On the 28th of September 2022, at a low-key but decidedly fancy event, CIMAS Health Group unveiled their ISO/IEC 27001:2013 certification. That’s a lot of letters and numbers that I didn’t know but that matter very much to CIMAS.
A quick Google search tells me that this standard, ISO/IEC 27001:2013 (a mouthful, to be sure), specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS) within the context of the organisation. A little more Googling also tells me that the standard’s best-practice approach helps organisations manage their information security by addressing people, processes and technology together. And if we’re going to drill right down, then let’s define a standard as an agreed formula for the best way to do something.
Standards Association of Zimbabwe (SAZ) certification carries regional, continental and global weight. SAZ is an accredited certification body and a fully-fledged member of SADC, the African Organisation for Standardisation (ARSO) and the International Organisation for Standardisation (ISO). The SAZ Acting Director General, Cosmus Mukoyi, sits on the ISO Council and, at the event yesterday, said he believes ‘standards are a way of life’.
It is no small feat, then, that CIMAS has achieved this certification. Both Cosmus Mukoyi and CIMAS CEO Vulindlela Ndlovu alluded in their addresses to the rigorous audit CIMAS subjected itself to in pursuit of this certification. Notably, CIMAS is the first organisation in Zimbabwe to be ISO/IEC 27001:2013 certified. Bravo, Team CIMAS.
But still, what does this mean?
This is the harder question to answer, if you ask me. CIMAS has done this to assure its clients, its shareholders and the broader stakeholder community that the information they share with CIMAS is protected according to an internationally recognised standard. To be precise about what the certificate attests: an independent auditor has verified that CIMAS operates a management system that meets the standard’s requirements, not that any particular system can never be breached. It’s also important to note that all information submitted to CIMAS is handled not just by people, but also by technology.
As such, compliance with this standard means that, by following the processes laid out for them, CIMAS staff and systems keep this information to the following criteria as it enters, is held by, and leaves CIMAS:
- Confidentiality – the information is disclosed only to authorised parties and, more importantly, only when they need it.
- Integrity – the information that is stored and used is accurate and complete, and cannot be altered without authorisation.
- Availability – the information is available and accessible when it is needed to deliver the service required.
In order for CIMAS to provide the service that it does, there exists the need for collaboration. Collaboration between CIMAS and its members. Between the member and their medical practitioner. Between that medical practitioner and CIMAS. Within each link exists the sharing of information. Medical records. Financial information. Biometric data. A slew of other personal details.
The information that circulates within this ecosystem is the reason that CIMAS has sought ISO/IEC 27001:2013 certification. With the certification, the people, processes and technology that CIMAS uses to protect that information have been independently audited against the standard and found to meet it. The assurance here is that those people, processes and technology are all in place to best serve you and protect you and your information.
Every day, we take risks.
The more we use technology, the greater our exposure to the potential of cybercrime. The rigorous audit CIMAS underwent, which we referred to earlier, seeks to allay the fears around the risks involved in volunteering personal information. Certification has been awarded now, but keeping it is an ongoing commitment: an ISO/IEC 27001 certificate is typically valid for three years, with surveillance audits in between, and the ISMS has to keep improving to hold it. CEO Vuli Ndlovu talked about some aspects of the audit and the certification which I think address this.
There now exists an internal culture of security within CIMAS, so that employees and service providers prioritise information security by design. CIMAS will continuously improve its processes to provide confidence to stakeholders. And it has put in place appropriate control measures which will help the organisation navigate cyber threats or any other compromise of members’ private, confidential and privileged information. What matters is building and maintaining sufficient safeguards and management processes that help the organisation identify potential threats and deal with them quickly and effectively.
One word: Access.
The belle of the ball was obviously the ISO/IEC 27001:2013 certification. But in an addendum to his speech, Vuli Ndlovu spoke about how CIMAS exists to provide access. Apparently, it presents a conflict of interest for CIMAS to provide medical facilities. I am intrigued: does it really? He counters that CIMAS is simply there to provide access. In a bid to work towards SDG 3, which promotes health and well-being, CIMAS provides access to the facilities that work towards this goal. And to achieve that, there can be no good outcome if data is not being shared, analysed and used for further research and knowledge.
And you, everyone else?
So, what about the other 28 medical aid societies in Zimbabwe? Does that mean our information isn’t safe with them and we should all move to CIMAS?
CIMAS now has this certification in addition to its laboratory, which was the first to be certified to ISO 15189:2012, in July 2014. But I don’t think it matters as much today as it will in the future (near or far remains to be determined). These accolades have not been pursued to distinguish CIMAS from other medical aid societies (although that’s obviously a ‘nice to have’). I caught glimpses of greater ambitions.
This certification is an investment in CIMAS Health Group moving from just a medical aid (woe to him who calls it just that) to a technology company. Coming back to the word collaboration, which I used earlier, CIMAS intends, and may very well be on the way, to harness technology and use it to build an ecosystem that will provide access to world-class healthcare. That’s the story here. And one we will have to wait a little longer to hear.