Kenya’s health ministry hacked despite new guidelines on patient data security

By Gatonye Gathura

Days after posting the first-ever guidelines on patient data security, Kenya’s Ministry of Health has lost its internet site to hackers.

On Thursday night (19th April) the site was taken over by a group calling itself Bangaldeshi legion Bombers.

If it is the same group, it is known for allegedly taking over some 40,000 servers in India, including that of Apollo, the country’s leading hospital chain, in 2016.

Five days later, on Monday 23rd, the site remains inaccessible, with a GoK Cyber Security Team saying the site is undergoing maintenance and will be back soon.

The latest activity at the site was the posting of several policy documents on electronic patient data security ahead of Kenya’s official launch of the Universal Healthcare programme.

While the hacking raises doubts about the ministry’s capacity to protect medical data, the recent documents say huge amounts of patient information are already in the hands of unregulated groups.

The ministry says there are over 35 counties with at least one eHealth project, mainly run by foreign NGOs with no government oversight.

“Due to lack of government stewardship and leadership, these eHealth initiatives are not aligned to the Ministry of Health priorities,” says a policy document.

The Kenya National eHealth Policy says the lack of a comprehensive legal framework on the collection and use of electronic health data may be exposing patients to unlawful and unethical practices.

So far the country does not have a legal framework on the electronic collection, storage and use of patient or research participants’ medical data.

The closest legal provision is the Health Act 2017, operationalized last year. The Act proclaims that eHealth is now a recognized mode of health service in Kenya.

“The Cabinet Secretary shall, within three years of this Act becoming operational ensure the enactment of guiding legislation,” says the Act.

This means Kenyans may have to wait until 2021 before they can get legal protection to safeguard their medical records and data.

When such legal provisions are made, the Kenya National eHealth Policy says the safety and privacy of patients will be protected from any unlawful and unethical collection of medical data.

Last year, Kenyans were sent into a scare following reports indicating that data of more than 20,000 blood donors to the National Blood Bank had been breached.

The ministry said the information, appearing in an international journal claiming high levels of HIV in locally donated blood, had been published against normal protocol.

The lack of legal patient data protection has, however, not stopped the widespread collection, use and storage of such data.

For example, around 2008 researchers from the US Harvard School of Public Health and the Kenya Medical Research Institute (Kemri) obtained private cell phone details of nearly 15 million Kenyans without their knowledge.

The research, which was widely published, had mapped every call or text made by each of 14,816,521 Kenyan mobile phone subscribers to one of 11,920 cell towers located in 692 different settlements. The researchers were tracking the spread of malaria in Kenya.

“The government should consider enacting legislation that would limit the ability of telecom service providers access to or ability to share personal health information,” says Dr Thomas A. Odeny in the Kemri Bioethics Review publication.

Already, massive amounts of data have been collected, especially among prostitutes in Nairobi, young women and girls, by projects dealing with contraceptives, HIV drugs, test kits, condoms and lubricants.

Such personal data, explains Jane, a prostitute and peer educator with the 27,000-plus-member Sex Workers Outreach Programme (SWOP) in Nairobi, may be used for research purposes or creating product demand.

Beyond that, Jane does not know how else the information may be utilized, but in the new guidelines the ministry is suggesting tighter control of such data.

The guidelines say no data will be shared electronically, on social media or via SMS without the express consent of the patient.

However, patients will have a right of access to all their health records and will exercise control over who else may access the information.

The ministry will also establish an electronic central registry that will guarantee all medical records are stored within the national boundaries.

Such data, says a senior official at the Ministry of Health headquarters, will be a goldmine for drug and research groups from all over the world.

With such data, our source says, big pharma will be able to influence policy, forecast individual, regional and national drug use and needs, and target their production and distribution with precision.

“Pharma will move mountains to get the data hence its access must be entrusted to persons of utmost integrity. We don’t have many of those here,” he told the Standard in confidence.

In the proposed eHealth system, every Kenyan will be recognized by a unique identifier or PIN generated from the national ID, birth certificate or any such acceptable document.

The policy is especially strict over the use of SMSs to text patient data, with offenders facing six months in jail, a fine of Sh 500,000 or both.