iTnews

Ditch PKI certs in Medicare look-up system: review

By Allie Coyne on Oct 16, 2017 5:57PM
But keep using cards as ID.

A government-ordered review into how health providers access Medicare numbers has recommended the cards continue to be used as a form of identification despite security and privacy concerns with the system.

The federal government ordered the review - led by Professor Peter Shergold - after The Guardian revealed Medicare details were being sold on the dark web for around A$29 per file.

The Department of Human Services has said the individual selling the card numbers exploited legitimate access to obtain the data.

The manner in which the data was being sold indicated the unknown person was accessing Medicare card details through Human Services' HPOS Medicare verification service for healthcare providers.

Further detail has not been provided given an AFP investigation is currently underway.

HPOS - which has been in operation for eight years and allows people who don't have their Medicare card on them to receive emergency treatment - lets healthcare providers access a person's card number if the individual has provided their name and date of birth.

Access is provided in two ways: either through public key infrastructure (PKI), where a healthcare organisation uses a preloaded certificate and PIN code to gain access; or through a provider digital access (PRODA) account, which requires an individual user's name and password as well as a separate unique verification code.

The government's review, published on Friday, highlighted security issues with the PKI aspect of HPOS, recommending it be replaced by the more secure PRODA accounts "expeditiously".

It said that although providers are told to keep PKI certificates secure and not share them, in reality there were risks that healthcare workers would share the certificates internally and potentially with third-party IT providers.

"This means that the Department of Human Services may not be aware of who is accessing HPOS using the certificate," the panel wrote.

Around 163,000 accounts had access to HPOS at 30 June 2017, according to the report. The system is used around 45,000 times per day.

The review panel also recommended a handful of tweaks to better secure the system.

It suggested that individuals be able to access audit logs of which healthcare professionals had accessed their Medicare card data through HPOS; that consent be granted before a person's Medicare card data is accessed through the system; that batch requests be reduced from 500 to 50 card numbers per batch and to only one batch per day; and that any HPOS account inactive for six months be suspended.
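The panel's tweaks amount to four access-control rules: a per-batch cap, a daily quota, consent before lookup, and suspension of dormant accounts, plus an audit trail the patient can read. The following is an added illustration of how a gateway in front of such a lookup service could enforce them; it is constructed for this article and is not HPOS code or anything published by Human Services. The account model, the 183-day reading of "six months", and the pseudonymous patient keys are all assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Thresholds taken from the review's recommendations as reported above.
MAX_BATCH_SIZE = 50                      # reduced from 500
MAX_BATCHES_PER_DAY = 1                  # one batch per account per day
INACTIVITY_LIMIT = timedelta(days=183)   # "six months", approximated as 183 days (assumption)


@dataclass
class Account:
    """One HPOS-style user account (constructed model, not the real system)."""
    account_id: str
    last_active: date
    suspended: bool = False
    batch_dates: list = field(default_factory=list)   # dates on which a batch was accepted


@dataclass(frozen=True)
class AuditEntry:
    """Who looked up whom, and when; exposed to the patient on request."""
    when: date
    account_id: str
    patient_key: str


class LookupGateway:
    def __init__(self):
        self.audit_log = []

    def request_batch(self, account, lookups, consent_given, today):
        """Evaluate one batch request and return (accepted, reason).

        `lookups` is a list of pseudonymous patient keys (assumed here to be derived
        from name and date of birth); the card numbers themselves are not needed
        to make the access decision.
        """
        if account.suspended:
            return False, "account suspended"
        # Inactivity rule: suspend rather than merely refuse, so the owner must re-verify.
        if today - account.last_active > INACTIVITY_LIMIT:
            account.suspended = True
            return False, "account suspended for inactivity"
        if not consent_given:
            return False, "patient consent not recorded"
        if len(lookups) > MAX_BATCH_SIZE:
            return False, f"batch size {len(lookups)} exceeds {MAX_BATCH_SIZE}"
        if account.batch_dates.count(today) >= MAX_BATCHES_PER_DAY:
            return False, "daily batch quota already used"

        # Accepted: log every lookup so the patient can later see who accessed their record.
        for key in lookups:
            self.audit_log.append(AuditEntry(today, account.account_id, key))
        account.batch_dates.append(today)
        account.last_active = today
        return True, "accepted"

    def audit_for_patient(self, patient_key):
        """The patient-facing view the review asked for: every access to one record."""
        return [e for e in self.audit_log if e.patient_key == patient_key]


def demo():
    """Constructed scenario exercising each rule; returns the decisions for inspection."""
    today = date(2017, 10, 16)
    gw = LookupGateway()
    stale = Account("clinic-stale", last_active=today - timedelta(days=200))
    active = Account("clinic-active", last_active=today - timedelta(days=3))
    keys = [f"patient-{i:03d}" for i in range(51)]   # constructed pseudonymous keys

    results = {
        "stale_account": gw.request_batch(stale, keys[:10], True, today),
        "oversized": gw.request_batch(active, keys, True, today),
        "no_consent": gw.request_batch(active, keys[:5], False, today),
        "first_batch": gw.request_batch(active, keys[:50], True, today),
        "second_batch": gw.request_batch(active, keys[:1], True, today),
        "next_day": gw.request_batch(active, keys[:1], True, today + timedelta(days=1)),
    }
    return results, gw, stale


if __name__ == "__main__":
    for name, (ok, why) in demo()[0].items():
        print(f"{name:13s} {'ACCEPT' if ok else 'REJECT'}  {why}")
```

The point of keeping the decision and the audit write in one place is that a rejected request never reaches the card store, while every accepted lookup leaves an entry the patient can query; the inactivity check flips the account to suspended on its first stale attempt rather than silently refusing, so a dormant credential cannot be quietly reused months later.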

However, broadly it found that the benefits of using the Medicare card as a form of identity verification outweighed any security or privacy concerns with the HPOS system.

Calls to remove Medicare cards as a form of ID had been made given the apparent ease with which card data can be accessed.

A separate inquiry into the HPOS system by the Senate's finance and public administration references committee, tabled today, similarly recommended the continued use of the card for this purpose.

"While the committee considers [identity theft] to be a serious issue, it also notes that there appears to be considerable support to the continued use of the Medicare card as an identity document," it wrote.

"The committee is aware of the wider impact on the community were the Medicare card to be withdrawn as a proof of identity document."

It also said it was "satisfied" that the potential for identity theft by means of a stolen Medicare card number "does not result in an individual's health information being accessed, as the Medicare card system is a discrete system completely separate from My Health Record, with My Health Record requiring a different authentication process".

The committee declined to comment further given the current AFP investigation into the dark web Medicare card data sales.
