Ghana’s health sector has used electronic health records (EHRs) for decades, yet the security systems meant to protect those records have not kept pace with digitisation. As AI‑driven diagnostics expand and NHIS claims move fully online, the guardrails around health data remain dangerously weak. Drawing on 2023 doctoral research across three regions, this article proposes the GDT → PHM → PMT framework as a practical pathway for safeguarding Ghana’s health data sovereignty.
The research revealed that 50% of EHR breaches stemmed from human error, only 21.4% of facilities had full countermeasures, and 70% of citizens feared their health data could be used without consent. With AI tools now entering hospitals at scale, the consequences of weak governance could be even more severe.
The proposed framework integrates Governance–Deterrence–Trust (GDT), a Public Health Model (PHM) with surveillance as its core pillar, and Protection Motivation Theory (PMT) to address AI risks, privacy violations, human error, and NHIA claims fraud. Policy recommendations for 2026–2030 include mandatory cybersecurity training, a National Health Cyber & AI Threat Surveillance Network, and explicit consent for AI use.
Keywords: Health data sovereignty, cybersecurity, AI governance, Ghana
Introduction
For years, many health facilities in Ghana have relied on electronic health records. But while patient files have gone digital, data security has not scaled with the data. NHIS claims are now paperless, AI is reading X‑rays in major hospitals, and patient information moves across networks daily.
This creates new vulnerabilities. A single wrong click by a nurse can expose 10,000 patient files. A fake “NHIS update” email can shut down a regional hospital. An AI tool deployed without a consent process can quietly train itself on patient scans.
Globally, the average cost of a health data breach reached $10.93 million in 2023, the highest of any sector. In Ghana, the National Cyber Security Centre recorded 1,213 cyber incidents in 2023, with health and finance among the most targeted sectors. Yet most health facilities lack basic detection and response capacity.
This article presents the GDT → PHM → PMT framework as a homegrown response. Built from doctoral research across three regions, it offers the Ministry of Health, NHIA, and health facilities a practical roadmap for protecting data, reducing fraud, and building public trust as digital transformation accelerates.
Key Findings from 2023 Research
- Human Factors Dominate Risk: 50% of EHR breaches resulted from human error.
- Countermeasure Gap: Only 21.4% of facilities had both technical and non‑technical safeguards.
- Threats Were Universal: Large teaching hospitals and small clinics faced similar vulnerabilities.
- Consent Crisis: 70% of citizens feared their health data could be used without consent.
- AI Without Governance: AI tools entered hospitals with no policies on storage, consent, or audits.
- Claims Fraud Risks: Digitisation increased duplicate claims, identity fraud, and billing anomalies.
The GDT → PHM → PMT Framework
1. Governance, Deterrence, Trust (GDT)
Governance
- Ministry of Health to issue a national Cybersecurity + AI Policy by 2027.
- Every facility appoints a Data Security Officer.
- Mandatory audit logs for all patient data access.
Deterrence
- Data Protection Commission publishes sanctions for breaches and unauthorized AI use.
- Visible enforcement increases perceived risk and reduces negligence.
Trust
- Facilities publish annual reports on breaches, AI use, and corrective actions.
- NHIA publishes quarterly fraud reports.
- Transparency builds public confidence.
2. Public Health Model (PHM) — With Surveillance as the Core Pillar
Cyber threats, privacy violations, and claims fraud should be treated like disease outbreaks. Surveillance becomes the backbone of the response.
Surveillance: Early Warning and Detection
- Establish a National Health Cyber & AI Threat Surveillance Network by 2027.
- Collect real‑time data on phishing, unauthorized access, AI misuse, and claims anomalies.
- Publish monthly “Health Cyber Threat Bulletins”.
- 2023 data showed breaches went undetected for three weeks — surveillance closes this gap.
Prevention
- Introduce a Transition Security Checklist for all EMR and AI tools: encryption, access controls, staff training.
- Prevention can eliminate up to 50% of human‑error breaches.
Education
- Continuous public education via radio, TV, and SMS on data hygiene and consent.
- Annual cybersecurity and AI ethics training for health workers.
Information Sharing
- When Tamale detects phishing, Accra and Kumasi receive alerts within hours.
- Real‑time sharing prevents spread.
Response
- Use analytics to detect unusual data access or billing patterns.
- Quarantine affected systems, trace sources, and contain damage.
3. Protection Motivation Theory (PMT)
Behaviour changes when people perceive a real threat and know exactly what to do.
- Train staff: “Don’t click this link. Report this SMS.”
- Educate citizens: “Check NHIS SMS. Ask for consent. Report suspicious use.”
- Simple actions + real threat perception = safer behaviour.
Addressing Claims Fraud
NHIA claims fraud requires a three‑pathway response:
- GDT: Real‑time audit trails + published sanctions.
- PHM: Analytics to detect billing “outbreaks” + early alerts.
- PMT: Staff verification training + citizen reporting of suspicious claims.
Policy Recommendations (2026–2030)
- Ministry of Health: Mandate annual cybersecurity + AI ethics training from 2027.
- Ghana Health Service: Establish a National Health Cyber & AI Threat Surveillance Network by 2027.
- Data Protection Commission + GHS: Require explicit consent for AI, data sharing, and research.
- NHIA: Deploy real‑time claims audit + biometric verification; publish quarterly fraud reports.
- Health Facilities: Use a Transition Cybersecurity + AI Checklist before any rollout.
- Citizens: Demand transparency on data protection, AI use, and claims.
Conclusion
The GDT → PHM → PMT framework offers Ghana a practical, homegrown shield for the digital health era. By treating cyber threats like public health threats — with surveillance, prevention, education, and rapid response — Ghana can protect its data, strengthen trust, and ensure that AI‑driven innovation does not compromise privacy or sovereignty.
With AI adoption accelerating since 2023, acting on these findings is urgent in 2026. Health data sovereignty means secure data, private data, and consented data.
References
Author. (2023). Cyberthreat and privacy concerns in health care delivery in Ghana [Unpublished doctoral dissertation]. KAIPTC.
IBM Security. (2023). Cost of a data breach report 2023. Armonk, NY: IBM.
National Cyber Security Centre. (2024). Ghana cybersecurity report 2023. Accra: NCSC.
World Health Organization. (2021). Ethics and governance of artificial intelligence for health. Geneva: WHO.


