Health Canada gets PKI surgery

In an effort to upgrade its public key infrastructure (PKI) to a secure electronic delivery service (SESD), Health Canada recently awarded a $4.5 million contract to Montreal-based IT consulting firm CGI.

According to Health Canada, a comprehensive request for proposal (RFP) was issued through Public Works and Government Services Canada (PWGSC), and a structured evaluation process was followed to select the winning bidder.

“CGI has the breadth and depth of skilled resources which enabled it to successfully bid on this contract,” said Ross Smith, chief of IT security services for Health Canada.

Rick Donnelly, director of information security practice for CGI, said the decision was made based on CGI’s technical score mapped across to its price per point.

“We probably placed very high in our technical score, and couple that with our price, we were probably the most appealing,” Donnelly said.

Donnelly explained that Health Canada essentially had a first-generation PKI that was one step beyond being a demo.

CGI plans to provide expert analysis to develop, modify or validate security policy, procedures and guidelines, and to design the security architecture.

“What we are going to do is align the security policy with the organizational goals, make it consistent within the organization,” he said. “We are going to explain the security risks and safeguards to senior management, we are going to influence the application development and management of the infrastructure operations, and we are going to structure security management resources to maximize the effect while supporting a centralized computing environment.”

Smith said Health Canada expects to end up with a robust infrastructure based on open standards suitable for the delivery of applications securely over the Internet.

“We are taking a layered approach to security using technologies such as firewalls, virtual private networks (VPNs) and public key infrastructure (PKI),” Smith said. “Much of the information we deal with is very sensitive. It could include personal health records or extremely valuable trade secrets. We have an obligation to protect the privacy and confidentiality of this information.”

Smith added that it is in Health Canada’s best interest to garner the trust and support of the Canadian public and health partners.

Though the contract was only recently awarded, CGI has already developed a project management framework for the SESD. Donnelly said CGI is also working on validating current security policies, validating configuration management, and assisting in the government’s framework.

Originally, the project was to be completed over a period of three years. Donnelly said that realistically, CGI expects it to take only two years to finish. He said CGI will likely put more resources to the project in order to complete it in a shorter time frame.

“There are eleven Pathfinder projects within the government of Canada. I think Health Canada is one of the furthest along,” Donnelly said. “They’ve gone beyond proof-of-concept and now they are doing an implementation and rollout.”