Investigation finds security vulnerabilities within BC’s public health database
December 15, 2022
VICTORIA— The Provincial Health Services Authority (PHSA) has failed to address security and privacy vulnerabilities in BC’s Provincial Public Health Information System (the System) — putting the personal health information of British Columbians at risk.
An investigation report released by Information and Privacy Commissioner Michael McEvoy says the security and privacy vulnerabilities have been known to the PHSA since 2019.
The System, managed by the PHSA, holds personal health information, some of it very sensitive, about every British Columbian. It supports frontline healthcare workers to deliver primary healthcare and helps public health officials track the spread of infectious diseases, including COVID-19.
The Commissioner initiated this review following the PHSA’s failure to provide satisfactory answers to questions about the System’s privacy and security protections.
Section 30 of the Freedom of Information and Protection of Privacy Act (FIPPA) requires public bodies to take reasonable measures to protect personal information from security risks such as unauthorized access.
Investigators examined how the PHSA protects the central database in the System to establish whether the PHSA has the necessary security and privacy measures in place to protect personal information.
Investigators found the System’s vulnerabilities requiring immediate attention include:
- a lack of proactive auditing for suspicious activity;
- no ongoing program for managing application vulnerabilities;
- not encrypting personal information within the database at rest; and
- no universal requirement for multi-factor authentication to access the System.
“Our findings were concerning. Because there are no proactive processes in place to monitor for suspicious activity, a major breach of the database could occur today, and no one would know. It is alarming to me that the PHSA has known about this and other vulnerabilities since 2019 – and has not fixed most of the problems,” said Commissioner Michael McEvoy.
The report recommends the PHSA take seven actions, including that they:
- acquire, configure, and deploy a privacy-tailored proactive audit system;
- ensure a multi-factor authentication solution meeting Provincial Standards is used to log onto the System;
- encrypt personal information within the database at rest; and
- create appropriate written security architecture that includes full systems design documents and operations manuals for each component of the System.
“The System contains some of our most sensitive health information – matters relating to our mental and sexual health, infectious diseases, and more. It is imperative that the PHSA put in place commensurate security measures to protect British Columbians from potential harms.”
The full report is available here: https://www.oipc.bc.ca/reports/investigation-and-audit-reports/
A video and fact sheet summarizing the report can be found here:
Michelle Mitchell | Senior Communications Manager
Office of the Information and Privacy Commissioner for BC
250 217-7872 | [email protected] Twitter: @BCInfoPrivacy