Security Technical Architect

  • New Brunswick, Canada View on Map
  • Post Date : June 25, 2020

Job Detail

  • Sector Technical Architect
  • Experience Greater Than 10 Year
  • Qualifications Degree BachelorMaster’s Degree

Job Description

Kindly send the below documents to before 03 July 2020 11:00 am EST to get submitted.

·         Updated copy of resume in word format
.         Completed Evaluation Skills matrix in detail
.         Expected hourly rate.
.        Resource References
.         Right to Represent Consent form


Department of Health


Security Technical Architect


The New Brunswick Department of Health, Innovation and eHealth Branch (IEH), is responsible for alignment and integration of innovation and technology to achieve optimal health system performance and quality care for all citizens of New Brunswick.

The Department is currently undertaking the initiative of transforming the Provincial EMR Program from a single-vendor model to an open market model.  As part of this initiative, the department is transforming the EMR to EHR Clinical Viewer integration (formerly known as EEV – EHR Express Viewer) to be available to Open Market vendors, outside of the Health Network via a SAML/F5 authorization.    Furthermore, the EHR Clinical Viewer will be made available in the future to qualified clinical vendors other than EMRs (for example – DIS, etc).

The Provincial Electronic Medical Record (EMR) Program was created in 2012. The New Brunswick Medical Society (NBMS) was selected to represent the NB Physicians in the delivery of the program.  Velante was formed as a subsidiary of NBMS to deliver the Provincial EMR Program, with oversight from the NB Department of Health.  In its current form, the Provincial EMR is delivered via a single-vendor model for all physicians.

In September 2019 NBMS and GNB made the joint decision to move from a single-vendor EMR to an open market.  This decision represents a natural evolution of the program and it aligns with what has been happening across the country. The transition is currently in progress, and it is scheduled to complete no later than March 2021.

The current vendor is Intrahealth, and the EMR product is Profile.  The Provincial EMR Vendor, IntraHealth, accesses the EHR Clinical Viewer, in context, using Single-Sign On (SSO) over a VPN connection.  In an Open Market, clinical vendors will be able to have SSO access to the EHR Clinical Viewer from a qualified vendor application, with the current patient in context at the click of a button over the internet.


1.     Services Sought

The work and services required of the contractor shall be to conduct a Threat Risk Assessment (TRA) that will cover the ability of the Electronic Medical Records (EMRs) or other qualified vendor products to open the Electronic Health Record (EHR) Clinical Viewer in context.  The various vendor applications could be accessing the EHR Clinical Viewer from both a private connection or from the internet.

2.     Mandatory Experience


The Department seeks a resource that demonstrates the following mandatory (must have) experience:


No. Requirement Required
M1 A University degree in Computer Science or a related discipline; an equivalent combination of education and experience may be considered Yes/No
M2 Demonstrated experience conducting TRAs Yes/No
M3 At least 8 years of IM/IT experience Yes/No
M4 Written and Verbal communication skills in English Yes/No


3.     Demonstrated Skills

The Department seeks a resource that demonstrates the following qualifications and experience:

No. Requirement
D1 Demonstrated knowledge of PHIPPA;
D2 Experience with Provincial EMR and EHR systems in other jurisdictions
D3 Experience in analyzing federated authentication mechanisms and SAML 2.0
D4 Demonstrated knowledge of penetration and vulnerability testing using automated tools (QA Inspect, Nessus, Core Impact, Metasploit etc.);
D5 Relevant security certifications (CISSP, etc.);
D6 Experience using the CSE-RCMP Harmonized Threat and Risk Assessment (TRA) Methodology or substantially similar methodology;
D7 Qualifications must be demonstrated by certifications and examples including experience in Vulnerability Analysis and Threat Risk Assessments of IT systems, preferably but not limited to clinical systems.

4.     References

Please provide 3 project references that demonstrate that the resource has the qualifications required to perform the duties stated in this Statement of Work.  Reference must provide name, title and telephone number of the client contact, a description of the project and the role and degree of involvement of the resource as well as confirmation that the contact is willing to provide a reference.


5.     Reporting Structure

The employee will report to the EMR Project Manager who will provide leadership/supervision regarding overall duties and work assignments.

6.     Duration/Effort

The successful candidate will be required commencing July 13, 2020 until August 17, 2020.  There will be a maximum of 15 days of work for this engagement.


DH reserves the right to truncate the engagement, as needed.


7.     Work Location and Travel

This work may be completed remotely or on site at the DOH offices.  If working onsite, office space with current technology and access to necessary information will be provided in HSBC Place, Fredericton, NB for the duration of the engagement.  If the proposed resource is based outside of Fredericton, it is the vendor’s responsibility to pay for the employee’s travel time and costs to and from their place of business (or home) to Fredericton.


COVID-19 Restrictions for Workers entering New Brunswick:

All suppliers and workers entering the province of New Brunswick for work purposes must comply with the requirements established by WorkSafe NB and Public Health, including isolation requirements where applicable.

Click here for more information on these requirements.


8.     Vendor-Supplied Devices

It is the vendor’s responsibility to provide laptop or desktop computers for use by the successful candidate for the duration of the engagement if working offsite (remotely).  The successful candidate is required to meet with the GNB Departmental Information Security Officer (DISO) and sign an agreement governing the terms under which non-GNB devices may be connected to the GNB network.

Additionally, should the successful candidate require a telephone, it is the vendor’s responsibility to provide this device and pay for any recurring service charges.

9.     Deliverables

The scope of this assessment will cover the ability of the Electronic Medical Records (EMRs) or other qualified vendor products to open the Electronic Health Record (EHR) Clinical Viewer in context.  The various vendor applications could be accessing the EHR Clinical Viewer from both a private connection or from the internet.

The assessment of the baseline EHR (delivered via the Orion Health Platform) is not in scope for this TRA.


The assessment will include assessments of basic infrastructure surrounding the EHR Clinical Viewer implementation such as:


·         External (DMZ) and Internal Integration Engines (Rhapsody Servers)

·         Location Index

·         Databases (Oracle and SQL Server)

·         F5 Appliance

·         EHR Servers (Orion Health Platform)

·         Backup and Disaster Recovery Systems

·         Basic Networking Infrastructure that Connect the Systems.

·         Systems used as data feeds

·         Data Transport Mechanisms that the data throughout the overall solution

·         End user devices

·         Personnel who will maintain and support the solution

·         Users and the clients of the system

The following diagram illustrates how EHR(OHP) Clinical Viewer fits into the eHealthNB conceptual Architecture.  In the proposed Clinical Viewer integration, qualified 3rd party vendors such as EMRs and Community Pharmacies will use SAML/F5 integration to automatically launch the EHR Clinical Viewer in context from within their application. 

 The TRA will comprise, but is not necessarily limited to, the following activities:

·         Development of a high-level work plan for approval by the project manager & meeting with appropriate stakeholders

·         Completion of a Threat and Risk Analysis on the Public Health Immunization Solution using the RCMP harmonized TRA Methodology (or similar) which follows a process that looks generally like:

1.            Identify Assets

2.            Assign Asset Values

3.            Identify Threats

4.            Assess Probability/Magnitude

5.            Vulnerability Assessment

6.            Determine Existing Risk

7.            Work with Dept. of Health to recommend safeguards

8.            Determine Residual Risk

9.            Finalize TRA

10.          Communicate results to appropriate stakeholders

11.          Provide regular updates to the project team.

12.          Report completion

13.          Follow-up


The Department sees the Vulnerability Assessment as an integral part of the TRA.  The technical Vulnerability Assessment generally looks like:

1.            Identify Threats

2.            Assess Vulnerabilities

a.            Server platform vulnerability assessments

b.            Major service vulnerability assessment (databases, etc.)

3.            Assess Probability/Magnitude

4.            Determine existing risk

5.            Work with Dept. of Health to recommend safeguards

·         Determine Residual Risk



Attached Files

Other jobs you may like