The government has endorsed the recommendations of a review into health providers’ access to Medicare card numbers.
The government commissioned the review of the Health Professionals Online Services (HPOS) system after revelations that a Tor-protected service was offering to retrieve the Medicare numbers of individuals.
The ‘Medicare Machine’ service on the now-defunct AlphaBay marketplace site offered access to the data in return for a small feee.
The HPOS review made 14 recommendations and the government said today it agreed or agreed in principle to all of them.
“We are committed to protecting the personal information of the Australian people,” a statement issued by human services minister Michael Keenan said.
“These recommendations will make practical improvements to the security of Medicare numbers, without increasing the administrative burden on health professionals.”
The government said it agreed in principle to a recommendation that HPOS be used as the primary channel to access or confirm Medicare numbers and that telephone channels be phased out over two years except in exceptional circumstances.
However, the government said that further work with the health sector would be required before making changes to telephone channels.
The government said it would accelerate the transition away from Public Key Infrastructure (PKI) for HPOS authentication to use of Provider Digital Access (PRODA) accounts.
The PKI system does not require an individual sign-on. It uses a PIN in combination with a digital certificate supplied by the Department of Human Services installed on a health provider’s computer system (or systems).
PRODA requires an account linked to an individual email address, with a username and password necessary to log-in. It also incorporates two-factor authentication.
DHS “has already ceased issuing PKI individual certificates where PRODA provides the required functionality, and is actively encouraging health professionals to revoke their PKI certificate once they have established a PRODA account,” the government’s response said.
The phase-out of PKI will involve selectively revoking certificates, ceasing renewals for individual recipients, and the eventual revocation of all individual and site PKI certificates.
The department aims to transition 85 per cent of all PKI individual certificates within 18 months, the government said.
“The Department will transition the remaining PKI individual certificates and all PKI site certificates by December 2020,” the government said.
Another recommendation that the government will implement is that individuals will be able to request an audit log of people who have sought access to their Medicare card number through HPOS.
The government said it would also crack down on batch requests for Medicare card numbers.
The government’s full response is available online.