Skip to content

B.C. government takes positive steps to protect people's health data

British Columbians health information was "disturbingly" vulnerable, privacy commissioner Michael McEvoy said in December.
womandoctorandpatient
Two of seven privacy recommendations made by the Office of the Information and Privacy Commissioner have been implemented, according to commissioner Michael McEvoy.

B.C.’s privacy commissioner says the Provincial Health Services Authority (PHSA) has taken positive steps to strengthen the privacy and security of the Provincial Public Health Information System.

"Every day, hundreds of health-care workers and policymakers across B.C. access the system,” commissioner Michael McEvoy said in the report.

“It is critical not only for the protection of British Columbians’ information and privacy rights, but also for the continued delivery of essential services without disruption, that robust privacy and security controls be in place for the system," he said.

The follow-up comes in the wake of an Office of the Information and Privacy Commissioner’s December 2022 report that found the PHSA’s failure to address security and privacy vulnerabilities put British Columbians at risk.

There, the office said the system and the citizens’ information it contains are vulnerable to malicious attacks or employee abuses.

In a report released Dec. 15, 2022, McEvoy said there are many areas where the system is vulnerable.

"The system contains some of our most sensitive health information — matters relating to our mental and sexual health, infectious diseases and more," McEvoy said. "It is imperative that the (Provincial Health Services Authority — PHSA) put in place commensurate security measures to protect British Columbians from potential harms."

That report made seven recommendations, including that the PHSA:

  • acquire, configure, and deploy a privacy-tailored proactive audit system;
  • ensure a multi-factor authentication solution meeting provincial standards is used to log onto the system;
  • encrypt personal information within the database at rest; and,
  • create appropriate written security architecture that includes full systems design documents and operations manuals for each component of the system.

Now, the office said, the six-month follow-up shows two recommendations fully implemented, three substantially implemented, and the remaining two partially implemented with progress continuing.

As examples of work completed, the office cited:

  • encrypting personal information, including tables containing personal information, in the system;
  • implementing an ongoing application vulnerability management program to monitor for risk exposures;
  • completing initial patching updates; and,
  • reporting on risk management assessments to senior management. 

"The implementation of the security architecture document now provides a roadmap to the PHSA for applying the security controls that should have been in place from the outset. Performing regular penetration testing will now help identify the control areas that need strengthening, including user education," McEvoy said.

He said he is encouraged by the PHSA’s efforts to ensure British Columbians’ trust in the health system.

Moreover, McEvoy said in the report, the recommendations are ones many public agencies can apply to their own systems to ensure people’s data privacy.