The same government department that brought Nova Scotia its worst breach of private information to date, assures us all is well with the most important IT procurement in the province’s history.
That procurement will pick the vendor to provide the digital platform for the province’s planned electronic health record system, called One Person One Record (OPOR). The search is down to two finalists.
We’re told not to worry about the small mountain of evidence that those two finalists — Allscripts and Cerner — had a tighter relationship with the Nova Scotia Health Authority than the unsuccessful companies competing for the contract were permitted.
The province hired a referee from Ottawa to watch over the process that winnowed five bidders to the final two. The ref said the play was onside throughout, and if that’s not good enough for you, tough, because that’s pretty much all you’re getting.
Although, the government let it slip that the panel that did the winnowing based its decisions entirely on material the proponents provided themselves.
That means that if you read Paul Schneidereit’s news analysis in Monday’s Chronicle Herald you likely know more about the recent work experience of the two OPOR finalists than the panel knew when it picked them.
Schneidereit’s piece chronicled, among other things, problems with projects similar to OPOR in other jurisdictions. The projects he cited were led by Cerner or Allscripts and the issues included massive cost overruns, long delays, and potential threats to patient safety.
It was the Department of Internal Services that produced last year’s well-publicized breach of private information. The same department is responsible for the province’s purchasing, which includes the OPOR procurement. Connecting the two functions may seem gratuitous but there is a common denominator — familiarity with the vendor.
It turns out the main vendor on the Freedom of Information Access (FOIA) site that disgorged reams of records it shouldn’t have, was a trusted partner of the government on IT projects, so what could possibly go wrong? Not a thing, other than thousands of records – some containing agonizing personal details – were, with one extra keystroke, in the wind.
The province protected Nova Scotians’ personal information from everyone other than the millions of internet users who are familiar with a simple technique that takes them a little deeper into online data, and that’s where the FOIA site builders stuffed the personal info.
Both Auditor General Michael Pickup and Privacy Commissioner Catherine Tully cited the cosy relationship between the province and the vendor as contributing to the mammoth breach. Due in part to that trusting relationship, the site wasn’t subjected to the rigorous security testing it might have been.
The relationship between the Nova Scotia Health Authority, which has a lead role in OPOR, and the two finalists for the contract may not be as cosy as was the case with the FOIA site, but the relationship existed and the NSHA has been less than forthcoming about its nature.
The authority, for example, has never answered key questions posed by Schneidereit about the apparent preferential treatment afforded the two chosen ones.
At the front end of the process, before the procurement process was officially underway, a senior IT official with the NSHA told one prospective — and eventually unsuccessful — bidder that the authority wasn’t talking to potential proponents. Yet, around the same time, the two eventual finalists participated in NSHA-sponsored information sessions and, reportedly, dined with senior NSHA officials at a couple of the more expensive eateries in Halifax.
The province seems unconcerned that an unsuccessful bidder got the cold shoulder from the NSHA, while the two eventual finalists got what looks like unfettered access.
History shows, as Schneidereit noted in his column and supported with examples, that if complex projects like OPOR are not expertly handled, they can turn into expensive messes.
There is a great deal of smoke surrounding the province’s procurement of a vendor for the OPOR project, and the government isn’t letting anyone get close enough to see if there’s fire.
We are assured that the province has brought the necessary expertise to bear to get this right.
This too sounds familiar. What was it Tully wrote about the FOIA privacy breach?
“One significant and troubling factor is that the technology under investigation was implemented by the group responsible to lead privacy across all government departments.”