Hackers on Medicare smart card waiting list

Privacy advocates have slammed the new Medicare Smartcard, describing it as an insecure and technologically inept implementation.

Privacy advocates have slammed the new Medicare Smartcard, describing it as an insecure and technologically inept implementation.

Furthermore, questions exist as to why the government is even implementing the technology in the first place, with Executive Director of Electronic Frontiers Australia (EFA) Irene Graham saying potential exists for the card to become a new unique identification card similar to the proposed Australia card which the the federal government tried to introduce it in the 1980s. Muddying the issue further, even the government's own statements on the card appear to contradict themselves.

The card, which was launched in July 2004, is designed to provide secure access to the federal government's new HealthConnect (HC) system, which combines Australia's hodge-podge of medical record databases into a single network. HC is undergoing extensive trials in Tasmania and South Australia, and the card itself is currently undergoing a trial in Tasmania. To date, over 800 Tasmanians have voluntarily registered for the card.

Speaking with ZDNet Australia on the issue, Graham said: "The information that they're putting out makes it sound like the whole thing is totally insecure. There's also the question of exactly what information is going to be on the Smartcard. As far as I can understand it at the moment, the actual Medicare Smartcard will not have your health records on it, but you will somehow have to use this card to be able to access the records that are stored in the HC database." Graham also commented that she understood that a new HC identification number would be stored on the card, which would refer to a citizen's record in the HC online database.

Earlier on in the week, Graham appealed to her organisations' privacy-focused email discussion list for information on the card, saying: "Surely this cannot be such a technologically clueless implementation as it appears to be. Am I missing something? If so, what?" Further discussion on the list focused on the fact that the potential benefits of smart card technology comes from an ability to provide challenge/response authentication services within the card itself - a feature which the Medicare Smartcard does not utilise.

While Jenn Stonebridge, a spokesperson from the Health Insurance Commission told ZDNet Australia that the card "does not currently contain a HC ID number", Stonebridge also mentioned that "it is anticipated that with the introduction of HC in Tasmania in mid-2005 a consumer participating in HC will have a HC Access Number linked to their HC profile." A presentation by HC Manager Suzanne Roche at an Australian Government Information Management Office (AGIMO) information forum back in September 2004 also confirmed the government's plans for a HC Access Number to be stored on the card.

This unique HC ID number is, according to Graham, one of the real privacy dangers of the system, as it would create a national unique identification number if the card was rolled out nationally.

"It seems to be that on the card, at the very least, there is going to have to be a HC number for each individual. To me, there is this potential for the Medicare card to increasingly become a unique ID number and card. You can't just get a new Medicare card, you have to provide 100 points of ID, just like a bank card. So Medicare cards are going to become claimed to be one of the most secure evidence of ID documents that exist in Australia. I can just see this heading down the track to the Australia card."

Graham said some basic questions need to be answered by the government - questions like "Why have we got a Smartcard in the first place? And why is it so insecure?"

However, according to Graham, the real danger to citizens comes when the HC ID number is linked up with a citizen's health record on the HC online database. "If there's no PIN on the Smartcard," said Graham, "I don't understand what is going to control access to the HC database. They talk about having a secret question, like - what is your mother's maiden name - that's the example they use on the brochures on the Health Insurance Commission web site."

But Graham says this sort of question would negate the purpose of the Smartcard technology: "If there is a secret question like this, that you have to use, to get access to your records on a HC database, then what have you got a Smartcard for?"

And the Office of the Federal Privacy Commissioner (OPC) has also weighed in on the card's lack of PIN security, saying in a submission on the HC business architecture (BA): "There is some ambiguity in the BA surrounding [HC online] registration for consumers who have a (proposed) Medicare Smartcard." Pointing out that several pages in the BA make reference to a PIN, the FPC went on to say: "It is the OPC's understanding that the Medicare Smartcard will not have a PIN or other attributes which could be used by consumers for secure online authentication."

Furthermore, "if a Medicare Smartcard is stolen, it is unclear what would prevent an individual from enrolling another person in HC ... and then obtaining health information on that person by instigating the process of establishing the initial health profile ... Such a possibility may also raise identity theft risks," said the submission.

It is also possible in the future that simple medical data such as drug reactions and allergies will be stored on the card. While Stonebridge told ZDNet Australia that "There is no personal health information stored on the Medicare Smartcard or the standard Medicare card," Graham said that "there's vague commentary about - at the next stage - people may be able to include their details about allergies and drug reactions and things - on the card!"

Graham went on to say: "Personally I wouldn't want my drug reactions and allergies and things on a card that anybody can swipe through a machine and find out what they are! This all strikes me as exceedingly dangerous information. You don't want other people knowing what drugs you're allergic to - or I don't think you do."

Stonebridge was quick to react to the possibility of health information being stored on the card, saying: "The protection of any personal health information which may be stored on the Medicare Smartcard in the future (that is, adverse drug reaction, emergency contact details) is of paramount importance to HIC and would only be implemented following advice from the OPC. If the role of the Medicare Smartcard is to be expanded it will be done in consultation with the Privacy Commissioner."

Irene Graham has this week been completing EFA's submission to a Senate Committee inquiry into the Commonwealth Privacy Act. The submission will contain a section expressing the EFA's concerns about security and privacy issues surrounding the Medicare Smartcard.