Designing Privacy into Healthcare Systems

How Nigerian hospitals can embed privacy protections directly into their healthcare systems, ensuring patient trust and data security from the ground up.


Privacy by design means building privacy safeguards into health IT systems and processes from the outset. In practice, this means proactively preventing data leaks rather than waiting to fix them after a breach. Key principles include data minimization (collect and keep only the information truly needed for care) and default encryption of sensitive records. Embedding these protections ensures patient data remains confidential as a matter of course.

In Nigeria, many hospitals run on outdated software with little to no security embedded in their infrastructure, and studies find widespread non-compliance with global security standards due to poor regulation and low awareness. Under these conditions, daily habits matter. Hospitals must encrypt data, control access, and train staff to meet their legal and professional duty: protecting patient information.

Encryption: Protect Data In Transit and At Rest

Encrypting patient records is non-negotiable. All PHI transmitted over networks, for example when clinicians access the EMR in a browser or send lab results, should use end-to-end encryption (HTTPS/TLS) so eavesdroppers cannot read it. Likewise, data at rest on servers, laptops, or mobile devices should be stored in encrypted form (using strong algorithms like AES-256). If a hacker copies your database or steals a device, the information will be indecipherable without the keys.

Hospitals should also encrypt backups and archives. Maintain multiple off-site or cloud backups of patient records, but ensure those backups are encrypted at creation. Finally, never store passwords or sensitive keys in plain text: use secure hashing (with salt) or vault services to protect credentials. In the Nigerian setting, this duty is often pushed to the designers of the EMR system in use, as they usually design and deploy these systems. However, hospitals must ensure that their EMR providers are following best practices and that these features (HTTPS, encryption) are implemented and enabled by default.

Access Controls and Strong Authentication

Limiting access is another daily imperative. Every staff member must have their own account on the EMR, secured by a strong, unique password. Default or trivial passwords (“1234”, “password”, birthdays) are easy for attackers to guess. Replace these habits with complex passphrases or implement multi-factor authentication where possible. Enforce lockout and auto-lock policies so unattended computers do not expose sensitive patient records.
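The policy described above can be expressed as a few checks. The following is an added example, not code from the article or any EMR product: it rejects trivial passwords, locks an account after repeated failures, and decides when an idle session must lock. The thresholds, the deny-list beyond "1234" and "password", and all function names are assumptions.

```python
import time

# Constructed deny-list; "1234" and "password" are the article's own examples.
TRIVIAL = {"1234", "password", "123456", "admin", "qwerty"}
MIN_LENGTH, MAX_FAILURES = 12, 5                       # assumed policy values
LOCKOUT_SECONDS, IDLE_LOCK_SECONDS = 15 * 60, 5 * 60   # assumed policy values

def password_problems(password, username="", birthdate=""):
    """Return a list of policy violations; an empty list means acceptable."""
    problems = []
    lowered = password.lower()
    if lowered in TRIVIAL:
        problems.append("common or default password")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if username and username.lower() in lowered:
        problems.append("contains the username")
    digits = "".join(c for c in birthdate if c.isdigit())  # ISO date assumed
    if any(v and v in password for v in (digits, digits[:4], digits[4:], digits[2:])):
        problems.append("contains the user's birth date")
    return problems

class LoginGuard:
    """Tracks failed logins per account and locks it after MAX_FAILURES."""
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.failures = {}      # username -> consecutive failure count
        self.locked_until = {}  # username -> time at which the lock expires

    def is_locked(self, user):
        return self.clock() < self.locked_until.get(user, 0.0)

    def record(self, user, success):
        """Record an attempt; return True only if the login may proceed."""
        if self.is_locked(user):
            return False  # even a correct password is refused while locked
        if success:
            self.failures.pop(user, None)
            return True
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= MAX_FAILURES:
            self.locked_until[user] = self.clock() + LOCKOUT_SECONDS
            self.failures.pop(user, None)
        return False

def session_must_lock(last_activity, now):
    """Auto-lock rule: True once the workstation has been idle long enough."""
    return now - last_activity >= IDLE_LOCK_SECONDS
```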

Physical Security and Daily Habits

Privacy by design is not only digital. Computers and devices that display PHI must be protected against casual access. Doctors' and nurses' workstations should lock automatically when idle; hospitals can make this work even better by setting up local AD servers. Server rooms and storage areas must be physically secured. Personal devices used by clinicians must be encrypted, PIN-protected, and cleared of patient data after use.

Working with EMR Providers and Ensuring Compliance

Most hospitals now rely on third-party EMR vendors. It is vital to drive security requirements through contracts. Insist that vendors encrypt data at rest and in transit, enforce strong passwords or MFA, and keep detailed audit logs. Remember: even when outsourcing, your hospital remains responsible for patient data. Choose reputable providers who undergo regular audits and penetration tests. Negotiate terms that allow independent assessments, and always change default settings or passwords immediately.

Key Daily Practices

  • Encrypt all PHI in transit and at rest (web traffic, databases, backups, and devices).
  • Enforce strong, unique credentials and lock screens on inactivity.
  • Share data only through secure, approved, encrypted channels.
  • Keep backups encrypted and securely stored; delete or archive data when no longer needed.
  • Train all staff regularly and appoint a Data Protection Officer as required under NDPA.

Each of these practices should become routine. ClarenSec supports hospitals in achieving this through risk assessments, staff training, and system hardening to ensure both compliance and trust.
