VICTORIA – The Provincial Health Services Authority (PHSA) has failed to address security and privacy vulnerabilities in B.C.’s Provincial Public Health Information System (the System) – putting the personal health information of British Columbians at risk.
An investigation report released by Michael McEvoy, B.C.’s information and privacy commissioner, says the security and privacy vulnerabilities have been known to the PHSA since 2019.
The system, managed by the PHSA, holds personal health information, some of it very sensitive, about every British Columbian. It supports front-line health-care workers to deliver primary health care and helps public-health officials track the spread of infectious diseases, including COVID-19.
The commissioner initiated this review following the PHSA’s failure to provide satisfactory answers to questions about the system’s privacy and security protections.
Section 30 of the Freedom of Information and Protection of Privacy Act (FIPPA) requires public bodies to take reasonable measures to protect personal information from security risks, such as unauthorized access.
Investigators examined how the PHSA protects the central database in the system to establish whether the PHSA has the necessary security and privacy measures in place to protect personal information.
Investigators found the system’s vulnerabilities requiring immediate attention include:
* a lack of proactive auditing for suspicious activity;
* no ongoing program for managing application vulnerabilities;
* not encrypting personal information within the database at rest; and
* no universal requirement for multi-factor authentication to access the System.
“Our findings were concerning. Because there are no proactive processes in place to monitor for suspicious activity, a major breach of the database could occur today, and no one would know. It is alarming to me that the PHSA has known about this and other vulnerabilities since 2019 – and has not fixed most of the problems,” McEvoy said.
The report recommends the PHSA take seven actions, including that the PHSA:
* acquire, configure and deploy a privacy-tailored proactive audit system;
* ensure a multi-factor authentication solution, meeting provincial standards, is used to log onto the System;
* encrypt personal information within the database at rest; and
* create appropriate written security architecture that includes full systems design documents and operations manuals for each component of the System.
“The System contains some of our most sensitive health information – matters relating to our mental and sexual health, infectious diseases and more. It is imperative that the PHSA put in place commensurate security measures to protect British Columbians from potential harms,” McEvoy said.
The full report is available here:
https://www.oipc.bc.ca/reports/investigation-and-audit-reports/