As the adoption of electronic medical records continues to grow across Nigeria’s healthcare system, cybersecurity and health technology experts have outlined measures hospitals can take to protect patients’ data from cybercriminals.
They noted that hospitals can minimise these risks by strengthening encryption systems and conducting regular security audits.
Also, they recommended training healthcare workers on cyber hygiene and establishing dedicated cybersecurity units within the hospital’s systems as part of strategies to prevent cyberattacks.
PUNCH Healthwise reports that Microsoft’s chief security advisor for Africa, Kerissa Varma, recently warned that African healthcare systems are increasingly facing cyberattacks, with hospitals, laboratories, and digital health platforms becoming prime targets for cybercriminals.
According to her, the sector is under a “silent emergency” as cybercriminals exploit the rush to digitise patient records and services.
“While doctors fight to save lives, cybercriminals are infiltrating hospitals, laboratories, and clinics, turning life-saving environments into digital battlegrounds. Africa’s healthcare organisations faced an average of 3,575 weekly attacks in 2025, a 38 per cent increase from the previous year,” Varma said.
Research indicates that Nigeria’s private healthcare sector is increasingly targeted, with cyberattacks rising at an alarming pace.
Common consequences, Varma said, include temporary loss of access to hospital systems, encryption of patient data, and the risk of sensitive information appearing on the dark web.
“Medical records are a premium target. Unlike credit card data, patient information never expires, and stolen records can be used for years to commit identity theft, make fake insurance claims, and commit prescription fraud. A single medical record can fetch up to $310 on the dark web, compared with $30–$50 for a credit card,” Varma said.
Meanwhile, several hospitals in Nigeria, both private and government-owned, have adopted EMR for efficiency.
Speaking exclusively to PUNCH Healthwise, the experts explained that while EMR systems have improved data management, weak cybersecurity infrastructure, poor staff training, and inadequate monitoring could expose many Nigerian health facilities to the risk of data breaches.
The Founder of CyberWarrior Technologies, Igbagboyemi Oladele, said that to protect EMR, hospitals must first implement a computer system that does not automatically trust any user, device, or network.

“They must implement a Zero Trust framework centered on rigorous identity management. This starts with Multi-Factor Authentication for every login and the strict application of Role-Based Access Control, which ensures staff can only access the specific data necessary for their clinical or administrative duties.
“Technically, hospitals must prioritize comprehensive encryption and network isolation to safeguard data from both external breaches and lateral movement. To contain potential infections, the EMR infrastructure should be placed on a segmented network, effectively ‘air-locking’ it away from less secure systems like guest Wi-Fi or Internet of Medical Things devices, such as smart IV pumps, which are often targets for initial entry,” he said.
According to the expert, a resilient strategy requires proactive monitoring and a robust recovery protocol to mitigate the impact of ransomware.
“Hospitals should maintain immutable, off-site backups that cannot be modified or deleted by attackers, ensuring a clean restoration point is always available,” Oladele said.
On immediate steps hospitals should take to protect patient information and restore services in case of attacks, he said, “The immediate priority during a cyberattack is containment to prevent the threat from spreading across the hospital’s digital infrastructure.
“IT teams must physically or logically disconnect infected systems from the network, effectively ‘air-gapping’ the EMR database to stop data exfiltration or further encryption by ransomware.”
The expert noted that once the threat is isolated, the focus then shifts to forensic analysis and recovery through the restoration of immutable backups.
“Security professionals must identify the entry point and ‘kill’ any persistent backdoors before bringing systems back online to avoid a re-infection. Following a systematic ‘clean-room’ recovery process, the hospital should restore data from the most recent uncorrupted backup and verify its integrity,” Oladele added.
To stay ahead of new threats, he said, healthcare providers must move away from only defending their systems after attacks and instead focus on verifying user identities and building stronger systems that can resist and recover from cyberattacks.
“Ultimately, staying ahead requires treating cybersecurity not as a technical add-on, but as a core clinical safety metric, integrating continuous threat exposure management directly into the lifecycle of every digital patient interaction,” he said.
On his part, a cybersecurity expert, Adekunle Durosinmi, stressed that safeguarding medical records is essential to protecting patient privacy and maintaining trust in digital healthcare systems.

He noted that as hospitals digitalise their systems, management must create the right team and ensure continuous education for personnel to manage patients’ records and prevent the activities of cybercriminals.
Durosinmi, who is the President of Ogun Tech Community, said while many hospitals have adopted EMR in Nigeria, some do not know how to protect patients’ data, including the nitty-gritty of managing computer accessibility.
“Doctors, medical records officers, pharmacists, medical laboratory scientists, radiographers, and everyone who has access to these systems need to be trained and retrained — learning and relearning the principles of data protection. People who make use of these computer systems must understand how access and security work so that they can properly protect patients’ data,” he said.
Durosinmi identified social engineering and phishing as common cybersecurity threats facing hospitals using EMR.
“So the major threats we are talking about in this country are social engineering and phishing. That is why we need to enlighten people about what social engineering and phishing are all about.
“The key solution is education. We need to educate people continuously. Because as you are developing ways to protect systems, attackers are also developing new methods to break into them,” he said.
The expert explained that it is essential for hospitals to have a robust ICT department to prevent cyberattacks and act decisively when they occur.
“Within the ICT department, there should be different units. One of them should be a cybersecurity unit. Cybersecurity is one of the key things that should be a major goal for hospitals using EMR in the country.
“When we have cybersecurity personnel in hospitals, their responsibility is to develop cybersecurity policy and strategies to forestall any attack,” he said.
He advised that all hospitals must ensure those accessing the EMR use company email rather than personal email, and adopt other policies such as requiring staff to change their email passwords regularly, for example once every month.
“Now, when a cyber attack occurs, if you already have these systems and policies in place, it becomes easier to investigate and respond.
“That is why every organisation should have a cybersecurity unit. The cybersecurity unit also works closely with the Data Protection Officer. The DPO provides guidance on how data should be handled, stored, and protected,” he said.
Copyright PUNCH

