In 2021, a total of $706,452 was paid as ransom to cybercriminals by Nigerian businesses and organisations. The average cost of rectifying a cyber-attack in the country also went up from $0.46 million in 2020 to $3.43 million in the same year.
Cybersecurity entails the protection of internet-connected systems such as hardware, software and data from external and internal cyber threats. The practice is used by individuals and enterprises to protect their systems against unauthorised access to data centres and other computerised systems. Cybersecurity access management is crucial, especially in today’s world where a high percentage of sensitive data – including personal and government data – lives digitally.
Today, Nigerian healthcare organisations are no strangers to cyber threats. In a world where everything is moving to digital technologies, medical records aren’t left out either. Critical medical information in the wrong hands is like placing the nuclear launch codes in the hands of anarchists and terrorists.
In the case of a developing country like Nigeria where health records are often unsecured, there is an urgent need for a stronger framework for tactically securing health records, especially [as it relates] to cloud technologies.
There is a strict and professional observance of patient confidentiality which is recognised by law as codified in the Nigerian National Health Act (NHA) 2014 where adequate provisions for the privacy rights of patients were developed. Section 26 (1) of the NHA clearly states that “all information concerning a user, including information relating to his or her health status, treatment or stay in a health establishment, is confidential”.
Unfortunately, [the] implementation of these protocols by healthcare organisations to protect patient data is significantly lacking as seen in the increase in the rate of cybercrime in Nigeria. Nigerian law also recognises healthcare as a [part of the] national critical information infrastructure sector. Infringement of this critical infrastructure is punishable by law as codified in the Cybercrimes (Prohibition & Prevention) Act 2015.
There are three critical leading practices that healthcare organisations in Nigeria should consider to protect themselves from cyber threats.
Nigerian healthcare organisations inherently lack an established cybersecurity culture as demonstrated by the rise in ransomware cybercrime. The cyber security culture, like any organisational culture, should be cultivated, nurtured and sustained.
According to data published by a top global cyber security firm, Sophos, 71 per cent of Nigerian businesses were hit with ransomware in 2021, up from 22 per cent in 2020.
A global cybersecurity expert, Ameya Khankar, who has developed several successful cybersecurity strategies for healthcare businesses worldwide, prescribed a few solutions for healthcare organisations serious about protecting data: Assess the organisational culture and establish where organisational security stands currently, outline the mission by clearly establishing what constitutes success for cybersecurity initiatives, establish executive leadership participation to drive the priorities for employees to foster a healthy cyber-security culture, clearly define expectations to eliminate ambiguity with a detailed plan specifying roles, goals and responsibilities for departments if a cyber-attack occurs, allocate resources to invest in the development of cyber security platforms and familiarise employees, especially the ones handling key medical records with protocols to tackle cyber attacks, among others.
Nigerian cyberspace is the second most attacked, according to the Sophos survey which revealed that 86 per cent of Nigerian companies fell prey to attacks.
According to Khankar, the principle of least privilege (PoLP) is an information security concept which maintains that a user or entity should only have access to the specific data, resources and applications needed to complete a required task. Ameya emphasises that this is particularly critical for cloud applications that store sensitive patient information to not only safeguard the information from external threats but also from threats within the organisation.
He further added that this principle should be implemented along with the authentication, authorisation and accountability – AAA – principle. This framework addresses the need to verify the identity of users seeking access to a network or other resource (authentication), determine what they’re allowed to do (authorisation) and track all actions they take (accountability).
Furthermore, Khankar outlined the benefits of implementing privileged access management to be “not only the protection of healthcare organisations from potential insider and outsider threats but also regulatory compliance where access to patient records should be restricted and patient privacy should be maintained. This may mean designing the cloud application security in such a way that the most critical patient data has the highest amount of access restrictions”.
Thus, a doctor, nurse, surgeon or consultant that needs permission to a patient’s data would not have access to data beyond what is required for them to perform their duties. From a back-office processing standpoint, this means that a healthcare developer who needs rights to write code in a test environment would not have permission to also move lines of code into production. The developer also likely does not require access to sensitive patient information to do their job and, thus, their access should be restricted and segregated within the cloud environment.
Plan for the unexpected
Rising cybersecurity threats in Nigeria can lead to unforeseen challenges, disasters and roadblocks while preparing to prevent a cyber-attack.
Khankar highlighted the need for healthcare organisations in Nigeria – both privately and public-owned – to adopt a “meta-readiness approach”, which essentially entails working to reduce potential adverse outcomes to a negligible level by careful planning, stress-testing, and red-teaming (hiring an independent group of attackers to test your defences). It also means not getting bogged down by protocols when a cyberattack does occur and, instead, adopting a flexible mindset and adaptability to overcome the breach.
He reasoned that Nigerian healthcare organisations will have to protect their reputation; a fact which depends on their preparedness for possibilities of cyberattacks, how well they respond to the cyber threat (if it occurs) and how they demonstrate resilience to successfully emerge from the crisis while protecting patient trust.
Otuyemi, a cyber security analyst, wrote in from Abuja. He can be reached via firstname.lastname@example.org