Broadreach Group roundtable with Africa CDC and Palladium Group unveils risks and responsibilities for protecting and sharing health data in Africa
When it comes to personal health data protection in Africa, governments and regions have a clear responsibility to protect their citizens. Especially in the age of the rapid proliferation of personal data and malicious actors who want to access it. However, this must be weighed against the importance and value of sharing vital health data across platforms and geographies to manage the global spread of infectious diseases as travel increases post-pandemic. The good news is that these seemingly conflicting priorities don’t have to be a situation: smart policies, thoughtful frameworks, and underlying technologies can enable both privacy and data sharing.
That was the consensus at the BroadReach Group’s recent Q&A webinar on the thorny topic of health and safety data in Africa, to mark October Cybersecurity Awareness Month. The webinar covered the importance of health data ownership, data protection versus data sharing, and data residency, including personal ownership of health data, as well as challenges and responsibilities. public and private organizations to ensure their safety.
Ruan Viljoen, BroadReach Group Chief Technology Officer, led the discussion with Dr. Farley R. Cleghorn, Global Head of Health Practice at Palladium Group and Dr. Justin Maeda, Senior Regional Collaborating Centers (RCC) Coordinator. at the African Center for Diseases. Control (CDC), to explore challenges from multiple angles. The session took the form of a Q&A with members of the audience – comprised of health and program officials from across the continent – presenting their key challenges to experts for live discussion and debate. BroadReach Group is a social enterprise focused on health equity.
Key takeaways from the webinar:
- Privacy of health information is a basic human right
“Health data is the most sensitive personal data we can store and warrants an even stricter duty of care,” Viljoen said in his opening remarks. “We shouldn’t be putting individuals in a position where they have to trade their privacy in order to receive good health care.”
“Governments are the guardians of the human rights of their people and therefore have the primary responsibility to protect their citizens’ data, but the issue is complex and a multi-sector approach is needed,” Dr Maeda said. One way governments could protect their citizens is to disaggregate or anonymize their health data, to make it impersonal and unidentifiable to third parties.
- Cybersecurity becomes more important in healthcare as attacks increase
“We have seen a year-over-year increase in attacks against organizations in terms of the number of attacks and successful data breaches where data is exfiltrated and sold on the black market. Attackers are quite patient and look around. Recent studies show that it takes an average of 271 days for organizations to detect that they have been hacked, and around 70 more days to rectify the situation. So you’re looking at a good chunk of the year before you can get back to normality,” Viljoen said. This not only damages reputation and finances, but also interferes with service delivery, which is detrimental in healthcare settings, he said.
Three important international standards establish international best practices for the protection of general personal information and personal health information: the General Data Protection Regulation (GDPR) in Europe, the Health Insurance Portability and Accountability Act (HIPAA) in United States and in the private sector. led the HITRUST Alliance.
One of the technologies that can make data sharing more secure is tokenization, because tokens are much less valuable to attackers than actual data, Viljoen said.
- Consumer data is an ever-evolving responsibility
“Personal datasets about anything relating to the individual are changing. We have to embrace it because it’s not going away,” Dr Cleghorn said. “Individuals need to take control of their health data. You should assume that you have the right to access this information, that you can control your information, and that you can use it for your own benefit. »
Viljoen agreed: “We have more data points on every aspect of the individual than ever before, and that will only increase over the next few years. This can be very good for tailored individual healthcare, but the data must be used ethically and safely.
“We can learn from other industries such as fintech and payments, which have been targets of cybercrime for decades. They use tools such as data tokenization, disaggregation and de-identification to make sharing personal data much safer,” Viljoen said. “I don’t think we should be trying to solve this problem as a healthcare industry on our own – we need to come together as a collective and share solutions.”
- African countries begin to develop and collaborate on data regulations
While the 55 Member States of the African Union all differ in terms of the extent of their data policies and standards, Africa CDC strives to establish common minimum standards for the collection, storage, management , data protection and transmission within the African Union. . The “Health Information Exchange Policy and Standard” is being developed and once signed by the various Heads of State, Africa CDC will support countries to achieve these minimum standards through policies and technological solutions.
Dr Maeda said secure intercontinental data sharing was particularly important given the increased mobility of people. “To put it into perspective, a person can now be on five continents in one day, so diseases can spread quickly.”
But while data sharing was important for public health management reasons, data protection was important for individuals. “While governments have the primary responsibility to protect the data rights of their citizens, other partners such as the African Union, the United Nations, non-governmental organizations and the private sector must all play their part to ensure that protection. Healthcare development organizations need to embed data security into their development practices,” Maeda said.
Dr Cleghorn said it was important to have regional and pan-African agreements to protect the right to privacy, the right to protected health information and the establishment of safeguards on how information is shared. “The wide availability of mobile platforms has made this much more important and urgent. We need fast access to health information in the hands of the consumer.
- Where data resides is not the be-all and end-all of data security
When it comes to data residency, it cannot be said that data is safer in the cloud or on-premises. It depends on many factors and in many cases a hybrid hosting environment makes the most sense, Viljoen said. The same principle applies to open-source versus open-source, where each organization’s choice depends on its circumstances and responsibilities. “There is no right or wrong. What is important is that the solutions you use are suitable for your purpose, that the data is used with your consent, that a data policy is in place, that all regulations are applied and, if possible, that the data is encrypted to make it useless.
- Ecosystem mapping can be useful in data management
“If you make an ecosystem map, you should be able to describe all the components of data generation, data storage, data retrieval, and data usage, and it becomes a circle virtuous,” said Dr. Cleghorn. “Many countries are at different stages of this journey and they can learn from the successes and mistakes of others. But to do this, we need platforms for sharing information, to help others achieve their goals. Learning how to map your data ecosystem and your stakeholders, from others who have already done it, can be a very useful exercise. »
He also warned that personal information such as sexual orientation can be benign in one context and dangerous in another, so it was important to understand the data security requirements at different levels of data, particularly in terms of sensitive data.
Dr Cleghorn continued: “We are going to generate more and more data on all aspects of people’s lives. To manage this, we need to take an ecosystem approach and think about all the levels of data security that need to be applied. We need to better understand the ecosystem wherever we work.
A recording of the webinar can be viewed here.