Telemedicine Practice In Nigeria Viz-a-Viz Its Implications For Data Security -By Oyetola Muyiwa Atoyebi & Love Ebekhile

Telemedicine practice in Nigeria, although novel, has become a high-value target for cyberattacks because telemedicine systems store a wealth of patients’ protected health information and interface with a variety of networks and technologies, often with no centralized security policy or control, raising data privacy concerns in the health care sector.

INTRODUCTION:

The revolution of technology has spawned substantial changes in the health-care sector, as it has become an essential component of worldwide healthcare administration systems. While Telemedicine is not a novel concept, statistics showed tremendous growth of the practice during the COVID-19 pandemic lockdown: in 2020 alone, consumer adoption skyrocketed from 11 per cent to 46 per cent, as there was an increased reliance on Telemedicine in place of physical healthcare visits.

Over the last few years since the pandemic, the use of technology in healthcare delivery mechanisms has gradually progressed from the mere use of physical machinery to the incorporation of artificial intelligence into healthcare, for example, through the introduction of electronic health records in the healthcare sector, online patient monitoring, etcetera.

In developing countries such as Nigeria, the practice of Telemedicine is still in its early stages and is yet to be regulated by Nigerian legislation, raising concerns about the implications for consumer data protection, particularly as the benefits of Telemedicine practice expand.

This disquisition is aimed at examining Telemedicine practice in Nigeria, as well as its implications for data security.

WHAT IS TELEMEDICINE?

The World Health Organization defines Telemedicine as “The delivery of health care services, where distance is a critical factor, by all health care professionals, using information and communication technologies, for the exchange of valid information for diagnosis, treatment and prevention of disease and injuries, research and evaluation, and for the continuing education of health care providers, all in the interests of advancing the health of individuals and their communities”[1].

Telemedicine may also be defined as the mechanism that allows health care professionals to use technology in the assessment and management of healthcare services, and it is essentially divided into the following categories:

  1. Store-And-Forward Telemedicine.
  2. Tele-monitoring.
  3. Real-time Telemedicine.

  1. Store-And-Forward Telemedicine: This refers to the electronic transmission of a patient’s medical information, such as a lab report, to a practitioner, usually a specialist, who uses the information to properly evaluate the case or render a service outside of a real-time or live interaction[2].
  2. Tele-Monitoring: This is the continuous or non-continuous monitoring process that allows a healthcare professional to remotely interpret the data necessary for a patient’s medical follow-up and, if necessary, make decisions regarding the patient’s state of health[3].
  3. Real-Time Telemedicine: Also referred to as interactive services, this involves the provision of immediate advice to patients who require medical attention. Several different mediums are utilized for this purpose, including phone, online and home visits. A medical history and consultation about presenting symptoms can be undertaken, followed by an assessment similar to that which is usually conducted during face-to-face appointments[4].

In light of the above, it is clear that the introduction of technology to the Nigerian health care sector has greatly aided the sector’s growth by ensuring ease of access to healthcare, lowering the cost of receiving healthcare and improving health care delivery services. However, this innovation is fraught with data security implications, as it has been statistically proven that as the use of broadband internet and mobile devices becomes ubiquitous, so also will the need to protect the data of the people who use it.

DATA SECURITY IMPLICATIONS OF TELEMEDICINE

Telemedicine systems have become high-value targets for cyberattacks because they store a wealth of patients’ protected health information, and interface with a variety of networks and technologies, often with no centralized security policy or control.

According to reports in 2021, there are three major types of attacks against telemedicine systems:

  1. Compromise of Confidentiality:

Confidentiality refers to the protection of sensitive information from unauthorized access and misuse. As a result, healthcare patients expect and demand that healthcare providers protect their privacy.

In particular, Rule 8 of the Rules of Professional Conduct for Medical and Dental Practitioners establishes the obligation of a health practitioner to ensure the confidentiality of a patient’s personal health information, unless consent to release the information is provided by the patient, or on any other recognized legal basis. However, with Telemedicine, the concept of confidentiality is a little broader because it affects providers and claims processors as well as health practitioners.

Telemedicine is typically carried out over an electronic network, such as a website or a smartphone app. With the addition of features such as electronic health records and filing systems, as well as physician-patient virtual conversations, the need to double-protect patients’ health information from unauthorized third parties becomes critical, as there is a significant risk that such information will be attacked through threat vectors. The vectors worth discussing include:

  • Phishing:

This involves the use of emails, text messages and links, primarily to trick a recipient into revealing sensitive information. Since many Telemedicine appointments begin with the patient clicking on a link or joining a call from an unverified source, this presents a new opportunity to take advantage of patients while they’re vulnerable.

When healthcare providers use common, unsecured video conferencing platforms to conduct appointments, there is no way for patients to verify the provider’s identity. Attackers may use phishing messages to send patients legitimate-looking links to a fake appointment or web page, and convince them to divulge sensitive information[5].

  • Misconfiguration:

Misconfiguration is an incorrect configuration of a system (networks and applications) that may lead to vulnerabilities.

A misconfiguration will occur on a Telemedicine platform if the setup pages are left enabled, or a user utilizes default usernames and passwords, leading to a breach, as the hacker can determine hidden flaws and thus access sensitive information. Misconfigured devices and apps present an easy entry point for an attacker to exploit[6].

In 2018, Hova Health, a Telemedicine company based in Mexico, reported the online exposure of the personal data of about 2,373,764 of its patients, after the misconfiguration of its MongoDB database. The database was publicly available and could be accessed or changed by anyone, even without a password. The database allegedly contained patient names, personal ID codes for Mexican citizens and residents, insurance policy numbers and expiration dates, dates of birth, and addresses. There also were flags noting migrant status or disabilities[7].

The above goes to show that Misconfiguration issues are far too common for the healthcare sector, which already is being walloped by cyberattacks. One wrong click and tens of thousands to millions of patient records can be breached.
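The exposure described above comes down to two settings a defender can audit: whether the database requires authentication, and which interfaces it listens on. The following Python check is an added example, not code from this article or from MongoDB; the two sample configurations are constructed, and it assumes the standard mongod.conf options security.authorization, net.bindIp and net.bindIpAll, with absent settings treated as MongoDB's defaults.

```python
import ipaddress

# Constructed sample configs (not taken from any real deployment).
WEAK = """
net:
  bindIp: 0.0.0.0      # listens on every interface, no security section
"""
HARDENED = """
net:
  bindIp: 127.0.0.1,10.0.0.5
security:
  authorization: enabled
"""

def parse_conf(text):
    """Flatten mongod.conf's nested 'key: value' YAML into dotted keys."""
    settings, stack = {}, []            # stack: (indent, section name)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if ":" not in line:
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()                 # leave sections we have dedented out of
        if value.strip():
            path = ".".join([name for _, name in stack] + [key])
            settings[path] = value.strip().strip("\"'")
        else:
            stack.append((indent, key))
    return settings

def audit(text):
    """Return findings; an empty list means both checks passed."""
    conf, findings = parse_conf(text), []
    # Assumption: absent settings take the defaults (auth disabled, bindIp localhost).
    if conf.get("security.authorization", "disabled") != "enabled":
        findings.append("no authentication: any client that can connect can read or change data")
    listen_all = conf.get("net.bindIpAll", "false").lower() == "true"
    for addr in conf.get("net.bindIp", "127.0.0.1").split(","):
        try:
            listen_all |= ipaddress.ip_address(addr.strip()).is_unspecified
        except ValueError:
            pass                        # hostname such as 'localhost'
    if listen_all:
        findings.append("listening on all interfaces: reachable from any network the host is on")
    return findings

print(audit(WEAK), audit(HARDENED))
```

A configuration that produces both findings matches the condition reported in the incident: publicly reachable and usable without a password.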

Other threat vectors include: credential harvesting, data exfiltration, emailing sensitive information to the wrong recipient, publishing private data to public web servers, and leaving confidential information displayed on an unattended computer monitor, etcetera.

  2. Compromise of Integrity:

The term “integrity” refers to the safeguarding of data against unauthorized modification, that is, the assurance of data accuracy and completeness. Data that is stored on systems, as well as data that is transmitted across systems, such as an email between physicians and patients, must be protected.

A breach in the integrity of a patient’s data is said to have occurred where the initial data of a patient is accessed and altered, so that the patient’s information does not reflect the original position as given by the patient, and this may be due to the following factors: unintended transfer errors, compromised hardware, human error, etcetera.

In maintaining integrity, it is necessary not only to control access at the system level, but also to ensure that system users are only able to alter information that they are legitimately authorized to alter[8].

  3. Compromise of Availability:

Availability guarantees that systems, applications and data are available to their owners when they need them. The most common attack that impacts availability is denial-of-service, in which the attacker interrupts access to information, systems, devices or other network resources. A denial-of-service in an internal vehicular network could result in a server not being able to access the information needed to operate, and the server could become non-operational or, even worse, bring the system to an unsafe state. An example is the ransomware attack.

To avoid availability problems, it is necessary to include redundancy paths and failover strategies at the design stage, as well as intrusion prevention systems that can monitor network traffic patterns to determine whether there is an anomaly and to block network traffic when needed[9].

REGULATIONS AND ORGANIZATIONAL POLICY

Admittedly, Telemedicine practice remains a field of medical practice yet to be regulated by Nigerian legislation; however, several pieces of legislation have been enacted to control the data security issues that may arise in the course of the practice. A few of them are examined below:

  1. The Nigerian Data Protection Regulation (NDPR) 2019:

In light of the fact that Telemedicine operates over electronic networks and processes data, organizations that practice it must be in compliance with the data protection requirements as provided in the NDPR.

More particularly, Part 4.1 (1) of the NDPR mandates all public and private organizations in Nigeria that control data of natural persons to make their respective data protection policies available to the general public, appoint a data protection officer and create a database management system. This is to guarantee the privacy rights provided in the NDPR and the data of the subjects, who in this case are the users of the Telemedicine platforms.

  2. Nigerian Communications Commission Guidelines (NCCG):

Paragraph 12 of the NCCG places an obligation on internet service providers to provide swift responses to content-related complaints.

  3. Code of Medical Ethics 2008:

This legislation enjoins medical practitioners to take precautions in ensuring the security of patients’ personal information sent via electronic mail and held in data storage.

CONCLUSION

From the foregoing, it is clear that there exist data security implications that can only be addressed by establishing unified Telemedicine legislation in Nigeria to regulate telemedicine practice, as it is fundamental to the envisaged growth of the sector.

While we await the much-needed Telemedicine legislation in Nigeria, organizations may implement the following to ensure protection of patients’ data:

  1. Develop third-party compliance agreements;
  2. Conduct employee security awareness training;
  3. Perform regular software updates;
  4. Develop a cyber-breach response plan; and
  5. Develop hard-to-decipher passwords.

AUTHOR: Oyetola Muyiwa Atoyebi, SAN.

Mr. Oyetola Muyiwa Atoyebi, SAN is the Managing Partner of O. M. Atoyebi, S.A.N & Partners (OMAPLEX Law Firm) where he also doubles as the Team Lead of the Firm’s Emerging Areas of Law Practice.

Mr. Atoyebi has expertise in and a vast knowledge of Telecommunications, Media and Technology Law and this has seen him advise and represent his vast clientele in a myriad of high level transactions.  He holds the honour of being the youngest lawyer in Nigeria’s history to be conferred with the rank of a Senior Advocate of Nigeria.

He can be reached at atoyebi@omaplex.com.ng

CONTRIBUTOR: Love Ebekhile

Love is a member of the Technology Law Team at OMAPLEX Law Firm. She also holds a commendable legal expertise in Data Protection and Cybersecurity.

She can be reached at love.ebekhile@omaplex.com.ng

[1] ISSA, ‘Telemedicine: Good Practices from Latin America’ <https://ww1.issa.int/analysis/telemedicina-buenas-practicas-en-america-latina#:~:text=The%20World%20Health%20Organization%20(WHO,prevention%20of%20disease%20and%20injuries%2C> accessed 17 February 2021.

[2] CCHP, ‘Medicaid & Medicare: Store-And-Forward’ <https://www.cchpca.org/topic/store-and-forward/> accessed 19 February 2022.

[3] Science Direct, ‘The Human challenge of telemedicine: Tele-monitoring’ (2019) <https://www.sciencedirect.com/topics/nursing-and-health-professions/telemonitoring> accessed 19 February 2022.

[4] Ibid 3

[5] Kinsie Clarkson, ‘Phishing and Security Risks in Telehealth and Video Communication’ Pulsara (2020) <https://www.pulsara.com/blog/phishing-and-security-risks-in-telehealth-and-video-communication> accessed 20 February 2022.

[6] Balbix, ‘8 Common Cyber Attack Vectors and How to Avoid Them’ <https://www.balbix.com/insights/attack-vectors-and-breach-methods/> accessed 20 February 2022.

[7] Jessica Davis, ‘Privacy & Security and Telehealth’ Health IT News (2018) <https://www.healthcareitnews.com/news/telemedicine-vendor-breaches-data-24-million-patients-mexico> accessed 20 February 2022.

[8] Cert Mike, ‘Confidentiality, Integrity and Availability: CIA Triad’ <https://www.certmike.com/confidentiality-integrity-and-availability-the-cia-triad/> accessed 20 February 2022.

[9] Andrea Gil, ‘Data Security- Confidentiality, Integrity & Availability’ KVA <https://www.kvausa.com/data-security-confidentiality-integrity-and-availability/> accessed 20 February 2022.
