Hospital losses Kshs. 15million:-Mr. John C. Mbugua, a Director of a hospital in Nairobi, could not believe the loss he had just suffered due to the simple clown- email message purporting to originate from a legitimate supplier.  “What a shock!  our hospital has lost fifteen (15 million) to these cyber fraudsters!  I wish we had taken our cybersecurity and Data Protection seriously last month and upgraded our firewalls for the hospital management information systems (HMIS),” he said last week Monday, February 27, 2023, at a senior management meeting.

This incident came at a time when the hospital was trying to recover from the COVID-19 pandemic. The phishing attack was a  defining moment for the hospital that was trying to survive in the competitive market. The financial loss could only result in hopelessness and discouragement for Mr. John and his team who had just received its NHIF accreditation and were now planning to roll out to other counties.

A loss of a whopping Kshs. 15 million, with a bank loan repayment of Kshs. 5 million due the following day Tuesday, February 28, 2023, Mr. John had to go back to the drawing board and review his expansion plans.  The fate of the 12 new healthcare workers who were on the final recruitment list for the new hospital in Meru County was now in jeopardy. 

As he sat at his c-suite corner deeply contemplating what to do, another phone call from the Head of ICT came informing him of a ransomware attack affecting their HMIS and payroll systems. This double tragedy coupled with the bank loans due the following day made Mr. John a deeply worried and disturbed man.  As he was still drowned in his sorrows and thinking of how to address these crises, he remembered the lesson he learned last month from South-End Tech Limited C-suite Cybersecurity awareness training.

The seven (7) essential steps to manage a cyber-attack

• Mobilize your cybersecurity response team;
• Identify the type of  cyber attack;
• Contain the cyber-breach by disconnecting the affected from the internet;
• Assess and repair the damage by reinstalling the systems and having damaged hardware repaired or replaced;
• Report the  cyber-attack to the Communications Authority of Kenya,  Computer Incident Response Team – Coordination Centre (National KE-CIRT/CC) at  https://www.ke-cirt.go.ke and Email: incidents@ke-cirt.go.ke;
• Communicate with customers (health insurance providers) and let your  public relations team and  your Data Protection Officer (DPO) report the incident  to the Office of the Data Protection Commissioner (ODPC) within 72 hours as required under the Data Protection Act, 2019; and
• Document and  learn from the Experience by improving and upgrading your  systems

Section 24 of the Data Protection Act of 2019 requires hospitals to appoint or designate a qualified person as the Data Protection Officer (DPO) for the hospital to undertake the following:

• Informing and advising the business and employees who carry out data processing of their obligations according to the Act and any other obligations required by the Office of the Data Protection Commissioner;
  • Monitoring compliance with the Act,  General Data Protection Regulations, and the policies of the business concerning the protection of personal data, including the assignment of responsibilities, awareness-raising, and training of business staff involved in processing, and related audits;
  • Advising on request regarding any data protection impact assessments and monitoring its performance under Section 31 of the Act;
  • Acting as the contact point for the supervisory authority or authorities on issues relating to processing, including the prior consultation referred to in Section 31 of the Act, and consulting, where appropriate, concerning any other matter;
  • Responding to the requests of data subjects on the processing of their data and the exercise of their rights under the Act.

Unfortunately, Mr. John and his fellow Directors have never considered cybersecurity for the hospital seriously.  The hospital lacks a cybersecurity response plan and team. The systems and firewalls have never been upgraded to address emerging cyber threats and the hospital has not registered as a Data Controller and Data Processor with the Office of the Data Protection Act (DPA), 2019.

The DPA 2019 governs the use, processing, and archiving of personal data, establishes the Office of the Data Protection Commissioner, makes provisions for the regulation of the processing of personal data, stipulates the data producers’ rights, and specifies the obligations of the data controllers and processors.

The DPA, 2019 gives effect to the Right to Pri­vacy for all individuals as provided for under Articles 31(c) and 31(d) of the Constitution. The DPA, 2019 seeks to ensure the privacy of the personal data of Kenyan citizens.

The DPA, 2019 defines sensitive personal data to include a person’s features such as race, health status, biometric data, marital status, and family information including names of their children, parents, spouse or spouses, sex, or sexual orientation.

Did you know that the DPA, 2019, and the DPA Regulations 2021 require mandatory registration for healthcare providers as Data Controllers and Data Processors? Yes, healthcare providers process sensitive personal data and are required to register. Registration is the first step toward ensuring data privacy for your patients and securing your health information system.  Registration started on 14 July 2022 and is ongoing.

The top three (3) personal data that your health facility collects and stores about your clients may include:

1. Diseases, medical conditions, and injuries
2. Sexual and reproductive health status
3. Mental health and psychological status
4. Medical procedures/treatments/testing results
5. Body specifications, bodily activities, and biological cycles

The lack of registration with the Office of the Data Protection Commissioner (ODPC) and the cyber-attack crisis made Mr. John’s life and the future of their beloved hospital in doubt. Resting and full of thoughts alone the in his office, suddenly, the door rang. A team from South-End Tech Limited had visited him, part of the many futile past visits with a mission of spreading the gospel of Data Protection and Cybersecurity. He tried to compose himself and remained calm to tell the visitors that all was okay at the hospital. As always, the team comprising cybersecurity experts, Data Protection & Privacy experts, and Managed IT team expounded to Mr. John the rising status of cybersecurity in Kenya targeting hospitals. Mr. John found himself speaking about what was paining his heart and how deeply the cyber fraudsters have struck his health facility

The team lead Mr. DNA   listened carefully and the response that came to him shocked Mr. John “ There is always a way out” To cut the story short, he had to face the problem as it is, and this would begin with having appropriate cybersecurity tools, techniques and registration with the Office of the Data Protection Commissioner (ODPC).

The lesson he learned made him implement and deal first with the cyber threats to ensure business continuity, conduct business in a safe cyberspace environment and start the journey of Data Protection compliance.

The Journey to Data Protection and Cybersecurity Compliance

1. Signed a Non-Disclosure Agreement (NDA) and Letter of engagement with South-End Tech Limited to support his registration and compliance with the requirements of the Data Protection Act, 2019.
2. Outsourced cybersecurity experts from South-End Tech Limited for training the staff of the hospital. The training focused on safeguarding devices connected to the internet that protects from various threats in cyberspace, which includes the software, data, and hardware, while also assisting in the prevention of fraudsters getting access to devices or networks. This would protect their data, cash, and intellectual property. The staff became more aware of the cybersecurity threats such as Phishing emails, Malware and viruses, Data breaches, malicious websites, and mobile device attacks.
3. Implement a strong layer of security for the business that covered application security, critical infrastructure security, End-user behavior, information security, and Network security.
4. To avoid the high costs of employing IT Experts, he had to outsource from South-End Tech Limited IT and Cybersecurity related solutions so that the business may only focus on the key objectives. The key tasks included:
5. Ethical hacking, simulation of security breaches, and constant reviews of cybersecurity risks
6. IT hardware and software maintenance updates and upgrades.
7. Diagnose, research, and resolve technical hardware and software issues, provide accurate information on IT products and services
8. Set up proper IT infrastructure, design modern websites, and design security policies
9. Create and implement security plans and procedures, oversee security staff, and investigate accidents and incidents. In the event of an emergency, coordinate with law enforcement and other agencies to ensure a quick and safe response
10. Management, control, and support of ICT services and developing IT solutions in the organization.
11. Develop and implement IT service policies, procedures, and standards
12. Develop a roadmap to establish and standardize the applications infrastructure and drive resolutions of issues that come up with hardware devices, files, servers, and websites.

Briefly, Mr. John’s hope was restored and he is the happiest hospital Director today. All the IT-related aspects and cybersecurity have now been fully restored with the help of South-End Tech Limited.