- Expertise on the privacy and security aspects of the eHealth systems being deployed in resource-constrained environments such as developing countries and humanitarian operations is severely lacking; the knowledge base in this space is similarly weak;
- To be effective, the principles and aspirations for medical privacy enshrined in international agreements, policies, and commitments must be supported by a local awareness of privacy responsibilities, a strong national legal and regulatory footing, and the appropriate use of information and communication technology;
- Among the legal and regulatory requirements for strong privacy and security protections are respect for self-determination, the appropriate and proportionate collection, management, access and disclosure of medical information, and strong mechanisms for monitoring compliance and accountability;
- Within developing country and humanitarian operation contexts, there is a wide and diverse range of social, ethical and gender considerations related to medical privacy which must be more fully appreciated by those involved in developing eHealth systems; the user must not be taken for granted;
- Threat models must also consider the organisational risks to medical privacy and health information security in these resource-constrained environments, such as insider threats and intra-organizational data-sharing;
- Any ‘solutions’ to medical privacy or health information security in these contexts will need to incorporate both technological means such as directed identifiers, access controls and encryption, as well as appropriate organisational, legal and policy responses;
- Any decision by funders, designers, or implementers to exclude these privacy and security mechanisms from an eHealth system must be made as the result of informed deliberation rather than as a matter of expediency.