging all stakeholders, establishing robust governance structures, and securing necessary resources for long-term data security and capacity development.
“Participants gained a solid understanding of basic data security principles and acquired the skills needed to independently conduct data security self-assessments on various electronic systems in the future.”
Next steps
With the rapidly increasing risks of cyberattacks on electronic health systems, it is essential to bolster data security infrastructure and awareness. However, designing an effective data security strategy within resource and investment constraints is challenging without understanding the primary risk scenarios to which systems are exposed. At recent workshops, the DSAT-Lite process, together with the tool’s replicability and ease of use, highlighted a structured, phased approach to enhancing data security in health information systems. As a result of these workshops, participants gained a solid understanding of basic data security principles and acquired the skills needed to independently conduct data security self-assessments on various electronic systems in the future.
By identifying system risks and developing action plans with stakeholders, countries aim to fortify their systems. However, this will require ongoing financial support from stakeholders and human resource capacity-strengthening support. Collaboration with key stakeholders, continuous learning, and adaptability are crucial for the successful implementation and sustainability of these data security measures. This collaborative effort represents a significant step toward strengthening data security in country-based health information systems.
To learn more, please visit the full report here.