When South Africa’s National Health Laboratory Service fell victim to a ransomware attack in June 2024, the consequences went far beyond a technology failure.
For two months, doctors could not access test results through their usual digital systems. Over 6 million blood tests went unprocessed.
Critical HIV and tuberculosis treatments were delayed across a network serving 80% of South Africa’s population.
The BlackSuit ransomware gang had stolen 1.2 terabytes of patient data, forcing the entire laboratory system to rebuild from scratch after attackers deleted even the backup servers.
This should serve as a caution for Nigeria and other African nations racing to digitize healthcare records. As we accelerate electronic medical record (EMR) adoption, we risk importing America’s cybersecurity vulnerabilities along with the technology.
Nigeria’s Digital Health Acceleration
Nigeria is moving fast. The Federal Government’s Digital in Health Initiative, inaugurated by Health Minister Prof. Muhammed Ali Pate, aims to create a unified national EMR platform. Interswitch has deployed its eClinic system across four federal hospitals and partnered with Lagos State’s Smart Health Information Platform (SHIP). Private healthcare providers are following suit, eager to modernize patient data management.
This momentum is encouraging. Digital health records promise better patient outcomes, reduced medical errors, and more efficient healthcare delivery. But speed without security creates catastrophic vulnerability.
Why South Africa’s Experience Matters:
South Africa offers the most relevant case study for Nigeria because our healthcare contexts are similar: constrained public health budgets, significant HIV and TB patient populations requiring continuous monitoring, and healthcare systems serving predominantly poor populations who cannot afford private alternatives when public systems fail.
When NHLS systems went down, the impact was immediate and devastating. Doctors had to make clinical decisions without lab results. Major operations were postponed indefinitely.
All test results had to be communicated manually by telephone, a process prone to errors and delays that cost lives.
Though systems were restored after two months of intensive work, the breach demonstrated how digital transformation without adequate security governance can cripple essential health services.
The attack was not sophisticated nation-state espionage. It was a criminal ransomware gang exploiting predictable vulnerabilities in healthcare IT infrastructure, the same vulnerabilities that exist in systems being deployed across Nigeria today.
Learning From America’s Expensive Mistakes
The United States, despite decades of EMR experience and sophisticated cybersecurity infrastructure, continues to suffer devastating healthcare breaches.
The Change Healthcare attack in February 2024 exposed 190 million patient records and forced a $22 million ransom payment.
Ascension Health’s systems were affected for weeks. American healthcare providers have collectively paid billions in ransoms, remediation costs, and regulatory penalties.
Recent research from Black Book Market Research, published this month, reveals the scale of the problem: 74% of Chief Information Security Officers now identify EHR and AI vendors as their top emerging cyber risk.
Among African healthcare leaders surveyed, 71% in South Africa reported that third-party EHR or billing platforms were involved in major security incidents, with 55% experiencing multi-day system downtime.
Critically, 91% believe current risk management practices are inadequate for modern digital health environments.
These were not failures of technical competence; they were failures of governance, inadequate security frameworks, weak access controls, and insufficient oversight of third-party vendors who handle sensitive patient data.
Nigeria cannot afford to repeat these mistakes. When American healthcare systems face breaches, they have insurance, legal recourse, and regulatory enforcement mechanisms; When African healthcare systems fail, patients simply lose access to care.
What Nigeria Must Do Differently:
As Nigeria accelerates Electronic Medical Records adoption, we need governance frameworks embedded from day one, not bolted on after breaches occur.
This requires: Mandatory security standards for all Electronic Medical Records systems. The National Health Insurance Authority and the Federal Ministry of Health should establish minimum cybersecurity requirements before approving any EMR platform for deployment.
These standards must address encryption, access controls, backup systems that cannot be deleted by attackers, and vendor security audits.
Robust data governance frameworks. Nigerian patients need clear rights regarding their health data; who can access it, how it’s used, and what recourse exists when breaches occur.
The Nigeria Data Protection Act provides a foundation, but healthcare-specific regulations are essential.
Security-by-design requirements for vendors. Companies deploying EMR systems in Nigeria must demonstrate security capabilities before implementation, not after breaches.
This includes penetration testing, incident response plans, and cybersecurity insurance.
The Black Book Research data shows that 63% of healthcare organizations globally experienced vendor-linked incidents in the last 24 months, we must require vendors to meet security standards as a condition of market entry.
Regional coordination.: Healthcare data breaches don’t respect national borders. ECOWAS should establish regional cybersecurity standards for health data, enabling member-states to share threat intelligence and coordinate responses to emerging threats.
Investment in cybersecurity capacity: Nigeria needs trained cybersecurity professionals specializing in healthcare IT. Universities and technical institutions should prioritize healthcare cybersecurity training programs to build the workforce needed to secure our digital health infrastructure.
The Cost of Getting it Wrong
The consequences of inadequate healthcare cybersecurity extend beyond data theft. When EMR systems fail, hospitals revert to paper records, but staff trained exclusively on digital systems struggle with manual processes.
Patients lose access to critical medical histories. Treatment decisions are made with incomplete information. People die from preventable complications.
The economic costs are equally severe. Healthcare breaches destroy institutional trust, drive patients to private providers they cannot afford, and create liability that cash-strapped public hospitals cannot manage.
In South Africa’s case, the two-month system disruption meant postponed surgeries, delayed diagnoses, and interruptions in chronic disease management for millions of patients.
The full health impact of those delays may never be fully quantified, but research from the U.S. Cybersecurity and Infrastructure Security Agency shows that ransomware attacks on healthcare systems correlate with increased mortality rates, not just during the attack, but in the months that follow as hospitals operate under degraded capacity.
A Chance to Lead, Not Follow
African nations have an opportunity that the United States did not: we can learn from others’ mistakes before implementing healthcare digitization at scale. We do not need to experience billion-dollar breaches to understand that security cannot be an afterthought.
The question is not whether Nigeria should adopt EMR systems; digital transformation is necessary for healthcare modernization. The question is whether we will implement them with the security and governance frameworks that prevent catastrophic failures, or whether we will rush to digitize and pay the price in compromised patient data, disrupted care, and preventable deaths.
The South African breach shows us the cost of getting this wrong. American healthcare breaches demonstrate that sophisticated technology alone doesn’t guarantee security. Global data confirms that even advanced healthcare systems struggle with vendor-introduced vulnerabilities and inadequate risk management.
Nigeria has a chance to do better, but only if we prioritize governance alongside innovation. We must require security standards before deployment, not after a disaster. We must mandate vendor accountability, not hope for best practices. We must build cybersecurity capacity, not assume problems will solve themselves.
We cannot afford to digitize first and secure later. The health and safety of millions of Nigerians depend on getting this right from the start.
Aisha Arigbabu is a cybersecurity researcher and PhD candidate at the University of the Cumberlands, focusing on AI governance and healthcare security. Her lead-authored research on AI-enabled healthcare systems has been cited 76 times, with her broader body of work accumulating over 130 citations from researchers globally.
