HOW NIGERIAN HEALTHCARE ORGANIZATIONS CAN IMPROVE THEIR SECURITY ACCORDING TO A GLOBAL CYBER EXPERT

By Adetaio Otuyemi

In 2021, a total of $706,452 was paid as ransom to cybercriminals by Nigerian businesses and organisations. The average cost of rectifying a cyber-attack in the country also went up from $0.46 million in 2020 to $3.43 million in the same year.
Cybersecurity entails the protection of internet-connected systems such as hardware, software, and data from external and internal cyber threats. The practice is used by individuals and enterprises to protect their systems against unauthorized access to data centres and other computerized systems. Cybersecurity access management in particular is crucial in today’s world, where a very high percentage of sensitive data, including personal and government data, lives digitally. This article covers healthcare cybersecurity access management in detail by considering input from a global cybersecurity expert, Ameya Khankar. He is a highly regarded and trusted cybersecurity professional focusing on the areas of technology risk, enterprise transformations, and digital governance. He advises large global enterprises as an expert on enterprise technology risks with a deep focus on strategies to strengthen their cybersecurity posture. He has advised $3 billion, $4 billion, and $9 billion healthcare organizations on meeting complex cybersecurity regulatory requirements in the past.

CYBERSECURITY: A CRITICAL NEED FOR HEALTHCARE ORGANISATIONS IN NIGERIA
Nigerian healthcare organisations today are no strangers to cyber threats. In a world where everything is moving to digital technologies, medical records definitely aren’t left out either. Critical medical information in the wrong hands is like placing the nuclear launch codes in the hands of anarchists and global terrorists.
In a developing country like Nigeria, where health records are often unsecured, there is an urgent need for a stronger framework for tactically securing health records, especially those held in cloud technologies.
There is a strict and professional observance of patient confidentiality, which is recognised by law as codified in the Nigerian National Health Act (NHA) 2014, where adequate provisions for the privacy rights of patients were developed. Section 26(1) of the NHA clearly states that “all information concerning a user, including information relating to his or her health status, treatment or stay in a health establishment is confidential”. Unfortunately, implementation of these protocols by healthcare organizations to protect patient data is significantly lacking, as evidenced by the overall increase in the rate of cybercrime in Nigeria. Nigerian law also recognises healthcare as a National Critical Information Infrastructure sector. Infringement on this critical infrastructure is punishable by law as codified in the Cybercrimes (Prohibition & Prevention) Act 2015.
There are three (3) critical leading practices that healthcare organizations in Nigeria should consider to protect themselves from cyber threats:
• ESTABLISH/FOSTER SECURITY CULTURE
• CONTROL ACCESS THROUGH PRINCIPLE OF LEAST PRIVILEGE
• PLAN FOR THE UNEXPECTED

ESTABLISH/FOSTER SECURITY CULTURE
Nigerian healthcare organizations inherently lack an established cybersecurity culture as demonstrated by the rise in ransomware cybercrime. Cyber security culture, like any organizational culture, should be cultivated, nurtured, and sustained.
According to data published by a top global cyber security firm, Sophos, 71 per cent of Nigerian businesses were hit with ransomware in 2021, up from 22 per cent in 2020.
According to top global cybersecurity expert Ameya Khankar, who has developed several successful cybersecurity strategies for healthcare businesses worldwide, any serious Nigerian healthcare organization should consider the following steps:
• Assess the organizational culture and establish where organizational security stands currently
• Outline the mission by clearly establishing what constitutes success for cybersecurity initiatives
• Establish executive leadership participation to drive the priorities for employees to foster a healthy cyber-security culture
• Clearly define expectations to eliminate ambiguity with a detailed plan specifying roles, goals, and responsibilities for departments if a cyber-attack occurs
• Allocate resources to invest in the development of cyber security platforms and familiarise employees, especially the ones handling key medical records, with protocols to tackle cyber attacks

CONTROL ACCESS THROUGH PRINCIPLE OF LEAST PRIVILEGE
Nigeria is the 2nd most attacked country in cyberspace, according to the Sophos survey, which revealed that 86% of Nigerian companies fell prey to attacks.
According to Ameya Khankar, the principle of least privilege (PoLP) is an information security concept which maintains that a user or entity should only have access to the specific data, resources, and applications needed to complete a required task. Ameya emphasizes that this is particularly critical for cloud applications that store sensitive patient information in order to not only safeguard the information from external threats but also from internal threats within the organization. He further adds that this principle should be implemented along with the AAA principle. AAA stands for authentication, authorization, and accountability. This framework addresses the need to verify the identity of users seeking access to a network or other resource (authentication), determine what they’re allowed to do (authorization), and track all actions they take (accountability).
Furthermore, Ameya Khankar outlines the benefits of implementing privileged access management to be “not only the protection of healthcare organisations from potential insider and outsider threats but also regulatory compliance where access to patient records should be restricted and patient privacy should be maintained. This may mean designing the cloud application security in such a way that the most critical patient data has the highest amount of access restrictions.” Thus, a doctor, nurse, surgeon, or consultant who needs access to a patient’s data would not have access to data beyond what is required for them to perform their duties. From a back-office processing standpoint, this means that a healthcare developer who needs rights to write code in a test environment would not have permission to also move lines of code into production. The developer also likely does not require access to sensitive patient information to do their job, and thus their access should be restricted and segregated within the cloud environment.
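The least-privilege and AAA ideas described above can be shown in a short Python sketch. This is an added example, not code from the article or from Ameya Khankar; the role names, tokens, patient IDs and care-team table are constructed assumptions.

```python
from datetime import datetime, timezone

# All users, tokens, roles and resources below are constructed for illustration.
ROLE_PERMISSIONS = {  # deny by default: anything not listed is refused
    "doctor": {("read", "patient_record"), ("write", "patient_record")},
    "nurse": {("read", "patient_record")},
    "developer": {("write", "test_env")},  # no production deploy, no patient data
    "release_manager": {("deploy", "prod_env")},
}
SESSIONS = {  # stand-in for a real identity provider: token -> (user, role)
    "tok-ada": ("dr_ada", "doctor"),
    "tok-bola": ("nurse_bola", "nurse"),
    "tok-chidi": ("dev_chidi", "developer"),
}
CARE_TEAM = {"patient-001": {"dr_ada", "nurse_bola"}}  # who treats which patient
AUDIT_LOG = []  # accountability: every decision is recorded, denials included


def request_access(token, action, resource, patient_id=None):
    """Return True only if the caller is authenticated and authorized."""
    # Authentication: resolve the token to a known identity.
    user, role = SESSIONS.get(token, ("unknown", None))
    # Authorization, step 1: the role must explicitly grant this action.
    allowed = (action, resource) in ROLE_PERMISSIONS.get(role, set())
    # Authorization, step 2: clinical staff see only patients they treat.
    if allowed and resource == "patient_record":
        allowed = user in CARE_TEAM.get(patient_id, set())
    # Accountability: log who asked for what, and the outcome.
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user, "action": action, "resource": resource,
        "patient_id": patient_id, "allowed": allowed,
    })
    return allowed


if __name__ == "__main__":
    print(request_access("tok-ada", "read", "patient_record", "patient-001"))    # True
    print(request_access("tok-bola", "write", "patient_record", "patient-001"))  # False
    print(request_access("tok-chidi", "deploy", "prod_env"))                     # False
    print(request_access("tok-chidi", "read", "patient_record", "patient-001"))  # False
    print(f"{len(AUDIT_LOG)} decisions logged")
```

Denied requests are logged as well as granted ones, so repeated refusals for one user or one patient record can be reviewed later.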

PLAN FOR THE UNEXPECTED
Rising cybersecurity threats in Nigeria can lead to unforeseen challenges, disasters, and roadblocks while preparing to prevent a cyber-attack.
Ameya Khankar, drawing on his experience as a top global cyber security expert, has highlighted the need for healthcare organisations in Nigeria, both privately and publicly owned, to adopt a “meta-readiness approach”, which essentially entails working to reduce potential adverse outcomes to a negligible level through careful planning, stress-testing, and red-teaming (hiring an independent group of attackers to test your defences). It also means not getting bogged down by protocols when a cyber attack does actually occur and instead adopting a mindset of flexibility and adaptability in order to overcome a cyber breach.
He highlighted that Nigerian healthcare organisations will have to protect their reputation and it will depend on how seriously they prepare for the possibility of a cyber attack, how well they respond to the cyber threat if it occurs, and how they demonstrate resilience to successfully emerge from the crisis while protecting patient trust.

CBN backpedals, Withdraws Circular On Cybersecurity Levy

The circular the Central Bank of Nigeria (CBN) issued to all commercial banks on May 6, 2024, directing them to implement a compulsory withdrawal of 0.05 per cent from every electronic transaction as cybersecurity levy, has been withdrawn.
The directive for collection of the levy led to a nationwide uproar when the central bank introduced the policy last week.
The Presidency, however, heeded the warning from various quarters, succumbed and immediately suspended the implementation of the Cybersecurity Levy.
In a withdrawal circular that was issued by the CBN on Sunday night, it directed the banks not to go ahead with the initial directive, in line with the presidential directive. The apex bank authorities claimed it’s a sign that the present administration was a listening one that prioritises public good.

“Further to this, please be advised that the above referenced circular is hereby withdrawn,” CBN director in charge of payments system, Chibuzo Efobi, and the director, financial policy and regulation, Haruna Mustapha, said in the circular, adding that all banks should “Please be guided accordingly.”

Kogi: Police Confirm Rescue Of 7 More CUSTECH Students

By Friday Idachaba, Lokoja.

Nigeria Police, Kogi State Command has announced the rescue of seven more students of Confluence University of Science and Technology (CUSTECH) kidnapped by hoodlums on Thursday, May 9.

Police Public Relations Officer (PPRO) SP William Ovye Aya, made the announcement in a press statement on Thursday in Lokoja.

He said that the feat was achieved through the intervention of the Inspector-General of Police, IGP Kayode Adeolu Egbetokun, who ordered the deployment of the Air Component of Police Security Apparatus made up of a Helicopter Crew.

The deployment, he said, was in furtherance of the ongoing Rescue Operation and to sustain the onslaught to rescue all the kidnapped students.

He said that the Air Component deployed to Kogi State on Tuesday 14th May, 2024 was made up of Helicopter Crew specially trained for Aerial Surveillance, Monitoring Team as well as Technical Intelligence Unit (TIU).

“The reinforcement is in response to IGP’s unwavering passion about protecting lives and property of all Nigerians especially the safety of our children in various schools in the country”, Aya said.

With the new development which Aya ascribed to the diligence and indomitable spirit of all the combined team, 27 students have so far been rescued from the kidnappers as a total of 20 students were earlier rescued.

“Be it noted that ‘it is not over until it is over’, so we should not rest on our oars; instead all hands must be on deck to ensure all are safely rescued and perpetrators brought to deserved justice”, the PPRO declared.

He stated that Kogi State Government as well as the University Community were satisfied with the Rescue Operations so far.

“The State Government has commended the indubitable, unassailable level of cooperation, collaboration and synergy amongst the Security Agencies, Local Vigilantes and Hunters in the State”, he enthused.

According to Aya, the Commissioner of Police, CP Bethrand Onuoha has seized this occasion to thank and appreciate the Inspector-General of Police for the deployment of the Air Component.

The CP, he said, also commended the Security Personnel, and Vigilantes/Hunters for their “show of unprecedented and undiluted patriotism and altruism, and to the good people of Kogi State as well as the vibrant Press for their show of concern and empathy.”

“The CP will continue to solicit the cooperation, collaboration and solidarity of the good people of Confluence State with the Police and other Security Agencies.

“Together, we shall ensure adequate Security of life and property of law-abiding citizens in the State”, he assured.

Senate backs FG, CBN over controversial Cybersecurity levy

***Insists, it is NASS creation to safeguard economy, country against insecurity

The Chairman of the Senate Committee on National Security and Intelligence, Senator Shehu Umar Buba, has allayed the fears being entertained by Nigerians over the proposed implementation of the Cybersecurity levy by the Central Bank of Nigeria (CBN).

While giving tacit support to the Federal Government on the levy that has created bad blood among Nigerians against the Tinubu administration, Senator Buba said the levy is provided for in the Cybercrimes (Prohibition, Prevention, etc) (Amendment) Act, 2024.

He clarified that the levy is not punitive as it has numerous exemptions to protect and relieve ordinary citizens, particularly the poor.

According to him, the exemptions include salary payments, intra-account transfers, loan disbursements and repayments, and other financial transactions.

Senator Buba said the amendments to the Cybercrimes Act were a collaborative effort with the National Assembly’s ICT and Cyber Security Committee. Explaining further, he said the committee also underwent a transparent public hearing process, receiving contributions from various stakeholders.
“Both chambers of the National Assembly unanimously passed it before President Bola Ahmed Tinubu signed it into law.”

Senator Umar reiterated the fact that the provisions for the cybersecurity levy have been in place since 2015 but were delayed due to unclear interpretations and applications.

“The Cybercrimes Act of 2015 has provisions for imposing a cybersecurity levy since its enactment, but the vagueness of Section 44 led to different interpretations until the 2024 amendments. The levy is 0.5%, equivalent to half a per cent of the value of all electronic transactions by businesses specified in the Second Schedule to the Act.

“The amendments addressed crucial gaps in the Act and empowered the nation to implement the National Cybersecurity Programme effectively. They also seek to realign and empower the country to combat the inadequate funding and disruptive effects of cyber threats on national security and critical economic infrastructures,” he said.

Senator Umar underscored the criticality of the cybersecurity levy’s implementation, stating that its prudent utilisation will bolster the nation’s capacity to evaluate, execute, upgrade, and fortify the security of national critical economic infrastructure, thereby safeguarding the nation’s cyberspace.

The chairman commended the Office of the National Security Adviser and the Central Bank of Nigeria (CBN) for initiating the operationalisation of the cybersecurity levy, highlighting that its benefits far outweigh its drawbacks.

He expressed appreciation to the leaders and representatives of MDAs at the federal and state levels, as well as to all stakeholders who contributed to this effort’s success.

While maintaining that the Committee’s mandate is to create laws that align with the aspirations of Nigerians, he appealed for public support, assuring that the policy will yield maximum benefits for citizens in the shortest possible time.

Following the enactment of the Cybercrime (Prohibition, Prevention, etc) (Amendment) Act 2024 and under the provision of Section 44 (2)(a) of the Act, a levy of 0.5 per cent (0.005), equivalent to half a per cent of the value of all electronic transactions by the businesses specified in the Second Schedule of the Act, is to be remitted to the National Cybersecurity Fund, which the Office of the National Security Adviser shall administer.

Though the announcement created controversy, the circular exempted some transactions from cybercrime levy.

The exemptions included loan disbursements and repayments, salary payments, intra-account transfers within the same bank or between different banks for the same customer, intra-bank transfers between customers of the same bank, and Other Financial Institutions (OFIs) instructions to their correspondent banks.

The exemption also applies to interbank placements, banks’ transfers to CBN and vice versa, inter-branch transfers within a bank, cheque clearing and settlements, and Letters of Credit (LCs).

Others include banks’ recapitalisation-related funding only bulk funds movement from collection accounts; savings and deposits, including transactions involving long-term investments such as treasury bills, bonds, and commercial papers; government social welfare programmes transactions, e.g. pension payments; non-profit and charitable transactions, including donations to registered non-profit organisations or charities; and educational institutions transactions, including tuition payments and other transactions involving schools, universities, or other academic institutions.

Copyright © 2024 National Update