Sunday, October 15, 2017

Its Seems No-One Is Meant To Read This Government Report On The Medicare Card Issues With The Final Report Being Released On A Saturday!

Here is the link to the Review:
The official title of the review was:

Independent review of health providers’ access to Medicare card numbers

Here is the basic contents of the web-page:

About the review

The review, announced on 10 July 2017, examined access by health professionals to Medicare card numbers by using the Health Professional Online Services (HPOS) system or by calling us.
The Australian Government wants to ensure the system is convenient and secure. The system hasn’t been significantly changed since its establishment 8 years ago.
The review was led by Professor Peter Shergold AC. Dr Michael Gannon, President of the Australian Medical Association (AMA) and Dr Bastian Seidel, President of the Royal Australian College of General Practitioners (RACGP), were also members of the review team.

Discussion paper and the final Report

The Review Panel invited submissions from interested parties on the issues raised in the discussion paper. Consultation closed on Friday 8 September 2017. Feedback and suggestions were considered by the Review Panel in their final report to government.
The Review has identified options to improve the security of Medicare card numbers within the Department’s HPOS system, while continuing to support access to health services without unnecessarily increasing the administrative workload faced by health professionals. The report has been provided to the Minister for Health, The Hon Greg Hunt MP and Minister for Human Services, The Hon Alan Tudge MP.
The 14 recommendations made are as follows:
Recommendation 1: It is recommended that the Medicare card be retained as a form of secondary evidence for identity purposes.
Recommendation 2: It is recommended that the Department of Human Services, working with industry and consumer organisations, undertakes a public awareness campaign encouraging individuals to protect their Medicare card details, and reminding organisations that hold that information of their obligation to protect it.
Recommendation 3: It is recommended that as a condition of claiming Medicare benefits on behalf of patients, health professionals should be required to take reasonable steps to confirm the identity of their patients when they are first treated.
Recommendation 4: It is recommended that health professionals should be required to seek the consent of their patients before accessing their Medicare numbers through Health Professional Online Services (HPOS) or by telephone.
Recommendation 5: It is recommended that individuals should be able to request the audit log of health professionals who have sought access to their Medicare card number through the HPOS ‘Find a Patient’ service.
Recommendation 6: It is recommended that the Department of Human Services undertake a Privacy Impact Assessment when implementing the Review recommendations, identifying the impact of changes on the privacy of individuals.
Recommendation 7: It is recommended that delegations within HPOS should require renewal every 12 months, with a warning to providers and their delegates three months before the delegation expires.
Recommendation 8: It is recommended that batch requests for Medicare card numbers through HPOS should be more tightly controlled (50 card numbers per batch request, and only one batch request per day), unless healthcare providers apply in writing to the Chief Executive Medicare, demonstrating a clear business need for a higher limit.
Recommendation 9: It is recommended that authentication for HPOS should be moved from Public Key Infrastructure (PKI) to the more secure Provider Digital Access (PRODA) expeditiously, with the transition completed within three years.
Recommendation 10: It is recommended that HPOS accounts that have been inactive for a period of six months should be suspended, following a warning to users after three months of inactivity.
Recommendation 11: It is recommended that the process of opening and reactivating a HPOS account should be administratively straightforward.
Recommendation 12: It is recommended that the Terms and Conditions for HPOS, PKI and PRODA should be simplified and presented to users in a form that ensures that they fully appreciate the seriousness of their obligations.
Recommendation 13: It is recommended that, in order to provide greater security and availability, the Department of Human Services should actively encourage health professionals to use HPOS as the primary channel to access or confirm their patients’ Medicare card numbers, and that telephone channels be phased out over the next two years except in exceptional circumstances.
Recommendation 14: It is recommended that, during the phasing down of the telephone channels, conditions for the security check for the release or confirmation of Medicare card information by telephone should be strengthened, with additional security questions having to be answered correctly by health professionals or their delegates.
Lots more detail is available in the full 62 page report:
Of special interest was the following:

“2.3.4 Limitations of stolen Medicare card numbers

While the theft of Medicare card numbers is a serious issue, it is important to note that an individual’s Medicare card number does not, in isolation, provide access to any clinical information or to an individual’s My Health Record. Some media commentary on the alleged sale of Medicare card numbers associated the availability of Medicare card numbers with the risk of unauthorised access to clinical information or the My Health Record. The Review Panel is not aware of any evidence that this has occurred.
The information for sale through the dark web was limited to individual Medicare card numbers, Individual Reference Numbers (IRNs) and expiry dates. This information is not sufficient to establish or access an existing My Health Record. In addition, this information is not sufficient to access the information that the Department of Human Services holds about an individual, such as details of services, claims or prescriptions received. The Department of Human Services does not hold any clinical information linked with Medicare card numbers.”
There are three impressions I am left with reading all this.
1. No-one is keen to make life any harder for the docs, no matter how insecure the system actually is.
2. The comments on linkage between the Medicare Number and Clinical Data seems very odd – given the Medicare system holds so much pharmacy and procedural clinical data!
3. The Medicare Number + Name / DOB / Sex etc. go a long way to opening a myGov account etc. and access to the myHR.
How reasonable to others think this report is?
Funny about this report turning up on a Saturday!
David.

3 comments:

  1. What about "intertwined" Medicare numbers leading to corrupted MyHR records? This was buried in a report to ADHA from the Office of the Information Commissioner (OAIC). Been going on for more than a year and still not resolved. See:

    https://www.oaic.gov.au/about-us/corporate-information/mous/australian-digital-health-agency-mou-biannual-report-2016-2017-for-the-period-ending-31-december-2016

    Seems Kate from Pulse IT was right when she noticed this some time ago. An iceberg for MyHR steaming ahead to opt-out?

    ReplyDelete
  2. Anon October 16 - 5:27. Now you really were not suppose to bring that back from under the carpet. This does question the validity of the report, yet again a review is constrained by a narrow scope. We obviously need a complete end-to-end, top-to-bottom review of eHealth systems in Australia. Who knows what problems will be introduced elsewhere by implementing the recommendations from this or any other review?

    Be good if someone had a national repository of architectures or even a commonly agreed eHealth reference model. Or maybe the ADHA does. I remember it being a key deliverable for the long over due interoperability Framework as listed in the FAQs

    ReplyDelete
  3. I don't have a lot of faith in a review, which would likely be done by 24yr old new grads working for an international consulting agency. How about ensure quality of what is in use now. Picking winners is something they don't appear very good at. Making sure what is is in use is safe is something government should be involved in.

    ReplyDelete