The Australian government has opened its review into the Health Professional Online Services (HPOS) system, releasing a discussion paper on Friday for public consultation.
The review, announced last month, is expected to consider the balance between appropriate access to Medicare card numbers for health professionals to confirm patients' Medicare eligibility and the security of patients' Medicare card numbers.
It will also review a citizen's -- and a health professional's -- access to Medicare card numbers via the HPOS system and the accompanying telephone channel.
HPOS, introduced in 2009, is currently used 45,000 times daily, and allows medical practitioners and health providers to look up Medicare details when a person does not have a Medicare card on them.
The discussion paper, Independent Review of Health Providers' Access to Medicare Card Numbers, is asking for submissions from interested parties that detail their views on the review panel's draft recommendations.
Although the review -- headed by Professor Peter Shergold, and also comprising the president of the Australian Medical Association Dr Michael Gannon; Dr Kean-Seng Lim, also from the Australian Medical Association; and president of the Royal Australian College of General Practitioners Dr Bastian Seidel -- is yet to be completed, the panel has made a total of 11 recommendations.
The recommendations fall into four categories: health professional channels to access Medicare card numbers, protecting the security of Medicare card numbers in the community, identity requirements when accessing health services, and the use of the Medicare card as evidence of identity.
"The review panel has identified a number of measures that could assist in strengthening the security of Medicare card information. As the review is still in progress, these are not final recommendations, and they may be dropped, refined, or supplemented based on stakeholder consultation and further briefings," the paper states.
"Responses to the discussion paper will assist the review panel to refine their views as they form their recommendations to government in their final report."
In total, the paper poses 12 questions based on the recommendations made thus far, with the first asking respondents if patients have sufficient control and awareness of access to their Medicare card details.
Another asks if the current access controls for HPOS are sufficient to protect Medicare information and prevent fraudulent access, while another queries if the identifying information patients have to produce to access health services is secure enough.
The discussion paper seeks to determine in what circumstances health professionals would need to make batch requests for Medicare card details through HPOS, and questions whether such requests should be limited to certain types of providers or health organisations. It also asks if health providers should be subjected to a higher level of scrutiny in such situations.
When it comes to privacy elements, respondents are asked if there is sufficient information available to health professionals regarding their obligations to protect Medicare card information and if it is sufficiently clear and easy to understand.
The paper also questions whether one's Medicare card should continue to be used as a form of evidence of identity and how the government can build public awareness of why it is important for individuals to protect their Medicare card information.
When announcing the HPOS review in July, the government admitted it was commissioned in response to reports originally made by the Guardian that Medicare card details were being sold on the dark web.
"The reported theft and sale of Medicare card information is a serious issue, which could undermine public confidence in the security of personal information that government holds," the discussion paper states. "Changes will be required to current systems to ensure that this information is protected."
When responding to initial reports, Minister for Human Services Alan Tudge downplayed the cyber aspects of the data leak.
"The advice that I've received from the chief information officer in my department is that there has not been a cybersecurity breach of our systems as such, but rather it is more likely to have been a traditional criminal activity," Tudge said previously.
The minister said the department had referred the matter to the Australian Federal Police, and refused to comment on whether the information leak was a result of an employee with access to Medicare data selling the information.
Trent Yarwood of Future Wise said the problem with the latest breach is that there would be serious implications if Medicare data is combined with already available data.
"For people like Alan Tudge to say there is no data security issue is obviously incorrect, and I think reflects a very poor understanding of what the power of these sorts of linked datasets is," Yarwood told ZDNet.
"[A Medicare card] is a valid form of identification, so the potential to actually be able to use that data to then go on and then apply other details -- it's the ability to be able to link all this stuff together.
"It's an amazingly intrusive level of detail on people's lives that could be reassembled."
Submissions to the review panel close September 8, 2017. It is expected the final report will be handed over to the government by September 29, 2017.