REMOTE Senior Healthcare Data Privacy Management Consultant to develop PIA and STRAs for 8 new hospital device/system projects - SOW20250407SH - April 21 -

Toronto, ON
  • Number of positions available : 1

  • To be discussed
  • Contract job

  • Starting date : 1 position to fill as soon as possible

S.i. Systems' enterprise public health client has a new hospital campus under construction in Vancouver, BC. They are seeking a REMOTE Senior Healthcare Data Privacy Management Consultant to develop PIA and STRAs for 8 new hospital device/system projects - SOW20250407SH.


REMOTE - must be based in Canada and work PST hours when required

May - Dec 2025 contract + built-in extensions


MUST HAVE SKILLS:

  • Expert knowledge of, and/or related education in, privacy and security loss, relevant legislation, and best practices in data privacy in public healthcare in Canada
  • Experience conducting Privacy Impact Assessments and Security Threat Risk Assessments of hospital systems

NICE TO HAVE:

  • Direct previous experience with Providence Health Care’s privacy team and PHSA’s security teams preferred.
  • Understanding of BC Health Authority structure and operations.


PROJECT DESCRIPTION:

The New St. Paul’s Hospital and Health Campus Project will be located in Vancouver’s False Creek Flats area on Station Street and will lead the delivery of BC’s new model for health care by providing our patients with the highest quality integrated, innovative and patient-centered care, where and when they need it most.

As approved in the IT Business Case, the IT program's vision is for the NSPH to be a national healthcare reference centre for best practice information technology solutions that enable patients and families, clinical professionals, academics and research partners to improve the patient-care experience. Equally important to the project’s delivery objectives is to align with and help advance the broader IMIT objectives and mandates established by the Ministry of Health, Providence Health Care, Vancouver Coastal Health, Provincial Health Services Authority, Research and Academic entities and other stakeholder groups.

The scope of this statement of work is for the development of privacy and security assessments for eight (8) projects associated with NSPH:

(1) A Real Time Location System (RTLS) - Borda Technology - this project includes using asset tags and distributed antennas / beacons to provide real time location information related to patient wandering, wireless staff duress and tracking of specialty medical equipment. Limited patient and staff information will be entered into the system for identification purposes.

(2) An Integration Engine - Connexall - this project includes integrating information from multiple source systems to direct and share information between systems e.g. nurse call, wireless staff communications, RTLS, etc. Limited patient and staff information may be ingested by the integration engine related to RTLS and access control systems.

(3) Digital Room Display - Austco Communication Systems - will ingest patient level information and alerts to display isolation precautions and other critical care indicators on a touch-screen panel at entrances to patient care areas.

(4) Intercom System - AiPhone - Assumed light assessment from a Privacy / PIA perspective due to no patient / staff information being stored in or processed by the system; STRA required.

(5) Intrusion Detection - Bosch - Assumed light assessment from a Privacy / PIA perspective due to no patient / staff information being stored in or processed by the system; STRA required.

(6) IP Video Surveillance System - Avigilon - PIA required, STRA requirement to be determined. There is an existing PIA, but use cases are intended to be expanded for NSPH; therefore, amendments to the existing PIA may be required. Includes both clinical cameras (non-recording) and security cameras (recording).

(7) Automated Guided Vehicles - JBT Automation - this project includes a number of autonomous vehicles that deliver goods throughout the facility. The vehicles communicate over the regular IMIT wireless network to a centralized server application, which also communicates with wired controllers throughout the facility. Limited staff information will be used by the system to authenticate users on login.

(8) Digital Wayfinding - youRhere Interactive Directories - Assumed light assessment from a Privacy / PIA perspective due to no patient / staff information being stored in or processed by the system; STRA required. This project consists of several interactive displays and kiosks within the hospital to facilitate guests finding their way through the facility. The kiosks have local software installed which communicates with a cloud-based application.

For each of the eight projects listed above (RTLS, Integration Engine, Intrusion Detection, Digital Room Display, Intercom, IP Video Surveillance, AGVs and Digital Wayfinding), complete a Privacy Impact Assessment (PIA) and Security Threat Risk Assessment (STRA) as required and as further detailed below:

Privacy Impact Assessment (PIA)

Comprehensive PIA to examine the implementation of each of the eight identified projects including analysis of the following:

  • Examination of approach and all related privacy controls
  • Analysis of applicable legislative environment
  • Identification of privacy risks and mitigation strategies

The deliverable for this portion of the work is a completed privacy impact assessment (PIA) on the approved PHC template ready for sign-off by PHC’s Privacy Director and the business and system owners.

Security Threat Risk Assessment (STRA)

Initial completion of a STRA intake form, which will in turn be reviewed by PHSA IMITS for confirmation of further STRA work as required. For those identified as requiring a complete STRA, complete a comprehensive STRA to examine the implementation of each of the identified projects including analysis of the following:

  • Security standards and policy implications
  • Security implications of network setup and controls
  • Security-related risks and mitigation strategies

The deliverable for this portion of the work includes initial completion of a STRA intake form, to be reviewed by PHSA IMITS for confirmation of further STRA work as required. For those identified as requiring a complete STRA, the follow-up deliverable is a completed Security Threat Risk Assessment (STRA) on the approved PHC template that can be used to inform a Statement of Assumed Risk (SoAR) for sign-off by the PHSA Security Team and relevant business and system owners.

Anticipated timeline for completion for all eight (8) projects would be within the 2025 calendar year.

Requirements

  • Level of education: undetermined
  • Work experience (years): undetermined
  • Written languages: undetermined
  • Spoken languages: undetermined