Hospitals at risk as Tanzania adopts AI without proper cyber safeguards

IT auditors who have reviewed the country’s healthcare digital infrastructure say a ransomware attack on a single hospital could paralyse critical systems for days, exposing thousands of patient records and endangering lives.

“Imagine Muhimbili or Mbeya Referral Hospital being locked out of patient records, lab results and radiology systems because hackers demand payment,” said an international cybersecurity expert Arpna Aggarwal. “This is happening globally, even in hospitals with stronger security than ours.”

The warning comes as the government accelerates its Digital Health Strategy 2025–2030, aiming to deploy AI-powered diagnostic tools across public hospitals. Yet many facilities still share passwords, lack encryption and have no backup plans in case of system failure.

Weak passwords, big risks

Recent inspections reveal gaps. Staff at several public hospitals share login credentials, making it impossible to track access. Some facilities have not updated software for years, leaving known vulnerabilities exposed.

Under the Personal Data Protection Act 2022, hospitals must protect patient information. Enforcement is weak and cybersecurity is often treated as an optional IT expense rather than a legal requirement.

Exposed medical records can have lasting consequences. Unlike stolen credit cards, patient data, including diagnoses and mental health history, cannot simply be replaced. It can lead to job loss, discrimination and loss of trust in the health system.

Global wake-up call

Healthcare has become a key target for cybercriminals worldwide. Last year, ransomware disrupted hospitals in Kenya, South Africa and Nigeria, delaying surgeries, diverting emergencies and forcing staff back to paper records.

Tanzania’s hospitals are especially vulnerable because AI systems rely on cloud services, mobile apps and third-party vendors, each creating potential entry points.

“AI increases efficiency, but without security controls, it also increases exposure,” said a digital health advocate, Dr James Kimaro. “We’re opening more doors before installing proper locks.”

No clear leadership

Sources say governance gaps are at the heart of the problem. Digital health programmes are funded quickly, but security assessments and staff training are delayed or skipped. Hospital boards rarely assign cybersecurity responsibility and risk registers and vendor contracts often fail to clarify breach protocols.

AI systems making diagnostic or treatment recommendations also cannot always explain their reasoning. Misdiagnoses could create liability issues without proper audits or human oversight.

Steps needed

Experts call for a National Health Cybersecurity Baseline to set minimum standards before deploying AI. This should include multi-factor authentication, encryption, annual testing, secure backups and mandatory Data Protection Impact Assessments.

Training is crucial. Tanzania faces a shortage of cybersecurity professionals, leaving even well-designed systems poorly maintained. Continuous education for ICT teams and clinical staff can prevent common attacks such as phishing.

“With digital health accelerating, the window for safeguards is narrowing,” said Dr Kimaro. “Patients deserve healthcare that is both modern and secure.”