Security
HOW NIGERIAN HEALTHCARE ORGANIZATIONS CAN IMPROVE THEIR SECURITY ACCORDING TO A GLOBAL CYBER EXPERT
By Adetaio Otuyemi
In 2021, a total of $706,452 was paid as ransom to cybercriminals by Nigerian businesses and organisations. The average cost of rectifying a cyber-attack in the country also rose from $0.46 million in 2020 to $3.43 million in 2021.
Cybersecurity is the protection of internet-connected systems, including hardware, software, and data, from external and internal cyber threats. Individuals and enterprises practise it to keep unauthorised parties out of data centres and other computerised systems. Access management in particular is crucial in a world where a very high percentage of sensitive data, including personal and government data, lives digitally. This article covers healthcare cybersecurity access management in detail, drawing on input from global cybersecurity expert Ameya Khankar. He is a highly regarded and trusted cybersecurity professional focusing on technology risk, enterprise transformations, and digital governance. He advises large global enterprises on enterprise technology risks, with a deep focus on strategies to strengthen their cybersecurity posture, and has helped $3 billion, $4 billion, and $9 billion healthcare organisations meet complex cybersecurity regulatory requirements.
CYBERSECURITY: A CRITICAL NEED FOR HEALTHCARE ORGANISATIONS IN NIGERIA
Nigerian healthcare organisations today are no strangers to cyber threats. In a world where everything is moving to digital technologies, medical records are not left out either, and critical medical information in the wrong hands is like placing nuclear launch codes in the hands of anarchists and terrorists.
In a developing country like Nigeria, where health records are often unsecured, there is an urgent need for a stronger framework for securing health records, especially those held in cloud services.
Patient confidentiality is a strict professional obligation and is recognised by law in the Nigerian National Health Act (NHA) 2014, which makes provisions for the privacy rights of patients. Section 26(1) of the NHA states that “all information concerning a user, including information relating to his or her health status, treatment or stay in a health establishment is confidential”. Unfortunately, implementation of controls that actually protect patient data lags well behind the law, while the rate of cybercrime in Nigeria keeps rising. Nigerian law also recognises healthcare as a National Critical Information Infrastructure sector, and infringement against such infrastructure is punishable under the Cybercrimes (Prohibition, Prevention, etc.) Act 2015.
There are three (3) critical leading practices that healthcare organizations in Nigeria should consider to protect themselves from cyber threats:
• ESTABLISH/FOSTER SECURITY CULTURE
• CONTROL ACCESS THROUGH PRINCIPLE OF LEAST PRIVILEGE
• PLAN FOR THE UNEXPECTED
ESTABLISH/FOSTER SECURITY CULTURE
Most Nigerian healthcare organisations lack an established cybersecurity culture, and the rise in ransomware crime shows the cost of that gap. Cybersecurity culture, like any organisational culture, must be cultivated, nurtured, and sustained.
According to data published by a top global cyber security firm, Sophos, 71 per cent of Nigerian businesses were hit with ransomware in 2021, up from 22 per cent in 2020.
According to Ameya Khankar, who has developed several successful cybersecurity strategies for healthcare businesses worldwide, any serious Nigerian healthcare organisation should take the following steps:
• Assess the organisational culture and establish where organisational security currently stands
• Outline the mission by clearly defining what constitutes success for cybersecurity initiatives
• Secure executive leadership participation to set priorities for employees and foster a healthy cybersecurity culture
• Clearly define expectations to eliminate ambiguity, with a detailed plan specifying the roles, goals, and responsibilities of each department if a cyber-attack occurs
• Allocate resources to invest in cybersecurity platforms, and familiarise employees, especially those handling key medical records, with the protocols for responding to cyber-attacks
CONTROL ACCESS THROUGH PRINCIPLE OF LEAST PRIVILEGE
Nigeria is the second most attacked country in the Sophos survey, which found that 86% of Nigerian companies had fallen prey to attacks.
According to Ameya Khankar, the principle of least privilege (PoLP) is an information security concept which holds that a user or entity should have access only to the specific data, resources, and applications needed to complete a required task. Ameya emphasises that this is particularly critical for cloud applications that store sensitive patient information, in order to safeguard the information not only from external threats but also from internal threats within the organisation. He further adds that this principle should be implemented along with the AAA principle. AAA stands for authentication, authorization, and accountability (the third A is also commonly written as accounting). This framework addresses the need to verify the identity of users seeking access to a network or other resource (authentication), determine what they are allowed to do (authorization), and record every action they take (accountability).
Furthermore, Ameya Khankar outlines the benefits of implementing privileged access management to be “not only the protection of healthcare organisations from potential insider and outsider threats but also regulatory compliance where access to patient records should be restricted and patient privacy should be maintained. This may mean designing the cloud application security in such a way that the most critical patient data has the highest amount of access restrictions.” Thus a doctor, nurse, surgeon, or consultant who needs a patient’s data would not have access to data beyond what their duties require. From a back-office standpoint, this means that a developer at a healthcare organisation who needs rights to write code in a test environment would not also have permission to move code into production. That developer also most likely does not need access to sensitive patient information to do their job, so their access should be restricted and segregated within the cloud environment.
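As an added illustration of the least-privilege and AAA model described above, the following Python is example code written for this article; it is not code from Ameya Khankar or from any healthcare system he advised. The usernames, roles, passwords, patient identifiers and policy table are constructed sample data. It shows all three steps in one small access layer: a salted slow hash for authentication, an allow-list policy (default deny) for authorization with a second, per-patient scope check for clinicians, and an audit log that records every decision, denials included, for accountability. The developer role gets rules only for the test environment, so a production deployment or a read of a patient record is refused without any special-case code, which is exactly the segregation the paragraph above calls for.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Constructed example: a least-privilege access layer for a patient-records
# service, with all three AAA steps. Usernames, roles, patient IDs and
# passwords below are hypothetical sample data, not from any real system.

# Authorization policy: role -> explicitly allowed (action, resource type, environment).
# Anything not listed is denied, so a developer has no rule for "prod" or for
# patient records and is refused both without any special-case code.
POLICY = {
    "clinician": {("read", "patient_record", "prod"), ("write", "clinical_note", "prod")},
    "billing":   {("read", "invoice", "prod")},
    "developer": {("write", "code", "test"), ("deploy", "code", "test")},
}

# Data-level least privilege: a clinician may only open records of patients
# currently assigned to them, not every record the role could in principle read.
CARE_TEAM = {"dr_ade": {"P-1001", "P-1002"}, "nurse_bola": {"P-1002"}}

AUDIT_LOG = []  # accountability: every auth/authz decision, allow or deny, lands here


def _hash_password(password: str, salt: bytes) -> bytes:
    # Slow salted hash, so a leaked hash cannot be reversed cheaply.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _make_user(username: str, password: str, role: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"username": username, "role": role, "salt": salt, "hash": _hash_password(password, salt)}


USERS = {u["username"]: u for u in (
    _make_user("dr_ade", "ward-7-rounds-2024", "clinician"),
    _make_user("nurse_bola", "night-shift-ok", "clinician"),
    _make_user("dev_chidi", "ci-pipeline-green", "developer"),
)}


def audit(event: str, **fields) -> dict:
    entry = {"ts": time.time(), "event": event, **fields}
    AUDIT_LOG.append(entry)
    return entry


@dataclass
class Session:
    username: str
    role: str


@dataclass
class Resource:
    rtype: str
    env: str
    patient_id: Optional[str] = None


def authenticate(username: str, password: str) -> Optional[Session]:
    """Step 1, authentication: prove who is asking before any policy is consulted."""
    user = USERS.get(username)
    # Hash even for unknown usernames so response time does not reveal which accounts exist.
    salt = user["salt"] if user else b"\x00" * 16
    expected = user["hash"] if user else b"\x00" * 32
    ok = hmac.compare_digest(_hash_password(password, salt), expected) and user is not None
    audit("auth", user=username, outcome="success" if ok else "failure")
    return Session(username, user["role"]) if ok else None


def authorize(session: Session, action: str, resource: Resource) -> bool:
    """Step 2, authorization, with step 3, accountability, recorded on every path."""
    allowed = (action, resource.rtype, resource.env) in POLICY.get(session.role, set())
    basis = "role_policy"
    if allowed and resource.patient_id is not None:
        # Role check passed; now narrow to the patients this person actually treats.
        allowed = resource.patient_id in CARE_TEAM.get(session.username, set())
        basis = "care_team_scope"
    audit("authz", user=session.username, role=session.role, action=action,
          resource=f"{resource.env}/{resource.rtype}/{resource.patient_id or '-'}",
          outcome="allow" if allowed else "deny", basis=basis)
    return allowed


if __name__ == "__main__":
    doc = authenticate("dr_ade", "ward-7-rounds-2024")
    dev = authenticate("dev_chidi", "ci-pipeline-green")
    authorize(doc, "read", Resource("patient_record", "prod", "P-1001"))   # allow
    authorize(doc, "read", Resource("patient_record", "prod", "P-4040"))   # deny: not on care team
    authorize(dev, "write", Resource("code", "test"))                     # allow
    authorize(dev, "deploy", Resource("code", "prod"))                    # deny: no prod rule
    authorize(dev, "read", Resource("patient_record", "prod", "P-1001"))  # deny: no record rule
    for entry in AUDIT_LOG:
        print(entry)
```

The point of the allow-list shape is that adding a new role or environment never widens anyone's access by accident: a permission exists only where a line in POLICY says so, and the audit trail shows who asked for what and why it was refused, which is the evidence a regulator or incident responder will ask for.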
PLAN FOR THE UNEXPECTED
Even an organisation that is actively preparing to prevent a cyber-attack will run into unforeseen challenges, disasters, and roadblocks as threats in Nigeria keep rising.
Drawing on his experience as a global cybersecurity expert, Ameya Khankar has highlighted the need for Nigerian healthcare organisations, both privately and publicly owned, to adopt a “meta-readiness approach”, which essentially entails working to reduce potential adverse outcomes to a negligible level through careful planning, stress-testing, and red-teaming (hiring an independent group of attackers to test your defences). It also means not getting bogged down in protocols when a cyber-attack does occur, and instead adopting a mindset of flexibility and adaptability in order to overcome the breach.
He highlighted that Nigerian healthcare organisations will have to protect their reputation, and that this will depend on how seriously they prepare for the possibility of a cyber-attack, how well they respond if one occurs, and how they demonstrate the resilience to emerge from the crisis while protecting patient trust.