A comprehensive academic analysis and governance redesign project examining the 2020 cyberattack on Life Healthcare Group and proposing an integrated Information Security Governance framework.
- Project Overview
- Problem Domain
- Project Members
- Objectives
- Key Deliverables
- Governance Framework
- Methodology
- Technology Stack
- Project Structure
- Key Findings
- Recommendations
- References
- License
This academic project provides a holistic analysis of the June 2020 cyberattack on Life Healthcare, one of South Africa's largest private healthcare providers. The study critically examines how breakdowns in governance and information security exposed systemic weaknesses across strategic, tactical, and operational levels.
Through structured problem analysis and framework evaluation, the project evaluates the organisation's Corporate Governance, IT Governance, and Information Security Governance functions in relation to enterprise best practices using COBIT 2019, ISO/IEC 27001, and ISO/IEC 27005 frameworks.
The project culminates in an integrated governance model designed to strengthen oversight, resilience, and value delivery while addressing the failures that led to the 2020 ransomware incident.
In June 2020, Life Healthcare experienced a severe ransomware-style cyberattack that:
- Forced core IT systems offline, including patient admission platforms, business processing applications, and email servers
- Disrupted billing, claims processing, supplier invoicing, and financial reporting
- Occurred during the COVID-19 pandemic, placing additional strain on healthcare operations
- Exposed critical weaknesses in governance, disaster recovery, and cybersecurity oversight
The incident revealed failures across multiple organisational levels:
Strategic Level:
- Insufficient board-level prioritisation of cybersecurity
- Lack of IT governance framework integration (e.g., COBIT 2019)
- Inadequate alignment between IT investments and enterprise risk management
Tactical Level:
- Weak disaster recovery and business continuity policies
- Insufficient risk assessment and mitigation processes
- Limited tactical oversight between executive directives and operational execution
Operational Level:
- Dependency on legacy systems
- Absence of robust backup and recovery mechanisms
- Limited incident response preparedness
This project was completed by the following group members:
-
Line Redpath
GitHub Profile: Line's GitHub -
Juanette Viljoen
GitHub Profile: Juanette's GitHub -
Tinotenda Mhedziso
GitHub Profile: Tino's GitHub
The project aims to:
- Analyse the 2020 Life Healthcare cyberattack as a case study of failed governance
- Map Life Healthcare's existing IT governance structure using COBIT 2019 domains
- Assess Information Security roles and responsibilities across strategic, tactical, and operational levels
- Design an integrated Information Security Governance model addressing identified weaknesses
- Evaluate governance frameworks (COBIT, ISO 27001, NIST) and recommend the most appropriate approach
- Propose a refined board/executive structure for Information Security oversight
- Develop operational security policies and controls aligned with ISO 27001
- Conduct a risk assessment and mitigation planning exercise
- Design a cybersecurity training and awareness campaign
| Deliverable | Description | Weight |
|---|---|---|
| Case Study Analysis | Critical examination of governance failures in the 2020 cyberattack | 10% |
| IT Governance Mapping | Visual mapping of Life Healthcare's structure using COBIT domains (EDM, APO, BAI, DSS, MEA) | 10% |
| InfoSec Roles Assessment | Responsibility matrix (RACI) and role analysis across strategic, tactical, and operational layers | 10% |
| Governance Model Design | Proposed three-tier governance model with new roles (CIGO, IT Governance Committee) | 10% |
| Framework Comparison | Comparative analysis of ISO 27001, NIST CSF, and COBIT 2019 with recommendation | 10% |
| Board/Executive Structure | Refined executive reporting structure integrating InfoSec governance | 10% |
| Operational Policies | Comprehensive Information Security Policy Architecture (ISPA) with sub-policies | 10% |
| Risk Management Plan | Risk assessment matrix, mitigation strategies, and treatment priorities | 10% |
| Training & Awareness Campaign | Multi-phase cybersecurity awareness programme aligned with ITIL 4 | 10% |
| Group Participation | Collaborative engagement throughout the semester | 10% |
The proposed model organises Information Security Governance into three hierarchical layers:
- Roles: CIO, CFO, CRO, CIGO (newly proposed), Audit and Risk Committee (ARC), IT Steering Committee (ITSC)
- Functions:
- Define governance direction and allocate resources
- Establish risk appetite and enterprise-wide InfoSec strategy
- Ensure IT investments deliver measurable value
- Integrate cybersecurity into board-level decision-making
- Roles: Group Head of Cybersecurity Engineering (GCSE), Group Business Information Security (GBIS), Group Risk Manager (GRM), Group Privacy Officer (GPO), Group IT Governance Lead (newly proposed)
- Functions:
- Translate executive directives into actionable policies and standards
- Oversee compliance with ISO 27001, POPIA, and GDPR
- Coordinate risk-based approaches across business units
- Bridge strategic intent with operational execution
- Roles: Head of IT Operations, Head of Cybersecurity, IT Operations Team, Security Operations Centre (SOC)
- Functions:
- Execute security controls and incident response protocols
- Monitor systems, detect threats, and manage daily operations
- Provide feedback and performance metrics to tactical and strategic levels
- Enforce policies and maintain operational controls
graph TD
A[Board of Directors & ARC] --> B[EDM: Evaluate, Direct, Monitor]
B --> C[APO: Align, Plan, Organize]
B --> D[BAI: Build, Acquire, Implement]
B --> E[DSS: Deliver, Service, Support]
B --> F[MEA: Monitor, Evaluate, Assess]
C --> G[CIO, COO, CRO, Group Risk Manager]
D --> H[Group Enterprise Architect, IT Operations Team]
E --> I[SOC, Head of Cybersecurity, IT Security Team]
F --> J[Group Privacy Officer, Group Head Business InfoSec]
The project follows a Project-Based Learning (PBL) approach structured across seven phases:
- Phase 1: Identify the need for a Corporate Information Security Governance Framework
- Phase 2: Define the problem (governance failures in South African organisations)
- Phase 3-4: Research and design the project using case studies and frameworks
- Phase 5: Create and develop the solution (governance model, policies, risk plans)
- Phase 6: Present and share findings
- Phase 7: Reflect and improve based on feedback
- COBIT 2019: IT governance and management framework providing strategic oversight
- ISO/IEC 27001: Information Security Management System (ISMS) certification standard
- ISO/IEC 27005: Risk management guidelines
- King IV: Corporate governance principles for South African entities
- NIST Cybersecurity Framework (CSF): Operational cybersecurity controls and maturity model
- COBIT 2019 – IT Governance Framework
- ISO/IEC 27001:2013 – Information Security Management
- ISO/IEC 27005 – Information Security Risk Management
- King IV – Corporate Governance for South Africa
- NIST CSF 2.0 – Cybersecurity Framework
- ITIL 4 – IT Service Management
- Microsoft Word/Excel – Documentation and data analysis
- Draw.io / Lucidchart – Governance model diagrams
- Mermaid – Entity-relationship diagrams
- Academic databases – Peer-reviewed sources and case studies
Life-Healthcare-Governance-Framework/
│
├── README.md # Project overview and documentation
├── LICENSE # MIT License
│
├── Documents/
│ ├── Life_Healthcare_Project.pdf # Complete project report
│ ├── Activity_Plan_2025.docx # Semester activity plan and rubric
│ └── Executive_Summary.pdf # High-level findings and recommendations
│
├── Models/
│ ├── IT_Governance_Mapping.png # COBIT domain visualization
│ ├── InfoSec_Governance_Model.png # Three-tier governance structure
│ └── Board_Executive_Structure.png # Proposed executive reporting lines
│
├── Policies/
│ ├── Corporate_InfoSec_Policy.md # Master CISP document
│ ├── Access_Control_Policy.md # User access management
│ ├── Patch_Management_Policy.md # System patching requirements
│ ├── Backup_Recovery_Policy.md # Disaster recovery protocols
│ └── Incident_Response_Policy.md # Escalation and response procedures
│
├── Risk_Management/
│ ├── Risk_Assessment_Matrix.xlsx # Risk scoring and prioritization
│ ├── Risk_Mitigation_Plan.md # Treatment strategies by risk ID
│ └── Risk_Appetite_Framework.png # Three lines of defence model
│
├── Training/
│ ├── Awareness_Campaign_Plan.md # Phased training programme
│ ├── Training_Modules.md # Role-based learning tracks
│ └── ITIL_Integration.md # Continuous improvement approach
│
└── Appendices/
├── Appendix_A_Corporate_Governance.png
├── Appendix_B_Direct_Control_Model.png
├── Appendix_C_Material_Matters.png
└── Appendix_D_Risk_Appetite.png
-
Strategic Oversight Gap:
- IT governance was not prioritised at board level
- The dissolution of the Risk, Compliance, and IT Governance Committee in May 2024 weakened oversight
- IT was viewed as a cost centre rather than a strategic enabler
-
Tactical Coordination Weakness:
- Limited integration between security functions and business continuity planning
- Inadequate disaster recovery policies and failover testing
- Reactive compliance approach lacking proactive risk treatment
-
Operational Execution Issues:
- Dependency on legacy systems increased vulnerability
- Insufficient patch management and endpoint protection
- Limited escalation protocols between SOC and governance committees
| Framework | Strengths | Weaknesses | Recommendation |
|---|---|---|---|
| ISO 27001 | Internationally recognised, prescriptive controls, operational focus | Vague on board-level governance, documentation-heavy | ✅ Retain for ISMS certification and operational compliance |
| NIST CSF | Practical, vendor-neutral, excellent for cyber defence | Not a governance framework, weaker on accountability | |
| COBIT 2019 | Strong board-level structure, aligns IT with business strategy, defines accountability | High-level, not prescriptive for technical controls | ✅ Primary recommendation for holistic governance |
Conclusion: COBIT 2019 is the most appropriate framework for Life Healthcare, providing the strategic governance structure needed while integrating seamlessly with existing ISO 27001 certification.
Chief Information Governance Officer (CIGO)
- Focus on aligning IT and InfoSec initiatives with organisational objectives
- Partner with Enterprise Architect and IT Steering Committee
- Drive holistic IT governance beyond security-only perspectives
Group IT Governance Lead
- Oversee policy implementation at tactical level
- Coordinate compliance activities across departments
- Ensure alignment between strategic directives and operational execution
- Separate IT Governance from Audit and Risk Committee (ARC)
- Provide dedicated focus on IT strategy, investments, and oversight
- Meet quarterly with direct reporting to Board
Board Directive: Establish IT and data as strategic assets requiring protection
Corporate Information Security Policy (CISP): Master policy defining purpose, ownership, and compliance requirements
Critical Sub-Policies:
- Access Control Policy
- Endpoint Protection Policy
- Patch Management Policy
- Backup, Recovery & Business Continuity Policy
- Incident Response Policy
- Logging & Monitoring Policy
Priority Risk Treatment:
| Risk ID | Category | Likelihood | Impact | Priority | Mitigation Strategy |
|---|---|---|---|---|---|
| R5 | IT Systems & Cybercrime | High | Critical | 🔴 Critical | Centralised patch orchestration, redundant infrastructure, third-party penetration testing |
| R4 | Business Resilience | Medium | High | 🟠 High | Improve disaster recovery plan, quarterly failover simulations |
| R2 | Regulatory Compliance | Medium | High | 🟠 High | Establish Data Governance Committee, quarterly privacy audits |
| R3 | Macro-economic | Medium | High | 🟠 High | Reframe IT investments as strategic value, not financial constraints |
| R6 | Changing Business Environment | Medium | High | 🟠 High | Establish CIGO role for digital transformation alignment |
| R1 | Human Capital | High | Medium | 🟡 Medium | Increase cyber awareness training frequency and scope |
Phase 1: Foundation (Months 1-3)
- Role-based training tracks (clinical staff, administrative teams, executives)
- Baseline phishing simulation and awareness assessment
Phase 2: Reinforcement (Months 4-6)
- Biweekly phishing tests with feedback loops
- Monthly password hygiene reminders
- Poster campaigns and email reminders
Phase 3: Continuous Improvement (Ongoing)
- ITIL 4 Plan-Do-Check-Act integration
- Metrics tracking (completion rates, phishing success decline, incident response times)
- Lessons learned from real incidents fed back into policies
This project draws upon:
- Life Healthcare Group Holdings Limited Integrated Annual Reports (2020-2024)
- King IV Report on Corporate Governance for South Africa (2016)
- ISACA COBIT 2019 Framework
- ISO/IEC 27001:2013 Information Security Management Systems
- NIST Cybersecurity Framework (CSF) 2.0
- ITWeb, Reuters, and CyberPeace Institute reporting on the 2020 incident
Full reference list available in project documentation.
This project is licensed under the MIT License for academic purposes only.
Academic Use Declaration:
This project was prepared solely for academic purposes as part of the Information Technology Management and Governance (ITMG302) module. All corporate names, figures, models, and information referenced have been adapted from publicly available materials of Life Healthcare Group Holdings Limited and recognised governance frameworks including King IV, ISO, and COBIT.
- Automated Governance Dashboards: Real-time visualisation of governance metrics and risk postures
- AI-Driven Risk Prediction: Machine learning models to forecast emerging cyber threats
- Integration with SIEM Tools: Centralised logging and threat intelligence platforms
- Blockchain for Policy Versioning: Immutable audit trails for policy changes and compliance
- Extended Case Studies: Comparative analysis with other South African healthcare providers
Course: Information Technology Management and Governance (ITMG302)
Institution: [Nelson Mandela University]
Semester: 2, 2025
Methodology: Project-Based Learning (PBL)
Making governance tangible, resilient, and value-driven.