For a while there, it seemed like 2019 was going to be the Year of the Hack.
Computers and networks ransomwared. Emails, identities and money stolen. Personal information lost, or found somewhere it shouldn’t be, like in a pile at the dump.
Or in a fax. For young people reading this, “fax” is short for “facsimile.” A fax machine scans pages and transmits them over a phone line. It’s ancestor, the electric printing telegraph, was patented in 1843.
Nearly 180 years later, the Government of the Northwest Territories is still using the devices to send and receive sensitive health records.
This may be completely mind-boggling for someone without experience with the North’s infamous Internet reliability, or lack thereof, but it’s understandable in the context of the information technology and infrastructure challenges still faced by smaller communities. And in the context of digitally stored personal information being available to bad actors anywhere in the world with a web connection, faxes are actually more secure.
However, the treatment of personal information by the GNWT remains obtuse and ineffective. Navigate to the phone directory on the government’s website – which, despite News/North pointing out the page’s lapsed security certificate late last year, still prompts a “not secure” warning in web browsers – and you’ll find four jobs directly linked to managing privacy in the health department, including chief healthy privacy officer, ATIPP and health privacy officer, senior privacy specialist, and senior health privacy officer (two of the positions are vacant).
All this and yet, somehow health records ended up in the dump in Fort Simpson.
Such breaches are nothing new to NWT privacy commissioner Elaine Keenan Bengts, who has been critical of them in her reports for more than a decade. She mentioned the dump incident specifically, alongside a decidedly more digital snafu, the theft of a GNWT laptop without encryption and left in a vehicle containing the personal health information of 33,000 NWT residents, in her most recent report to the legislative assembly, tabled in December.
Both incidents, which took place in 2018, are the subject of a lawsuit brought against the GNWT by three law firms.
It’s clear now that the privacy-related training that’s been delivered within the health department hasn’t got through to everyone. Part of the challenge must be turnover, in particular among doctors, many of whom work here on a locum, or temporary, basis for periods as brief as two weeks.
If 2019 was any indication, concerns over privacy and security when it comes to personal information are not going to dissipate any in 2020. Our new crop of progressive MLAs may not be able to change the world overnight, but a shift to better and more secure technology in the health department, where the information gets as personal as it can get, surely is within reach. It would probably help if Health and Social Services Minister Diane Thom, who has ducked our requests for comment on this topic thus far, would show some leadership in the light of day and demand better from the people who answer to her.
Failing that, one wonders aloud whether the privacy commissioner’s office should have more of an arsenal to combat breaches of all kinds, physical and digital.
Good on Keenan Bengts for keeping up the pressure, but she has no power except to complain. MLAs should give her some actual teeth so she can prosecute breaches. Maybe then health officials will learn their lesson.