Information Security Strategies and Patient Data Privacy Among Health Facilities in Nairobi

Abstract

Health facilities have become more reliant on information systems and are subsequently, more susceptible to security and data breach challenges. This study investigated information security strategies and patient data privacy among health facilities in Nairobi County. Security applies to how patient information is secured. Privacy refers to the privileges that patients have in relation to access and use of their personally identifiable information. The objectives of the study were to: (i) establish information security strategies implemented by health facilities in Nairobi, (ii) establish performance of data privacy by health facilities in Nairobi and (iii) establish information security and patient data privacy implementation challenges faced by health facilities in Nairobi. This research employed a descriptive survey design and the study population comprised of all 49 registered facilities as per the Kenya master health facility list of November 2020. A questionnaire with open and closed ended questions was used to collect data. The respondents were persons in charge of health information systems and data or records management in the health facilities. Data analysis was done using descriptive statistics. Data tables, frequencies and percentages were used to draw numerical summaries. Data presentation was done by way of tables and figures. As pertains to application of information security strategies, the study found that implementation of compliance mechanisms was the most popular strategy applied by the health facilities, followed by governance and risk management. The second finding of the study, on application of data privacy principles by health facilities in Nairobi, indicated that performance of data accountability and data protection components was the best, followed by legal and regulatory requirements. A notable finding of data privacy performance was that the facilities did not register any significant data breach occurrences. The study however, appreciated the fact that such sensitive information might have been classified confidential and limited to the health facilities. Lastly, the study identified challenges that affected the health facilities in adoption of data protection and privacy. Common challenges that affected all the facilities were identified as; dynamic regulatory environment, fast pace of digital innovation and transformation, increased interconnection and data sharing with third parties and increase in cyber threats, attacks and crime. The study concluded that although the health facilities implemented robust information security strategies they did not achieve some of their data privacy performance requirements like: percentage of staff receiving privacy training, privacy impact assessment completion rate, satisfactory privacy internal audit score and percentage of organisational budget dedicated to privacy programmes. The study recommended that the facilities scrutinise and address the challenges identified in adoption of their information security and privacy strategies. Health facilities must address information security and data privacy risks to prevent patient harm and preserve the human life. Health facilities can assure attainment of their business goals and objectives by aligning their information security, privacy and business strategies.