Security of electronic personal health information in a public hospital in South Africa

Chuma, Kabelo Given

01 1900

The adoption of digital health technologies has dramatically changed the healthcare sector landscape and thus generates new opportunities to collect, capture, store, access and retrieve electronic personal health information (ePHI). With the introduction of digital health technologies and the digitisation of health data, an increasing number of hospitals and peripheral health facilities across the globe are transitioning from a paper-based environment to an electronic or paper-light environment. However, the growing use of digital health technologies within healthcare facilities has caused ePHI to be exposed to a variety of threats such as cyber security threats, human-related threats, technological threats and environmental threats. These threats have the potential to cause harm to hospital systems and severely compromise the integrity and confidentiality of ePHI. Because of the growing number of security threats, many hospitals, both private and public, are struggling to secure ePHI due to a lack of robust data security plans, systems and security control measures. The purpose of this study was to explore the security of electronic personal health information in a public hospital in South Africa. The study was underpinned by the interpretivism paradigm with qualitative data collected through semi-structured interviews with purposively selected IT technicians, network controllers’, administrative clerks and records management clerks, and triangulated with document and system analysis. Audio-recorded interviews were transcribed verbatim. Data was coded and analysed using ATLAS.ti, version 8 software, to generate themes and codes within the data, from which findings were derived. The key results revealed that the public hospital is witnessing a deluge of sophisticated cyber threats such as worm viruses, Trojan horses and shortcut viruses. This is compounded by technological threats such as power and system failure, network connection failure, obsolete computers and operating systems, and outdated hospital systems. However, defensive security measures such as data encryption, windows firewall, antivirus software and security audit log system exist in the public hospital for securing and protecting ePHI against threats and breaches. The study recommended the need to implement Intrusion Protection System (IPS), and constantly update the Windows firewall and antivirus program to protect hospital computers and networks against newly released viruses and other malicious codes. In addition to the use of password and username to control access to ePHI in the public hospital, the study recommends that the hospital should put in place authentication mechanisms such as biometric system and Radio Frequency Identification (RFID) system restrict access to ePHI, as well as to upgrade hospital computers and the Patient Administration and Billing (PAAB) System. In the absence of security policy, there is a need for the hospital to put in place a clear written security policy aimed at protecting ePHI. The study concluded that healthcare organisations should upgrade the security of their information systems to protect ePHI stored in databases against unauthorised access, malicious codes and other cyber-attacks. / Information Science / M. Inf. (Information Security)

Privacy

Confidentiality

Personal information

Security

ePHI

Digital health technologies

Public hospital

Disclosure of information

Security threats

South Africa

651.5042610968

Privacy, Right of -- South Africa

Compliance with freedom of information legislation by public bodies in South Africa

Nkwe, Itumeleng Marcia Mamagase

January 2020

Bibliography: pages 86-93 / In South Africa, freedom of information (FOI) or the right of access to information (ATI) is entrenched in section 32 of the Constitution. Section 32 guarantees every citizen the right of access to any information held by the state or held by any other person that is to be used for the protection or exercise of any right. The Promotion of Access to Information Act (PAIA) is the law that gives effect to section 32 of the Constitution. Regardless of a remarkable trend towards the adoption of FOI laws globally, international trends have shown this does not automatically translate into fulfilment of people’s right to information, as access to information by citizens remains a challenging factor. This study utilised mixed method research through the explanatory sequential design to assess compliance with FOI legislation by public bodies in South Africa with the view to ensure transparency, accountability and good governance. In this regard, the study first conducted a quantitative study by analysing the reports of the South African Human Rights Commission from the reporting years 2006/07 to 2016/07 to assess compliance with sections 14, 17 and 32 of the PAIA. The compliance trends were identified and thereafter a qualitative study was conducted to answer the question why the situation was the way it was. In this regard, interviews were conducted with a purposively chosen sample from complying and non-complying public bodies. The targeted participants were records managers, deputy information officers or officials responsible for PAIA in each chosen public body. The mixing strategy for the current study was at the data analysis, presentation and reporting level. Key results suggest that over the years, there were problems in the implementation of the FOI legislation in South Africa and its use was limited. Where implementation has taken place, it has been partial and inconsistent. The responsibility for implementation of FOI legislation in most public bodies is assigned to legal departments that do not have knowledge of what records are created, where and how they are kept. With regard to compliance, in terms of the degree of comparison, the situation was better in national departments, worse in provincial departments (with full compliance from the Free State, Limpopo, Western Cape and, to some extent, KwaZulu-Natal) and worst in municipalities. The study recommends the establishment of an information governance unit to implement FOI in public bodies. This unit will also be responsible for other information functions such as records management and information technology. Failure to assign responsibility to a relevant unit would perpetuate the non-compliance with FOI legislation in South Africa. As a result, accountability, transparency and good governance preached by the public sector to advance democracy in South Africa would be a mirage. A model for the implementation of PAIA within a public body is suggested. / Information Science / M. Inf.

Freedom of information

Access to information

Records

Accountability

Transparency

Good governance

Public bodies

South Africa

323.4450968

Freedom of information -- South Africa

The position of the whistle-blower in South African law

Isparta, Louise Dorothy

10 1900

The position of the whistle-blower is known to be a precarious one, with the whistle-blower often either regarded as a hero or a reprehensible traitor. Various pieces of legislation have attempted to remedy their precarious position, especially within the employment relationship, and in which the whistle-blower more often than not has the most to lose. The study at hand has the specific objective of comparing the position of the whistle-blower in terms of South African Law, against 16 specific measurables, and in comparison with the position of the whistle-blower in New Zealand, Australia (Victoria) and the United Kingdom. In the main, the protection offered to the whistle-blower within the South African context, is embodied within the Protected Disclosure Act 26 of 2000 (hereinafter referred to as the “PDA”).In examining the protection afforded to the whistle-blower in South Africa, it is concluded that the framework involved extends much further than just the mere provisions in the PDA. However, there are admitted challenges in respect of this framework as discussed, both legislative and non-legislative, especially in respect of duties of disclosures placed on persons in circumstances in which concurrent protection is not afforded to the whistle-blower. With reference to the comparison in respect of the measurement parameters set, it was found that the PIDA (UK) meets the least amount of the measurements set, with the PDA A (Australia, Victoria) meeting the most of the measurements; the PDA NZ is equally balanced in meeting and not meeting the measurements and the PDA meeting less of the measurements than not, but still meeting more than the PIDA. It was found that had it not been for the catch-all provision contained in section 4 (1) (b) of the PDA, the PDA would have ranked last. / Mercantile Law / LLD

Whistle-blower

Whistle-blowing

Protected Disclosures Act 26 of 2000

Corruption

Protected Disclosures Act 7 of 2000

Public Interest Disclosure Act 1998

Protected Disclosure Act 2012

Protected disclosure

Disclosure

344.12596068