In consultation with the Ghana Health Service Information Communication and Technology Unit of the Policy Planning, Monitoring, and Evaluation Division (ICT/PPMED), CHISU engaged the information technology training institute Open Labs to conduct a three-week in-person training on cybersecurity and server administration for national-level ICT staff in January 2023. The training covered a basic understanding of cybersecurity and ethical hacking, foot-printing and reconnaissance, hacking web applications, introduction to cloud computing, and cryptography.
The training was divided in two sessions: database administration using Postgre and Linux operating system administration. Participants were taken through key concepts of Internet networks and the types, standards, configurations, encryption and authentication protocols. The training highlighted the most recommended online safety measures. Several threats against wireless networks - including evil twin, brute force, and rogue access point threats - were also discussed.
Overview of Ghana DHIMS2
In Ghana, the District Health Information Management System (DHIMS2) collects, collates and stores health service delivery data across the country. DHIMS2 e-Trackers capture transactional and granular data, with eight instances currently deployed in the country: National Tuberculosis Control Program (NTP), National AIDS Control Program (NACP), Early Infant Diagnosis (EID), MCH/FP, Community-based Health Planning and Services (CHPS), Malaria Outpatient Department (OPD), Functional Community-based Health Planning and Services (fCHPS), Medical Causes of Death Certificate, and COVID-19 vaccination.
One of the known causes of server dysfunction and subsequent possible data loss in a hybrid system such as an e-Tracker (available both as an online/offline mobile and web application) is its vulnerability to malignant intrusions and hacking on the network and the server. Although DHIMS2 has inbuilt security mechanisms - such as two-factor authentication - to curtail hacking and ensure both authentication and authorization, shortfalls in network and domain administration could still make the system vulnerable.
The Ghana Health Service ICT/PPMED identified cybersecurity and data protection as a priority and sought the assistance of the USAID Country Health Information Systems and Data Use (CHISU) program to train staff in these areas.
Topics covered during the training in January included an introduction to relational databases, creating databases, tables, functions, procedures and triggers, implementing indexes and views, managing users and views, and backup and restoration. The Linux Operating System Administration session covered Linux distribution, files and folder management, working with users and permissions, scheduling and automation using CRON, shell scripting, disk management, and web hosting.
The activity contributed to the enhancement of the national-level capacity to better manage and protect the health information systems of the Ghana Health Services, including the DHIMS2 and various e-Tracker modules against external intrusions. The Head of the ICT Unit, who also took part in the training, made very positive remarks:
“I acquired excellent knowledge in cybersecurity in these three weeks of intensive training with Open Labs. Training instructors were well versed in the subject matter and had many years of experience in cybersecurity. The practical sessions made me appreciate this course's value and the need for IT security awareness among health workers. Cybersecurity is a course for all, not only IT professionals. Now I have what it takes to fully protect and manage health data against internal and external threats.”
Another participant, Selorm Nutakor, said that the course was exciting and challenging, adding: “This is my first training in cybersecurity, and I have learned a lot. The lectures were insightful and carefully designed for practical use. I advise that we give this training more time in the future. Additionally, I recommend continuous capacity building and skills upgrades in cybersecurity or any other area for the staff of the ICT unit.”
To sustain the gains made, CHISU is providing additional support to the Ghana Health Service to develop a cybersecurity awareness and data protection training manual for in-service training. Once developed, the manual will be used to periodically train healthcare service providers, IT and non-IT staff across the country to enhance their capacity in safeguarding health management information data or information generated during service provision, including surveillance, monitoring and evaluation data.