Where There is No CISO.

Globally, health information security and associated topics have received considerable attention from both professionals and the academic community. The literature on the threats and mitigations when it comes to developing countries is scarce, and tends to focus on issues such as cryptographic techniques for secure safe data transmission or patients’ perceptions of data confidentiality. However, investigation of health information threats in relation to the local context has received less attention. In this paper we reflect on a long-term and global action research project that presents different perspectives on information security. Operating in environments of absent or obsolete relevant jurisdiction, poor institutional capacity for adherence and oversight, and limited awareness of appropriate security and confidentiality issues, we note unique security and confidentiality threats “where there is no CISO”. We reflect on mitigations adopted over the years to counter rising threats, and provide recommendations for practice and further research in this regard.