Ditch PKI certs in Medicare look-up system: review

But keep using cards as ID.

A government-ordered review into how health providers access Medicare numbers has recommended the cards continue to be used as a form of identification despite security and privacy concerns with the system.

The federal government ordered the review - led by professor Peter Shergold - after The Guardian revealed Medicare details were being sold on the dark web for around A$29 per file.

The Department of Human Services has said the individual selling the card numbers exploited legitimate access to obtain the data.

The manner in which the data was being sold indicated the unknown person was accessing Medicare card details through Human Services' HPOS Medicare verification service for healthcare providers.

Further detail has not been provided given an AFP investigation is currently underway.

HPOS - which has been in operation for eight years and allows people who don't have their Medicare card on them to receive emergency treatment - lets healthcare providers access a person's card number if the individual has provided their name and date of birth.

Access is provided in two ways: either through public key infrastructure (PKI), where a preloaded certificate and PIN code are used by a healthcare organisation to gain access; or through a provider digital access (PRODA) account, which requires an individual user's name and password as well as a separate unique verification code.

The government's review, published on Friday, highlighted security issues with the PKI aspect of HPOS, recommending it be replaced by the more secure PRODA accounts "expeditiously".

It said that although providers are told to keep PKI certificates secure and not share them, in reality there were risks that healthcare workers would share the certificates internally and potentially with third-party IT providers.

"This means that the Department of Human Services may not be aware of who is accessing HPOS using the certificate," the panel wrote.

Around 163,000 accounts had access to HPOS at 30 June 2017, according to the report. The system is used around 45,000 times per day.

The review panel also recommended a handful of tweaks to better secure the system.

It suggested that individuals be able to access audit logs of which healthcare professionals had accessed their Medicare card data through HPOS; that consent be granted before a person's Medicare card data is accessed through the system; that batch requests be reduced from 500 to 50 card numbers per batch and to only one batch per day; and that any HPOS account inactive for six months be suspended.

However, broadly it found that the benefits of using the Medicare card as a form of identity verification outweighed any security or privacy concerns with the HPOS system.

Calls to remove Medicare cards as a form of ID had been made given the apparent ease with which card data can be accessed.

A separate inquiry into the HPOS system by the senate's finance and public administration references committee, tabled today, similarly recommended the continued use of the card for this purpose.

"While the committee considers [identity theft] to be a serious issue, it also notes that there appears to be considerable support to the continued use of the Medicare card as an identity document," it wrote.

"The committee is aware of the wider impact on the community were the Medicare card to be withdrawn as a proof of identity document."

It also said it was "satisfied" that the potential for identity theft by means of a stolen Medicare card number "does not result in an individual's health information being accessed, as the Medicare card system is a discrete system completely separate from My Health Record, with My Health Record requiring a different authentication process".

The committee declined to comment further given the current AFP investigation into the dark web Medicare card data sales.

Copyright © iTnews.com.au . All rights reserved.