The unions representing information technologists within the Saskatchewan Health Authority are concerned about the recent investigation report released by the Saskatchewan Information and Privacy Commissioner, and about the ongoing plan for the SHA to transfer all Information Technology assets (except for digital health), including employees, to eHealth.
“To date there have been far too many unanswered questions; now we have discovered through Mr. Ron Kruzeniski’s report that the board and leadership of eHealth are in disarray. We know that this is not the first time that the eHealth Board has been removed by the Sask Party government. A similar removal occurred in 2018. Top leadership of the organization also has been changed by the Ministry of Health. For the protection of our members and for the security of private health information for all in Saskatchewan, we believe that the pattern of chaos needs to be curbed and an identifiable period of stability established prior to any contemplation of the need for the move of valuable IT services out of the control of our provincial health authority. Trust badly needs to be restored,” says Barbara Cape, President of SEIU-West.
SEIU-West and CUPE 5430 leaders are not confident that the IT systems, supports and communication needs of the SHA can be met by eHealth. Nor do the union leaders believe that continuing to push this agenda of the Health Authority shedding responsibility will improve controls and monitoring of IT network access or increase testing of disaster recovery plans. The recent investigation and the recommendations made reinforce the ongoing concerns of SHA employees who are slated to transfer to eHealth.
At present, both the SHA and the Ministry of Health retain custody and responsibility for their IT services with an explicit duty to protect that information. Mr. Kruzeniski’s report confirms this continuing obligation. The unions believe that this oversight duty should prevail as a best practice.
Sandra Seitz, President of CUPE 5430, states, “Now, more than ever before, it is time to pause and fully contemplate the big picture. When the Privacy Commissioner expresses a lack of accountability and transparency on the part of all parties in reporting and managing this privacy breach and ransomware attack, it is so obvious that the decision to transfer all assets to eHealth needs to be reconsidered following the independent governance, management and program review of eHealth directed to be completed by the Minister of Health.”
IT employees of SHA and their union representatives have been engaged in endless restructuring talks since 2018.
Seitz adds, “Now is an opportune time to look at the real problems that exist - instead of stubbornly insisting upon jamming all assets into one organization that has not demonstrated responsible cyber security processes and policies, effective monitoring and controls, economies of scale or adequate incident response. We also recognize that government investment in IT systems infrastructure has been lacking for many years – cobbling together multiple aging IT systems is a recipe for these kinds of disasters.”
Cape agrees and states, “Despite dire warnings, privacy breaches and the recent ransomware attacks, our government does not rate the security of personal and private health information as a priority. At the same time, we must extend our appreciation for those employees within eHealth and SHA who are doing their best to keep our IT systems together in the midst of an environment of dated systems and a lack of oversight.”
SEIU-West and CUPE represent health care providers, including those employed in IT services, who work in nine of the former health authorities.