The Department of Human Services will accelerate plans to end the use of PKI certificates for accessing the HPOS Medicare verification service after the federal government agreed to scrap the mechanism.
The government today published its response [pdf] to a review into how health providers access Medicare numbers, following revelations last year that Medicare details were being sold on the dark web for around A$29 per file.
It had ordered the review after it appeared the individual selling the card numbers had exploited legitimate access - specifically DHS’ HPOS Medicare verification service for health providers - to obtain the data.
The exact details are being held back pending the results of an Australian Federal Police investigation.
HPOS allows healthcare providers to access a person’s Medicare card number if the individual has provided their name and date of birth.
They can access the platform either through public key infrastructure (PKI) - which involves a preloaded certificate and a PIN code used for an entire organisation - or through a provider digital access (PRODA) account, which requires an individual user's name and password as well as a separate unique verification code.
The review had highlighted that there were "greater risks" with the PKI component of the HPOS and recommended replacing it with the more secure PRODA accounts “expeditiously”.
DHS had already commenced this transition at the time of the review, but will now “accelerate this process” after the government agreed to the review's recommendations.
It will stagger the repeal, first revoking PKI certificates for deregistered health professionals, health professionals with duplicate certificates, and health professionals who hold a PRODA account, whilst ceasing any renewals.
“The department has already ceased issuing PKI individual certificates where PRODA provides the required functionality, and is actively encouraging health professionals to revoke their PKI certificate once they have established a PRODA account," it said in a statement.
DHS aims to have transitioned 85 percent of all individual PKI certificates within the next 18 months, and the remainder by December 2020.
The government has also agreed that health professionals will now be required to seek consent from their patients before accessing their Medicare numbers through HPOS, and will also be limited to 50 card number retrieval requests per day.
HPOS accounts that have been inactive for a period of six months will be suspended.
Individuals will also now have the ability to request an audit log of health professionals who have sought access to their Medicare card number through HPOS.
The government will soon table its response to a separate inquiry into the HPOS system by the senate's finance and public administration references committee.