By Martin Fernandes
While the policy debate continues over National Health Insurance (NHI), with its 15-year horizon, and its planned Single Electronic Health Record (SEHR), a quiet, fast transformation has already reshaped South African health care. It did not happen in Parliament; it happened in the App Store.
This is the era of “shadow digitalization” – the rapid, unplanned adoption of innovative and on-demand digital tools.
The SEHR was intended to be the digital backbone of NHI – a unified, secure and interoperable standard that would hold the medical history of every citizen, for the benefit of state health care as well as private services. But the market has not waited for the state. In the void created by the delay in centralized infrastructure, the private sector has moved rapidly.
According to industry research, the South African digital health and telemedicine market is already valued at approximately R15.7 billion and is projected to grow substantially through 2023 and throughout this decade. Demand for virtual consultations has increased rapidly since the COVID-19 pandemic, and telehealth is increasingly shaping the way non-emergency healthcare is delivered in both private and public settings.
Smartphone and internet access – the backbone of digital health use – has expanded significantly in South Africa, with millions of people getting online and gaining mobile internet access, and with it access to virtual care tools.
This organic growth solves the immediate problems of access and efficiency. However, it creates a fragmented security challenge that is far more complex than the legacy paper files it replaces. Instead of building a fortress, we are now building a vast, unplanned web of connections that works (in many cases beautifully) but lacks a unified security foundation.
The danger of hyper-connectivity
The danger lies in the connections. In a formal SEHR system, you have a defined perimeter to defend. In the current ecosystem, there is no perimeter at all.
Consider a patient's data journey. They can consult a doctor through a video app, have a digital script sent to a pharmacy chain, and claim the expense through a medical aid app. That is three different organizations, three different security postures, and sensitive health data flowing between them via application programming interfaces (APIs).
APIs are the digital glue that makes this interoperability possible, but they are often a blind spot. If a small, innovative telemedicine startup has not tightly secured its API, that API is an open door. A cybercriminal does not need to break the sophisticated security of a major hospital group; they only need to compromise a smaller, less secure app that has legitimate access to the hospital's database.
We are seeing a global increase in attacks targeting these “soft” entry points. Criminals are bypassing the front gate to get into a digital window left open by a third-party vendor.
The human cost of digital fragility
We often discuss cybersecurity in terms of data privacy or financial penalties, but in the healthcare sector, the risks are material. The digital systems that manage our health have now effectively become critical national infrastructure, and failure here is more than a mere inconvenience.
The benefits of leveraging technology such as the Internet of Medical Things (IoMT) are clear and tangible, but they come at a cost that is often overlooked. IoMT equipment such as IV infusion pumps, patient monitors and dialysis machines, and other medtech equipment such as incubators, X-ray machines, MRI and CT scanners, pose high risks in any digital transformation.
Most of these systems run embedded operating systems (of various kinds) and use proprietary software and communication channels to interact with picture archiving and communication systems (PACS), radiology information systems (RIS) and electronic health record (EHR) systems that were traditionally deployed on campus. With the shift to the cloud and the adoption of AI to improve clinical and operational processes, data security is no longer the only concern: the growing exposure of devices and systems through a chain of interconnected systems is becoming a major one.
Most of these devices lack modern cybersecurity protections and endpoint protection, and they have long lifecycles (10-20 years); many of them (over 60% of devices) are no longer supported by their original equipment manufacturers (OEMs), which makes them easier, higher-impact targets for attackers. In fact, studies indicate that more than two thirds of IoMT devices are vulnerable to attack, with devices hosting six known exploitable vulnerabilities (KEVs).
Smart facilities initiatives have added risks beyond IT and IoMT. Hospital operations are complex environments involving many physical processes that form an important part of the clinical chain. Digitalization of physical elements such as heating, ventilation and air conditioning (HVAC), water processes, electrical and power infrastructure and gas systems effectively connects them to enterprise networks, enabling centralized visibility and control through a building management system (BMS).
Remote access is another concern, as vendors and OEMs often establish remote connectivity to these systems through solutions that are not governed by IT.
Both IoMT and Operational Technology (OT) areas typically fall outside the scope of the SOC, making a large portion of devices, connections, and communications a big blind spot from a cybersecurity perspective.
Tackling these IoMT and OT challenges requires a multi-step approach, including:
- Enforce clear ownership – Cybersecurity should be a board-level priority, and that priority should include IoMT and OT.
- Establish a complete asset inventory – real-time monitoring and reporting of all IoMT, OT and clinical systems (device type, firmware version, physical connection details and traffic profiles).
- Introduce proper segmentation – Establish a zone-based architecture with tight control over traffic flows and communications. Importantly, ensure that detective and preventive cybersecurity controls are able to interpret proprietary communication protocols.
- Enforce identity and access controls:
  - Enforce network access controls that rely on multiple profiling methods (not just MAC addresses) to reduce rogue connections.
  - Implement multi-factor authentication (where possible).
  - Implement privileged access management to establish least-privilege access, eliminating uncontrolled access to shared accounts and to the systems that also control remote access.
  - Eliminate multiple direct remote OEM connections by moving access to a centralized access solution that removes direct access to critical systems and provides oversight and security of activity and communications (even when encrypted).
- Extend patch and vulnerability management to IoMT, OT and MedTech infrastructure and systems – This is perhaps the biggest hurdle, as organizations are often caught between OEM-set operations and maintenance rules and clinical uptime SLAs. To address this, organizations should include mitigating controls in the evaluation process when selecting a cybersecurity solution.
- Integrate monitoring and event detection – There is little benefit in securing your front door when your back door is left unmonitored. Make sure your SOC ingests and monitors alerts from every part of your ecosystem, going beyond traditional IT to include diagnostic tools, infrastructure services, and cloud and AI integrations.
- Resilience and continuity – While a major focus area in healthcare, this is often viewed primarily from a data recovery perspective, with little attention paid to continued operations and critical physical processes, where the real operational and patient safety risks reside.
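As an added illustration of the inventory and segmentation steps above (this is example code, not from the article or any vendor), the script below keeps a constructed asset inventory with zones and OEM support status, checks observed flows against a deny-by-default zone allow-list, and flags devices that are no longer OEM-supported. Zone names, addresses and flows are all constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    kind: str            # e.g. "infusion_pump", "pacs", "bms", "workstation"
    zone: str            # segmentation zone the asset belongs to
    oem_supported: bool  # False once the OEM no longer ships fixes

# Constructed inventory (sample addresses, not real hosts).
INVENTORY = {
    "10.10.1.5":  Asset("infusion_pump", "clinical_devices", False),
    "10.10.2.7":  Asset("pacs",          "imaging",          True),
    "10.10.3.9":  Asset("bms",           "ot",               True),
    "10.10.4.20": Asset("workstation",   "corp",             True),
    "10.10.5.2":  Asset("jump_host",     "remote_access",    True),
}

# Permitted source zone -> destination zones. Anything absent is denied.
ALLOWED_FLOWS = {
    "clinical_devices": {"clinical_devices"},
    "imaging": {"imaging"},
    "ot": {"ot"},
    "corp": {"imaging"},                                     # staff reach PACS only
    "remote_access": {"clinical_devices", "imaging", "ot"},  # OEMs only via the jump host
}

def check_flow(src_ip, dst_ip, inventory=INVENTORY, policy=ALLOWED_FLOWS):
    """Return (allowed, reason) for one observed flow."""
    src, dst = inventory.get(src_ip), inventory.get(dst_ip)
    if src is None or dst is None:
        return False, f"unknown asset in flow {src_ip} -> {dst_ip}"  # inventory gap
    if dst.zone in policy.get(src.zone, set()):
        return True, f"{src.zone} -> {dst.zone} permitted"
    return False, f"{src.zone} -> {dst.zone} not in allow-list"

def audit(flows, inventory=INVENTORY, policy=ALLOWED_FLOWS):
    """Return (src, dst, reason) for every flow that violates the policy."""
    results = [(s, d, *check_flow(s, d, inventory, policy)) for s, d in flows]
    return [(s, d, why) for s, d, ok, why in results if not ok]

def unsupported_assets(inventory=INVENTORY):
    """Unsupported devices need compensating controls, not just patches."""
    return sorted(ip for ip, a in inventory.items() if not a.oem_supported)

# Constructed flow sample, as a firewall or NetFlow export would yield.
SAMPLE_FLOWS = [
    ("10.10.4.20", "10.10.2.7"),   # workstation -> PACS: permitted
    ("10.10.4.20", "10.10.1.5"),   # workstation -> infusion pump: violation
    ("10.10.5.2",  "10.10.3.9"),   # jump host -> BMS: permitted
    ("10.10.3.9",  "10.10.4.20"),  # BMS -> corp workstation: violation
    ("203.0.113.8", "10.10.1.5"),  # unknown external host -> pump: violation
]
```

Running `audit(SAMPLE_FLOWS)` returns the three violating flows with their reasons, and `unsupported_assets()` lists the pump that needs compensating controls.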
The potential consequences of a cyber incident extend far beyond data loss. When that digital backbone breaks, the effects can be immediate and physical: surgery may be postponed if the theatre schedule becomes inaccessible; important treatments may be delayed if diagnostic results cannot be retrieved; and patients may be cut off from care if the booking portal goes down.
The efficiency we gain from this web of apps becomes a single point of failure if it is not secured. If the “shadow” web of personal devices and apps that now supports our healthcare collapses, a tool for access turns into a threat to patient safety.
Identity is the new horizon
The on-demand model also presents a unique identity challenge. Doctors now log into multiple systems daily, often from personal devices. This creates serious fragmentation in identity and access management (IAM).
If a doctor uses the same password for a secure insurer platform as for a less secure scheduling app, a breach of one compromises the other. In a country where 1,800 qualified doctors are unable to find work even after meeting all statutory requirements, the gig-economy model of telemedicine provides a vital career lifeline, but it also means the “human firewall” is constantly moving between organisations.
This reality demands a zero trust approach. In the past, we trusted anyone “inside” the network. Today, we must assume that every device and every user is potentially compromised until proven otherwise.
Zero trust means that when a doctor's tablet requests access to a patient's records, the system does not just check the password. It checks the context. Is this request coming from a known device? Is it coming from a usual location? Is the device free of malware? If the answer to any of these is no, access is denied, even if the password is correct.
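The context checks just described, as an added example (not code from the article or from any product): a deny-by-default policy that evaluates a records request and records every failed check, so the SOC can see why a request with a correct password was still refused. The clinician name, device identifiers, country codes and the posture flag are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AccessRequest:
    user: str
    password_ok: bool   # outcome of the credential check, already performed
    device_id: str      # identifier presented by the endpoint agent
    country: str        # geolocation of the request as an ISO country code
    malware_free: bool  # latest posture result reported by the endpoint agent

# Constructed directory data: enrolled devices and usual locations per clinician.
ENROLLED_DEVICES = {"dr_nkosi": {"tablet-0a1b", "laptop-77c2"}}
USUAL_COUNTRIES = {"dr_nkosi": {"ZA"}}

def evaluate(req, devices=ENROLLED_DEVICES, countries=USUAL_COUNTRIES):
    """Return (allow, reasons). Access is granted only if every check passes;
    each failed check is recorded for the audit trail."""
    reasons = []
    if not req.password_ok:
        reasons.append("credential check failed")
    if req.device_id not in devices.get(req.user, set()):
        reasons.append(f"device {req.device_id} is not enrolled for {req.user}")
    if req.country not in countries.get(req.user, set()):
        reasons.append(f"request from unusual location {req.country}")
    if not req.malware_free:
        reasons.append("endpoint posture check failed")
    return not reasons, reasons

# Same clinician, correct password each time: only the first request succeeds.
REQUESTS = [
    AccessRequest("dr_nkosi", True, "tablet-0a1b", "ZA", True),
    AccessRequest("dr_nkosi", True, "phone-unknown", "ZA", True),
    AccessRequest("dr_nkosi", True, "tablet-0a1b", "ZA", False),
]

if __name__ == "__main__":
    for r in REQUESTS:
        allow, why = evaluate(r)
        print("ALLOW" if allow else "DENY", r.device_id, why)
```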
Hardening applications
For developers and organizations building these health tools, the focus must shift to application security (AppSec). Security cannot be a final check performed just before an app goes live; it has to be an integral part of the code.
Many of these health apps are built for speed to market. In the rush to launch a new feature that lets patients book appointments online, developers may inadvertently leave API keys exposed or fail to encrypt data stored locally on the phone. Automated testing tools can now scan code as it is written, acting as spell-checkers for security flaws, so that such vulnerabilities never reach the public.
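As an added example of the kind of automated check described above (not from the article or any real scanner), this small pre-commit style scanner flags two of the flaws named in the paragraph: a high-entropy literal assigned to a key, secret, token or password variable, and patient data written through an unencrypted local-storage call. The persistence API names and the sample file are constructed for illustration; a real SAST or secret scanner covers far more cases.

```python
import math
import re
from collections import Counter

# A credential-looking literal assigned to a key/secret/token/password name.
KEY_ASSIGNMENT = re.compile(
    r"""(?i)\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*["']([^"']{12,})["']""")
# Unencrypted on-device persistence calls (assumed API names for illustration).
PLAINTEXT_STORE = re.compile(r"\b(localStorage\.setItem|SharedPreferences|writeToFile)\b")

def entropy(s):
    """Shannon entropy in bits per character: random keys score high,
    placeholders such as 'changemechangeme' score low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def scan(source, path="<input>"):
    """Return (path, line number, message) for each finding in one file."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = KEY_ASSIGNMENT.search(line)
        if m and entropy(m.group(2)) > 3.0:   # skip low-entropy placeholders
            findings.append((path, lineno, f"hard-coded {m.group(1)}"))
        if PLAINTEXT_STORE.search(line) and "patient" in line.lower():
            findings.append((path, lineno, "patient data persisted without encryption"))
    return findings

# Constructed sample file; the key is made up and is not a real credential.
SAMPLE = """\
API_KEY = "k7Qv9xLm2pZt4RwY8nBc3HdJ"
token = "changemechangeme"
localStorage.setItem("patientRecord", JSON.stringify(record))
cache.set("theme", "dark")
"""

if __name__ == "__main__":
    for path, lineno, msg in scan(SAMPLE, "booking.js"):
        print(f"{path}:{lineno}: {msg}")
```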
Stabilizing the hybrid reality
The delay of the official SEHR does not mean we have time to relax. It means we are locked into a very long period of hybrid risk: paper files, old government servers and state-of-the-art private apps will all be trying to co-exist for the next decade or more.
The organizations that survive this transition will be those that stop waiting for a national master plan to set their security standards. They will realize that in a world of shadow digitization, they are responsible for their own data sovereignty.
We need to secure the health care system we have, not the one we are waiting for. That means securing API connections, validating every identity, and hardening the apps that millions of South Africans already use to manage their lives.
Martin Fernandes, Business Development Manager, Fortinet Africa.
