NEWS
24 February 2026 | Categories: news


By Martin Fernandes, Business Development Manager, Fortinet Africa

While policy debates continue over the 15-year horizon for the National Health Insurance (NHI) and its planned Single Electronic Health Record (SEHR), a quieter, faster transformation has already reshaped South African healthcare. It didn't happen in parliament; it happened in the app store.

This is the era of "shadow digitisation" – the rapid, unplanned adoption of innovative and on-demand digital tools.

The SEHR was intended to be the digital spine of the NHI – a unified, secure, and interoperable standard that would house the medical history of every citizen to the benefit of state healthcare as well as private services. But the market has not waited for the state. In the vacuum left by the delay of centralised infrastructure, the private sector has sprinted ahead.

The South African digital health and telemedicine market was already valued at around R15.7 billion back in 2023, according to industry research, and is projected to grow substantially through this decade. Demand for virtual consultations has risen sharply since the COVID-19 pandemic, with telehealth increasingly shaping how non-emergency healthcare is delivered in both private and public settings.

Smartphone and internet access – the backbone of digital health usage – has expanded significantly in South Africa, with millions of people online and mobile internet penetration facilitating access to virtual care tools.

This organic growth solves immediate problems of access and efficiency. However, it creates a fragmented security challenge that is far more complex than the legacy paper files it replaces. Instead of building a fortress, we are now building a sprawling, unplanned web of connections that works (in many cases beautifully) but lacks a unified security foundation.

The risk of hyper-connectivity

The danger lies in the connections. In a formalised SEHR system, you have a defined perimeter to defend. In this current ecosystem, the perimeter is non-existent.

Consider the data journey of a single patient. They might consult a doctor via a video app, receive a digital script sent to a pharmacy chain, and claim the expense via a medical aid app. That is three different organisations, three different security postures, and sensitive health data flowing between them via Application Programming Interfaces (APIs).

APIs are the digital glue that makes this interoperability possible, but they are frequently a blind spot. If a small, innovative telemedicine startup has not rigorously secured its API, it acts as an open door. A cybercriminal does not need to hack the sophisticated defences of a major hospital group. They simply need to compromise the smaller, less secure app that has legitimate access to the hospital’s database.

We are seeing a global rise in attacks targeting these "soft" entry points. Criminals are bypassing the front gate to climb through the digital window left open by a third-party vendor.

The human cost of digital fragility

We often discuss cybersecurity in terms of data privacy or financial penalties, but in the healthcare sector, the stakes are physical. The digital systems now managing our health have effectively become critical national infrastructure, and a failure here comes down to a lot more than mere inconvenience.

Leveraging technology such as the Internet of Medical Things (IoMT) delivers clear, tangible outcomes, but too often at a cost that is overlooked. IoMT devices such as IV infusion pumps, patient monitors and dialysis machines, and other MedTech devices such as incubators, X-ray machines, MRI and CT scanners, pose a high risk to any digital transformation.

Most of these systems run embedded operating systems (of different variants) and use proprietary software and communication channels to interact with Picture Archiving and Communication Systems (PACS), Radiology Information Systems (RIS) and Electronic Health Record (EHR) systems, which were traditionally deployed on premise. With the shift to cloud and the adoption of AI to improve clinical and operational processes, data protection is no longer the only concern: the growing exposure of devices and systems through a chain of interconnected systems is becoming a major concern in its own right.

Most of these devices lack modern cybersecurity protection and endpoint protection, and they have long lifecycles (10-20 years). As a result, many of these systems (more than 60% of devices) can no longer be supported by the Original Equipment Manufacturer (OEM), which makes them much easier, higher-impact targets for attackers. In fact, studies indicate that more than two thirds of IoMT devices are vulnerable to attacks, with devices hosting as many as six Known Exploited Vulnerabilities (KEVs).

Further exacerbating the situation is the risk posed beyond IT and IoMT by the introduction of Smart Facility initiatives. Hospitals are operationally complex environments that consist of many physical processes which are a crucial part of the clinical chain. Digitisation of physical elements such as Heating, Ventilation and Air Conditioning (HVAC), water processes, electrical and power infrastructure, gas systems and so on effectively connects these systems to the enterprise network, enabling centralised visibility and control via Building Management Systems (BMS).

Remote access is another concern, in that remote connectivity to systems is provided or installed by vendors and OEMs through solutions not governed by IT.

Both IoMT and Operational Technology (OT) areas commonly fall outside the remit of the SOC rendering a large portion of devices, connections and communication a massive blind spot from a cybersecurity perspective.  

Addressing these IoMT and OT challenges requires a multi-step approach consisting of:

  • Enforce clear ownership – Cybersecurity should be a Board-level priority that includes IoMT and OT.
  • Establish a complete asset inventory – real-time monitoring and reporting of all IoMT, OT and clinical systems (device type, firmware versions, physical connection details and traffic profiles).
  • Introduce proper segmentation – establish a zone-based architecture with strict control over traffic flows and communication. Importantly, ensure that the detective and preventive cybersecurity controls are capable of interpreting proprietary communication protocols.
  • Enforce Identity and Access Control:
    • Implement network access controls leveraging multiple profiling methods (not just MAC address) to mitigate rogue connections.
    • Enforce Multi-factor Authentication (where possible).
    • Enforce Privileged Access Management to establish least-privilege access, eliminate shared accounts and uncontrolled access to systems, and govern remote access through the same controls.
  • Eliminate multiple direct remote OEM connections by migrating access into a centralised access solution that removes direct access to critical systems and offers inspection and protection of activity and communication (even when encrypted).
  • Extend Patch and Vulnerability Management to IoMT, OT and MedTech infrastructure and systems – This is probably the biggest obstacle, as organisations are frequently caught between OEM-dictated operating and maintenance rules and clinical uptime SLAs. To address these challenges, it is crucial that organisations include mitigating controls in the assessment process when selecting a cybersecurity solution.
  • Amalgamate monitoring and incident detection – There is very little value to be gained in guarding your front door when your back door is left unattended. Ensure that your SOC ingests and monitors alerts across every aspect of your ecosystem, extending beyond traditional IT measures to incorporate clinical devices, infrastructure services, cloud and AI integrations.
  • Resilience and continuity – while a major focus area in healthcare, it is often approached primarily from a data recovery perspective, with very little attention to sustained operation and critical physical processes, where the real operational and patient safety risks reside.
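The asset inventory, zone-based segmentation and patching steps above are easiest to see as one check run over inventory and flow data. The following is an added example, not code from the article or from Fortinet: a constructed IoMT/OT inventory, an assumed zone policy (clinical devices talk only to the clinical application zone, the BMS/OT zone stays inside itself, vendor remote access lands on a jump zone) and a few constructed flow records. The zone names, the allowed-flow matrix, the asset fields and the IP addresses are all illustrative assumptions.

```python
"""Added example, not code from the article or from Fortinet: a zone-based
segmentation check and an OEM-support check over a constructed IoMT/OT asset
inventory. The zone names, the allowed-flow matrix, the asset fields and the
flow records are all assumptions made for illustration."""
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple

# Assumed architecture policy: which destination zones each source zone may reach.
# Clinical devices reach only the clinical application zone (PACS/RIS/EHR), the BMS/OT
# zone stays inside itself, and vendor remote access lands on a jump zone, never directly
# on a device (the "centralised access solution" of the list above).
ALLOWED_FLOWS = {
    "iomt": {"iomt", "clinical-apps"},
    "clinical-apps": {"iomt", "clinical-apps", "enterprise"},
    "ot-bms": {"ot-bms"},
    "enterprise": {"clinical-apps", "enterprise"},
    "vendor-remote": {"jump-host"},
    "jump-host": {"iomt", "ot-bms", "clinical-apps"},
}

@dataclass
class Asset:
    ip: str
    name: str
    kind: str                          # device type, e.g. "infusion-pump"
    zone: str
    firmware: str
    oem_support_until: Optional[date]  # None = the OEM no longer supports this device
    mitigations: Tuple[str, ...] = ()  # compensating controls recorded for the device

# Constructed inventory entries (the fields the list names: type, firmware, connection, profile).
INVENTORY = {
    "10.10.1.5": Asset("10.10.1.5", "pump-ward3-01", "infusion-pump", "iomt", "4.2.1", date(2021, 6, 30)),
    "10.10.1.9": Asset("10.10.1.9", "monitor-icu-02", "patient-monitor", "iomt", "7.0.3", date(2029, 1, 1)),
    "10.20.5.2": Asset("10.20.5.2", "pacs-01", "pacs-server", "clinical-apps", "12.1", date(2028, 12, 31)),
    "10.30.2.4": Asset("10.30.2.4", "hvac-theatre", "hvac-controller", "ot-bms", "2.0", None, ("ips-virtual-patch",)),
    "10.40.0.8": Asset("10.40.0.8", "jump-01", "jump-host", "jump-host", "n/a", date(2030, 1, 1)),
}

def zone_of(ip):
    asset = INVENTORY.get(ip)
    return asset.zone if asset else "unknown"

def check_flows(flows):
    """Return (src, dst, reason) for every flow the zone policy does not permit.
    A flow is (src_ip, dst_ip, dst_port); an endpoint missing from the inventory is
    itself a finding, because an unknown device is exactly the blind spot to close."""
    findings = []
    for src, dst, port in flows:
        sz, dz = zone_of(src), zone_of(dst)
        if "unknown" in (sz, dz):
            findings.append((src, dst, f"endpoint not in inventory (src={sz}, dst={dz})"))
        elif dz not in ALLOWED_FLOWS.get(sz, set()):
            findings.append((src, dst, f"{sz} -> {dz} on port {port} not permitted by zone policy"))
    return findings

def unsupported_without_mitigation(today_iso):
    """Names of devices past OEM support that have no compensating control recorded:
    the patching gap the list describes, where a mitigating control must stand in."""
    today = date.fromisoformat(today_iso)
    return [
        a.name for a in INVENTORY.values()
        if (a.oem_support_until is None or a.oem_support_until < today) and not a.mitigations
    ]

# Constructed flow records, as a NetFlow or tap feed might summarise them.
SAMPLE_FLOWS = [
    ("10.10.1.5", "10.20.5.2", 104),   # pump -> PACS: DICOM to the clinical app zone, permitted
    ("10.30.2.4", "10.20.5.2", 445),   # HVAC controller -> PACS: OT crossing into a clinical zone
    ("10.40.0.8", "10.10.1.9", 22),    # jump host -> monitor: vendor maintenance via the jump zone
    ("192.0.2.77", "10.10.1.5", 443),  # address not in inventory -> pump
]

if __name__ == "__main__":
    for src, dst, reason in check_flows(SAMPLE_FLOWS):
        print(f"FLOW {src} -> {dst}: {reason}")
    print("unsupported without mitigation:", unsupported_without_mitigation("2026-02-24"))
```

Two of the four constructed flows are flagged: the BMS controller reaching the PACS server, and a source address that is not in the inventory at all. The end-of-life infusion pump is reported because nothing compensates for its missing patches, while the equally unsupported HVAC controller is not, because a compensating control is recorded against it; that is the distinction the patch-management step asks organisations to make when OEM rules and uptime SLAs rule out patching.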

The potential consequences of a cyber incident extend far beyond data loss. When the digital backbone fractures, the impact can be immediate and physical: surgeries could be postponed if theatre schedules become inaccessible; critical treatments might be delayed if diagnostic results cannot be retrieved; and patient access to care could be cut off if booking portals go dark.

The efficiency we gain from this web of apps becomes a single point of failure if not secured. If the "shadow" web of private tools that now supports our healthcare collapses or is breached, it turns a solution for access into a hazard for patient safety.

Identity is the new perimeter

The on-demand model also introduces a unique identity challenge. Doctors are now logging into multiple disparate systems daily, often using personal devices. This fragmentation makes Identity and Access Management (IAM) critical.

If a doctor uses the same password for a secure insurer platform as they do for a less secure scheduling app, a breach in one compromises the other. In a country where 1 800 qualified doctors couldn’t find work after completing all statutory prerequisites, the gig-economy model of telemedicine provides a vital lifeline for careers, but it also means the "human firewall" is moving between organisations constantly.

This reality demands a Zero Trust approach. In the past, we trusted anyone who was "inside" the network. Today, we must assume that every device and every user is potentially compromised until proven otherwise.

Zero Trust means that when a doctor’s tablet requests access to a patient record, the system does not just check the password. It checks the context. Is this request coming from a known device? Is it coming from a usual location? Is the device free of malware? If the answer to any of these is no, access is denied, even if the password is correct.
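The context checks in the paragraph above can be expressed as a single policy decision that records every failed signal rather than stopping at the password. The block below is an added example, not code from the article or from Fortinet: the device registry, the posture report format, the location data and the policy itself are assumptions made for illustration.

```python
"""Added example, not code from the article or from Fortinet: a context-aware
access decision of the kind the Zero Trust paragraph describes. The device
registry, the posture report format, the location data and the policy itself are
assumptions made for illustration."""
from dataclasses import dataclass
import json

@dataclass(frozen=True)
class AccessRequest:
    user: str
    password_ok: bool      # outcome of the credential check done upstream
    device_id: str
    country: str           # coarse location derived from the connecting address
    posture: dict          # assumed report from a device agent (e.g. {"malware_free": True})

# Constructed registry: device id -> (owner, enrolled in management)
KNOWN_DEVICES = {
    "tab-7f3a": ("dr.naidoo", True),
    "tab-0c11": ("dr.naidoo", False),   # registered but never enrolled, so posture is unverifiable
}
# Constructed: countries each user normally connects from.
USUAL_COUNTRIES = {"dr.naidoo": {"ZA"}}
# Constructed: posture facts the policy requires before patient data is released.
REQUIRED_POSTURE = {"malware_free": True, "disk_encrypted": True}

def evaluate(req):
    """Return (allowed, reasons). Every failed check is recorded rather than stopping
    at the first one, so the denial that reaches the SOC explains itself."""
    reasons = []
    if not req.password_ok:
        reasons.append("credential check failed")
    owner, enrolled = KNOWN_DEVICES.get(req.device_id, (None, False))
    if owner != req.user or not enrolled:
        reasons.append(f"device {req.device_id} not enrolled for {req.user}")
    if req.country not in USUAL_COUNTRIES.get(req.user, set()):
        reasons.append(f"unusual location {req.country}")
    for key, wanted in REQUIRED_POSTURE.items():
        if req.posture.get(key) is not wanted:
            reasons.append(f"posture check {key} failed")
    return (not reasons, reasons)

def decision_record(req, resource):
    """One JSON line per decision, in a shape a SOC pipeline could ingest."""
    allowed, reasons = evaluate(req)
    return json.dumps({
        "user": req.user, "device": req.device_id, "resource": resource,
        "decision": "allow" if allowed else "deny", "reasons": reasons,
    })

# Constructed requests: a normal one and two with a correct password but bad context.
GOOD = AccessRequest("dr.naidoo", True, "tab-7f3a", "ZA",
                     {"malware_free": True, "disk_encrypted": True})
UNENROLLED = AccessRequest("dr.naidoo", True, "tab-0c11", "ZA",
                           {"malware_free": True, "disk_encrypted": True})
ABROAD_INFECTED = AccessRequest("dr.naidoo", True, "tab-7f3a", "XX",
                                {"malware_free": False, "disk_encrypted": True})

if __name__ == "__main__":
    for req in (GOOD, UNENROLLED, ABROAD_INFECTED):
        print(decision_record(req, "patient-record/12345"))
```

All three constructed requests carry a correct password; only the first is allowed. The unenrolled tablet is denied because its posture cannot be vouched for, and the third request is denied on two independent grounds, an unusual location and a failed malware check, both of which appear in the decision record.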

Hardening the applications

For the developers and organisations building these health tools, the focus must shift to "Application Security" (AppSec). Security cannot be a final check before an app goes live. It must be integral to the code itself.

Many of these health apps are built for speed to market. In the rush to launch a new feature that lets patients book appointments online, developers might inadvertently leave an API key exposed or fail to encrypt data stored locally on the phone. Automated testing tools can now scan code as it is being written, acting as a spell-checker for security flaws. This prevents vulnerabilities from ever reaching the public.
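The "spell-checker for security flaws" idea above is concrete enough to show in code. The block below is an added example, not code from the article or from Fortinet, of a small scanner that can run as a pre-commit gate and flag hard-coded credentials in source text; the patterns, the masking rule, the sample module and every value in it are assumptions made for illustration, and none of the sample values are real secrets.

```python
"""Added example, not code from the article or from Fortinet: a small
"spell-checker for secrets" that scans source text as it is written and flags
hard-coded credentials, the kind of defect the paragraph describes. The patterns,
the masking rule and the sample source are assumptions made for illustration."""
import re
import sys

# (finding kind, pattern). The first catches quoted literals assigned to credential-like
# names; the second is the documented AWS access key id prefix; the third a literal bearer token.
PATTERNS = [
    ("hard-coded credential",
     re.compile(r'(?i)\b(api[_-]?key|secret|password|token)["\']?\s*[:=]\s*["\']([^"\']{8,})["\']')),
    ("AWS access key id", re.compile(r'\b(AKIA[0-9A-Z]{16})\b')),
    ("bearer token literal",
     re.compile(r'(?i)authorization["\']?\s*[:=]\s*["\']bearer\s+([A-Za-z0-9._-]{16,})')),
]

def mask(value):
    """Keep only a short prefix so the finding is recognisable without re-leaking the secret."""
    return value[:4] + "*" * max(len(value) - 4, 4)

def scan_source(text):
    """Return (line_number, kind, masked_value) for each suspicious line.
    Lines that read the value from the environment or a vault hold no quoted literal
    and therefore do not match; that is the fix the scanner is nudging towards."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS:
            m = pattern.search(line)
            if m:
                findings.append((lineno, kind, mask(m.group(m.lastindex))))
                break   # one finding per line is enough for a pre-commit gate
    return findings

# Constructed sample of a booking-feature module; none of these values are real secrets.
SAMPLE_SOURCE = '''import os
API_KEY = "sk_live_51HcEXAMPLE0000000000"
db_password = os.environ["DB_PASSWORD"]
AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
headers = {"Authorization": "Bearer eyJhbGciOiJIUzI1NiJ9.constructed.payload"}
'''

if __name__ == "__main__":
    # Usage: python scan_secrets.py file.py ... ; with no files given, scans the built-in sample.
    sources = [open(p, encoding="utf-8").read() for p in sys.argv[1:]] or [SAMPLE_SOURCE]
    exit_code = 0
    for text in sources:
        for lineno, kind, shown in scan_source(text):
            print(f"line {lineno}: {kind}: {shown}")
            exit_code = 1
    sys.exit(exit_code)
```

Run against the constructed module, the scanner reports lines 2, 4 and 5 and leaves line 3 alone, because reading the password from the environment produces no quoted literal. A non-zero exit status is what lets a pre-commit hook or CI job block the commit, which is the point at which the paragraph says the flaw should be caught.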

Stabilising the hybrid reality

The delay of the official SEHR does not mean we have time to relax. It means we are locked into a much longer period of hybrid risk. We will have paper files, legacy government servers, and cutting-edge private apps all trying to coexist for the next decade or more.

The organisations that survive this transition will be the ones that stop waiting for a national master plan to dictate their security standards. They will realise that in a world of shadow digitisation, they are responsible for their own data sovereignty.

We need to secure the healthcare system we have, not the one we are waiting for. That means securing the API connections, validating every identity, and hardening the apps that millions of South Africans are already using to manage their lives.
