POPI a major challenge for SA healthcare industry
Very few IT service providers in the South African healthcare industry are able to comply with even the minimum security standards required for compliance with the Protection of Personal Informational Act (POPI).
That's according to Dr Wim Booyse, lead in healthcare industry data policy at business consultants P'etanque International, whose recently released white paper on POPI and Healthcare Data Privacy characterises the current state of healthcare data management in South Africa as "a free for all".
"As healthcare providers come to understand that in terms of POPI, they are ultimately responsible for the security of their patients' personal information, they will start demanding that vendors provide them with certificates of compliance to international data security and privacy standards," he said.
This means that all providers of IT services to the local healthcare industry will have to go back to the drawing board and evaluate what they have to do to ensure POPI compliance. "This may require vendors to invest in new systems and processes, which has huge cost and service implications."
Booyse maintained that at the very least, all IT healthcare service providers should comply with the ISO 27000 series standard for Information Security Management Systems. At present, only 17 companies in South Africa have ISO 27000 certification - and none are in the healthcare sector.
The P'etanque International White Paper also lists a further 13 ISO and ISIO/IEC standards that should be adopted by practice management software vendors; switches and third-party aggregators; and medical aid schemes and third-party medical aid scheme administrators - all key IT players in what Booyse refers to as the healthcare claim submission value chain. This is where the greatest security risk lies, he said.
In addition, patient information held by healthcare practices is at risk from spyware, ransomware, key-logging and phishing attacks, as well as lost and stolen devices, human error and criminal insider attacks. Third-party data storage providers who store medical records on behalf of healthcare providers for legislated timeframes which can be as long as 21 years in the case of paediatric patients, are also at risk of data breaches.
Theft and illegal collection and dissemination of this data is one of the most lucrative commercial undertakings in the world.
Forrester Research has stated that the underground value of medical records is now worth 10 times more than credit card numbers.
According to the latest Breach Level Index, the healthcare industry has been a major target of data thieves in recent years. In the first half of 2016, healthcare suffered more data breaches than any other industry, accounting for one quarter of all breaches. This directly affected over 100 million people in the United States alone.
"Healthcare providers have good faith that their IT service providers will protect them and their practice from data breaches. As the penalties for POPI transgressions in the healthcare sector are formalised, IT service providers will come under increasingly pressure to protect their customers - and their customers' patients.
"It therefore makes commercial sense for IT vendors to ensure they comply with international standards as quickly as possible," Booyse concluded.