Government agrees to up Medicare card privacy and security controls

Scrapping PKI certificates in favour of PRODA is one of 14 recommendations the Australian government has accepted following a review into health providers' access to Medicare card numbers.
Written by Asha Barbaschow, Contributor

The federal government has agreed to the 14 recommendations made by the independent review of health providers' access to Medicare card numbers, citing the need to protect individuals' privacy and the security of their card information.

One recommendation made by the review in October was having authentication for the Health Professional Online Services (HPOS) system moved "expeditiously" from Public Key Infrastructure (PKI) to the more secure Provider Digital Access (PRODA).

In its response [PDF], published on Friday, the government said the Department of Human Services (DHS) has already commenced transitioning HPOS authentication from PKI to PRODA, and in response to this recommendation will accelerate the process.

According to the government, the transition will be implemented in stages.

"The department has already ceased issuing PKI individual certificates where PRODA provides the required functionality, and is actively encouraging health professionals to revoke their PKI certificate once they have established a PRODA account," the response reads.

The first stage of the transition will involve revoking existing PKI certificates for deregistered health professionals, for health professionals with duplicate certificates, and for health professionals who hold a PRODA account, the response explained.

DHS will then cease renewals for PKI individual certificates, then eventually revoke all existing PKI individual certificates and all existing PKI site certificates.

"There will be communication and engagement with stakeholders throughout the planning and implementation of the transition process," the government wrote.

DHS is aiming to transition 85 percent of all PKI individual certificates within 18 months, with the remaining PKI individual certificates and all PKI site certificates by December 2020.

Another recommendation the government agreed to was simplifying the terms and conditions for HPOS, PKI, and PRODA and presenting them to users in a form that ensures they fully appreciate the seriousness of their obligations.

It is expected that updated terms and conditions will be published and promoted to health professionals in the first half of 2018 as a result.


DHS also agreed to keep the Medicare card as a valid form of identification in Australia and, as recommended by the review, will aim to raise public awareness of the importance of protecting Medicare card information.

"The Department of Human Services is developing a Communications Plan and associated Stakeholder Engagement Strategy, to outline public awareness activities to be implemented throughout 2018 and 2019 and on an ongoing basis," the government wrote.

"These activities will encourage members of the public to take a more active role in protecting their Medicare information, including asking why their Medicare information is being collected, and how it will be used and protected."

Additionally, it said activities targeted at organisations will remind them of their obligation to protect Medicare information, and consider whether they really need to collect it, and how they will store it safely.

"The government takes seriously its obligation to protect the significant personal information of Australians, and is working to maintain and strengthen its defences against ever more sophisticated cyber and criminal attacks," the government wrote in its response.

"While the implementation of the recommendations may involve short term inconvenience during the transitional stages, it will bring greater security to a system that benefits all Australians."

In the name of security, HPOS will also become the only channel for health professionals accessing or confirming their patients' Medicare card numbers, with the telephone channels to be phased out "except in exceptional circumstances".

The review was commissioned in July following reports, first from the Guardian, that Medicare card details were being sold on the dark web.

"The reported theft and sale of Medicare card information is a serious issue, which could undermine public confidence in the security of personal information that government holds," the discussion paper released in August read. "Changes will be required to current systems to ensure that this information is protected."


Another recommendation made by the review was that health professionals be required to seek patients' consent before accessing their Medicare numbers through HPOS or by phone.

Agreeing to the request, the government said it recognises the right of individuals to have control over their Medicare information.

"The government will empower individuals through its implementation of this recommendation, which it envisions will also increase the integrity of health services," it explained.

It was agreed that DHS will undertake a Privacy Impact Assessment when implementing the recommendations. Delegations within HPOS will also require renewal every 12 months, with a warning to providers and their delegates three months before the delegation expires; expiry will occur after six months of inactivity.

Similarly, as agreed to by the government, individuals will be able to request the audit log of health professionals who have sought access to their Medicare card number through the HPOS Find a Patient service; and batch requests of HPOS data will be limited to 50 unless the chief executive of Medicare personally agrees to allow more for a particular health provider.

Overall, the government will fully implement seven of the recommendations by June 30, 2018, with a further four to be fully implemented by December 31, 2018, and one by mid-2019. The remaining two require no changes to current practice, it said.

"The Office of the Australian Information Commissioner will also be consulted on the implementation of recommendations relating to establishing appropriate privacy and security controls for personal Medicare information," the response explains.
