A review into health providers' access to the Health Professional Online Services (HPOS) system, and in particular access to Medicare card information, has requested the Australian government move the authentication location of HPOS into the "more secure" Provider Digital Access (PRODA) platform as a means to tighten the security controls around card information and other personally identifiable elements.
Authentication for HPOS is currently run via public key infrastructure (PKI), but the three-year transition requested by the review panel would see this step handled by PRODA -- an online authentication system based on a username, password, and verification code to log in, run by the Department of Human Services (DHS).
As such, the committee wants to see the terms and conditions for HPOS, PKI, and PRODA simplified and presented to users in a form that ensures that they "fully appreciate the seriousness of their obligations".
In total, the Final Report of the Independent Review of Health Providers' Access to Medicare Card Numbers details 14 recommendations the review panel said have been made to improve the security of Medicare card numbers within the HPOS system, while continuing to support access to health services without unnecessarily increasing the administrative workload faced by health professionals.
As of June 30, 2017, 24.9 million individuals were eligible for Medicare, the report noted, and there were 14.1 million active Medicare cards.
A Medicare card demonstrates a person's eligibility to receive Medicare services, as well as lower cost medications under the Pharmaceutical Benefits Scheme (PBS). In 2016-17, DHS processed 399.4 million Medicare services and paid Medicare benefits totalling AU$22.4 billion. Under the PBS, DHS processed 207.9 million services and paid benefits totalling AU$12.4 billion during the same period.
It is also used as a valid form of secondary identification when applying for services such as a passport, driver's licence, mobile phone contracts, bank accounts, personal loans, rental contracts, police checks, and security clearances.
The review panel is happy to keep a Medicare card as a form of secondary evidence for identity purposes in Australia, responding to submissions asking for its removal as potentially disadvantaging certain vulnerable members of the community; however it recommends that DHS, working with industry and consumer organisations, undertakes a public awareness campaign that encourages individuals to protect their Medicare card details, and reminds organisations that hold that information of their obligation to protect it.
Under current arrangements, health professionals are able to obtain their patients' Medicare card numbers from DHS using online and telephone channels. The HPOS system, introduced in 2009, is currently used 45,000 times daily, and allows medical practitioners and health providers to look up Medicare details when a person does not have a Medicare card on them.
As such, the review said it considered the balance between appropriate access to a patient's Medicare number for health professionals to confirm Medicare eligibility, with the security of patients' Medicare card numbers.
In a bid to provide greater security and availability, the review panel has recommended DHS phase out the HPOS telephone channel over the next two years, except in exceptional circumstances.
The report recommended individuals be able to request the audit log of health professionals who have sought access to their Medicare card number through the HPOS "find a patient" service.
The committee also asks that health professionals be required to seek the consent of their patients before accessing their Medicare numbers through HPOS or by telephone, and that during the phasing down of the telephone channels, conditions for the security check for the release or confirmation of Medicare card information by telephone should be strengthened, with additional security questions having to be answered correctly by health professionals or their delegates.
It is also recommended that as a condition of claiming Medicare benefits on behalf of patients, health professionals should be required to take reasonable steps to confirm the identity of their patients when they are first treated.
Meanwhile, batch requests for Medicare card numbers through HPOS should be more tightly controlled, according to the review panel, which recommended 50 card numbers per batch request, and that healthcare providers make only one batch request per day unless consent is received from the chief executive of Medicare.
The committee has called for delegations within HPOS to require renewal every 12 months, with a warning to providers and their delegates three months before the delegation expires. Where HPOS accounts have been inactive for a period of six months, the committee recommends they be suspended following a warning to users after three months of inactivity.
Over 20 submissions were received by the committee in response to the discussion paper that was released in August.
The discussion paper asked respondents 12 questions and made a total of 11 draft recommendations.
The Australian government commissioned the review of health providers' access to Medicare card numbers in July, to consider the balance between appropriate access to Medicare card numbers for health professionals and the security of patients' Medicare card numbers.
When announcing the review, the government admitted it was commissioned in response to reports, originally from the Guardian, that Medicare card details were being sold on the dark web.
"The reported theft and sale of Medicare card information is a serious issue, which could undermine public confidence in the security of personal information that government holds," the discussion paper read. "Changes will be required to current systems to ensure that this information is protected."
In its final report, the panel said it considered options to improve the security of Medicare card numbers while continuing to support access to health services and without unnecessarily increasing the administrative workload faced by health professionals.
"The reported sale of Medicare card numbers highlights the fact that the Medicare card has become an important component of Australia's proof of identity processes," the review noted. "The Medicare card can be used to help verify an identity and, like any evidence of identity credential, is therefore susceptible to theft for identity fraud and other illicit activities."
The report said that while there has been no risk to patients' health records as a result of the reported sale, there is a danger that inappropriate access to Medicare card numbers might reduce public confidence in the security of government information holdings, such as the My Health Record system, which in August was given the go-ahead from the Council of Australian Governments Health Council to begin automatically signing up Australians.
When responding to initial reports of dark web Medicare card availability, Minister for Human Services Alan Tudge downplayed the cyber aspects of the data leak.
"The advice that I've received from the chief information officer in my department is that there has not been a cybersecurity breach of our systems as such, but rather it is more likely to have been a traditional criminal activity," Tudge said previously.
The minister said the department had referred the matter to the Australian Federal Police, and refused to comment on whether the information leak was a result of an employee with access to Medicare data selling the information.
In its submission to the review committee, the Australian Medical Association said the government's response to the alleged sale of Medicare numbers needs to be proportionate.
The Office of the Australian Information Commissioner believes consideration must also be given to the security of that information and whether the use of personal information in this manner strikes an appropriate balance between achieving policy goals and any impact on privacy.
Trent Yarwood of Future Wise said the problem with the latest breach is that there would be serious implications if Medicare data is combined with already available data.
"For people like Alan Tudge to say there is no data security issue is obviously incorrect, and I think reflects a very poor understanding of what the power of these sorts of linked datasets is," Yarwood told ZDNet.
"[A Medicare card] is a valid form of identification, so the potential to actually be able to use that data to then go on and then apply other details -- it's the ability to be able to link all this stuff together.
"It's an amazingly intrusive level of detail on people's lives that could be reassembled."
The final recommendation by the review panel was that DHS undertake a Privacy Impact Assessment when implementing the review recommendations, identifying the impact of changes on the privacy of individuals.