Healthcare providers will need to confirm the identity of new patients, batch requests for Medicare numbers by large hospitals will be more tightly controlled, and Australians will be able to find out who has accessed their Medicare details, following the discovery last year of Medicare numbers for sale on the dark web.

The Federal Government has accepted 13 recommendations of the Independent Review of Health Providers’ Access to Medicare Card Numbers and committed in principle to implement the last, according to Human Services Minister Michael Keenan and Health Minister Greg Hunt.

“The panel’s recommendations are practical, evidence-based and in keeping with the government’s mandate to preserve Medicare as the cornerstone of public healthcare in Australia,” the government’s response said.

Led by Professor Peter Shergold, with support from the RACGP and the AMA, the review panel found that changes to the Health Professionals Online Services system and telephone channels were required to tighten security.

“This response acknowledges the need for immediate practical improvements to the security of Medicare card numbers while continuing to ensure people have access to the healthcare they need in a timely manner. It also recognises medium to long-term changes required to reinforce the security of the HPOS system,” the government said.

The changes will require health professionals to undertake identity checks when patients initially present at a health service to reduce the potential for individuals to fraudulently claim benefits using another person’s Medicare details.

Healthcare providers will also need to gain patient consent before accessing Medicare details, and they will have to provide patients with information on how to request a list of people who have sought access to their Medicare card numbers.

Large healthcare providers, such as metropolitan hospitals, will be required to apply in writing to the Chief Executive, Medicare, demonstrating a clear business need for a limit higher than 50 card numbers per batch request and more than one batch request per day.

A public awareness campaign will be conducted to inform Australians of the importance of protecting Medicare numbers, given the use of the cards as a form of proof of identity.

[Read more: Inquiry into Medicare numbers for sale on the dark web calls for changes to health worker access | GPs tell inquiry into the Medicare data breach that HPOS and My Health Record are safe]

The independent review, which was announced in July last year, considered how to balance health professionals’ access to card numbers to confirm patient eligibility for services with security concerns.

“The panel noted that the current HPOS and telephone channels are critical in ensuring healthcare remains accessible including for vulnerable individuals who may not be able to present their Medicare card. However, the system has to balance convenience with security,” the response said.

Other recommended changes to existing HPOS access controls included replacing the Public Key Infrastructure (PKI) certificates used by healthcare providers to gain access to Department of Human Services systems with the more secure Provider Digital Access (PRODA) authentication. Inactive accounts will be suspended and time limits introduced for delegate arrangements.

Most of the changes will be implemented by mid-2019.  

The government conceded that modifications to the system could create short-term inconveniences.

“Health professionals are likely to have to make changes to their administrative arrangements as new requirements are implemented. They will be supported by detailed information and educational materials, and the government will work closely with professional colleges and organisations to assist their members with the transition.”

While private health information was not at risk from last year’s breach, the government said improvements were necessary to protect the integrity of the Medicare system and reinforce public confidence in the government’s cybersecurity capabilities.

“The government takes seriously its obligation to protect the significant personal information of Australians, and is working to maintain and strengthen its defences against ever more sophisticated cyber and criminal attacks.”

The Australian Federal Police investigation into the sale of Medicare numbers on the dark web continues.




White papers