Review urges tighter controls for Medicare data access

Phase out PKI certificate system, report recommends

The government-commissioned independent review into the Health Professionals Online Service (HPOS) has recommended tighter security for the system.

HPOS is used by doctors, dentists and other health professionals to access a range of government services, including looking up the Medicare details of an individual.

HPOS is understood the be the source of an illicit service offered through the now-defunct AlphaBay Tor-concealed online market. The service offered to reveal the Medicare card number of any Australian individual by using their name and date of birth — the same details required for the HPOS Find a Patient service.

The review recommends a number of changes to HPOS, including a shift to a more stringent authentication service.

Currently there are two methods for health professionals to access HPOS. One is a Public Key Infrastructure (PKI) certificate, which does not require an individual sign-on — instead it requires a PIN and a digital certificate supplied by the Department of Human Services (DHS) to be installed on a computer system.

Unlike practice-wide PKI certificates, the alternative method — a Provider Digital Access (PRODA) account — requires an individual sign-on, linked to an email address. It requires a username and password to log-in and also incorporates two-factor authentication.

“PRODA provides a greater level of security than PKI certificates, due to the requirement that each individual has their own PRODA account and the strength of the two step verification process for authentication purposes,” the report states.

“The Review Panel considers that the Department of Human Services should accelerate its current move away from PKI certificates to PRODA.”

PKI should be phased out in favour of PRODA “expeditiously”, with the shift completed within three years, the report recommended.

The review also recommends allowing an individual to request an audit log of access to their Medicare number via HPOS and limitations on batch lookups using the system.

The circumstances in which Medicare details were made available on the ‘darkweb’ was also the subject of a Senate inquiry.

The report of that inquiry did not include any recommendations, although a dissenting report by the Australian Greens called for a review of the use of Medicare numbers as a way of proving an individual’s identity to access government services.

The independent review is available from the DHS website. The Senate inquiry’s report is available from aph.gov.au.

Join the newsletter!

Error: Please check your email address.

Tags securitygovernmentmedicarecyber securityprivacy

More about Department of Human Services

Show Comments

Market Place