Keywords: Health Data Sovereignty, Cybersecurity, Artificial Intelligence Governance, Digital Health, Ghana
By: Rebecca Yakubu Akatue, PhD
Introduction
Ghana’s healthcare system has experienced a significant digital transformation over the past two decades. Many healthcare facilities now rely on Electronic Health Records (EHRs), the National Health Insurance Scheme (NHIS) increasingly processes paperless claims, and Artificial Intelligence (AI) is beginning to support clinical diagnostics and decision-making in major healthcare institutions. These innovations promise greater efficiency, enhanced service delivery, and improved patient outcomes. However, the mechanisms required to protect sensitive health information have not evolved at the same pace.
Today, a single mistaken click by a healthcare worker can expose thousands of patient records. A fraudulent email disguised as an NHIS communication can disrupt hospital operations for weeks. Likewise, AI systems may collect, process, and learn from sensitive patient information without adequate consent mechanisms, accountability structures, or governance frameworks. Globally, healthcare remains the most expensive sector for data breaches, with the average cost of a breach reaching US$10.93 million in 2023 (IBM Security, 2023).
In Ghana, the National Cyber Security Centre (NCSC) recorded 1,213 cyber incidents in 2023, with the health and financial sectors among the most frequently targeted (National Cyber Security Centre [NCSC], 2024). Despite these growing threats, many healthcare institutions continue to operate with limited capacity for cyber threat detection, response, and recovery.
Drawing on doctoral research conducted across three administrative regions of Ghana in 2023, this article proposes the Governance–Deterrence–Trust (GDT), Public Health Model (PHM), and Protection Motivation Theory (PMT) Framework as a practical and context-specific approach to safeguarding health data sovereignty in an era of AI-driven healthcare and rapid digital transformation.

Key Findings From the 2023 Research
An exploratory mixed-methods study involving active members of the National Health Insurance Scheme (N¹ = 412), healthcare facilities (N² = 42), and cybersecurity practitioners (N³ = 25) across three administrative regions of Ghana revealed several critical vulnerabilities within the country’s evolving digital health ecosystem.
Human Factors Remain the Greatest Risk
The study found that approximately 50% of reported EHR breaches were attributable to human error. These incidents included weak password practices, accidental disclosure of sensitive information, and susceptibility to phishing attacks. The findings highlight the continuing importance of human behaviour in cybersecurity risk management.
Significant Countermeasure Gaps Persist
Only 21.4% of healthcare facilities had implemented both technical and non-technical cybersecurity safeguards. This finding suggests substantial weaknesses in organisational preparedness, resilience, and overall cybersecurity maturity.
Cyber Threats Affect Facilities of All Sizes
Both large teaching hospitals and smaller health centres reported cybersecurity incidents and vulnerabilities, demonstrating that no healthcare facility is immune from digital threats regardless of its size, resources, or location.
Privacy and Consent Concerns Are Widespread
Approximately 70% of respondents expressed concern about the use of their health information without their knowledge or consent. This finding points to a growing trust deficit within Ghana’s digital health ecosystem and underscores the need for stronger privacy protections.
AI Adoption Is Outpacing Governance
AI technologies are increasingly being introduced into healthcare settings without comprehensive policies governing informed consent, data storage, accountability, transparency, auditing, and oversight. This governance gap poses significant risks to patient rights and data sovereignty.
Digitised Claims Systems Remain Vulnerable
The research identified vulnerabilities within digital claims processing systems, including duplicate claims, identity fraud, and other forms of abuse that threaten the sustainability of health financing mechanisms. As AI becomes more deeply integrated into healthcare delivery, these vulnerabilities may become even more pronounced if robust safeguards are not established.
The GDT–PHM–PMT Framework
1. Governance, Deterrence, and Trust (GDT)
Governance
The Ministry of Health should develop and implement a comprehensive National Health Cybersecurity and AI Governance Policy by 2027. Every healthcare facility should appoint a dedicated Data Security Officer and maintain auditable records of all access to patient information.
Strong governance structures are essential for ensuring accountability, standardisation, and regulatory compliance across the health sector.
Deterrence
The Data Protection Commission should strengthen enforcement mechanisms by establishing and consistently applying sanctions for data breaches, unauthorised access, misuse of health information, and inappropriate deployment of AI systems.
Effective enforcement promotes accountability and discourages negligent or malicious behaviour.
Trust
Public confidence in digital healthcare depends on transparency. Healthcare institutions should publish annual reports detailing cybersecurity incidents, AI deployments, mitigation measures, and lessons learned.
Similarly, the National Health Insurance Authority (NHIA) should publish quarterly reports on claims fraud investigations and outcomes. Transparency strengthens trust between citizens and health institutions while reinforcing accountability.

2. Public Health Model (PHM): Surveillance as the Central Pillar
Cybersecurity threats, privacy violations, and claims fraud should be treated in much the same way as disease outbreaks—identified early, monitored continuously, and addressed systematically.
Surveillance: Early Warning and Detection
At the centre of this framework is the proposed establishment of a National Health Cyber and AI Threat Surveillance Network by 2027.
Led by the Ghana Health Service, the network would collect real-time information on:
– Phishing attacks
– Unauthorised system access
– AI-related misuse
– Data breaches
– Suspicious claims activities
Data would be continuously analysed to identify emerging trends and detect potential “outbreaks” before they escalate into large-scale incidents. Monthly Health Cyber Threat Bulletins could provide timely intelligence and guidance to healthcare facilities nationwide.
The 2023 study revealed that many cybersecurity incidents remained undetected for up to three weeks. Reducing this detection gap is critical to minimising operational, financial, and reputational damage.
Prevention
Before any Electronic Medical Record (EMR) system or AI solution is deployed, it should undergo a standardised Digital Transition Security Assessment covering:
– Encryption standards
– Access control mechanisms
– User authentication requirements
– Staff training protocols
– AI governance safeguards
– Incident response procedures
Preventive measures can substantially reduce the human-error-related breaches identified in the study.
Education
Cybersecurity awareness should be approached as a public health intervention.
The Ministry of Health and the Ghana Health Service can utilise radio, television, community outreach programmes, SMS campaigns, and digital platforms to educate citizens on:
– Protecting NHIS credentials
– Understanding consent procedures
– Recognising phishing attempts
– Reporting suspicious activities
Healthcare workers should also undergo mandatory annual training on cybersecurity, privacy protection, and responsible AI use.

Information Sharing
Threat intelligence must move rapidly across the health sector.
For example, if a phishing campaign is detected in Tamale, healthcare facilities in Kumasi, Accra, Cape Coast, and other regions should receive alerts within hours rather than weeks. Rapid information sharing can prevent localised incidents from becoming nationwide crises.
Response
Healthcare institutions should implement automated monitoring systems capable of identifying:
– Unusual data access patterns
– Suspicious billing activities
– Potential AI misuse
– Insider threats
Once detected, incidents should trigger rapid response procedures, including containment, investigation, recovery, and post-incident review. Early intervention prevents minor incidents from escalating into national emergencies.
3. Protection Motivation Theory (PMT)
Technology alone cannot solve cybersecurity challenges. Human behaviour remains a decisive factor.
Protection Motivation Theory focuses on changing behaviour by increasing awareness of threats while providing simple and practical actions that individuals can take to protect themselves and their organisations.
Healthcare workers should receive clear guidance such as:
– Do not click suspicious links.
– Report unusual emails immediately.
– Verify requests for sensitive information.
– Follow approved data protection procedures.
Citizens should be encouraged to:
– Review NHIS notifications regularly.
– Seek clarification before providing consent.
– Report suspected misuse of their health information.
– Protect personal health credentials.
When threats are understood and protective actions are simple and achievable, compliance improves significantly.
Addressing NHIA Claims Fraud
The research identified growing vulnerabilities within digital claims management systems. The GDT–PHM–PMT framework addresses these risks through three complementary pathways.
GDT Approach
– Real-time audit trails
– Strong accountability mechanisms
– Clear sanctions for fraudulent activities
PHM Approach
– Analytics-driven monitoring of billing patterns
– Early warning systems for abnormal claims activity
– Rapid investigation and quarantine of suspicious providers
PMT Approach
– Continuous training for NHIA and healthcare facility staff
– Public education encouraging beneficiaries to verify services received
– Accessible citizen reporting mechanisms for suspicious claims
Together, these interventions create a multilayered defence against claims fraud and abuse.
Policy Recommendations (2026–2030)
Ministry of Health
Mandate annual cybersecurity, data protection, and AI ethics training for all healthcare workers beginning in 2027.
Ghana Health Service
Establish a National Health Cyber and AI Threat Surveillance Network by 2027.
Data Protection Commission and Ghana Health Service
Require explicit informed consent for AI applications, health data sharing, and research activities involving personal health information.
National Health Insurance Authority
Deploy real-time claims auditing systems and biometric verification mechanisms, and publish quarterly fraud monitoring reports.
Healthcare Facilities
Implement a Digital Transition Cybersecurity and AI Readiness Checklist before introducing new digital systems.
Citizens
Demand transparency regarding data protection measures, AI applications, and the collection, storage, and use of personal health information.
Conclusion
The GDT–PHM–PMT Framework offers a practical, evidence-based, and locally relevant approach to protecting health data sovereignty in Ghana.
By applying established public health principles—surveillance, prevention, education, information sharing, and rapid response—to cybersecurity and AI governance, Ghana can strengthen its resilience against emerging digital threats while fostering public trust in digital healthcare systems.
As AI adoption accelerates and healthcare systems become increasingly interconnected, the findings from the 2023 research underscore the urgency of action. Health data sovereignty is not merely about securing information; it is about ensuring that health data remains protected, private, and used only with informed consent and appropriate oversight.
A secure digital health future for Ghana will depend not only on technological innovation but also on effective governance, accountability, public trust, and the responsible implementation of emerging technologies.
References
Author. (2023). Cyberthreat and privacy concerns in healthcare delivery in Ghana (Unpublished doctoral dissertation). Kofi Annan International Peacekeeping Training Centre.
IBM Security. (2023). Cost of a data breach report 2023. IBM Security.
National Cyber Security Centre. (2024). Ghana cybersecurity report 2023. National Cyber Security Centre.
World Health Organization. (2021). Ethics and governance of artificial intelligence for health. World Health Organization.