Privacy & security
NB takes steps to ensure security of
FREDERICTON – Lessons have been
learned and corrective actions taken since the loss of computer
cartridges containing Medicare patient billing information last year,
said New Brunswick Health Minister Michael Murphy.
Murphy was responding to the release of a report by ombudsman Bernard
Richard, whose office investigated the loss of the computer tapes.
The tapes contained Medicare billing information on 485 New Brunswick
residents who received insured healthcare services in British Columbia,
as well as information on 149 British Columbia residents who received
health services in New Brunswick. They were lost last October while
being shipped by courier from New Brunswick to B.C. and have not been
found. Senior officials in the Department of Health only learned of the
missing tapes in mid-December.
“First and foremost, I wish to thank the ombudsman and his office for
their thorough investigation and corresponding recommendations,” Murphy
said. “My department co-operated fully in this investigation, and has
already responded to the ombudsman on his recommendations. We will
continue to strengthen procedures and systems so as to safeguard the
privacy of personal health information.”
Actions taken since the loss of the tapes include:
• The use of encrypted and password-protected CDs to share Medicare
billing data with B.C. until a new system using secure file transfer
protocol technology (SFTP) is in place. The technology, which exchanges
files server to server, is already in place in New Brunswick, and will
be tested with B.C. beginning later this month. The secure transfer of
data with other jurisdictions using SFTP will follow as each
jurisdiction adopts the new process.
• Adoption of a Privacy Breach Policy so that any breach is reported
immediately to the deputy minister.
• Hiring of a full-time corporate privacy officer to focus on creating a
privacy culture within the department, including the development of a
corporate privacy policies.
• Assigning a corporate privacy officer to oversee a full review of all
departmental policies, procedures and protocols, including the
development of policies relating to client access requests, secure
exchange of information, and document retention.
In addition, a department-wide review will be launched of policies,
practices and procedures as they relate to information management and
privacy of personal information.
Murphy said that this review, which will also look at the security of
the department’s existing information management systems, will be
undertaken with the assistance of external support, as recommended by
the ombudsman. A request for proposals for external assistance will soon
“These steps and others have all been undertaken in the last five
months,” Murphy said. “Yet, we know there is more to do to ensure the
security and confidentiality of personal health information, especially
as we develop an electronic health record to improve healthcare for New
Murphy announced that introduction of the province’s new personal health
information legislation will be delayed until the fall. Instead, draft
legislation will be presented in the legislature this spring as a green
paper to allow interested New Brunswickers to comment and provide input
before the final legislation is tabled this fall for approval.
“This will further enhance the involvement of stakeholders who have told
us they want to be fully involved in the development of this
legislation,” Murphy said.
“To date we have had a two-day workshop with stakeholders that has been
very instrumental in developing the green paper that will go out for
public comment.” Murphy said that his department is also requesting that
the Office of the Ombudsman work with the department on the development
of information systems related to the creation of the e-health record.
“We want to ensure that the Office of the Ombudsman has input into and
is kept abreast of policies, procedures and technical safeguards as they
relate to the privacy and security of personal health information that
will be contained in the e-health record,” Murphy said. “We are asking
that the office review at what stage electronic health information
architecture can be introduced.”
Murphy said that privacy and security issues have been and will continue
to be fully addressed in conjunction with the design and development of
all new information management systems.