Wednesday, February 21, 2018

I Wonder If These Changes Will Avoid More Hacking Of The Medicare Number Database?

This appeared a few days ago:

Government to crack down on access to patients’ Medicare numbers

Accelerates shift away from PKI for HPOS
Rohan Pearce (Computerworld) 16 February, 2018 12:44
The government has endorsed the recommendations of a review into health providers’ access to Medicare card numbers.
The government commissioned the review of the Health Professionals Online Services (HPOS) system after revelations that a Tor-protected service was offering to retrieve the Medicare numbers of individuals.
The ‘Medicare Machine’ service on the now-defunct AlphaBay marketplace site offered access to the data in return for a small fee.
The HPOS review made 14 recommendations and the government said today it agreed or agreed in principle to all of them.
“We are committed to protecting the personal information of the Australian people,” a statement issued by human services minister Michael Keenan said.
“These recommendations will make practical improvements to the security of Medicare numbers, without increasing the administrative burden on health professionals.”
The government said it agreed in principle to a recommendation that HPOS be used as the primary channel to access or confirm Medicare numbers and that telephone channels be phased out over two years except in exceptional circumstances.
However, the government said that further work with the health sector would be required before making changes to telephone channels.
The government said it would accelerate the transition away from Public Key Infrastructure (PKI) for HPOS authentication to use of Provider Digital Access (PRODA) accounts.
.....
The government’s full response is available online.
More here:

There is further coverage here:

Govt backs Medicare card safety changes

The federal government has accepted 14 recommendations following a review into the reported sale of Medicare card details on the dark web.
Australian Associated Press February 16, 2018 12:41pm
A public awareness campaign to encourage Australians to better protect their Medicare cards is one of 14 recommendations accepted by the federal government.
An independent review found Medicare cards should be retained as a secondary form of proof of ID despite reports last year some numbers were being sold on the dark web.
But it was suggested the Human Services Department undertake a public awareness campaign encouraging people and organisations to better protect their details.
Human Services Minister Michael Keenan and Health Minister Greg Hunt on Friday accepted 13 of the 14 review recommendations and committed in principle to working with stakeholders on the last.
They include that it is a condition of claiming Medicare benefits on behalf of patients that health professionals are required to take reasonable steps to confirm the identity of their patients.
More here:

The direct link to the full Government response is here:


What is impressive here is just how co-operative the Government was in just accepting pretty much all of what was suggested. I don't recall any other report which has received such total agreement except - maybe - those on child abuse and aboriginal disadvantage.

At least some parts of the system still work!

David.

2 comments:

  1. Re the government's track record on endorsing then implementing recommendations from reviews.

    The PCEHR had a Privacy Impact Assessment done on it. It's on their website in their FAQ on security

    https://myhealthrecord.gov.au/internet/mhr/publishing.nsf/Content/faq-security-410/$file/Personally%20Controlled%20Electronic%20Health%20Record%20PCEHR%20Privacy%20Impact%20Assessment%20Report.pdf

    Paragraph 5.1.14 recommends that the Minister for Health create regulations that define controls over what Call Centre operators can and cannot do.

    The Department of Health's response to paragraph 5.11 of the Privacy Impact Assessment, above, was this:

    The Department agrees that a clear and robust framework is required for the operation of the PCEHR system Call Centre. The Department considers that this would be achieved in a flexible and responsive way through the use of regulations or rules. This is provided for in the legislation (s109(2) and (3)).

    This is the government's full response:

    https://myhealthrecord.gov.au/internet/mhr/publishing.nsf/Content/faq-security-410/$file/Departmental%20response%20to%20Personally%20Controlled%20Electronic%20Health%20Record%20PCEHR%20Privacy%20Impact%20Assessment%20Report%202011.pdf

    As far as I know, that framework has never been developed or implemented.

    I can't see anything that relates to call centres in the current regulations.
    https://www.legislation.gov.au/Details/F2016C00607

  2. Amazing what can be done when you turn off PowerPoint and remove imperative statements. Simple, good old-fashioned analysis and recommendations. Bland perhaps, but Government should be a bit grey; it is what we pay them to be and what they are good at given the opportunity.
