Investigation finds security vulnerabilities within B.C.'s public health database

By Richmond Sentinel

Published 11:31 PST, Thu December 15, 2022

An investigation report released by Michael McEvoy, B.C.'s information and privacy commissioner, has found security and privacy vulnerabilities in the province’s Public Health Information System (the System).

The report finds that the Provincial Health Services Authority (PHSA) has failed to address the vulnerabilities in the System, despite knowing about them since 2019, putting the personal health information of British Columbians at risk.

The System, managed by the PHSA, holds personal health information—some of it very sensitive—about every British Columbian. It supports front-line health-care workers to deliver primary health care and helps public-health officials track the spread of infectious diseases, including COVID-19.

The commissioner initiated this review following the PHSA's failure to provide satisfactory answers to questions about the System's privacy and security protections.

Section 30 of the Freedom of Information and Protection of Privacy Act (FIPPA) requires public bodies to take reasonable measures to protect personal information from security risks, such as unauthorized access.

Investigators examined how the PHSA protects the central database in the System to establish whether the PHSA has the necessary security and privacy measures in place to protect personal information.

Investigators found that the System's vulnerabilities requiring immediate attention include:

• A lack of proactive auditing for suspicious activity

• No ongoing program for managing application vulnerabilities

• Not encrypting personal information within the database at rest

• No universal requirement for multi-factor authentication to access the System

"Our findings were concerning. Because there are no proactive processes in place to monitor for suspicious activity, a major breach of the database could occur today, and no one would know. It is alarming to me that the PHSA has known about this and other vulnerabilities since 2019—and has not fixed most of the problems," said McEvoy.

The report recommends the PHSA take seven actions, including that the PHSA:

• Acquire, configure, and deploy a privacy-tailored proactive audit system

• Ensure a multi-factor authentication solution, meeting provincial standards, is used to log onto the System

• Encrypt personal information within the database at rest

• Create appropriate written security architecture that includes full systems design documents and operations manuals for each component of the System

"The System contains some of our most sensitive health information—matters relating to our mental and sexual health, infectious diseases, and more. It is imperative that the PHSA put in place commensurate security measures to protect British Columbians from potential harms," said McEvoy.

The full report is available here: oipc.bc.ca/reports/investigation-and-audit-reports/.
