Abstract
The increasing prevalence of cyber threats, particularly following the COVID-19 pandemic, has underscored the urgent need for effective cybersecurity strategies to protect sensitive patient data. Healthcare providers confront an ever-changing cyber risk landscape characterised by ransomware, phishing, insider attacks, and other security threats. These risks are exacerbated by the sector's outdated IT systems and the high value of sensitive patient data, making it an attractive target for cybercriminals.
The study highlights the evolving role of internal audit in bolstering governance and enhancing cybersecurity resilience within the healthcare sector. The Internal Audit Function (IAF) contributes by ensuring that cybersecurity protocols are consistently monitored, refined, and aligned with broader organisational risk management strategies. By leveraging Risk-Based Internal Audit (RBIA) approaches, fostering collaboration with IT departments, and embracing advanced technologies, internal auditors play a crucial role in identifying, assessing, and mitigating cyber risks.
This study employs a qualitative methodology, utilising content analysis of integrated and annual reports from seven healthcare organisations to assess the presence and role of internal audit functions, cybersecurity frameworks, and risk mitigation strategies.
The findings indicate that 85.71% of entities have an established IAF, which actively provides independent assurance on governance, risk management, and internal controls. However, significant disparities exist in the recognition of cyber risks and in the adoption of internationally recognised frameworks such as ISO 27001, NIST, and COBIT. While organisations with advanced frameworks exhibited robust cybersecurity measures, others relied on traditional or limited approaches. Additionally, gaps continue to exist in standardised definitions and cohesive methods for cyber risk management.
This study emphasises the strategic importance of internal audit in reducing cyber risks, safeguarding patient information, ensuring regulatory compliance, and fostering patient trust, particularly within a sector heavily reliant on IT infrastructure. The findings aim to contribute to academic literature on internal audit’s evolving responsibilities, while also offering practical insights for enhancing cyber resilience in South Africa’s healthcare industry.