The centralised electronic health record (EHR) system, proposed as the cornerstone of South Africa’s National Health Insurance (NHI), is a critical step towards a more modern, digitised healthcare system. However, it also presents an unprecedented, national-scale cybersecurity challenge. To ensure success, the NHI will need to implement sophisticated protective measures that secure the sensitive personal and medical data of millions of citizens.
“Cybersecurity needs to be embedded into the NHI’s EHR system from the ground up, not treated as an afterthought,” says Calin Cloete, Enterprise Security Solutions Lead at ESET Southern Africa. “The interconnected nature of an EHR means that a security breach in one part of the network can potentially compromise the entire healthcare infrastructure. A proactive zero-trust approach can significantly reduce risk of data breaches and enable the NHI to quickly adapt to evolving threats.”
Zero trust operates on the principle of “never trust, always verify.” This means that no user or device, whether inside or outside an organisation’s network, is automatically trusted. Instead, safety measures like multi-factor authentication and role-based access control are mandatory for all users. In the context of NHI, this includes healthcare providers, administrators, and patients.
“Essentially, the idea is to divide the network into very small segments – each with its own tight access control – and ensure that users only have access to the data they need to perform their duties. This limits the ‘blast radius’ of any potential breach. So, if one segment is breached, the attacker cannot easily move to other parts of the network,” says Cloete.
Currently, adoption of EHRs in South Africa is very low, with only an estimated 40% of healthcare professionals currently using digital health records in their practice or hospital. This indicates a steep learning curve for the majority of the country’s healthcare workers, who will need to learn how to use the technology – as well as be trained in cyber safety best practices to ensure the safety of the NHI.
“While implementing a zero-trust architecture can help to reduce the likelihood of basic security errors, it can’t eliminate all human error. Phishing attacks, social engineering, and insider threats still rely on manipulating staff – so cybersecurity training will be crucial,” says Cloete.
Under POPIA, the NHI will have a legal mandate to protect personal information from unauthorised access, loss, or damage. This means healthcare institutions will also have a vested interest in training staff to ensure that patient data is secured – to prevent any legal repercussions.
“The NHI will generate and store a massive volume of sensitive information. This data is extremely valuable, and for cybercriminals, that means its particularly lucrative. At the same time, any changes to patient data can impact their treatment, which puts lives at risk,” says Cloete.
EHRs are a comprehensive digital compilation of a patient’s health data, including a history of medical procedures, medications prescribed, X-rays, laboratory results, and clinical notes. This allows a patient’s health data to be accessed electronically from a central database and enables medical professionals to view records remotely. By improving workflow, EHRs can potentially accelerate diagnostic and clinical decision-making, but only if they are properly secured from cybersecurity threats.
“While the implementation of a zero-trust approach will require significant investment in technology, infrastructure, and staff training – the consequences of a data breach could end up costing far more,” says Cloete.
