The Role of Cybersecurity Education in Nigeria’s Healthcare Sector
Keywords
Cybersecurity, Electronic medical records, Cybersecurity education
Abstract
Background: Nigeria’s uptake of digital health through electronic records, telemedicine and connected devices has expanded the cyber-attack surface of health facilities. Cybersecurity failures are not only data-governance problems; they can interrupt prescribing, diagnostics, referral pathways and emergency workflows, with downstream implications for patient safety and trust. Evidence from hospital incidents shows that ransomware and recovery efforts can disrupt services and degrade the timeliness of care when staff are unprepared, underscoring the need to treat cyber resilience as a clinical quality domain.
Main Argument: This letter argues that the most scalable risk reduction in low-resource settings is workforce capability: many healthcare breaches exploit human and workflow weaknesses rather than novel technical exploits. We outline a minimum, role-based cybersecurity education package for medical students and practicing clinicians covering: (1) governance, policies and third-party risk management; (2) core technical controls clinicians encounter daily (access control, encryption, patching, segmentation and logging); (3) training and awareness focused on phishing, social engineering and safe downtime workarounds; (4) incident response and recovery integrated into clinical continuity planning; and (5) compliance and ethics aligned to Nigeria’s data protection requirements.
Conclusion: Embedding these competencies in curricula, accreditation and continuing professional development, reinforced through drills and monitoring, can protect sensitive information and keep essential services running during disruption.
