In a mid-sized hospital in Lagos, the IT team recently finished migrating patient records from a local server to a cloud-based EMR platform. The old server had been unreliable for years, crashing during power cuts and requiring constant maintenance. The new system was faster, accessible from any device, and the vendor handled updates automatically. Within weeks, doctors were pulling up records on tablets during ward rounds. It felt like a breakthrough. But when the hospital's administrator asked who exactly had access to that data, and where it was physically stored, no one on the team had a clear answer.
This scenario is playing out across Nigeria's healthcare sector. As hospitals, clinics, and diagnostic centres adopt cloud-hosted platforms for electronic medical records, telemedicine, billing, and pharmacy management, they are gaining real operational benefits. But many are doing so without fully understanding the security implications of handing patient data to a third party.
What Cloud and SaaS Look Like in Nigerian Healthcare
Cloud computing, in simple terms, means storing and accessing data and applications over the internet instead of on a local computer or server. SaaS (Software as a Service) takes this further: instead of installing software on hospital machines, staff log in through a browser and the vendor hosts, maintains, and updates everything remotely.
In Nigeria, cloud-based healthcare platforms are growing fast. Hospitals and clinics now rely on tools like:
- Cloud EMR systems such as Helium Health, ClinikEHR, Hyella, and HealthOne for managing patient records, prescriptions, and billing.
- Telemedicine platforms like Doctall and Tremendoc that store consultation notes, prescriptions, and patient histories in the cloud.
- Pharmacy and supply chain tools such as DrugStoc and mPharma that manage inventory and procurement online.
The appeal is obvious. Cloud platforms reduce the burden on hospital IT teams, eliminate the need for expensive on-site servers, and allow staff to access records from multiple locations. For a country where power supply averages around four hours a day and diesel-powered generators keep most facilities running, offloading infrastructure to a cloud provider can feel like a lifeline.
Where the Risks Live
Cloud and SaaS platforms are not inherently insecure. Many of the larger providers invest heavily in infrastructure security. The risks tend to emerge in the gaps between the vendor's responsibilities and the hospital's assumptions.
- Unclear data ownership and residency. When you sign up for a cloud EMR, do you know who owns the patient data once it is uploaded, and where it is physically stored? Is it on servers in Lagos, London, or somewhere else entirely? If the contract does not say, assume the answer is not the one you want.
- Weak access controls. Some cloud platforms are accessible from any device with an internet connection. Without multi-factor authentication and strong password policies, a single compromised login can expose thousands of patient records.
- No Data Processing Agreement. Many Nigerian hospitals adopt SaaS tools without signing a formal agreement that specifies how the vendor will handle, store, and protect patient data. This is both a legal and a security gap.
- Vendor lock-in and opacity. If your vendor experiences a breach, how quickly will they notify you? Can you export your data if you need to switch providers? These questions often go unasked until it is too late.
- Shared responsibility confusion. Cloud security operates on a shared model: in a SaaS arrangement the vendor secures the infrastructure and the application itself, but the hospital remains responsible for its user accounts, the permissions it grants, the settings it chooses, and the monitoring it does. Misconfigured settings, overly broad user permissions, and unreviewed access logs are the hospital's problem, not the vendor's.
What Nigerian Law Requires
The regulatory landscape around cloud-hosted health data in Nigeria has tightened significantly. Hospitals using cloud and SaaS platforms need to be aware of three key frameworks:
- The Nigeria Data Protection Act (NDPA) 2023 classifies health information as sensitive personal data. It requires explicit consent for processing, mandates breach notification within 72 hours, and requires Data Processing Agreements with any third party handling personal data. Penalties can reach N10 million or 2% of annual gross revenue.
- The National Health Act 2014 (Section 26) makes all patient information confidential. Section 29 requires hospitals to implement proper measures to prevent unauthorised access to health records and storage systems, with penalties of up to N250,000 or two years imprisonment.
- NITDA's National Cloud Policy 2025 introduces a data classification framework that places healthcare data at Level 3 (sensitive), requiring it to be hosted exclusively within Nigeria. International cloud providers must establish local operations to serve this market. Cross-border data transfers are only permitted when fully compliant with both the NDPA and the Cloud Policy.
For hospitals, the practical implication is clear: you cannot simply sign up for any cloud platform and assume you are compliant. You need to verify where your data is stored, confirm the vendor meets Nigerian regulatory requirements, and document everything.
Practical Steps for Hospitals
Securing cloud and SaaS platforms does not require a massive budget or a specialised team. It requires attention, the right questions, and consistent follow-through. Here is where to start:
- Ask where your data is stored. Before signing any contract, confirm the physical location of servers. If the vendor builds on a global cloud provider like AWS or Azure, ask which region holds your data; an African region outside Nigeria, such as a South African one, does not satisfy a Nigeria-only requirement. Under the new Cloud Policy, sensitive health data must stay within Nigeria.
- Sign a Data Processing Agreement. This is not optional under the NDPA. The agreement should specify data handling, storage duration, encryption standards, breach notification timelines, and what happens to your data if the contract ends.
- Enforce multi-factor authentication. Every user account on your cloud EMR or SaaS platform should require a second factor beyond a password. This alone blocks the majority of credential-based attacks. Prefer an authenticator app or hardware token over SMS codes, which can be intercepted through SIM swaps, and make sure administrator accounts are covered first.
- Review user permissions regularly. Staff leave, roles change, and temporary accounts get forgotten. Audit who has access to what at least once a quarter. Remove accounts that are no longer needed.
- Request the vendor's security certifications. Ask for evidence of regular security audits, penetration tests, and compliance certifications, and read the scope: an ISO 27001 certificate or SOC 2 report should cover the specific service you are buying, not just the vendor's head office. A vendor that cannot provide these is not ready to handle patient data.
- Test your ability to export data. Before you are locked in, confirm that you can export patient records in a standard, usable format. Data portability is both a practical safeguard and a regulatory expectation.
- Monitor access logs. Most cloud platforms generate logs showing who accessed what and when. Review these regularly, and confirm that you can export them, so that retention is not left to the vendor's discretion and a copy survives if the relationship ends. Unusual login times, access from unfamiliar locations, or bulk downloads of records are all warning signs.
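The quarterly permission review and the log review above can both be started with a short script run over the platform's export. The following is an added example, not code from any of the vendors named on this page. It assumes, for illustration only, that the audit export is a list of events with the fields ts (ISO 8601, UTC), user, action, ip and country, and that the user export carries a last_login timestamp; real exports differ, so the field names and thresholds are constructed and must be adapted. It flags the three warning signs named above (off-hours logins, logins from outside the expected country, and bulk record access by one account within an hour) plus accounts idle for more than 90 days.

```python
"""Triage a cloud EMR audit-log export for the warning signs discussed above.

Added example. The event and user formats are assumed, not any vendor's
real export; the sample data below is constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WAT = timezone(timedelta(hours=1))      # West Africa Time, UTC+1, no DST
WORK_HOURS = range(6, 22)               # 06:00-21:59 local is treated as normal
ALLOWED_COUNTRIES = {"NG"}              # where staff are expected to log in from
BULK_VIEWS = 40                         # this many record views by one user...
BULK_WINDOW = timedelta(hours=1)        # ...inside this window is a bulk-access signal
STALE_AFTER = timedelta(days=90)        # accounts idle this long should be removed


def parse_ts(ts):
    """Parse a UTC timestamp like 2025-03-03T08:12:00Z into an aware datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed sample export (documentation IP ranges): ordinary activity plus
# three planted anomalies: a 03:40 local login, a login from the US, and one
# doctor viewing 45 records in half an hour.
SAMPLE_EVENTS = [
    {"ts": "2025-03-03T08:12:00Z", "user": "nurse.ade", "action": "login", "ip": "192.0.2.10", "country": "NG"},
    {"ts": "2025-03-03T08:15:00Z", "user": "nurse.ade", "action": "record.view", "ip": "192.0.2.10", "country": "NG"},
    {"ts": "2025-03-03T02:40:00Z", "user": "dr.okoro", "action": "login", "ip": "192.0.2.22", "country": "NG"},
    {"ts": "2025-03-03T10:05:00Z", "user": "billing.temp", "action": "login", "ip": "203.0.113.9", "country": "US"},
]
_base = datetime(2025, 3, 3, 2, 41, tzinfo=timezone.utc)
SAMPLE_EVENTS += [
    {"ts": (_base + timedelta(seconds=40 * i)).strftime("%Y-%m-%dT%H:%M:%SZ"),
     "user": "dr.okoro", "action": "record.view", "ip": "192.0.2.22", "country": "NG"}
    for i in range(45)
]
SAMPLE_USERS = [
    {"user": "nurse.ade", "last_login": "2025-03-03T08:12:00Z"},
    {"user": "dr.okoro", "last_login": "2025-03-03T02:40:00Z"},
    {"user": "billing.temp", "last_login": "2025-03-03T10:05:00Z"},
    {"user": "locum.2024", "last_login": "2024-11-20T09:00:00Z"},   # left in November
    {"user": "vendor.support", "last_login": None},                 # never used
]
NOW = datetime(2025, 3, 4, tzinfo=timezone.utc)   # fixed so the results are reproducible


def off_hours_logins(events):
    """Logins whose local (WAT) hour falls outside WORK_HOURS."""
    hits = []
    for e in events:
        if e["action"] != "login":
            continue
        local = parse_ts(e["ts"]).astimezone(WAT)
        if local.hour not in WORK_HOURS:
            hits.append((e["user"], local.strftime("%Y-%m-%d %H:%M WAT")))
    return hits


def foreign_logins(events):
    """Logins geolocated outside the countries staff are expected to work from."""
    return [(e["user"], e["ip"], e["country"]) for e in events
            if e["action"] == "login" and e["country"] not in ALLOWED_COUNTRIES]


def bulk_access(events):
    """Users with at least BULK_VIEWS record views/exports inside any BULK_WINDOW.

    Returns {user: peak count in a window}; a sliding window over sorted times.
    """
    per_user = defaultdict(list)
    for e in events:
        if e["action"] in ("record.view", "record.export"):
            per_user[e["user"]].append(parse_ts(e["ts"]))
    hits = {}
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > BULK_WINDOW:
                start += 1
            count = end - start + 1
            if count >= BULK_VIEWS:
                hits[user] = max(hits.get(user, 0), count)
    return hits


def stale_accounts(users, now):
    """Accounts never used, or idle longer than STALE_AFTER, as of `now`."""
    return sorted(u["user"] for u in users
                  if u["last_login"] is None or now - parse_ts(u["last_login"]) > STALE_AFTER)


def triage(events, users, now):
    """Run every check and return the findings keyed by warning sign."""
    return {
        "off_hours_logins": off_hours_logins(events),
        "foreign_logins": foreign_logins(events),
        "bulk_access": bulk_access(events),
        "stale_accounts": stale_accounts(users, now),
    }


if __name__ == "__main__":
    for finding, items in triage(SAMPLE_EVENTS, SAMPLE_USERS, NOW).items():
        print(f"{finding}: {items}")
```

Every hit is a prompt to ask a question, not a verdict: the 03:40 login may be a doctor on night shift, and a specialist reviewing a ward may legitimately open 45 records. What matters is that someone looks, records the explanation, and escalates the ones that have none. The country and time-of-day thresholds should be set from what the hospital actually does, and the script should be run on each fresh export rather than once.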
The Bigger Picture
Nigeria's cloud computing market is projected to reach $0.82 billion in 2025, growing at nearly 26% annually. The government's target of 80% EMR adoption by 2030, combined with the World Bank's $500 million BRIDGE investment in digital infrastructure, signals that cloud adoption in healthcare will only accelerate.
This is a good thing. Cloud platforms, when properly secured, can transform how Nigerian hospitals deliver care. They can make records accessible across locations, reduce the impact of power outages, and free up resources that would otherwise go to maintaining ageing servers.
But the transition has to be done carefully. The hospitals that benefit most from cloud technology will be the ones that treat security as part of the adoption process, not an afterthought. They will ask the hard questions before signing contracts, train their staff on safe usage, and hold their vendors to the same standards they hold themselves.
- Verify data residency -- confirm your cloud vendor stores patient data on servers within Nigeria, as required by NITDA's 2025 Cloud Policy.
- Sign a Data Processing Agreement -- this is a legal requirement under the NDPA, not a nice-to-have. Spell out encryption, breach notification, and data deletion terms.
- Enforce MFA on every account -- multi-factor authentication is the single most effective control against credential-based attacks on cloud platforms.
- Audit access quarterly -- review user permissions, remove stale accounts, and investigate unusual login patterns in your platform's access logs.
- Demand vendor transparency -- request security certifications, penetration test reports, and clear incident response timelines before signing any contract.
- Plan for portability -- test your ability to export patient data in a standard format. If you cannot leave, you are not in control.
The cloud is not the risk. Blind trust is. Secure your platform, protect your patients.