Cyber and POPIA in the South African healthcare industry

The South African regulatory environment is becoming increasingly complex due to developing cyber and data privacy laws as well as established healthcare-related laws and regulations. We explore the impact of data privacy and cyber related risks on healthcare affiliated organisations in the South African landscape and what steps should be taken to mitigate these risks.

Healthcare institutions are increasingly becoming the targets of cyber-criminal activities. This is largely due to the fact that healthcare institutions are the custodians of inherently sensitive information, which is defined as “special personal information” under the Protection of Personal Information Act, 4 of 2013 (“POPIA”), which often requires a higher standard of care when being processed. 

The Information Regulator (South Africa) is starting to take an active role in ensuring POPIA compliance, especially in the recent security compromised notifications set out in section 22 of POPIA.

Some of the pertinent insights to consider:

• In the event that a business is victim to a cyber attack, appointing the right cyber incident response team for effective and efficient management of the incident, is crucial for limiting the damage associated with the incident.
• It is important for organisations to conduct regular cybersecurity audits on internal systems and third-party service providers’ systems to ensure cyber resilient protocols have been established against cybercrime, and to ensure compliance with POPIA.
• Run breach scenarios that test an organisation's readiness.

Download key considerations on cyber and data privacy

Should you require guidance on South Africa’s legislative landscape relating to data privacy, cyber law, healthcare, and how best to prepare and defend against these emerging risks, please reach out to the key contacts below.