{"id":207259,"date":"2026-04-30T00:48:00","date_gmt":"2026-04-30T04:48:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/04\/30\/what-happens-when-we-disregard-ict4d-cybersecurity-risks\/"},"modified":"2026-04-30T01:15:17","modified_gmt":"2026-04-30T05:15:17","slug":"what-happens-when-we-disregard-ict4d-cybersecurity-risks","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/04\/30\/what-happens-when-we-disregard-ict4d-cybersecurity-risks\/","title":{"rendered":"What Happens When We Disregard ICT4D Cybersecurity Risks"},"content":{"rendered":"<p><a href=\"https:\/\/www.ictworks.org\/we-built-digital-health-systems-without-securing-them-now-constituents-are-paying-for-it\/\">What Happens When We Disregard ICT4D Cybersecurity Risks<\/a><\/p>\n<p><a href=\"https:\/\/www.ictworks.org\/we-built-digital-health-systems-without-securing-them-now-constituents-are-paying-for-it\/\">https:\/\/www.ictworks.org\/we-built-digital-health-systems-without-securing-them-now-constituents-are-paying-for-it\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-04-30 00:48:00<\/a><\/p>\n<p>Source Domain: <a href=\"www.ictworks.org\">www.ictworks.org<\/a><\/p>\n<p>The development sector is proud of what it has built. DHIS2 runs national health information systems in more than 80 countries. CommCare supports community health workers at scale. Safaricom-backed M-Tiba distributed insurance benefits and government health subsidies to millions of Kenyans. 
These are real achievements.<br \/>\nThey are also real targets.<br \/>\nIn October 2025, a threat actor claimed to have stolen more than 2.15 terabytes of data from M-Tiba\u2019s servers, including patients\u2019 names, national ID numbers, dates of birth, phone contacts, medical diagnoses, and billing information, affecting up to 4.8 million users.<br \/>\nKenya\u2019s Office of the Data Protection Commissioner confirmed it had opened an investigation. This happened two months after M-Tiba announced it had received ISO 27001 certification for its information security management.<br \/>\nIn June 2024, the BlackSuit ransomware group brought down South Africa\u2019s National Health Laboratory Service after a single employee clicked a phishing link. The NHLS runs 265 laboratories serving roughly 80% of South Africa\u2019s population.<br \/>\nThe attack delayed an estimated 6.3 million blood tests. HIV, TB, and mpox diagnostics stalled. The NHLS later admitted its systems were \u201cin no way geared to counter\u201d the attack.<br \/>\nNo donor has been held accountable for either failure. No implementing partner has faced a regulatory penalty. The people whose data was exposed had no notification, no legal recourse, and no recourse at all.<br \/>\nThat is the scandal. Not the breaches. The accountability structure that makes them inevitable.<br \/>\nWe\u2019ve Known of Cybersecurity Threats for Years.<br \/>\nUSAID formally recognized cybersecurity as a development challenge in its 2020 Digital Strategy. Its 2023 Cybersecurity Primer stated that every USAID activity and program must consider cybersecurity as a strategic and operational matter. 
The Principles for Digital Development include a dedicated principle on privacy and security.<br \/>\nNone of this requires anything.<\/p>\n<p>There is no mandated budget line for security in digital projects.<br \/>\nNo penetration testing requirement before deployment.<br \/>\nNo security audit required at program closeout.<br \/>\nNo donor publicly discloses what percentage of its digital health portfolio has undergone independent security review.<\/p>\n<p>The commercial IT sector treats 10-15% of total IT budget as a baseline security allocation. No comparable standard exists for development-funded digital systems, because no one publishes the data.<br \/>\nThe sector does not measure what it does not believe it owns.<br \/>\nNetHope\u2019s 2023 State of Humanitarian and Development Cybersecurity found that 66% of surveyed nonprofit members reported their cybersecurity programs were underfunded, and 65% were not confident in their cybersecurity posture. Its 2025 report noted a 241% increase in cyberattacks against civil society organizations between 2024 and 2025.<br \/>\nWe have had this data for years. The sector wrote recommendations. No one changed the funding requirements.<br \/>\nScale Without Security Is Just a Bigger Attack Surface<br \/>\nHere is what I find most troubling about the current conversation around digital health global goods. We celebrate the reach. DHIS2 in 80 countries. OpenMRS serving millions. These are cited as evidence that open-source development models work.<br \/>\nThey also mean that a vulnerability in a national deployment of any of these platforms is a vulnerability affecting a country\u2019s entire health information infrastructure.<br \/>\nDHIS2 has a dedicated security team, a vulnerability disclosure policy, and solid platform-level security documentation. What it does not publish is results of independent penetration tests on national deployments. Neither does OpenMRS. 
Neither does CommCare.<br \/>\nPlatform-level security and deployment-level security are not the same thing.<br \/>\nThe NHLS ran TrakCare, a commercial laboratory information system, from one of Africa\u2019s most sophisticated regulatory environments, under the Protection of Personal Information Act, with an Information Regulator and a national CSIRT.<br \/>\nIt was still brought down by a phishing email. The framework existed. The operational investment did not.<br \/>\nINTERPOL\u2019s 2025 Africa Cyberthreat Assessment found that 90% of African countries require significant upgrades to law enforcement and prosecution capacity.<br \/>\nRansomware detections in Africa rose sharply in 2024.<\/p>\n<p>South Africa recording nearly 18,000 detections<br \/>\nKenya more than 3,000.<br \/>\nIn Tanzania, deepfake-driven fraud surged 317% in a single year.<br \/>\nIn Nigeria, financial institutions lost the equivalent of roughly $35 million to fraud, a 196% increase over five years.<\/p>\n<p>Donors know this threat environment. It is not a surprise. Deploying systems into it without security requirements is a choice.<br \/>\nWho Actually Gets Hurt: Constituents<br \/>\nWhen M-Tiba\u2019s data was stolen, the records exposed included HIV status, diagnoses, and insurance information. In contexts where HIV disclosure can cost someone their employment, their relationships, or their safety, this is not an abstract privacy violation.<br \/>\nNo affected user had been notified as of the most recent reporting. The operator neither confirmed nor denied the breach.<br \/>\nWhen the NHLS went offline in South Africa, a peer-reviewed account in the South African Medical Journal documented the clinical impact at Tygerberg Hospital alone. 
The patients affected were overwhelmingly from the public health system, which serves people who have no private alternative.<br \/>\nThe pattern is consistent across incidents: the populations development programs were built to serve bear the full cost of security failures, with no legal recourse directed at the organizations that built, funded, or implemented the systems.<br \/>\nI have found no case in which a donor or implementing partner faced regulatory sanction or legal action for a data breach affecting beneficiary populations in an LMIC. That absence is not evidence of good practice. It is evidence that no accountability mechanism currently operates.<br \/>\nWhat Accountability Would Look Like<br \/>\nI want to be clear that the problem here is structural, not individual. Program managers are not negligent; they are working within incentive structures that treat security as overhead. The fix requires changing those structures at the donor level.<br \/>\nImproving digital development cybersecurity outcomes requires treating security as a structural requirement, not a professional development topic.<br \/>\nNetHope\u2019s Digital Protection Program demonstrates that collective infrastructure, shared threat intelligence, and funded capacity are achievable. The sector has not adopted these approaches at scale because donors have not required it.<br \/>\nCertification and frameworks are necessary conditions, not sufficient ones. The sufficient condition is sustained, funded, audited operational security. 
That requires donors to stop treating it as optional.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>What Happens When We Disregard ICT4D Cybersecurity Risks https:\/\/www.ictworks.org\/we-built-digital-health-systems-without-securing-them-now-constituents-are-paying-for-it\/ Publish Date: 2026-04-30 00:48:00 Source Domain:&#8230;<\/p>\n","protected":false},"author":1,"featured_media":207260,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/i0.wp.com\/www.ictworks.org\/wp-content\/uploads\/2018\/01\/cybersecurity-ngo.png?fit=640%2C356&ssl=1","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[30,24,25,34,27],"class_list":["post-207259","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-breach","tag-cybersecurity","tag-phishing","tag-threat-actor","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/207259"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=207259"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/207259\/revisions"}],"predecessor-version":[{"id":207261,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/207259\/revisions\/207261"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/207260"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/in
dex.php\/wp-json\/wp\/v2\/media?parent=207259"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=207259"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=207259"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}