Blog

Managing Patient Confidentiality In The Virtual Arteries of The Health Sector

Personal health records have evolved beyond bulging family files with scribbled notes at local GP offices...

Personal health records are no longer just a bulging family file with scribbled notes kept at the local GP rooms. Whenever we receive a health service, whether it is a Covid-19 test, a vaccination, taking out health insurance, a visit to the dentist, or just buying non-prescription medicine at the local pharmacy, personal records are created, updated, and shared amongst the various providers.

Patient data has become a precious commodity in the data-driven empires, including the criminal underground. The risk of confidential patient data being stolen, lost, extorted, or exposed grows as the volume of data and the number of role-players within the health industry increase. Add to that a rather complex supply chain that must continuously provide patients with high-level health care, and health workers with an environment conducive to providing the best care.

We all know that complexity is the enemy of security (and privacy).

Internal and external data breaches caused by human error or exploited vulnerabilities can expose patient records and lead to unsuccessful treatment, financial ruin, and possible prosecution (for violation of SA laws). Breached patient records can in turn be used to submit fake claims to medical aids or to gain access to prescriptions for scheduled medicines.

A medical record is, in a sense, set in stone, as we are unable to go back in time and change which illnesses or injuries crossed our paths. This means that when such a record makes its way into criminal hands, there is no way of requesting a new one and starting over.

Recent case studies of data breaches within this sector enable us to follow the data exposure and how privacy is impacted along these virtual arteries. The Life Healthcare Group, the second-largest private hospital group in SA, experienced a breach in 2020, as reported by EWN news[1]. The hack affected IT systems and forced doctors to switch all administrative processes to manual operation.

A SOUTH AFRICAN DATA MAP

The South African health care industry comprises various organisations, including research laboratories, drug manufacturing facilities, pharmacies, medical treatment centres, and third parties associated with medical care.

Sensitive patient data is collected, transformed, stored, and shared within and between these organisations in the health industry. The data collected by each of these entities is presented in the mind map in Figure 1.

[1] Life Healthcare Group hacked amid COVID-19 fight (ewn.co.za)

Figure 1: Data collected per sector in Health Industry

This map is our first step in defining the data flow and ensuring privacy along all virtual arteries. We categorise sensitive data into patient data, internal business data and external business data.

Patient data includes screening, diagnosis, treatment, demographic, lifestyle choice and also financial data.

Internal business data includes patient data used for research purposes, clinical trials, and financial reporting. This data is then used by organisations in the health industry to forecast inventory, identify target markets, implement effective marketing campaigns and analyse their financial position in the industry.

External business data includes patient data used by third-party organisations in the health industry. These organisations include government agencies, law officials, insurance organisations, medical aid facilities, travel agencies and employers.

PRIVACY MANAGEMENT

The digital transformation of the healthcare industry has made it possible to provide easier, more accessible treatment at a lower cost. The implementation of information management systems, smart devices, cloud services and the Internet of Medical Things (IoMT) is making it possible to improve patient care and provide effective treatment in a short period of time.

Patient data can be managed through Electronic Health Records (EHR), or Electronic Medical Records (EMR), where individual patient data is stored at a centralized location. These systems focus solely on patient care and contain clinical, lifecycle, demographic, financial and patient preference data. Such records are then shared between medical practitioners and researchers to provide optimum patient treatment.

The ways in which patient data is used to enhance the health care value chain include the following:

  • Enhance drug discovery and development
  • Optimise effectivity and efficiency of clinical trials
  • Ensure accurate patient diagnosis
  • Deliver optimum treatment and increase its success rate
  • Improve drug delivery and boosters
  • Ensure safety, risk management and control
  • Gain insight into market and performance

Customer relationships are managed through health care customer relationship management systems (HCRM). These systems are focused solely on the operational side of patient care to improve current communication protocols and ensure informed decision-making processes are implemented.

The implementation of security protocols and security vulnerability detection systems is critical to ensure the effective management of risks associated with cybercrime.

DATA LAWS AND DISCLOSURE

Data management and security are essential at all stages of the health industry and are mainly governed by the implementation of policies and procedures in compliance with South African health and security laws.

Medical health data confidentiality is a basic human right, but authorised access can be granted for appropriate reasons according to South African law. South African laws published in the government gazette that address patient record confidentiality, security and access include the following:

  1. The National Health Act, [No. 61 of 2003] available at: National Health Act [No. 61 of 2003] (www.gov.za)

This Act states that it is an offence to disclose confidential patient information without the patient's consent. However, sections 14, 15 and 16 set out valid reasons for disclosure.

As per the National Health Act:

  • The user consents to the disclosure in writing.
  • Patient consent is required for sharing with third-party organisations (medical aid, insurance, treatment processes).
  • The medical party gathering the data is responsible for its safety.
  • Confidential patient data should only be used for the purpose for which it was collected.
  • A court order or any law requires the disclosure; a court order requires no patient consent or notification.
  • Non-disclosure of the information represents a serious threat to public health.
  • Medical practitioners are obliged to report notifiable diseases and conditions, without patient consent.
  • The risk of patient harm outweighs confidentiality. Medical practitioners are obliged to thoroughly document the steps taken in the event of non-disclosure.
  • A medical practitioner has access to confidential patient information and has the right to share that information with a health care team only in the interest of the patient.
  • No consent is required for clinical research purposes if the data presented is not directly linked to a patient. Patient consent is required when reporting an individual patient's diagnosis (photographs, symptoms, treatment).
  • The Health Professions Council of SA (HPCSA) has published ethical guidelines for good practice (available at: MEDICAL AND DENTAL PROFESSIONS BOARD (hpcsa.co.za)). They urge the implementation of security protocols to keep patients' HIV results confidential. All clinical data relating to HIV patient results must be disclosed before sharing with professionals and commencing the required treatment processes.
  2. The Promotion of Access to Information Act, [No. 2 of 2000] (PAIA) available at: Promotion of Access to Information Act [No. 2 of 2000] (www.gov.za)

This Act addresses the right of access to confidential records held by public and private bodies, for legitimate reasons only. The purpose of the Act is to promote transparency and accountability. Confidential records and information can be formally requested in terms of PAIA.

  3. The Protection of Personal Information Act, [No. 4 of 2013] available at: Protection of Personal Information Act (www.gov.za)

The purpose of this Act is to ensure that appropriate business structures are implemented to keep confidential health care data safe. The main objective is to secure data throughout its life cycle of collection, processing, storage and sharing. Security protocols and policies should be implemented to prevent unauthorised access, data leaks, damage and cyber-crime.

The Health Professions Council of SA (HPCSA) sets out guidelines for policy development and implementation.

NEXT STEP

As we continue to work with entities in the health sector to design and implement Information Security Management Systems (ISMS), this work also enables us to further our research into security concerns and solutions in the health sector. This article maps the entities as well as the types of data, so as to enable us to provide strategies for securing health records in cyberspace.

Written by: Charne Biermann

Certificate in Cyber Security

Course Details

This practical, hands-on course focuses on establishing a foundation in Cyber Security by introducing candidates to cyber-crime, attack methods, and managing cyber risks.

Mode of Offering: The course is presented via facilitated e-learning, utilising an e-learning platform and virtual classes.

Intended Audience:

This course is designed for individuals embarking on a career in Cyber Security or performing security functions.

Requirements

Applicants should have a Matric certificate or equivalent qualification with suitable IT knowledge, Internet access, and a PC or laptop on which applications can be installed and services accessed.

Costs:

R10,500 all inclusive

Duration:

6-months

Intake:

We have two main intakes, one at the end of February and another at the end of June. Additional intakes may be scheduled depending on application volumes and requirements.

Course Overview:
Cyber-crime
  • Introduction to cyber-crime
  • Cyber-attack methods (e.g., ransomware, sextortion, email fraud)
  • Cyber criminology (actors behind the attacks, criminal networks, state-sponsored entities, etc.)
  • Tracing the online trail
  • Dark web (criminal forums)
  • Case studies of attacks in SA and globally
  • Crime-as-a-Service
  • Internet of (Criminal) Things.
Practical Cryptography
  • Introduction to cryptography.
  • Encryption and Decryption.
  • Hash functions
  • Blockchain
  • Virtual Currencies
  • Digital signatures
  • Digital certificates
  • Cryptographic Protocols (SSL, SSH, etc.)
Cyber Governance, Risk & Compliance
  • Overview of cyber governance, risk, and compliance
  • POPIA & GDPR
  • Data Privacy
  • Policies in action
  • NIST, ISO27001
  • Controls
  • Planning for contingencies
  • Developing the security program
  • Risk analysis and management
Cyber Intelligence
  • Introduction to Cyber Intelligence
  • Attack Tools
  • Attack process
  • Reconnaissance and Footprinting
  • OSINT services and tools
  • Threat and vulnerability feeds and assessments

Cyber Investigations

Course Details

This course is suitable for investigators and investigation teams within the corporate environment and public sectors who are required to track online trails or utilise tools to solve online crimes. It is also intended for professionals and investigative journalists involved in investigations such as fraud, espionage, data theft, and cyber vetting.

Mode of Offering: The course is presented via facilitated e-learning, utilising an e-learning platform and virtual classes.

Intended Audience:

This course is designed for investigation officers, cyber-crime investigators, investigative journalists, etc.

Requirements

Applicants should have a Matric certificate or equivalent qualification. Although a formal IT qualification or certification is not required, some knowledge of computer systems would be beneficial. Internet access and a PC or laptop on which applications can be installed and services accessed are required.

Costs:

R10,500 all inclusive

Duration:

6-months

Intake:

Applications are accepted throughout the year, with course starting dates in February, May, and August.

Course Overview:
  • Reconnaissance
  • Online services and tools
  • Metadata Encryption & Decryption
  • Digital signatures
  • Online investigations
  • Crime Scene Management
  • Documenting evidence
  • Investigation Process
  • Chain of Evidence
  • Protocols and emails
  • URLs & DNS information
  • Timelines
  • Decryption and deciphering
  • Virtual Currencies
  • Cyber criminology
  • Introduction to the attack process
  • Introduction to attack vectors
  • Social networks (e.g., attacks via Facebook, Twitter, etc.)
  • Dark and hidden web
  • Threat actors
  • Data Collection
  • Social Media
  • OSINT
  • HUMINT
  • SOCMINT

Cyber Intelligence

Course Details

The main objective is to equip delegates with the necessary competencies and practical skills to assist in compiling an intelligence-driven cyber security strategy to provide proactive solutions to a plethora of cyber threats.

Mode of Offering: The course is presented via facilitated e-learning, utilising an e-learning platform and virtual classes.

Intended Audience:

This course is designed for persons responsible for the security function, CISOs, as well as Data Protection Officers.

Requirements

Applicants should have a Matric certificate or equivalent qualification. Although a formal IT qualification or certification is not required, some knowledge of computer systems would be beneficial. Internet access and a PC or laptop on which applications can be installed and services accessed are required.

Costs:

R10,500 all inclusive

Duration:

6-months

Intake:

Applications are accepted throughout the year, with course starting dates in February, May, and August.

Course Overview:
  • Cyber Security Environment
  • Cyber Landscape
  • Cyber Threats and Exploits
  • Cyber Actors and Criminology Aspects
  • Obtaining Data
  • Sources of Data
  • Collection Operations
  • Applications, Tools, and Services
  • Analysis of Cybercriminals’ Modus Operandi
  • Analysis Techniques (Data to Information)
  • Indicators of Compromise
  • Cyber Intelligence
  • Intelligence Platforms, Applications, and Services
  • Data – Information – Intelligence
  • Intelligence Strategy
  • Incident Management
  • Cyber Warfare
  • Political and Commercial
  • Developing an Intelligence-Driven Strategy
  • Strategic and Tactical Intelligence Function
  • Risk Management

Cyber Governance

Course Details

Establishing a security strategy and defining a suitable implementation plan focused on managing cyber risks in a volatile and dynamic environment requires a solid understanding of the threat space and frameworks. This course unpacks cyber governance and approaches to manage risk and adhere to compliance regulations.

Mode of Offering: The course is presented via facilitated e-learning, utilising an e-learning platform and virtual classes.

Intended Audience:

This course is designed for Managers and C-Suites responsible for security, Board members, as well as prospective leaders in the Cyber Security space.

Requirements

Applicants should have a Matric certificate or equivalent qualification. Although a formal IT qualification or certification is not required, some knowledge of computer systems would be beneficial. Internet access and a PC or laptop on which applications can be installed and services accessed are required.

Costs:

R10,500 all inclusive

Duration:

6-months

Intake:

Applications are accepted throughout the year, with course starting dates in February, May, and August.

Course Overview:
  • Security Management Program
  • Cyber-crime
  • Threat Environment
  • Cyber Criminology
  • Regulations – GDPR, POPI, Electronic Act, PCI-DSS
  • Skills Frameworks
  • Cyber Awareness Programs
  • Risk management
  • Controls – Choice, Implementation, and Management
  • Security Frameworks and Models
  • Policies and Procedures
  • Data Protection
  • The road to ISO 27001 Compliance and Certification

IT and Cyber Security Program

Course Details

Our courses combine essentials from both industry and academia to provide valid, unique, practical content that is innovatively presented via facilitated e-learning.

The IT and Cyber Security Program is a practical course consisting of coursework, virtual classes, and practical cyber range exercises.

Mode of Offering: Learning will be conducted through a facilitated online format, utilising an e-learning platform to provide an interactive and engaging educational experience. Additionally, hands-on practical sessions and virtual labs will be conducted every Friday from 9:00 AM to 12:00 PM, offering participants the opportunity to apply theoretical knowledge in a real-world context. This blend of online facilitated learning and scheduled virtual sessions aims to create a comprehensive and dynamic learning environment, ensuring a well-rounded educational experience for participants.

Intended Audience:

This course is designed for school leavers, those on a gap year, graduates looking to add industry credentials, and individuals looking to make a career change.

Requirements

Applicants should have a Matric certificate or equivalent qualification. Internet access and a PC or laptop on which applications can be installed and services accessed are required.

Costs:

R 31,350 all inclusive

Duration:

10-months

Intake:

24 February 2024

Course Overview:
IT Foundation for Cyber Security
  • IT Hardware Fundamentals
  • Network Fundamentals
  • Introduction to Operating Systems (Windows and Linux) 
  • Introduction to Cloud Computing (Office 365 and MS Azure) 
  • Protocols 
  • Technical Research and Writing
  • Algorithms and Problem Solving
  • File and Database Systems
  • Scripting
  • New Technologies: AI and Quantum Computing
  • Soft Skills
Certificate in Cyber Security
  • Cyber Security Fundamentals 
  • The Cybercrime Eco-System
  • Actors in Cyber Space – State and Non-State Actors
  • Cyber Incidents: Attacks, Breaches, and Espionage
  • Understanding Tactics, Techniques, and Procedures (TTPs) using the Mitre Attack Framework
  • Cryptography (Symmetric/Asymmetric/Hashes)
  • Secure Protocols
  • Reconnaissance and OSINT (Open-Source Intelligence)
  • Cyber Security Frameworks and Standards: Introduction to the NIST CS Framework and ISO 27000 Series
  • Cyber Risk Management, Cyber Governance, and the Implementation of Security Controls
Facilitated online course with virtual classes, and practical training and skills development on the cyber range platform.